Published 3 Nov 2024

Artifact Hashing for CMMC

A hash is a fixed-length string of characters generated by a mathematical algorithm from an artifact such as a file, a software executable, or other data. Because the value is unique to its input, changing the artifact even slightly produces a different hash. If the artifacts are saved, their hashes can be used later to prove that they have not been changed or tampered with.

The CMMC program requires an organization seeking certification (OSC) to hash the artifacts used in its cybersecurity assessment to ensure data integrity. These artifacts, hashed with a NIST-approved algorithm, must be retained for six years from the certification date. The hashing verifies that no tampering has occurred in the assessment documents. Each OSC must select a hashing algorithm, such as SHA256. For each artifact, the OSC records the file name, hash value, and hashing algorithm used. These hash values are then shared with the Certified Third-Party Assessment Organization (C3PAO).
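The two paragraphs above describe the whole workflow: pick a NIST-approved algorithm, record file name, hash value and algorithm for every artifact, and keep the records so the artifacts can be re-checked later. The script below is an added example written for this post, not code from the CMMC program, a C3PAO or eMASS. It builds that per-artifact record set for a directory, then re-hashes the directory against the saved records and flags anything modified or missing. The approved-algorithm list, the file names and the file contents in the walk-through are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the OSC's policy limits the choice to NIST-approved hash functions
# (SHA-2 family, FIPS 180-4; SHA-3 family, FIPS 202). MD5 and SHA-1 are
# deliberately absent from this list.
APPROVED_ALGORITHMS = {"sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512"}
DEFAULT_ALGORITHM = "sha256"


def hash_bytes(data: bytes, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Hex digest of in-memory data; useful for a known-answer check of the tool."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not on the approved list")
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: Path, algorithm: str = DEFAULT_ALGORITHM, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large artifacts (logs, disk images) need not fit in memory."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not on the approved list")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, algorithm: str = DEFAULT_ALGORITHM) -> list[dict]:
    """One record per artifact: file name, hash value, algorithm (the fields the OSC records)."""
    root = Path(artifact_dir)
    records = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            records.append({
                "file_name": p.relative_to(root).as_posix(),  # portable relative name
                "hash_value": hash_file(p, algorithm),
                "algorithm": algorithm,
            })
    return records


def verify_manifest(artifact_dir: Path, manifest: list[dict]) -> dict[str, str]:
    """Re-hash every listed artifact; per-file result is 'ok', 'modified' or 'missing'."""
    root = Path(artifact_dir)
    status = {}
    for rec in manifest:
        p = root / rec["file_name"]
        if not p.is_file():
            status[rec["file_name"]] = "missing"
        elif hash_file(p, rec["algorithm"]) != rec["hash_value"]:
            status[rec["file_name"]] = "modified"
        else:
            status[rec["file_name"]] = "ok"
    return status


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed walk-through with two sample artifacts (not real assessment evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "ssp.txt").write_bytes(b"System Security Plan, revision 1\n")
        (root / "policies" / "access-control.txt").write_bytes(b"AC-1 policy text\n")

        manifest = build_manifest(root)           # the records handed to the C3PAO
        before = verify_manifest(root, manifest)  # every artifact reports 'ok'

        # Later: a one-character edit and a deleted artifact are both detected.
        (root / "ssp.txt").write_bytes(b"System Security Plan, revision 2\n")
        (root / "policies" / "access-control.txt").unlink()
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at hashing time:", before)
    print("at re-check:   ", after)
```

The manifest is just a list of three-field records, so it can be exported to CSV or JSON in whatever layout the C3PAO asks for; the point of keeping `algorithm` in each record is that a verifier six years later can re-hash with the same function even if the organisation's default has moved on since. The known-answer check in `hash_bytes` (SHA-256 of `abc` is a published test vector) is how a practitioner confirms the tool itself before trusting any manifest it produces.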

For Level 2 and Level 3 CMMC assessments, the C3PAO uploads this hashing data into the CMMC’s Enterprise Mission Assurance Support Service (eMASS) system, providing traceable evidence of the artifact’s integrity throughout the assessment lifecycle. This hashing process supports compliance and transparency, allowing the Department of Defense to verify the integrity of OSC-provided artifacts over the six-year retention period.

For Level 1 self-assessments, hashing requirements do not apply.


Brenda Harper
Content Writer