Compliance

CMMC Evidence Collection: What Assessors Actually Want to See

Learn what evidence C3PAO assessors expect for each NIST 800-171 control family. Includes evidence type checklists, common rejection reasons, and organization strategies.

CMMC Command Team
Compliance Engineering
Feb 28, 2026 - 11 min read

Evidence Is Where Assessments Are Won or Lost

You can have every control implemented perfectly, but if you can't prove it, it doesn't count. C3PAO assessors score each of the 320 assessment objectives in NIST SP 800-171A (Rev. 2) as MET or NOT MET, and a practice is only MET when every one of its objectives is. Each objective therefore needs demonstrable evidence that the control is implemented and actually operating, not just described in a policy.

Evidence Types

NIST SP 800-171A defines three assessment methods. The method an assessor applies to an objective determines the form your evidence has to take:

Examine

Review of documents, records, and configurations:

  • Policies and procedures
  • System configuration settings
  • Access control lists
  • Audit logs
  • Network diagrams
  • Training records

Interview

Conversations with personnel:

  • Can they describe their security responsibilities?
  • Do they know the incident reporting process?
  • Can they explain CUI handling procedures?
  • Do they understand their role in the security program?

Test

Active verification of security controls:

  • Attempt access with revoked credentials (should fail, and the failed attempt should appear in the audit log)
  • Verify MFA is enforced (perform a login from an unenrolled device and confirm the second factor is demanded, not just offered)
  • Check that audit logs capture required events (generate a known test event, such as a failed login or a privileged command, and confirm it is recorded with the right timestamp and user)
  • Validate that encryption is active on CUI in transit (confirm the negotiated protocol version and cipher suite, not just that a padlock icon is shown)

Evidence by Control Family

Access Control (AC) — 22 Controls

What assessors want:

  • Screenshots of user access lists and permission groups
  • Role-based access control (RBAC) documentation
  • Remote access policy and VPN configuration
  • Wireless access point configurations
  • Mobile device management (MDM) policy and enrollment screenshots
  • Session timeout configuration screenshots

Common failures:

  • Generic admin accounts still active
  • No documented process for access revocation when employees leave
  • Remote access without MFA

Awareness & Training (AT) — 3 Controls

What assessors want:

  • Training completion records with dates and scores
  • Training content/curriculum documentation
  • Insider threat awareness training records
  • New hire training evidence
  • Annual refresher training evidence

Common failures:

  • No documented training for contractors/subcontractors
  • Training records missing for recently hired employees
  • No evidence of insider threat-specific training

Audit & Accountability (AU) — 9 Controls

What assessors want:

  • Audit log samples showing required events (logon/logoff, CUI file access, use of privileged functions, account and permission changes)
  • Log retention policy and evidence that logs are actually kept for the period it defines (800-171 does not set a fixed number; 90 days online with longer archival is a common baseline)
  • Log protection mechanisms (write-once or append-only storage, forwarding to a separate system, restricted access to the log store)
  • Evidence of regular log review (weekly/monthly reports, ticketed findings from review)
  • Time synchronization configuration (NTP settings on servers, endpoints, and network devices, all pointing at the same authoritative source)

Common failures:

  • Logs exist but nobody reviews them, and there is no record of reviews having happened
  • Retention shorter than the organization's own policy requires, or no retention period defined at all
  • No alerting on suspicious events (audit record review is expected to feed investigation, not just storage)

Identification & Authentication (IA) — 11 Controls

What assessors want:

  • MFA enforcement evidence for the accounts 3.5.3 covers: local and network access to privileged accounts, and network access to non-privileged accounts (enrollment screenshots plus the conditional access or policy setting that makes it mandatory)
  • Password policy configuration screenshots (complexity, length, history) matching what the written policy says
  • Account lockout settings
  • Service account inventory and justification
  • Certificate-based authentication evidence (if applicable)

Common failures:

  • MFA enforced at the VPN but not on cloud applications that hold CUI, or not enforced for privileged local logons
  • Shared or generic accounts without justification and without a named owner
  • Password settings that don't meet 3.5.7 (minimum complexity and change of characters on new passwords) or 3.5.8 (no reuse for a defined number of generations)

Incident Response (IR) — 3 Controls

What assessors want:

  • Incident response plan document
  • IR team roster with roles and contact information
  • Tabletop exercise or drill documentation (annually)
  • Incident tracking log (even if empty — shows the process exists)
  • Evidence of IR plan distribution to relevant personnel

Common failures:

  • IR plan exists but was never tested
  • No evidence of annual IR exercises
  • IR team members unaware of their roles

System & Communications Protection (SC) — 16 Controls

What assessors want:

  • Network diagrams showing CUI boundary segmentation
  • Firewall rules and configurations
  • Encryption settings for data in transit (TLS, VPN) and for data at rest, together with the CMVP certificate numbers showing the cryptographic modules are FIPS 140-validated (3.13.11 requires FIPS-validated cryptography, not just "encryption enabled")
  • DNS filtering or web proxy configuration
  • VOIP security settings (if applicable)

Common failures:

  • CUI boundary not clearly defined in network diagrams, so the assessor cannot tell which systems are in scope
  • Encryption not enabled for all CUI transmission paths, or enabled with non-FIPS-validated modules (a NOT MET on 3.13.11)
  • No network segmentation between CUI and general systems

Evidence Organization Strategy

By Control Family

Organize evidence in folders matching NIST control families:

/Evidence
  /AC - Access Control
    /3.1.1 - Authorized Access
    /3.1.2 - Transaction Types
    ...
  /AT - Awareness Training
    /3.2.1 - Security Awareness
    ...

Naming Convention

Use descriptive names with dates:

AC-3.1.1-AD-Group-Membership-Screenshot-2026-03-01.png
AU-3.3.1-SIEM-Audit-Log-Sample-2026-02-15.pdf
IR-3.6.1-Incident-Response-Plan-v2.3.pdf

Freshness Requirements

  • Screenshots and configs: Within 90 days of assessment
  • Policies: Reviewed within 12 months
  • Training records: Current year + previous year
  • Audit logs: Continuous, retained for the period your policy defines (90 days is a common minimum)
  • Vulnerability scans: Within 30 days
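A freshness check over a folder named this way is easy to script. The following is an added example written for this article, not CMMC Command's own tooling: it parses file names in the convention above, infers the evidence type from the description, applies the freshness windows listed, and also flags names whose family prefix does not match the 800-171 control number (3.1.x is AC, 3.3.x is AU, and so on). For versioned policies that carry no date in the name, like the IR plan example above, the file's last-modified date is used as the fallback. The sample file names and dates are constructed.

```python
"""Evidence freshness check (added example, not the article's or CMMC Command's code).

Expected file name shape, from the naming convention above:
  <FAMILY>-<3.x.y>-<Description>[-<YYYY-MM-DD>][-v<N.N>].<ext>
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# NIST SP 800-171 Rev 2 requirement families: control "3.N.x" -> family prefix.
FAMILY_BY_SECTION = {
    1: "AC", 2: "AT", 3: "AU", 4: "CM", 5: "IA", 6: "IR", 7: "MA",
    8: "MP", 9: "PS", 10: "PE", 11: "RA", 12: "CA", 13: "SC", 14: "SI",
}

# Freshness windows in days, per the table above (policies: 12 months).
FRESHNESS_DAYS = {"scan": 30, "screenshot": 90, "config": 90, "log": 90, "policy": 365}

# Evidence type is inferred from keywords in the description. Order matters:
# "Log-Retention-Policy" is a policy, not a log sample.
TYPE_KEYWORDS = [
    ("scan", ("scan",)),
    ("policy", ("policy", "plan", "procedure")),
    ("log", ("log",)),
    ("screenshot", ("screenshot",)),
    ("config", ("config", "configuration", "settings")),
]

FILENAME_RE = re.compile(
    r"^(?P<family>[A-Z]{2})-(?P<control>3\.(?P<section>\d{1,2})\.\d{1,2})-(?P<desc>.+?)"
    r"(?:-(?P<date>\d{4}-\d{2}-\d{2}))?(?:-v[\d.]+)?\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class Finding:
    filename: str
    issue: str  # "unparseable" | "family_mismatch" | "unknown_type" | "stale"
    detail: str


def classify(description: str) -> str | None:
    """Map a description segment to an evidence type, or None if no keyword matches."""
    lowered = description.lower()
    for evidence_type, keywords in TYPE_KEYWORDS:
        if any(k in lowered for k in keywords):
            return evidence_type
    return None


def check_evidence(records: Iterable[tuple[str, date]], today: date) -> list[Finding]:
    """records: (file name, last-modified date). A date in the file name wins;
    the modified date is only the fallback for versioned documents without one."""
    findings: list[Finding] = []
    for filename, modified in records:
        m = FILENAME_RE.match(filename)
        if not m:
            findings.append(Finding(filename, "unparseable",
                                    "name does not follow FAMILY-3.x.y-Description-YYYY-MM-DD.ext"))
            continue
        expected = FAMILY_BY_SECTION.get(int(m["section"]))
        if expected != m["family"]:
            findings.append(Finding(filename, "family_mismatch",
                                    f"control {m['control']} belongs to {expected or 'no known family'}, "
                                    f"file is labelled {m['family']}"))
        evidence_type = classify(m["desc"])
        if evidence_type is None:
            findings.append(Finding(filename, "unknown_type",
                                    "cannot infer evidence type from description"))
            continue
        captured = date.fromisoformat(m["date"]) if m["date"] else modified
        age = (today - captured).days
        limit = FRESHNESS_DAYS[evidence_type]
        if age > limit:
            findings.append(Finding(filename, "stale",
                                    f"{evidence_type} evidence is {age} days old; limit is {limit}"))
    return findings


# Constructed sample inventory: (file name, last-modified date). Not real evidence.
SAMPLE_RECORDS = [
    ("AC-3.1.1-AD-Group-Membership-Screenshot-2026-03-01.png", date(2026, 3, 1)),
    ("AU-3.3.1-SIEM-Audit-Log-Sample-2026-02-15.pdf", date(2026, 2, 15)),
    ("IR-3.6.1-Incident-Response-Plan-v2.3.pdf", date(2025, 1, 20)),          # undated, 14 months old
    ("RA-3.11.2-Vulnerability-Scan-Report-2026-01-05.pdf", date(2026, 1, 5)),  # scan older than 30 days
    ("AC-3.3.2-Log-Retention-Policy-v1.0.pdf", date(2025, 11, 1)),             # 3.3.x is AU, not AC
    ("firewall rules final FINAL.xlsx", date(2026, 2, 1)),                     # no usable name
]
SAMPLE_TODAY = date(2026, 3, 10)


def run_sample() -> list[Finding]:
    """Run the check over the constructed inventory with a fixed assessment date."""
    return check_evidence(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.issue:16} {f.filename}: {f.detail}")
```

Run against a real vault by walking the /Evidence tree with pathlib and feeding each file's name and modification date in as a record; the family-mismatch check is what catches a screenshot filed under the wrong control, which is the kind of thing an assessor notices before you do.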

Using an Evidence Vault

A centralized evidence vault (like CMMC Command's) provides:

  • Expiration tracking: Know when evidence needs refreshing
  • Control mapping: Evidence linked directly to controls
  • CUI scanning: Ensure evidence files don't contain actual CUI
  • Audit trail: Track who uploaded what and when
  • Quick retrieval: Find any evidence in seconds during assessment

The Golden Rule

If it's not documented, it didn't happen. Assessors can only evaluate what they can see. Every control implementation should be backed by at least one piece of evidence that proves it's operational.

Build your evidence vault — centralized evidence management with expiration tracking and CUI scanning.

Tags: Evidence, C3PAO, NIST 800-171A, Assessment, Documentation
