General Questions

1. Does this replace my auditor?

No. AuditKit automates the technical controls portion of compliance audits, but you still need:

  • SOC2: CPA firm for certification ($15,000 - $30,000)
  • CMMC: C3PAO for assessment ($25,000 - $150,000)
  • PCI-DSS: QSA for certification ($15,000 - $50,000)

What AuditKit replaces: Technical consultant fees ($30,000 - $100,000) for infrastructure scanning and remediation

What you still need: Certified auditor/assessor for final certification

2. What's the difference between Free and Pro?

| Feature | Free | Pro ($297/mo) |
|---|---|---|
| AWS/Azure/GCP/M365 | Full support | Full support |
| SOC2, PCI-DSS, NIST 800-53 | All frameworks | All frameworks |
| CMMC Level 1 | 17 practices | 17 practices |
| CMMC Level 2 | - | 110 practices (CUI) |
| Multi-Account Scanning | One at a time | AWS Orgs, Azure MG, GCP Folders |
| Evidence Package Generator | - | C3PAO-ready ZIP files |
| Support | Community | Priority + 14-day trial |

3. How much does it cost?

Free version: $0 forever (open source)
Pro version: $297/month with 14-day free trial

Compare to traditional costs:

  • SOC2 consultant: $50,000+
  • CMMC C3PAO assessment: $25,000+
  • Compliance platforms (Vanta/Drata): $5,000+/year

CMMC Questions

4. What's the difference between CMMC Level 1 and Level 2?

CMMC Level 1 (17 practices) - FREE

  • Protects Federal Contract Information (FCI)
  • Basic cybersecurity hygiene
  • Required for all DoW contractors
  • Self-assessment allowed

CMMC Level 2 (110 practices) - PRO

  • Protects Controlled Unclassified Information (CUI)
  • Based on NIST SP 800-171 Rev 2
  • Required for contractors handling CUI
  • Requires C3PAO assessment

Important

If your DoW contract mentions CUI, you need Level 2.

5. When is the CMMC deadline?

November 10, 2025 - CMMC requirements started appearing in DoW contracts

DoW contractors must be compliant when specified in contract solicitations. Many contracts now include CMMC Level 1 or Level 2 requirements.

6. Can AuditKit prepare me for C3PAO assessment?

Yes, for technical controls. AuditKit automates:

  • Technical security configuration checks
  • Evidence collection guides
  • Remediation commands
  • Assessment reports

You still need to handle:

  • Organizational policies
  • Security awareness training
  • Incident response procedures
  • Physical security measures

Timeline: Most contractors fix 80%+ of technical issues in 2-4 weeks with AuditKit.

Technical Questions

7. Which cloud providers are supported?

Fully supported:

  • AWS (Amazon Web Services)
  • Azure (Microsoft Azure)
  • GCP (Google Cloud Platform)
  • M365 (Microsoft 365) via ScubaGear integration

Coverage:

  • AWS: 90+ checks, 64+ SOC2, 30+ PCI-DSS, 17 CMMC L1, 110 CMMC L2 (Pro)
  • Azure: 64+ checks, SOC2, PCI-DSS, CMMC (Free + Pro)
  • GCP: 170+ core checks (Free), +32 advanced checks (Pro)
  • M365: 29+ Entra ID rules via ScubaGear

8. What frameworks are supported?

| Framework | Status | Coverage |
|---|---|---|
| SOC2 Type II | Production | 64 controls |
| PCI-DSS v4.0 | Production | 30+ controls |
| CMMC Level 1 | Production | 17 practices |
| CMMC Level 2 | Pro only | 110 practices |
| NIST 800-53 Rev 5 | Production | ~150 controls |
| HIPAA Security Rule | Production | Technical Safeguards (215 mappings) |
| CIS Benchmarks | Production | AWS, Azure, GCP |
| ISO 27001:2022 | Production | Via framework crosswalk |
| FedRAMP | Production | Low/Moderate/High baselines via crosswalk |
| GDPR | Production | Technical controls (Articles 5, 25, 32) |

9. Does AuditKit make any changes to my infrastructure?

No. AuditKit is read-only. It only reads configuration, checks security settings, and generates reports. It never modifies your infrastructure.

The auditkit fix command generates a script for you to review and run manually.

10. What permissions does AuditKit need?

  • AWS: ReadOnlyAccess managed policy
  • Azure: Reader role
  • GCP: roles/viewer role

All read-only, no write permissions required.

Troubleshooting

11. Why is my compliance score low?

1. Security services not enabled — enable these first:

  • AWS: GuardDuty, Config, CloudTrail, Security Hub
  • Azure: Defender for Cloud, Azure Policy, Activity Logs
  • GCP: Security Command Center, Cloud Logging, Cloud KMS

2. Basic security controls missing:

  • MFA not enforced
  • CloudTrail/logging not configured
  • Encryption not enabled
  • Public access on storage

Fix critical issues first, then re-scan.

12. "Error: AWS credentials not configured"

aws configure
# Enter your AWS Access Key ID and Secret Access Key

Getting More Help

13. Where can I get support?

Documentation:

Community Support:

Pro Support:
