CMMC Assessment Day: What Evidence to Prepare

Cubelet AI
Tags: CMMC, compliance, cybersecurity, evidence, assessment-readiness

The most common reason organizations struggle during CMMC assessments isn't missing controls — it's missing evidence. Many teams have implemented the practices but can't prove it on demand.

This guide breaks down what assessors actually ask for, organized by the evidence types that matter most, plus a 48-hour preparation plan you can follow before assessment day.

The Five Evidence Categories Assessors Care About

C3PAO assessors evaluate evidence across five categories. For each practice, they want to see at least one type of evidence, and usually several.

1. Policies and Procedures

Written documentation describing how each control is implemented in your organization.

Examples to prepare:

  • Access control policy with role-based access definitions
  • Incident response plan with escalation procedures
  • Configuration management policy with change control process
  • Media protection policy with sanitization requirements
  • System security plan (SSP) documenting the CUI boundary

Common gap: Policies exist but haven't been updated since initial creation. Assessors check revision dates and compare against your current environment.

What to do before the assessment:

  • Verify every policy has a recent revision date and an identified owner
  • Confirm the content matches your current tools, processes, and org structure
  • Ensure the SSP clearly defines the CUI boundary and in-scope systems

2. System Configurations

Technical settings that demonstrate controls are enforced by technology, not just policy.

Examples to prepare:

  • Active Directory Group Policy settings for password complexity
  • MFA enrollment reports showing coverage percentages
  • Firewall rules showing CUI boundary enforcement
  • Encryption settings on storage volumes and email
  • Endpoint protection console showing policy deployment

Common gap: Configuration screenshots from a year ago. Assessors want current-state evidence.

What to do before the assessment:

  • Take fresh screenshots from production systems during readiness prep
  • Export configuration reports where possible (e.g., GPO reports, firewall configs)
  • Label each screenshot/report with system name, date, and relevant practice ID
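As an added example (not code from the original post), the PowerShell below exports the GPO report and the effective domain password policy, names each file with system name, date and practice ID as described above, and writes a SHA-256 manifest so each artifact can be tied to a collection time and collector. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined Windows host, an output folder of C:\Evidence, and that your SSP maps password complexity to IA.L2-3.5.7; adjust the ID to your own mapping.

```powershell
# Added example: collect current-state configuration evidence with
# labelled filenames and a hash manifest. Requires the RSAT modules
# GroupPolicy and ActiveDirectory on a domain-joined host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$EvidenceRoot = 'C:\Evidence'               # assumed output folder
$Stamp        = Get-Date -Format 'yyyy-MM-dd'
$SystemName   = $env:COMPUTERNAME
$PracticeId   = 'IA.L2-3.5.7'               # assumed mapping for password complexity; confirm against your SSP
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# 1. Export every GPO as XML (machine-readable, so it can be diffed at the next cycle)
$GpoFile = Join-Path $EvidenceRoot "$SystemName-$Stamp-$PracticeId-GPOReport.xml"
Get-GPOReport -All -ReportType Xml -Path $GpoFile

# 2. Export the effective domain password policy as a small CSV
$PwdFile = Join-Path $EvidenceRoot "$SystemName-$Stamp-$PracticeId-PasswordPolicy.csv"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold |
    Export-Csv -Path $PwdFile -NoTypeInformation

# 3. Write a manifest: file hash, source system, collector, timestamp and the
#    practice ID parsed back out of each filename
$Manifest = Join-Path $EvidenceRoot "$SystemName-$Stamp-manifest.csv"
Get-ChildItem -Path $EvidenceRoot -File |
    Where-Object { $_.Name -ne (Split-Path $Manifest -Leaf) } |
    ForEach-Object {
        $id = if ($_.Name -match '-(\w+\.L\d-[\d.]+)-') { $Matches[1] } else { '' }
        [pscustomobject]@{
            File        = $_.Name
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            System      = $SystemName
            Collected   = (Get-Date).ToString('o')
            CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
            PracticeId  = $id
        }
    } | Export-Csv -Path $Manifest -NoTypeInformation
```

Re-run the script during readiness prep so the manifest date matches the assessment window; an assessor comparing the hash in the manifest with the file handed over can confirm the artifact was not altered after collection.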

3. Audit Logs and Monitoring

Records that demonstrate controls are operating and being observed.

Examples to prepare:

  • SIEM dashboard showing active monitoring of access events
  • Privileged account usage logs with review documentation
  • Failed login attempt alerts and response actions
  • Change management audit trail showing approval workflow
  • Vulnerability scan reports with remediation tracking

Common gap: Logs exist but nobody reviews them. Assessors will ask, "Show me the last time you investigated an alert" — if you can't, the control is NOT MET.

What to do before the assessment:

  • Identify at least one recent alert or event and document the investigation
  • Capture meeting notes or tickets showing periodic log review
  • Ensure log retention settings match your policy and CMMC requirements

4. Training Records

Documentation that personnel have been trained on their security responsibilities.

Examples to prepare:

  • Annual security awareness training completion records
  • Role-specific training for administrators and privileged users
  • Phishing simulation results and follow-up training
  • Incident response tabletop exercise participation records
  • New hire security orientation documentation

Common gap: Training is completed but not documented. A training platform with exportable completion reports solves this.

What to do before the assessment:

  • Export completion reports for the last 12 months (or your defined cycle)
  • Ensure role-based training is clearly identified for admins and privileged users
  • Keep sign-in sheets or attendance records for live sessions and exercises

5. Test and Exercise Results

Evidence that controls have been tested and validated.

Examples to prepare:

  • Penetration test reports with remediation status
  • Incident response exercise after-action reports
  • Business continuity / disaster recovery test results
  • Vulnerability assessment reports with trend analysis
  • Configuration compliance scan results

Common gap: Tests performed but not documented as formal exercises. An undocumented test is invisible to an assessor.

What to do before the assessment:

  • Collect final reports plus remediation plans and status tracking
  • Document scope, date, participants, and outcomes for each exercise
  • Highlight how findings were addressed and re-tested where applicable

Domain-Specific Evidence Quick Reference

Use this as a checklist to map evidence to CMMC domains.

Access Control (AC)

Prepare:

  • User access review records and sign-offs
  • Role definitions and access matrices
  • Remote access logs and approvals
  • Mobile device management (MDM) compliance reports

Identification & Authentication (IA)

Prepare:

  • MFA enrollment reports and coverage metrics
  • Password policy enforcement screenshots (e.g., GPO settings)
  • Account management procedures (creation, modification, disablement)
  • Service account and shared account management documentation

System & Communications Protection (SC)

Prepare:

  • Encryption certificates and key management procedures
  • Firewall rule sets and boundary protection configs
  • VPN settings and access control policies
  • Email and data-in-transit encryption configurations

Audit & Accountability (AU)

Prepare:

  • SIEM configuration and data source onboarding lists
  • Log retention settings and storage locations
  • Audit review meeting minutes or tickets
  • Alert response documentation and incident links

Configuration Management (CM)

CMMC Evidence Readiness Cheat Sheet

Core Problem: Most CMMC assessment failures are not from missing controls, but from missing or weak evidence. You must be able to produce proof on demand that practices are implemented and operating.

The Five Evidence Categories (and Common Gaps)

  1. Policies and Procedures
  • What it is: Written documentation describing how each control is implemented.
  • Assessor focus: Existence, scope, and current revision dates.
  • Common gap: Policies exist but are outdated or not aligned to actual practice.
  2. System Configurations
  • What it is: Technical settings showing controls are enforced by technology (screenshots, exports, config files).
  • Assessor focus: Current-state evidence from in-scope systems.
  • Common gap: Old screenshots or configs that don’t match the live environment.
  3. Audit Logs and Monitoring
  • What it is: Logs and monitoring records showing controls are operating and being reviewed.
  • Assessor focus: That logs are generated, retained, and actively reviewed.
  • Common gap: Logs exist but no proof of review or investigation. Expect: “Show me the last time you investigated an alert.”
  4. Training Records
  • What it is: Documentation that personnel completed required training (sign-in sheets, LMS reports, certificates).
  • Assessor focus: Who was trained, on what, and when.
  • Common gap: Training is done but not recorded or centrally tracked.
  5. Test and Exercise Results
  • What it is: Evidence that controls were tested (tabletops, incident response tests, backup restores, vulnerability scans, etc.).
  • Assessor focus: Formal test plans, results, findings, and remediation tracking.
  • Common gap: Activities performed informally but not documented as structured exercises.

Domain-Specific Evidence Quick Reference

Use this as a checklist when building your evidence binder or repository.

Access Control (AC)

  • User access review records (periodic entitlement reviews)
  • Role definitions and access matrices
  • Remote access logs (VPN, remote desktop, jump hosts)
  • MDM reports showing device compliance and access restrictions

Identification & Authentication (IA)

  • MFA enrollment reports (who is enrolled, enforcement status)
  • Password policy screenshots or exports from identity providers / AD
  • Account management procedures (provisioning, deprovisioning, privilege changes)

System & Communications Protection (SC)

  • Encryption certificates and key management records
  • Firewall rule sets and change history
  • VPN configuration settings and cipher suites

CMMC Assessment Day Evidence Prep – Condensed Checklist

Use this as a practical, 48-hour prep guide mapped to the five evidence categories and CMMC domains.

Core Principle

If you can’t produce it in 2 minutes, it effectively doesn’t exist for the assessment.

Organize everything so any artifact can be:

  • Located in ≤2 minutes
  • Explained in ≤2 minutes
  • Mapped to a specific practice in ≤1 minute

The Five Evidence Categories

For each practice, aim to have 2–3 types of evidence from the list below.

Ready to practice?

The CMMC Assessment Simulator covers all 110 Level 2 practices with AI-guided coaching.