Evidence Retention Artifact Hashing Chain of Custody 32 CFR Part 170 // 7 MIN READ

CMMC Hashing and Evidence Retention

Proving What Was True on Assessment Day

A CMMC assessment is a point-in-time determination — and that determination must be defensible for six years after the CMMC Status Date. The mechanism that makes it defensible without exposing proprietary security artifacts to the government is the DoD Artifact Hashing Tool, which creates cryptographic references so integrity can be validated on demand long after the assessment closes.

Under 32 CFR Part 170 Subpart D, assessment artifacts must be retained for six years. The Cyber AB CAP references the DoD CMMC Hashing Guide as supplemental guidance and ties it to the eMASS submission workflow. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audits an organization — which can happen months or years after the original assessment — they will request the archived evidence, re-run the hashing tool, and compare the resulting hash to the value recorded in eMASS. An exact match is cryptographic proof that the files are unchanged. Any mismatch is proof that they are not.

The fundamental problem hashing solves: the government needs to verify that your controls were implemented on assessment day — not that they are implemented the day the audit arrives. Policies get updated. Configurations drift. Without a cryptographic reference tied to the original evidence, "we had it then" is an assertion. With a matching hash, it is proof.

What the Hashing Tool Does — and Why It Matters for Audit Defense

The DoD Artifact Hashing Tool generates a SHA-256 cryptographic hash — a fixed-length 64-character hexadecimal string — for each artifact in the evidence package. SHA-256 is a one-way function: the same file always produces the same hash, and any change to the file — even a single character, a metadata edit, or a filename change in some implementations — produces a completely different hash. There is no such thing as a "minor" file change in hash terms.

SHA-256 Hash Algorithm

What a SHA-256 Hash Looks Like

Each artifact produces a unique 256-bit (64 hex character) digest. The same file always produces the same output. Any alteration — content, metadata, or encoding — produces an entirely different string.

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

↑ SHA-256 hash of an empty file. The hash of your actual access control policy will be entirely different — and will never match this value regardless of how similar the files are.

The tool produces two outputs: individual hashes for each artifact, and a hash of the complete artifact list file. The list-level hash is what enters eMASS — it represents the entire evidence corpus as a single verifiable reference. The individual artifact hashes are retained by the OSC and support document-level integrity verification during audit.

Hashing Workflow — Assessment Day Through Audit Day
Assessment Day
Evidence Compiled
OSC compiles all artifacts — policies, configs, screenshots, interview records — in the exact directory structure used during the assessment. No changes after this point.
Hashing Tool Run
SHA-256 Hashes Generated
The DoD Artifact Hashing Tool generates a SHA-256 hash for each individual artifact and a hash of the complete artifact list. These values are mathematically tied to the exact file contents at this moment.
Post-Hashing
Split: Archive + eMASS
The artifact list hash goes to the C3PAO for eMASS submission. The original artifacts and individual hash values are archived by the OSC in read-only storage. The two paths diverge here and never rejoin.
OSC Archives — 6 Years

Original artifacts in read-only vault. Individual SHA-256 hashes retained. The hashing tool run record (date, file set, output) retained. Nothing in the archive is modified after the hash is generated.

eMASS Receives — Hash Reference Only

The artifact list hash enters eMASS as part of the assessment results package. Zero proprietary artifacts. The government holds a cryptographic reference, not the evidence itself.

Audit Day Verification: DIBCAC requests the archived files → OSC provides from vault → DIBCAC re-runs hashing tool → resulting hash compared to eMASS record → exact match = cryptographic proof of integrity. Any mismatch = evidence has changed since assessment day.

How Long Must CMMC Assessment Artifacts Be Retained

The source-of-truth retention requirement is 32 CFR Part 170 Subpart D: assessment artifacts must be retained for six years from the CMMC Status Date — not three years as is sometimes cited from the earlier CAP documentation. The six-year requirement aligns with the False Claims Act statute of limitations and the DIBCAC audit window, which can extend well beyond the initial triennial certification cycle.

6
32 CFR Part 170 Subpart D — Minimum Retention Period

Years from the CMMC Status Date. This applies to all artifacts used during the Level 2 assessment — examine artifacts, interview records, and test evidence — as well as the artifact list and individual SHA-256 hash values. The six-year window covers the full triennial certification cycle plus the False Claims Act lookback period. Organizations that calculated their archive destruction date based on a three-year assumption need to revise that timeline.

The six-year retention window has a practical implication for organizations in their second or third triennial cycle: the evidence from the first C3PAO assessment (Year 1) must be retained through the second triennial cycle (Year 7) before destruction is defensible. Build the archive destruction schedule from the CMMC Status Date, not from the physical assessment dates.

