If you’re getting ready for a CMMC assessment, the hard part usually isn’t turning on MFA or writing a policy. It’s proving, with CMMC assessment evidence, that what you say you do is real, repeatable, and happening inside the scoped environment.
That’s the core job of a C3PAO assessor: confirm your controls by examining artifacts, interviewing people, and testing systems. If you’re a small business IT lead running Microsoft 365, cloud apps, and a lean help desk, this can feel like an audit tornado unless you prepare.
In this post, I’ll show clear examples of what to gather before the assessment so it moves faster and feels less stressful, especially in a Microsoft 365 and cloud-first setup.

How CMMC assessors judge proof: examine, interview, and test (and what counts as evidence)

I think about a CMMC assessment like a home inspection. You can tell the inspector the roof is new, but they’ll still look, ask questions, and climb up to verify. CMMC works the same way.
Examine means the assessor reviews things you can hand over or display: policies, diagrams, the SSP, tickets, exports, reports, and settings. Interview means they talk to the people doing the work, not just leadership. Test means they verify controls in action, often live, in the tools you actually use.
Here’s the catch: screenshots alone usually aren’t enough. A screenshot is a moment in time. Assessors want evidence that your process is consistent across tools, settings, tickets, and user behavior. If your policy says “access requires approval,” but you can’t show approval tickets for multiple users, the story falls apart.
A practical way to prep is to build “evidence packets” per control area. Each packet should include:
- A short document that defines the rule (policy, procedure, or standard)
- A record that shows you follow it (tickets, reports, logs, training completion)
- A live demo plan (what admin page, what query, what report you’ll pull)
For more context on what assessors consider objective evidence, I like the official DoD CMMC Assessment Guide Level 2 (v2.13) as a reality check, and this practical write-up on building an evidence trail: how to build an evidence trail that streamlines CMMC certification.
Examine: documents and artifacts that show the work is defined and repeatable
When I’m building “examine” evidence, I focus on artifacts that show scope, rules, and repeatability:
Common items assessors expect to examine include:
- Your SSP
- Network and boundary diagrams
- Asset inventory and data inventory (where CUI lives)
- CUI marking and handling rules
- Configuration standards and change control records
- Risk assessments
- Vendor contracts, including flowdown clauses
- Sample tickets (onboarding, offboarding, access requests, incidents, changes)
I keep the vocabulary simple:
- Policy: the rule and why it exists.
- Procedure: how my team follows the rule, step-by-step.
- Standard: the exact settings we choose (for example, MFA required for admins).
- Record: proof it happened (ticket, log entry, report, meeting notes).
Quick tip that saves time: keep evidence dated, versioned, and tied to the scope (system name, tenant, enclave). Unlabeled evidence becomes a guessing game, and guessing slows everything down.
Interview and test: what assessors ask people to do, and what they verify live
Interviews often include admins, help desk, HR, a regular user, and leadership. The questions are usually plain: How is access approved? How do leavers get removed? How do users report incidents? How is CUI shared with subs?
Testing is where a lot of teams get surprised. An assessor might ask me to log into Microsoft 365 admin portals to verify MFA coverage, show conditional access, confirm encryption, review audit log settings, pull a sample of onboarding and offboarding tickets, and prove backups can restore. They may also validate vulnerability scan cadence and ask how alerts are handled in real life.
Assessors often sample evidence. That means one perfect ticket isn’t enough. I make sure the process works across multiple users and systems, because consistency is what “repeatable” looks like.
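The live portal checks described above go faster when the same data has already been exported into a labelled packet, so the demo is a matter of opening the admin page and matching it to a file. The script below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK with read-only scopes to export per-user MFA registration state (including the admin flag), the conditional access policy list, and current directory role membership, then writes a manifest that dates the packet and ties it to the scoped system. `$ScopeName`, `$PacketRoot` and the output file names are assumptions to adjust to your SSP; the cmdlets and permission scopes are the SDK's own.

```powershell
# Added example (not from the original post): collect "test"-phase evidence from a
# Microsoft 365 tenant into a dated, scope-labelled evidence packet.
# Requires the Microsoft.Graph PowerShell SDK and an account with read-only directory rights.
param(
    [string]$ScopeName  = "CUI-Enclave-M365",   # assumed: system/enclave name from the SSP
    [string]$PacketRoot = ".\evidence-packets"  # assumed: where packets are stored
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

# Read-only scopes only; evidence collection never needs write permission.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$stamp  = Get-Date -Format "yyyy-MM-dd"
$packet = Join-Path $PacketRoot "$ScopeName-$stamp"
New-Item -ItemType Directory -Path $packet -Force | Out-Null

# 1. Identification and Authentication / MFA proof: per-user registration state.
#    IsAdmin lets admin coverage be shown on its own line during the demo.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$reg | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
       @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path (Join-Path $packet "IA-mfa-registration.csv") -NoTypeInformation

$adminsWithoutMfa = @($reg | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered })

# 2. Access Control: conditional access policies; State distinguishes enabled from report-only.
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime |
    Export-Csv -Path (Join-Path $packet "AC-conditional-access.csv") -NoTypeInformation

# 3. Privileged reviews: current membership of every activated directory role.
$roleRows = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] } else { $props['displayName'] }
            Type   = $props['@odata.type']
        }
    }
}
$roleRows | Export-Csv -Path (Join-Path $packet "AC-privileged-membership.csv") -NoTypeInformation

# 4. Label the packet: dated, versioned and tied to scope, so nobody has to guess
#    which tenant or enclave an export came from.
$ctx = Get-MgContext
[pscustomobject]@{
    Scope            = $ScopeName
    Tenant           = $ctx.TenantId
    CollectedBy      = $ctx.Account
    Collected        = (Get-Date).ToString("o")
    Version          = 1   # bump when the packet is re-collected for the same period
    Files            = (Get-ChildItem -Path $packet -File).Name
    AdminsWithoutMfa = $adminsWithoutMfa.UserPrincipalName
} | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $packet "manifest.json")

Write-Host "Packet written to $packet; admins without MFA registered: $($adminsWithoutMfa.Count)"
Disconnect-MgGraph | Out-Null
```

Run it once per scoped tenant before the assessment and again on the first assessment day; the two manifests side by side show the state is stable, not a moment in time. The `AdminsWithoutMfa` list in the manifest is the item to clear before the assessor sees it, since that is the kind of outcome-based basic that does not belong in a POA&M.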
What evidence changes by CMMC level: Level 1 vs Level 2 (and when Level 3 matters)

The level drives the depth of proof. Level 1 is basic cyber hygiene and the evidence is usually direct. Level 2 is where the assessment gets more detailed and the evidence needs to connect people, process, and tech. Level 2 also maps to the 110 requirements in NIST SP 800-171, so your artifacts need to show broad coverage, not a few strong settings.
(Level 3 matters for a smaller set of higher-risk environments and is typically government-led. For most small contractors handling CUI, the real work is Level 2.)
Level 1 evidence: basic cyber hygiene that I can show quickly
For Level 1, I focus on quick proof from the tools I already run: user lists and roles, MFA enabled for email and admin access, device inventory, anti-malware status, patching proof, backups, and basic incident reporting steps.
In practice, that means exporting reports from Microsoft 365 admin centers and endpoint tools, then pairing those reports with a few tickets. A policy by itself is weak; a policy plus portal proof plus a real ticket is strong.
Level 2 evidence: scoped, documented, and proven across people, process, and tech
Level 2 raises the bar. I need an SSP that matches reality, a clear boundary, and a CUI flow story that makes sense. I also need operational records: access approval workflow, log retention and review proof, vulnerability management cadence, incident response plan plus tabletop notes, training records, supplier management evidence, and configuration baselines.
POA&Ms can come up at Level 2, but I treat them carefully. I use a POA&M to track gaps with owners and dates, and I confirm what’s allowed for the contract and assessment type before I assume anything can wait.
Evidence checklist by NIST SP 800-171 family: what I should have ready (with a quick table)

I keep my evidence binder organized by scope first, then by control families. If scope is fuzzy, everything else turns into rework.
For plain-English background on the standard itself, this overview of NIST SP 800-171 and Controlled Unclassified Information can help non-security leaders understand why the evidence is so detailed.
Scoping evidence first: asset inventory, CUI flows, and boundary diagrams
Scope drives everything. I prepare an inventory of users, endpoints, servers, network gear, cloud services, and shared mailboxes in scope. I also document where CUI lives (SharePoint sites, Teams, OneDrive, line-of-business apps), plus a simple CUI data flow map and an enclave or boundary diagram that shows external connections.
When scope and evidence don’t match, assessments slow down. The assessor can’t verify what they can’t clearly see.
Common control families and the evidence assessors look for
Here’s what I typically stage for each family:
- Access Control: account lists, role groups, approvals, offboarding tickets, least privilege reviews.
- Awareness and Training: training logs, signed acknowledgments, phishing results if used.
- Audit and Accountability: log sources, retention settings, sample alerts, log review notes.
- Configuration Management: baselines, secure settings, change tickets, exception approvals.
- Identification and Authentication: SSO and MFA coverage, password rules, lockout settings.
- Incident Response: plan, contact list, tabletop notes, incident tickets and lessons learned.
- Maintenance: remote support approvals, session logs, vendor access controls.
- Media Protection: USB controls, wipe or disposal records, encryption proof for portable media.
- Physical Protection: server room list, badge access, visitor logs if applicable.
- Risk and Security Assessment: risk register, scan results, remediation tickets and retests.
- System and Communications Protection: encryption, firewall rules, email security settings.
- System and Information Integrity: patch reports, EDR status, vuln scans and remediation.
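A binder staged by family is easier to check mechanically than by eye: does every family have examine, interview and test evidence, is every artifact dated, versioned and scoped, and are there enough tickets to survive sampling? The script below is an added example, not the post's own tooling; it runs the three checks over a manifest where each row is one artifact. The rows are constructed sample data, the `Method` vocabulary and the `$minSample` floor of three tickets are assumptions, and a real binder would import its manifest from a CSV instead.

```powershell
# Added example (not from the original post): pre-assessment checks on an evidence binder manifest.
# Each row is one artifact tagged with its control family, the assessment method it supports
# (Examine, Interview, Test) and the date/version/scope labels the post recommends.
# The rows below are constructed sample data.
$manifest = @'
Family,Artifact,Method,Date,Version,Scope
Access Control,Access control policy v3,Examine,2024-05-01,3,CUI-Enclave-M365
Access Control,Access request ticket HD-1042,Examine,2024-05-14,1,CUI-Enclave-M365
Access Control,Access request ticket HD-1107,Examine,2024-06-02,1,CUI-Enclave-M365
Access Control,Help desk interview: access approval,Interview,2024-06-10,1,CUI-Enclave-M365
Access Control,Live demo: conditional access policies,Test,2024-06-10,1,CUI-Enclave-M365
Audit and Accountability,Log retention screenshot,Examine,,1,
Audit and Accountability,Admin interview: weekly log review,Interview,2024-06-10,1,CUI-Enclave-M365
Incident Response,IR plan v2,Examine,2024-03-20,2,CUI-Enclave-M365
'@ | ConvertFrom-Csv

$methods   = 'Examine', 'Interview', 'Test'
$minSample = 3   # assumed sampling floor: show the process working for several users, not one

$findings = New-Object System.Collections.Generic.List[string]

# Check 1: unlabeled evidence. Anything missing a date, version or scope tag is a guessing game.
foreach ($row in $manifest) {
    foreach ($label in 'Date', 'Version', 'Scope') {
        if ([string]::IsNullOrWhiteSpace($row.$label)) {
            $findings.Add("UNLABELED   [$($row.Family)] '$($row.Artifact)' has no $label")
        }
    }
}

foreach ($group in $manifest | Group-Object -Property Family) {
    # Check 2: coverage. Each family needs evidence for all three assessment methods.
    $have = $group.Group.Method | Sort-Object -Unique
    foreach ($m in $methods) {
        if ($m -notin $have) {
            $findings.Add("GAP         [$($group.Name)] no $m evidence staged")
        }
    }
    # Check 3: sampling. One perfect ticket is not a repeatable process.
    $tickets = @($group.Group | Where-Object { $_.Artifact -match 'ticket' })
    if ($tickets.Count -gt 0 -and $tickets.Count -lt $minSample) {
        $findings.Add("THIN SAMPLE [$($group.Name)] only $($tickets.Count) ticket(s); stage at least $minSample")
    }
}

if ($findings.Count -eq 0) { Write-Output "Binder passes all three checks." }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Against the sample rows this reports the log retention screenshot as missing its date and scope, no Test evidence for Audit and Accountability, no Interview or Test evidence for Incident Response, and only two access tickets where three were expected. Each line maps directly to something to fix before the assessor finds it by sampling.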
POA&Ms: what I can track as a gap, and what usually can’t wait
A POA&M is a written list of gaps with an owner and target dates. It’s useful when the control intent is understood and the fix is in motion.
In my experience, items that usually can’t wait are outcome-based basics like MFA enabled where required, logging turned on and retained, access removed for leavers, and backups that actually restore. I always confirm current DoD rules and assessor guidance for what can be planned versus what must be met at assessment time. One more tip: don’t put missing scope work into a POA&M. Fix scope first.
Quick checklist table: the most requested CMMC assessment evidence artifacts
| Area | Common evidence to show |
|---|---|
| SSP | Current SSP that matches your actual cloud and network setup |
| Asset inventory | Users, endpoints, servers, cloud services, shared mailboxes |
| Boundary diagram | In-scope systems and external connections |
| CUI flow diagram | Where CUI enters, lives, moves, and exits |
| Access approvals | Access request tickets and approval records |
| MFA proof | Tenant settings, conditional access, admin MFA coverage |
| Privileged reviews | Admin group membership review notes and actions |
| Onboarding/offboarding | Joiner and leaver tickets showing timing and steps |
| Secure baselines | Config standards plus exports or screenshots of settings |
| Patch and vuln | Patch reports, scan results, remediation tickets, retest proof |
| EDR status | Coverage report and policy settings for endpoints |
| Logging | Log sources list, retention settings, and sample events |
| Log review | Review schedule and evidence of review (notes, tickets) |
| Backup and restore | Backup status plus a restore test record |
| IR and training | IR plan, tabletop notes, training completion logs |
Conclusion
CMMC assessors don’t want perfect paperwork. They want CMMC assessment evidence that your controls work in the real world, with people following the process and systems enforcing the rules.
When I prep clients, I build an evidence binder aligned to scope, then I map every artifact to examine, interview, and test. That approach cuts last-minute scrambling and keeps the assessment days focused.
If you want help scoping your CUI environment, building an SSP that matches Microsoft 365 reality, and collecting evidence that a C3PAO can verify quickly, I can help you get it done with less stress and fewer surprises.
