
What Evidence is Needed for a CMMC Level 2 Assessment?

Matthew Locke (Co-Founder & CTO)


Key Takeaways

  • Evidence for CMMC Level 2 means more than just having documented policies; it requires concrete proof that controls are implemented, monitored, and reviewed regularly.

  • Assessors expect a mix of documentary, demonstrative, and operational evidence including policies, system screenshots, logs, training records, and periodic review documentation.

  • Efficient evidence management using structured organization and SaaS tools can simplify compliance and make passing assessments more achievable.


Introduction

Preparing for a Cybersecurity Maturity Model Certification (CMMC) Level 2 assessment often hits a major roadblock: understanding what constitutes acceptable evidence. Many contractors mistakenly believe that merely having written policies is enough. However, evidence in the CMMC context is proof that you not only have policies and procedures but actively implement, monitor, and periodically review them.

Without credible evidence, assessors cannot verify your compliance, no matter how diligent your security efforts. This article unpacks exactly what evidence assessors look for, the types of proof required, examples of strong versus weak supporting materials, and practical tips to organize and manage evidence efficiently.

To better understand how these evidence requirements tie into your overall CMMC compliance journey and contract readiness, consider exploring our detailed guide on When Is CMMC Required for DoD Contracts? Timeline & Key Requirements Explained. It provides essential context on certification timing and compliance level expectations.


What Does “Evidence” Actually Mean in a CMMC Level 2 Assessment?

According to the official CMMC rule under 32 CFR Part 170, evidence is known as objective evidence—reliable, verifiable information used to validate whether each of the 110 NIST SP 800-171 controls has been effectively implemented.

Key Terms to Understand

  • Objective Evidence: Concrete, verifiable information such as records, system outputs, or observed practices that prove a requirement is met.

  • Documentary Evidence: Written policies, plans, procedures, and reports.

  • Demonstrative Evidence: Screenshots, live demos, or system queries showing controls are in place and functioning correctly.

Assessors rely on a combination of these evidence types to gain confidence that your security controls are real, consistently applied, and repeatable over time.

For deeper insights into effective evidence gathering and audit readiness, you may also find valuable information in our post on Mastering Audit and Accountability in CMMC: Essential Practices for Compliance.


Why Policies Alone Are Not Enough

While documented policies are foundational, assessors want to see the whole story:

  • Are policies followed in day-to-day operations?

  • Can you prove your security processes actually work in practice?

  • Do you maintain a history of periodic reviews and updates?

For example, consider a password policy:

  • A written password policy is documentary evidence.

  • A system screenshot showing enforced password complexity settings is demonstrative evidence.

  • System logs documenting password changes over time provide operational evidence.

Only by combining these elements can you fully demonstrate effective control implementation.


Types of Evidence Assessors Expect to See

Assessors are skilled at matching evidence to the purpose behind each control. The common categories include:

1. Policies and Procedures

  • Comprehensive documented policies aligned to NIST SP 800-171 requirements.

  • Step-by-step procedures illustrating how policies are carried out daily.

Example: An access control policy accompanied by a Standard Operating Procedure (SOP) outlining how users are provisioned and deprovisioned.

2. System Configurations and Screenshots

  • Proof that security settings are technically enforced on systems.

  • Screenshots of Group Policies, firewall configurations, or endpoint protection dashboards.

Strong Example: A timestamped screenshot confirming Multi-Factor Authentication (MFA) is enabled and enforced.

Weak Example: A simple Word document stating “We use MFA” without further proof.

3. Logs, Audit Trails, and Monitoring Reports

  • Security Information and Event Management (SIEM) exports showing security events and system activity.

  • Audit logs capturing user access, administrative changes, or patching activities.

  • Proof that logs are regularly reviewed by security personnel.

Tip: Provide representative samples instead of overwhelming assessors with massive raw log dumps.

4. Training Records and Awareness Proof

  • Sign-in sheets or Learning Management System (LMS) reports confirming user security training completion.

  • Phishing simulation results and records of remedial training if needed.

5. Evidence of Periodic Reviews

  • Minutes from change control or security review meetings.

  • Risk assessment documentation.

  • Periodic updates to the System Security Plan (SSP) and Plan of Actions & Milestones (POA&M).


The Importance of Periodic Reviews

Many Level 2 controls explicitly require ongoing or periodic validation procedures. Assessors will want dated proof to confirm these activities happen as scheduled.

Controls Commonly Requiring Periodic Reviews Include:

Control ID   Description
3.1.7        Review and update privileged access accounts regularly
3.1.20       Identify and disable inactive user accounts
3.3.1        Conduct periodic reviews of audit and security logs
3.12.1       Perform regular security control assessments
3.12.3       Monitor and review security incidents continuously
3.12.4       Update SSP documents on a scheduled basis
3.13.11      Manage and verify cryptographic module integrity

Examples of Acceptable Evidence:

  • Meeting notes documenting quarterly privileged account reviews.

  • Signed checklists confirming log reviews completed with dates.

  • An SSP with an update history indicating revisions every 12 months.


Using Hashing and Chain of Custody to Strengthen Evidence Integrity

Though not formally required by 32 CFR Part 170, many organizations follow emerging best practice by applying cryptographic hashing (e.g., SHA-256) to evidence files. This approach:

  • Assures evidence has not been altered or tampered with.

  • Supports chain of custody when multiple contributors handle evidence.

  • Builds assessor confidence in your digital evidence repository's integrity.

Maintaining a manifest file with evidence filenames, hashes, and timestamps is a simple but powerful integrity measure.
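As an added example (not code from the article or from any product it mentions), the script below builds such a manifest for the article's sample Access_Control folder, then verifies it and reports which files were altered or lost after hashing. The manifest line format, the MANIFEST.sha256 file name, and the placeholder file contents are assumptions.

```python
"""Added example, not from the article: build and verify a SHA-256 evidence manifest.
Manifest line format (an assumption): <sha256 hex>  <UTC timestamp>  <relative path>"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file so large log exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, manifest_name="MANIFEST.sha256"):
    """Hash every evidence file under root and write the manifest beside them."""
    root = Path(root)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    lines = []
    for p in sorted(x for x in root.rglob("*") if x.is_file() and x.name != manifest_name):
        lines.append(f"{sha256_file(p)}  {stamp}  {p.relative_to(root).as_posix()}")
    (root / manifest_name).write_text("".join(l + "\n" for l in lines))
    return lines

def verify_manifest(root, manifest_name="MANIFEST.sha256"):
    """Return {relative path: 'ok' | 'modified' | 'missing'} for every manifest record."""
    root = Path(root)
    results = {}
    for line in (root / manifest_name).read_text().splitlines():
        digest, _stamp, rel = line.split("  ", 2)
        target = root / rel
        if not target.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha256_file(target) == digest else "modified"
    return results

def demo():
    """Constructed repository using the article's folder layout; then alter one file and delete another."""
    ac = Path(tempfile.mkdtemp()) / "Access_Control"
    ac.mkdir()
    for name in ("3.1.1_Policy.pdf", "3.1.1_User_Provisioning_SOP.docx",
                 "3.1.1_AD_Config_Screenshot.png", "3.1.1_User_Access_Review_2024Q1.pdf"):
        (ac / name).write_bytes(b"constructed placeholder content for " + name.encode())
    build_manifest(ac.parent)
    (ac / "3.1.1_Policy.pdf").write_bytes(b"edited after the manifest was written")
    (ac / "3.1.1_AD_Config_Screenshot.png").unlink()
    return verify_manifest(ac.parent)  # -> two 'ok', one 'modified', one 'missing'
```

A hash only proves that a file still matches the manifest, so the manifest itself needs protecting: keep a copy outside the evidence folder or sign it, and record who generated it and when.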


Organizing and Presenting Evidence Effectively

A clear, consistent evidence repository minimizes assessment stress and fosters trust. Consider these best practices:

  • Map each piece of evidence to the relevant NIST SP 800-171 control. Keep one folder per control for easy navigation.

  • Label files clearly with control IDs, descriptions, and evidence types.

  • Keep dated versions to demonstrate periodic reviews and updates.

  • Centralize storage in a SaaS compliance platform that supports metadata tagging, linking, and hashing.

Sample Folder Structure

/Access_Control
  ├── 3.1.1_Policy.pdf
  ├── 3.1.1_User_Provisioning_SOP.docx
  ├── 3.1.1_AD_Config_Screenshot.png
  └── 3.1.1_User_Access_Review_2024Q1.pdf

Many organizations find value in compliance software to streamline this process. Learn how platforms dedicated to CMMC compliance can help in our article Making CMMC Simpler.


Common Pitfalls and Red Flags to Avoid

  • Relying solely on policy documents with no proof of real-world implementation.

  • Using outdated or missing documentation for essential reviews like SSP or risk assessments.

  • Leaving gaps in demonstrative evidence for specific controls.

  • Collecting evidence only days before the assessment, which often appears rushed and incomplete.


Strong vs Weak Evidence: Real Examples

3.1.1 Access Control
  Weak evidence:   Policy document only
  Strong evidence: Policy + SOP + AD configuration screenshot + quarterly access review records

3.3.1 Audit Logging
  Weak evidence:   Verbal statement “We review logs”
  Strong evidence: SIEM output showing daily log reviews + signed checklists

3.12.4 SSP Updates
  Weak evidence:   SSP dated from 2019
  Strong evidence: SSP with revision history updated in 2023 and 2024

3.2.1 Awareness Training
  Weak evidence:   Employee handbook
  Strong evidence: LMS report showing 98% completion rate for current year

A Framework for Efficient Evidence Collection

  • Begin with the SSP to map each NIST 800-171 control to expected evidence.

  • Categorize evidence into types: policies, procedures, screenshots, logs, or records.

  • Collect existing materials from IT, HR, and security teams.

  • Identify missing evidence or controls lacking demonstrable proof.

  • Assign clear ownership for each control’s evidence.

  • Upload all evidence into a SaaS tool with metadata, tags, and hashing support.

  • Review and refresh evidence quarterly to maintain currency and validity.


How SaaS Tools Simplify Compliance and Evidence Management

Manual evidence management can be complex and error-prone. Compliance SaaS platforms help by:

  • Automating collection of logs and snapshotting system configurations.

  • Aligning evidence directly with NIST SP 800-171 control requirements.

  • Offering dashboards that track collection progress and gaps.

  • Providing one-click export functions for assessors.

  • Enabling hashing features to guarantee integrity.

Getting started with the right compliance platform can reduce assessment anxiety significantly. If you want to simplify your ongoing CMMC compliance journey, we recommend signing up for the streamlined CMMC dashboard solution at cmmcdashboard.com.


Conclusion

Success in a CMMC Level 2 assessment hinges on robust evidence, which demonstrates that your policies, procedures, and controls are not only documented but are actively implemented and reviewed over time.

Organizations that view evidence as a continuous compliance asset—kept current, validated, and well-organized—stand the best chance of passing. Leveraging SaaS evidence management tools makes these activities scalable and less stressful, enabling your team to focus on maintaining strong cybersecurity practices rather than scrambling for paperwork.


Frequently Asked Questions

What exactly do assessors expect as evidence?

A blend of documents, system outputs, and records proving the implementation of all 110 NIST controls, including policies, technical configurations, logs, training attendance, and review documentation.

Is hashing evidence mandatory?

No, hashing is not required but is increasingly adopted as a best practice to protect evidence integrity. SaaS platforms often automate hashing for you.

Which controls mandate periodic reviews?

Controls like 3.1.7, 3.1.20, 3.3.1, 3.12.1, 3.12.3, 3.12.4, and 3.13.11 require recurring evaluation and proof that reviews occur.

How far back does evidence need to go?

Generally, assessors expect about 12 months of evidence to cover recurring activities within the period relevant to the control.

Are screenshots acceptable or do you need original files?

Screenshots, especially with timestamps, qualify as demonstrative evidence. However, original logs or export files carry more weight when verifying records.

How often should evidence be updated?

Quarterly updates are typical, though controls like log reviews may require much more frequent evidence collection.

Do subcontractors also need to maintain evidence?

Yes. Subcontractors handling Controlled Unclassified Information (CUI) must meet Level 2 requirements and maintain their own compliant evidence repositories.


Sources

  • 32 CFR Part 170 – CMMC Final Rule (Oct. 2024)

  • NIST SP 800-171 Revision 2 (Feb. 2020)

  • NIST SP 800-171A Assessment Procedures (Jun. 2018)

  • DFARS clauses 252.204-7012, 7019, 7020, 7021

Ensuring your evidence is comprehensive and well-maintained transforms your CMMC Level 2 readiness from a daunting audit hurdle into a manageable compliance journey.