What Must Be Retained: Evidence Across All Three Assessment Methods

The archive must contain every artifact used to demonstrate a Met finding under each of the three assessment methods. Gaps in the archive — missing interview records, lost configuration exports, overwritten screenshots — cannot be filled retroactively. If the artifact does not exist in the archive, the hash verification fails and the finding cannot be substantiated.

Examine

Documentation Artifacts

Signed policy documents (all 14 domain families)
Procedures paired to each policy
System Security Plan — full version as assessed
Asset inventory as of assessment date
Network diagram and data flow diagram — current revision
Customer Responsibility Matrix (if applicable)
Evidence mapping file / control-to-artifact index
Interview

Personnel Record Artifacts

Interview notes or minutes for each control owner session
Control owner roster — names, roles, controls owned
Audio or video recordings if used (with consent documentation)
Daily checkpoint logs — all assessment days
Mock interview documentation (pre-assessment preparation records)
Training completion records referenced during interviews
Test

System Evidence Artifacts

Configuration exports — firewall rules, ACL rulesets, GPO exports
Screenshots of live system states taken during testing
Vulnerability scan results and remediation records
Log review records with assessor-witnessed date evidence
MFA enforcement configuration exports
Baseline configuration documentation
FIPS CMVP certificate numbers and vendor documentation
The interview records category is the most commonly omitted from archives. Organizations that treated assessor interviews as informal conversations without documentation cannot produce interview artifacts when DIBCAC asks for them. Document every interview session — the questions asked, the name and role of the interviewee, the date, and the key points of the response — as a formal artifact that can be hashed.

Common Integrity Failures That Break Hash Matches Later

Hash verification failures during DIBCAC audit are rarely caused by intentional tampering. They are almost always caused by routine file-handling mistakes that seem innocuous in the moment but produce cryptographically detectable changes. These four patterns account for the majority of archive integrity failures.

Failure 01Version Drift — Overwriting the Assessed Policy

The most common archive failure: an updated policy is saved over the assessed version in the same folder. An HR policy that was correct on assessment day is replaced by the revised version six months later. The new file produces a completely different hash. When DIBCAC re-hashes the archive, the output does not match the eMASS record — the assessed version no longer exists.

Version drift does not require malicious intent. It happens automatically when policy owners follow their normal update procedures without awareness that the archive folder is supposed to be immutable.

→ The read-only vault is the only reliable defense against version drift. Once hashing is complete, the archive directory must be locked against any modification. Active policy management belongs in a separate working directory that is explicitly not the archive.
Failure 02Storage Migration — Metadata Changes on Transit

Moving evidence files from a local directory to SharePoint, a cloud storage platform, or a new file server can alter file metadata — creation dates, last-modified timestamps, author fields — even when the file contents appear identical. Depending on how the hashing tool processes metadata, these changes can produce a different hash for the "same" document. The file looks unchanged in a text editor. The hash disagrees.

This failure is particularly insidious because the content is genuinely unchanged — only the container-level attributes shifted during migration. But "the content is the same" is not a defense against a hash mismatch in a DIBCAC verification.

→ Hash before migrating, not after. If a storage migration is necessary after the archive is established, re-run the hashing tool immediately post-migration and verify the hashes match before treating the migrated location as the definitive archive. If they do not match, the pre-migration location must be preserved.
Failure 03The Zip File Trap — Single Hash for the Entire Evidence Corpus

Some organizations attempt to simplify archive management by compressing all evidence into a single ZIP file and generating one master hash for the whole package. This approach appears to create a single defensible integrity checkpoint. In practice, it destroys document-level integrity verification entirely. Assessors and auditors require the ability to verify individual artifacts against specific control findings. A single zip hash cannot tell DIBCAC whether the access control policy or the SIEM configuration was the document that changed.

→ Maintain the original file structure and generate individual SHA-256 hashes for each artifact. The DoD Artifact Hashing Tool is designed for document-level hashing. Use it as designed.
Failure 04Missing the Hashing Tool Run Record

Organizations that generate hashes but do not retain documentation of when the hashing tool was run, against which file set, and what the output was have a hash value with no chain-of-custody record. If DIBCAC asks "when was this hash generated and what files were in scope?" the answer must exist as a document — not a recollection. A hash without a run record is an assertion. A hash with a run record is evidence.

