Why Artifact Integrity Matters

C3PAOs are charged with verifying that a contractor's security practices are real, current, and accurate. A policy document, a screenshot, a system-generated log, or a configuration export that has been altered after collection, whether accidentally or intentionally, is worthless as evidence. Within the CIA triad that underpins NIST SP 800-171 and CMMC 2.0, confidentiality protections for CUI receive the most attention during preparation, but integrity is the pillar that verifies all the other controls are working as documented. Without it, no artifact can be trusted.

A cryptographic hash function takes any input file and produces a fixed-length string called a digest. If even a single bit of the file changes after the hash was generated, the resulting digest is completely different. This avalanche effect is the core integrity property: there is no partial match. SHA-256 produces a 64-character hexadecimal digest that serves as an unforgeable seal on each piece of evidence.

Algorithm Selection Is Policy, Not Preference

Algorithm Digest Length Status DoD Acceptable
MD5 128-bit (32 hex) Cryptographically broken No
SHA-1 160-bit (40 hex) Deprecated (NIST 2011) No
SHA-256 256-bit (64 hex) FIPS 180-4 approved Yes
SHA-3 / SHA-512 256-bit / 512-bit Approved Yes

MD5 has had practical collisions demonstrated since 2004. SHA-1 was deprecated by NIST in 2011, and the SHAttered collision attack was published in 2017. NIST SP 800-131A Rev. 2 prohibits SHA-1 for generating digital signatures and hash-only applications. FIPS 140-2 and FIPS 140-3 approve the SHA-2 family for integrity verification. A C3PAO reviewer encountering an MD5-based hash manifest will flag it as a deficiency, potentially triggering additional scrutiny of the entire control implementation.

The Artifact Lifecycle

Phase 1
Collection
Generate the hash at the moment of artifact creation, before any other handling. Hash first, then file. Run the hash command in the same session that exports the file. Never open, move, or rename a file before hashing.
Phase 2
Storage
Store manifests in the same access-controlled repository as the artifacts. Restrict write access to the designated evidence custodian. Use write-once or append-only storage where possible. Retain for six years per 32 CFR § 170.17(c)(4).
Phase 3
Presentation
Deliver the artifact files, the Artifact Hash List, and the Master Hash (a SHA-256 digest of the manifest itself). The Master Hash enters the Hash Value field in the CMMC instantiation of eMASS.

The Hash Manifest

A properly structured hash manifest is the bridge between internal evidence management and the C3PAO's verification workflow. It must include the following fields for each artifact:

FieldDescription
Artifact IDUnique identifier using a consistent scheme (e.g., CMMC-AC-001)
FilenameExact filename including extension, as it exists in the repository
CMMC ControlThe practice(s) this artifact supports (e.g., SI.L2-3.14.2)
Collection TimestampDate and time in ISO 8601 format, UTC (e.g., 2025-03-14T14:32:00Z)
Hash AlgorithmAlways SHA-256. Document explicitly so reviewers do not have to guess.
SHA-256 DigestThe full 64-character hexadecimal string
Collected ByName and role of the individual who collected the artifact and generated the hash
Verified ByName and role of the second reviewer who independently verified (if applicable)

The Master Hash, a single SHA-256 digest of the entire manifest file, is the value the C3PAO enters into the Hash Value field in eMASS under 32 CFR § 170.17(c)(4). This creates a cryptographically verifiable chain from individual artifacts up to the final eMASS record.

Native OS Tooling

# Windows PowerShell
Get-FileHash .\policy_v3.pdf -Algorithm SHA256

# Batch hashing to CSV
Get-FileHash .\Evidence\* -Algorithm SHA256 | Export-Csv .\manifest.csv -NoTypeInformation

# Linux
sha256sum evidence_file.log
sha256sum /evidence/* > manifest.sha256

# Verify a manifest (Linux)
sha256sum --check manifest.sha256

Every Windows, macOS, and Linux system ships with native hashing capability. These tools require no additional software, create no vendor dependencies, and produce universally verifiable output. Your team should be able to hash a file, record the digest, and verify it later using nothing more than the operating system already on their workstation.

The GRC Platform Gap

Many GRC platforms offer automated hashing, but none of the major CMMC-focused platforms have publicly addressed what security professionals call the collection-to-hash gap, formally known as a Time of Check to Time of Use (TOCTOU) condition. The gap exists between when a file leaves its source system and when the GRC platform computes its digest. During that window, the file passes through a user's local machine before being uploaded. Any modification in that window goes undetected by the platform.

If an organization cannot explain what SHA-256 is, cannot demonstrate how to run Get-FileHash or sha256sum, and has no independently maintained hash manifest outside their GRC platform, they have a gap in their evidence-integrity posture regardless of how polished their platform exports look. GRC platforms are an efficiency layer on top of manual hashing capability. They are not a replacement for it.

Control Mapping

Control How Hashing Supports It
SI.L2-3.14.1 Hashing verifies that system-generated flaw reports and scan outputs have not been modified between collection and review.
SI.L2-3.14.2 Hash manifests for antimalware configuration exports and scan logs demonstrate that protection records are authentic and unmodified.
CM.L2-3.4.1 Hashing baseline configuration files creates a cryptographic record at a specific point in time. Drift detection is enabled by comparing current hashes against the baseline.
CM.L2-3.4.3 Change management artifacts should each be hashed to prove the change record is complete and unmodified.
AU.L2-3.3.1 Exported audit log files hashed at export prove to a reviewer that log contents have not been selectively edited.
AU.L2-3.3.2 Hash verification of audit logs supports non-repudiation of user actions. A hash mismatch breaks the chain of accountability.
MP.L2-3.8.6 When CUI-containing artifacts are transmitted to a reviewer, hashing provides end-to-end integrity verification.
SC.L2-3.13.10 Documentation of approved algorithm lists specifying SHA-256 supports cryptographic key management compliance. The hash manifest demonstrates operational use of approved mechanisms.

Download the Full White Paper

Includes the complete technical standards analysis, the nine-step evidence repository workflow, PowerShell and terminal command reference, GRC platform TOCTOU analysis, hash manifest template specifications, SSP documentation language, and the compliance readiness checklist.

Download PDF →
Related

The CMMC Decision, Second Edition

Chapter 8 ("Assessment Day") addresses the evidence presentation process during formal C3PAO Assessment Certification. Chapter 9 ("Your SPRS Score") covers the attestation risk when documented evidence does not match reported compliance posture.

Free Download →