CMMC Hashing Guide
The CMMC Hashing Guide (v2.13) provides instructions for using the CMMC Artifact Hashing Tool, a PowerShell-based script that generates cryptographic hashes (using SHA-256) of assessment artifacts. This process ensures the integrity of evidence collected during a CMMC Level 2 or Level 3 assessment.
Key Points:
• Hashing is required for assessments led by a C3PAO (CMMC Third-Party Assessment Organization) or by the government; it is not required for self-assessments.
• The tool creates a unique hash for each artifact and a final hash of the entire artifact list.
• These hashes help verify that artifacts remain unchanged over time.
• The artifacts themselves are retained by the contractor (the Organization Seeking Assessment, OSA) for six years, per 32 CFR § 170.17 and § 170.18.
• The tool does not encrypt the artifacts—confidentiality must be managed separately.
This guide is critical for organizations undergoing formal CMMC assessments: the hashes preserve evidence integrity without requiring assessors to retain sensitive materials.
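The per-artifact hash plus a final hash of the artifact list, as described above, sketched with PowerShell's built-in `Get-FileHash` cmdlet. This is an added example, not the DoD CMMC Artifact Hashing Tool or code from the guide; the function names, the manifest format, and the sample file names are assumptions.

```powershell
# Added illustration; NOT the DoD CMMC Artifact Hashing Tool. Function names,
# manifest format ("<SHA256>  <relative path>") and paths are assumptions.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-ArtifactManifest([string]$ArtifactDir, [string]$ManifestPath) {
    $root = (Resolve-Path -LiteralPath $ArtifactDir).Path
    # Sorted order makes the list, and so the final hash, reproducible.
    $lines = @(Get-ChildItem -LiteralPath $root -File -Recurse | Sort-Object FullName |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $rel
        })
    if ($lines.Count -eq 0) { throw "No artifacts found under $root" }
    # Keep the manifest outside $ArtifactDir so it is never hashed as an artifact.
    Set-Content -LiteralPath $ManifestPath -Value $lines -Encoding UTF8
    (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash   # final hash
}

function Test-ArtifactManifest([string]$ArtifactDir, [string]$ManifestPath, [string]$FinalHash) {
    # Check the list first: if it was edited, its per-file hashes prove nothing.
    if ((Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash -ne $FinalHash) {
        return 'MANIFEST CHANGED'
    }
    $root = (Resolve-Path -LiteralPath $ArtifactDir).Path
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        $hash, $rel = $line -split '  ', 2
        $path = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { "MISSING  $rel" }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $hash) { "CHANGED  $rel" }
    }
}

# Constructed sample artifacts in a temporary folder.
$work = Join-Path ([IO.Path]::GetTempPath()) ("cmmc-demo-" + [guid]::NewGuid())
$dir  = (New-Item -ItemType Directory -Path (Join-Path $work 'artifacts')).FullName
Set-Content -LiteralPath (Join-Path $dir 'ssp.txt')    -Value 'constructed SSP excerpt'
Set-Content -LiteralPath (Join-Path $dir 'policy.txt') -Value 'constructed policy text'
$manifest = Join-Path $work 'artifact-list.txt'

$final = New-ArtifactManifest $dir $manifest
"Final hash: $final"
# Simulate an artifact being altered after the hashes were recorded.
Add-Content -LiteralPath (Join-Path $dir 'policy.txt') -Value 'edited after assessment'
$findings = @(Test-ArtifactManifest $dir $manifest $final)
if ($findings.Count) { $findings } else { 'All artifacts match' }
Remove-Item -LiteralPath $work -Recurse -Force
```

The check only covers files named in the list, so a file added to the folder afterwards is not reported; as the guide notes for its own tool, hashing gives integrity evidence only and does nothing for confidentiality.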
https://dodcio.defense.gov/Portals/0/Documents/CMMC/HashingGuidev2.pdf