→ Treat the hashing tool run itself as an auditable event. Document the date, the directory path, the tool version, and retain the output file. This record is itself an archive artifact that should be hashed and retained.
✗ Incorrect — Single ZIP Hash
AC-Policy.pdf AU-Procedure.docx SIEM-Config.xml MFA-Screenshot.png IR-Plan.pdf +495 more files
📦 AllEvidence.zip
Hash: a3f2c9… (one hash for 500 files)
✗ Cannot isolate which document changed. Document-level integrity unverifiable. DIBCAC cannot map hash to specific control findings.
✓ Correct — Document-Level Hashes
📁 /AC/ → AC-Policy.pdf [hash: e3b0c4…]
📁 /AU/ → AU-Procedure.docx [hash: 9f86d0…]
📁 /CA/ → SIEM-Config.xml [hash: 4e07a1…]
📁 /IA/ → MFA-Screenshot.png [hash: 8d969e…]
📁 /IR/ → IR-Plan.pdf [hash: 2cf24d…]
Artifact list itself also hashed → list hash enters eMASS
✓ Each artifact independently verifiable. Hash maps to specific control domain. DIBCAC can verify any single document without re-running the full corpus.

A Retention Playbook: Naming, Indexing, Vaulting, and Change Control

The retention architecture must be designed before the assessment concludes — not assembled retroactively after the C3PAO leaves. These five practices, taken together, produce an archive that is both technically sound and operationally defensible.

01
Embed the Control Practice ID in Every Artifact Filename
Include the CMMC practice identifier directly in each artifact's filename. When DIBCAC requests evidence for a specific control, the filename immediately identifies the relevant artifact without requiring an index lookup. It also prevents the accidental overwrite failure mode — a file named "AccessControlPolicy.pdf" is easy to replace; a file named with the control ID and date is harder to confuse with a current working version.
AC.L2-3.1.1_AccessControlPolicy_2024-11-15.pdf
02
Organize Artifacts by Domain Folder Structure Matching the Assessment
Mirror the 14 NIST SP 800-171 domain families in your archive directory structure. Each domain gets a root folder; each practice within the domain gets a subfolder. This structure allows the hashing tool to generate domain-level and practice-level hash chains and maps the archive to the assessor's finding structure without requiring a separate translation step.
/CMMC-Evidence-Archive/AC/3.1.1/ | /AU/3.3.1/ | /IA/3.5.3/
03
Maintain a Master Evidence Index Alongside the Archive
The evidence mapping file used during the assessment — control practice, assessment objective, pointer to specific artifact, page, and paragraph — must be retained as an archive artifact itself. It is the auditor's navigation tool and it maps hashes to specific findings. A DIBCAC reviewer who asks "which artifact supports objective AC.L2-3.1.1 [d]?" needs a one-document answer, not a folder to search through.
04
Lock the Archive as Read-Only Immediately After Hashing
The moment the final hashing tool run is complete, set the archive directory and all subdirectories to read-only at the file system level. Remove write permissions for all users including administrators. Log the permission change as an auditable event. The archive is now immutable — any subsequent modification requires a deliberate, documented permission override that creates an audit trail.
If a policy must be updated after the assessment, the update happens in the active policy management location — never in the archive. The archive version remains the assessed version for six years.
05
Designate an Archive Custodian and Document the Role in the SSP
Name a specific individual as archive custodian — the person responsible for maintaining archive integrity, responding to DIBCAC requests, and managing the archive destruction schedule. Document the role in the SSP with a named backup. If the primary custodian leaves the organization, the successor must be identified before the departure. A DIBCAC audit that arrives to find no one knows where the archive lives is a governance failure that compounds any substantive finding.
The Destruction Schedule
Build the archive destruction date into your records management calendar from Day 1 of the CMMC Status Date. Six years from that date, the archive can be destroyed — but not before. Organizations that destroy evidence prematurely because they assumed a three-year retention window (common in older guidance) may face a DIBCAC audit they cannot satisfy. Calculate the destruction date from 32 CFR Part 170's six-year requirement, not from informal program-level assumptions.

The Bottom Line

The hashing process and the six-year retention requirement are not administrative overhead. They are the mechanism by which a point-in-time assessment remains defensible — legally and cryptographically — for the entire period during which the DoD, DIBCAC, or a contracting officer might need to verify what was true on assessment day.

The operational requirements are straightforward: generate SHA-256 hashes for individual artifacts using the DoD tool, archive the original files in a read-only vault, retain the hash values and the tool run record, and maintain the archive for six years from the CMMC Status Date. The failures that break this chain are rarely intentional — they are the result of routine file management applied to files that are not allowed to be routinely managed.

The archive is not a backup — it is a legal record. Treat it accordingly: read-only from the moment the hash is generated, named and organized so any auditor can navigate it without your help, and retained for exactly as long as 32 CFR Part 170 requires. The hash in eMASS is only as trustworthy as the archive behind it.

Related Articles

eMASS vs SPRS: What Gets Submitted WhereAdequate vs Sufficient Evidence in CMMCThe CMMC Assessment Process (CAP): Phases and OutputsHow to Write a CMMC System Security Plan (SSP)How Assessors Evaluate Evidence: Examine, Interview, and Test