Evidence Adequacy, Sufficiency, and Characteristics
Assessment Methods
Assessment Objects
CMMC L2 Practices
Assessing CMMC L2 Practices
100

This term refers to the body of data or “proof” collected during a CMMC assessment—artifacts, interview responses, or test results—that must be directly applicable to the specific practice, process, or control under evaluation, so the team can determine whether objectives are met.

What is evidence?

100

This assessment method involves holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.

What is the interview method?

100

These fundamental components of an information system assessment encompass various forms, from foundational written guidelines to specialized protective measures, active operational tasks involving human input, and the very individuals executing these functions, all serving as the direct focal points of an evaluation process.

What are Assessment Objects?

100

This specific CMMC Level 2 requirement mandates that an organization employ documented policies, implemented technical safeguards, and demonstrable practices to ensure that only explicitly approved human users, processes running with authorized privileges, and approved devices (including interconnected systems) can gain access to any part of the information system, thereby preventing unauthorized entities from entering or interacting with system resources.

What is AC.L2-3.1.1?

100

Assessors must determine if:

[a] user functionality is identified;

[b] system management functionality is identified; and

[c] user functionality is separated from system management functionality.

Together these ensure that general users are not permitted to perform system administration functions, and that system administrators only perform system administration functions from their privileged account.

What are the assessment objectives for SC.L2-3.13.3 whose implementation assessors must determine?

200

This criterion asks whether a submitted artifact, interview response, or test demonstration effectively meets the intent of a specific CMMC practice by verifying that it is the appropriate form of proof needed to confirm that practice is performed, ensuring the assessment team has the right evidence before scoring the practice as MET.

What is adequacy of evidence?

200

Per NIST SP 800-171A, this consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment.

What is an Assessment Procedure?

200

Comprising a specific type of assessment object, these artifacts include official, finalized document-based evidence such as organizational policies, detailed procedures, system security plans, and architectural schematics, all of which are thoroughly reviewed to ascertain compliance with established security requirements.

What are Specifications?

200

This CMMC Level 2 practice requires that OSCs and OSAs employ the principle of least privilege, including for specific security functions and privileged accounts.

What is AC.L2-3.1.5?

200

To prove that an organization’s cryptographic safeguards for CUI meet the CMMC requirement, assessors look for evidence showing the use of NIST-validated modules (not just approved algorithms), proper system configuration, recent cryptographic module validation certificates from NIST CMVP, active enforcement logs, and personnel confirmations.

What constitutes sufficient, adequate, current, and relevant evidence for SC.L2-3.13.11 FIPS-validated cryptography compliance?

300

This concept evaluates whether a presented artifact, interview response, or test demonstration provides the assessment team with enough of the “right data,” covering all in-scope systems, processes, and personnel, so that the team can confidently verify comprehensive implementation of the practice across the defined CMMC scope.

What is sufficiency of evidence?

300

According to the CMMC Assessment Guide – Level 2, these standardized approaches defined in NIST SP 800-171A define the nature and extent of the assessor’s actions necessary to gather objective evidence and verify the implementation of security requirements during compliance evaluations.

What are assessment methods (examine, test, interview)?

300

This collaborative tool is developed jointly between the Assessment Team and the OSC to map CMMC practice requirements to related policies, plans, procedures, and configuration items using a many-to-many relationship comparison. It assists in determining the completeness of relationships by correlating two sources, ensures that evidence presented by the OSC is properly mapped to Assessment Objectives, and establishes mutual understanding of collected evidence.

What is a Document Traceability Matrix?

300

This practice mandates contractors to perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

What is SI.L2-3.14.5?

300

When assessing an organization's adherence to the SI.L2-3.14.4 practice, which mandates the timely updating of malicious code protection mechanisms, using the Examine assessment method through a review of system audit logs, this type of log data demonstrates that antivirus or endpoint protection mechanisms are updated according to vendor-recommended timelines.

What are log entries showing recent malicious code protection signature or definition updates?

400

These three criteria must be satisfied by all accepted evidence in a CMMC assessment to ensure that each artifact, interview response, or test: (1) is directly relevant to the domain or practice being evaluated, (2) fully satisfies the practice’s objectives, and (3) completely reflects actual performance of the control or process.

What are relevance, objective satisfaction, and full representation?

400

This assessment method involves exercising activities or mechanisms under defined conditions in order to observe whether actual outcomes align with expected behavior, helping to verify the implementation of security practices.

What is the test method?

400

Representing another distinct type of assessment object, these involve the execution of protection-oriented tasks where human interaction is central, such as conducting regular system backups, practicing a contingency plan, or actively observing network traffic for anomalies, all of which are examined for effective security implementation.

What are Activities?

400

Fully implementing this practice requires establishing and maintaining baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

What is CM.L2-3.4.1?

400

This NIST SP 800-171 physical security control requires organizations to demonstrate through multiple forms of evidence that unauthorized individuals cannot move unaccompanied through areas containing CUI. Sufficient evidence includes CCTV footage showing consistent accompaniment by authorized personnel, physical access control logs documenting entry and exit times, visitor badge issuance records, and interviews with security personnel to verify policy enforcement and monitoring procedures.

What evidence is sufficient to meet PE.L2-3.10.3?

500

The process by which assessors analyze and categorize collected evidence to determine its adequacy, relevance, currency, and sufficiency in supporting assessment findings and determining level of implementation of an assessment objective.

What is characterization of evidence?

500

This refers to the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities) aiming to facilitate understanding, achieve clarification, or obtain evidence.

What is Examine Method?

500

This essential assessment document enables the Lead Assessor to identify OSC roles and responsibilities while providing a comprehensive list of all personnel who play a role in the procedures within scope. During the CMMC assessment process, this document becomes critical for ensuring that interview affirmations are obtained from the correct individuals, specifically those who actually implement, perform, or support the cybersecurity practices being evaluated.

What is an Organizational Chart?

500

This CMMC L2 practice mandates that OSCs develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

What is CA.L2-3.12.4?

500

To definitively determine if an organization has successfully implemented the requirement for protecting CUI on system media, an assessor would systematically examine an OSC's sanitization policies, verified disposal records, and relevant audit logs, alongside interviewing personnel accountable for media handling, and potentially performing tests on the operational processes or technical mechanisms used to thoroughly sanitize or destroy both digital and non-digital media prior to its disposal or release for reuse.

What is MP.L2-3.8.3 – Media Disposal?