CMMC Level 2 · Assessment Prep · June 20, 2026 · 16 min read
CMMC Level 2 Evidence Guide: What Assessors Actually Want to See
Most organizations fail CMMC Level 2 assessments not because their controls are bad, but because they can't quickly produce the evidence that proves the controls work. This guide breaks down exactly what a C3PAO assessor looks for in each domain - so you arrive prepared instead of scrambling.
How a CMMC Level 2 Assessment Actually Works
Before you can prepare evidence, you need to understand how assessors use it. CMMC assessments use three methods drawn from NIST SP 800-171A:
Examine - the assessor reviews documentation: policies, procedures, configuration reports, logs, screenshots, and records. This is where most of your evidence preparation effort goes. Think of it as the assessor going through your filing cabinet, except the filing cabinet is a SharePoint site and the assessor has a clipboard.
Interview - the assessor asks your personnel to describe how practices are implemented. Answers need to match what the documentation says. Inconsistency between what people say and what documents show is an immediate flag. (This is why "just tell them everything is fine" is not a viable interview prep strategy.)
Test - the assessor watches a live demonstration or runs a technical verification. They may ask you to show an account lockout triggering, demonstrate an MFA prompt, or show a vulnerability scan running. If your MFA is configured correctly, this is a two-minute conversation. If it is not, this is a longer conversation.
Strong evidence satisfies all three methods. A policy document alone satisfies Examine but leaves Interview and Test exposed. A live system demonstration without supporting policy leaves Examine unsatisfied. You need both. A useful mental model: the policy is the promise, the configuration is the delivery, and the log is the receipt.
Assessment reality check: Assessors are looking for evidence that a practice is actually implemented and operating, not just that a policy exists saying it should be. "We have a policy requiring MFA" and "here is the MFA enrollment report showing 100% coverage" are very different answers. One closes the practice; the other opens an interview.
Evidence Organization Before Your Assessment
The organizations that move through assessments fastest are the ones that pre-map evidence to practices before the assessor arrives. The standard approach:
Create a shared folder structure mirroring the 14 CMMC domains, which correspond one-to-one to the NIST SP 800-171 families that number the practices: AC (3.1), AT (3.2), AU (3.3), CM (3.4), IA (3.5), IR (3.6), MA (3.7), MP (3.8), PS (3.9), PE (3.10), RA (3.11), CA (3.12), SC (3.13), SI (3.14)
Within each domain folder, store evidence artifacts by practice ID (3.1.1, 3.1.2, etc.)
Name files clearly: "3.1.8 - Account Lockout GPO Configuration Export - June 2026.pdf" is far more useful than "settings_screenshot.png" (which tells an assessor nothing except that you took a screenshot at some point)
Maintain a master tracker mapping each practice to its evidence file location - assessors will ask "can you show me the evidence for 3.5.3?" and you need to pull it up in under a minute
Evidence that exists but can't be found quickly creates the same impression as evidence that doesn't exist. Assessors work on a schedule. Watching someone search three different shared drives for a screenshot they took in February is not a good look and does not build confidence in your compliance program.
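The folder-and-tracker layout above is easy to script, and scripting it is how you catch the problems before the assessor does: a file with no practice ID in its name, evidence filed under the wrong domain, a screenshot dated two years ago, and the practices that have nothing at all. The following is an added example written for this guide, not code from the original article or from any assessment tool. It assumes the "<DOMAIN>/<practice id> - <description> - <Month YYYY>.<ext>" convention the guide recommends, a 12-month freshness window that is an assumed target rather than a CMMC requirement, and a constructed sample tree in place of a real evidence share.

```python
"""
Build the master evidence tracker from the evidence folder tree.

Added example, not from the original article. Assumptions, all labelled:
- Layout is <root>/<DOMAIN>/<file>, one folder per domain, and files are
  named "<practice id> - <description> - <Month YYYY>.<ext>".
- Evidence dated more than STALE_MONTHS ago is flagged; the 12-month window
  is an assumed freshness target, not an article or CMMC figure.
"""
import re
from collections import defaultdict
from datetime import date
from pathlib import Path

# NIST SP 800-171 Rev 2 families: family number -> (CMMC domain, practice count).
FAMILIES = {
    1: ("AC", 22), 2: ("AT", 3), 3: ("AU", 9), 4: ("CM", 9), 5: ("IA", 11),
    6: ("IR", 3), 7: ("MA", 6), 8: ("MP", 9), 9: ("PS", 2), 10: ("PE", 6),
    11: ("RA", 3), 12: ("CA", 4), 13: ("SC", 16), 14: ("SI", 7),
}
ALL_PRACTICES = [f"3.{fam}.{n}" for fam, (_, count) in FAMILIES.items()
                 for n in range(1, count + 1)]  # the 110 practice IDs
STALE_MONTHS = 12  # assumed freshness window

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}
FILENAME_RE = re.compile(
    r"^(?P<pid>3\.(?P<fam>\d{1,2})\.\d{1,2}) - .+?"
    r"(?: - (?P<month>[A-Z][a-z]+) (?P<year>\d{4}))?\.[A-Za-z0-9]+$")


def parse_evidence_path(rel_path):
    """Return (practice_id, expected_domain, folder, dated) for a
    <DOMAIN>/<file> path, or None if the name breaks the convention."""
    parts = Path(rel_path).parts
    if len(parts) != 2:
        return None
    folder, name = parts
    m = FILENAME_RE.match(name)
    if not m or int(m.group("fam")) not in FAMILIES:
        return None
    dated = None
    if m.group("month") in MONTHS:
        dated = date(int(m.group("year")), MONTHS[m.group("month")], 1)
    return m.group("pid"), FAMILIES[int(m.group("fam"))][0], folder, dated


def build_tracker(paths, today):
    """Map every practice to its evidence files and collect the problems an
    assessor would trip over: unparseable names, evidence for a practice ID
    that does not exist, files in the wrong domain folder, undated or stale
    evidence, and practices with no evidence at all."""
    tracker = {pid: [] for pid in ALL_PRACTICES}
    problems = defaultdict(list)
    for p in paths:
        parsed = parse_evidence_path(p)
        if parsed is None:
            problems["unparseable"].append(p)
            continue
        pid, expected_domain, folder, dated = parsed
        if pid not in tracker:
            problems["unknown_practice"].append(p)
            continue
        tracker[pid].append(p)
        if folder != expected_domain:
            problems["misfiled"].append(p)
        if dated is None:
            problems["undated"].append(p)
        elif (today.year - dated.year) * 12 + today.month - dated.month > STALE_MONTHS:
            problems["stale"].append(p)
    problems["missing"] = [pid for pid, files in tracker.items() if not files]
    return tracker, dict(problems)


def domain_readiness(tracker):
    """Percent of each domain's practices that have at least one artifact."""
    return {dom: round(100 * sum(1 for n in range(1, count + 1)
                                 if tracker[f"3.{fam}.{n}"]) / count, 1)
            for fam, (dom, count) in FAMILIES.items()}


def walk_evidence_root(root):
    """Real-world entry point: every <DOMAIN>/<file> under the root folder."""
    root = Path(root)
    return [str(p.relative_to(root)) for p in root.glob("*/*") if p.is_file()]


# Constructed sample tree, not a real evidence set.
SAMPLE_PATHS = [
    "AC/3.1.8 - Account Lockout GPO Configuration Export - June 2026.pdf",
    "AC/3.1.1 - User Account List with Roles - May 2026.xlsx",
    "AC/3.5.3 - MFA Enrollment Report - June 2026.pdf",   # belongs in IA
    "AU/3.3.7 - NTP Configuration - February 2024.png",    # stale
    "IR/3.6.3 - Tabletop Exercise Summary.docx",           # no date
    "PS/settings_screenshot.png",                          # unparseable
]


def sample_run(today=date(2026, 6, 20)):
    return build_tracker(SAMPLE_PATHS, today)


if __name__ == "__main__":
    tracker, problems = sample_run()
    for kind, items in problems.items():
        print(f"{kind}: {len(items)}", items[:3])
    print(domain_readiness(tracker))
```

Run it against the real share with `build_tracker(walk_evidence_root("/path/to/evidence"), date.today())` and the "missing" list is your pre-assessment work queue; the per-domain readiness figure is what a live dashboard would show. The "misfiled" check matters more than it looks: an MFA report sitting in the AC folder is found only by the person who put it there, which is exactly the three-shared-drives search described above.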
Domain-by-Domain Evidence Guide
AC - Access Control (22 practices)
Access Control is the largest CMMC domain and typically generates the most evidence requests. Assessors focus heavily on privileged access, remote access, and MFA. MFA is formally assessed under IA (3.5.3), but the AC remote-access practices are tested against the same enrollment data, so expect the report to come up in both domains.
Key evidence to prepare:
Access Control Policy document
User account list with roles and privilege levels (export from Active Directory or Entra ID)
MFA enrollment report showing coverage for all privileged and non-privileged accounts
Group Policy Object (GPO) exports or Intune configuration profiles showing lockout settings, session timeout, and screen lock
VPN configuration and authentication logs showing remote access enforcement
Network diagram identifying the CUI boundary and access control points
Quarterly access review records with documented reviewer and date
MDM enrollment report for mobile devices accessing CUI systems
Separate admin account documentation (showing IT staff have both admin and standard accounts)
Most common AC gap: MFA enrollment report showing less than 100% coverage. Assessors will pull this report live if you do not have it ready - so if you are at 94% MFA enrollment right now, that is the first thing to fix before your assessment date. Also common: access reviews that happened but were never documented. If you reviewed access and did not write it down, it did not happen in the eyes of an assessor.
AU - Audit & Accountability (9 practices)
Assessors want to see that you're actually collecting logs, retaining them appropriately, and have alerting when logging fails. Showing a SIEM or log aggregator with actual data is far stronger than showing configuration screenshots alone.
Audit and Accountability Policy
SIEM or log management tool configuration showing sources being collected
Sample audit logs from key sources (Windows Security Event Log, VPN auth logs, firewall logs, Entra ID sign-in logs)
Log retention policy and evidence of retention enforcement (retention settings screenshot)
NTP configuration showing time synchronization to an authoritative source
Alert configuration showing notification when logging fails
Evidence that log access is restricted to authorized administrators
Most common AU gap: Logs are being collected but there is no evidence anyone is reading them. Collecting logs and ignoring them is the security equivalent of installing a smoke detector and then removing the batteries. Show that alerts are configured, that someone is receiving them, and that when something triggers, there is a record of what happened next.
AT - Awareness & Training (3 practices)
One of the easier domains to document - but only if you've been tracking completion. Training records without dates and completion percentages are weak evidence.
Security Awareness Training Policy
Training completion records showing all employees with dates (export from your LMS or tracking system)
Training content or curriculum description
Role-specific training records for privileged users covering elevated-risk responsibilities
Phishing simulation records (dates, participation rates, click rates, remediation training for failures)
Insider threat awareness training content (3.2.3 covers recognizing and reporting potential indicators of insider threat)
Most common AT gap: Training happened but was never tracked. "We did security awareness training in March" with nothing to show for it will not satisfy an assessor. Retroactively creating completion records without supporting evidence is worse - that conversation tends to go badly. Your LMS or even a signed attendance sheet works. The bar is not high; you just have to actually clear it.
CM - Configuration Management (9 practices)
Assessors want to see that you have documented baselines and that changes go through a controlled process. The most scrutinized areas are baseline documentation and change approval records.
Configuration Management Policy
System baseline documentation (CIS benchmark assessments, STIG checklists, or equivalent)
Asset inventory or CMDB showing in-scope systems
Change management records showing approval workflow (change tickets, CAB records, or equivalent)
Security impact analysis records for recent changes
Software allowlist or application control configuration
Evidence that unnecessary services/ports are disabled (port scan results, service inventory)
Most common CM gap: A hardening standard exists on paper but no one has checked whether systems actually meet it. Documenting a CIS benchmark and then never running a compliance scan against it is a pattern assessors see constantly - and it is easy to catch, because they can just ask you to pull a scan report. If your configuration management policy says systems will be hardened to CIS Level 1, you need a report that shows they are.
IA - Identification & Authentication (11 practices)
IA is the second-most failed domain in CMMC assessments. MFA gaps and password policy enforcement are where most organizations lose points.
Identification and Authentication Policy
MFA enrollment report. 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts, so the report must show 100% for both populations separately, not a blended figure.
Password policy configuration export (showing complexity, history, and lockout settings)
Privileged account inventory showing separate admin accounts
Password hashing configuration evidence (confirming passwords are stored cryptographically)
Service account inventory with documentation of least-privilege assignments
Most common IA gap: Service accounts with excessive privileges and no MFA. Service accounts are the forgotten stepchildren of most MFA rollouts - everyone focuses on user accounts and the service accounts just sit there with broad permissions and passwords that were set in 2019 and never rotated. Assessors specifically ask about non-human accounts. Have your service account inventory ready and be prepared to explain what each one does and why it has the access it has. Where an account is non-interactive and cannot answer an MFA prompt, say so in the SSP and show the compensating controls you rely on instead (restricted logon rights, a managed service account or vault-rotated credential, monitoring of its use); "it's a service account" on its own is not an answer.
IR - Incident Response (3 practices)
Three practices but assessors dig deep here because incident response capability is hard to fake and easy to test. Having a plan that's never been exercised is the most common gap.
IR tool inventory (forensics tools, communication platform, ticketing system)
Most common IR gap: No tabletop exercise record. Practice 3.6.3 specifically requires testing the IR capability. A 50-page incident response plan that has never been exercised is a hypothesis, not a capability - and assessors know the difference. One tabletop per year minimum, documented with the scenario used, who participated, what findings came out of it, and what was done to address those findings. A one-hour tabletop with a written summary is sufficient. An untested plan is not.
MA - Maintenance (6 practices)
Maintenance is often overlooked in preparation but assessors consistently ask about remote maintenance controls and equipment sanitization records.
Maintenance Policy
Maintenance schedule and completed maintenance records
Remote maintenance MFA configuration evidence
Maintenance personnel authorization records (who is approved to perform maintenance)
Media sanitization records for equipment removed for off-site maintenance
Diagnostic media scanning records (showing pre-use malware scans)
MP - Media Protection (9 practices)
Media protection generates surprisingly detailed evidence requests, especially around portable media controls and sanitization records.
Media Protection Policy
Media inventory showing CUI-bearing media and storage locations
Media access authorization records
Certificate of Destruction or sanitization records for disposed media
USB control configuration (GPO, endpoint tool, or MDM policy showing restriction)
Backup encryption configuration evidence
Portable media transport procedures and chain of custody records
Most common MP gap: No Certificate of Destruction for decommissioned equipment. When an assessor asks "what happened to the server you retired last year," "we gave it to IT surplus" is not an acceptable answer without accompanying sanitization documentation.
PE - Physical Protection (6 practices)
Physical evidence is some of the easiest to prepare but also the easiest to overlook. Assessors may ask for a facility walkthrough or request badge access logs.
Physical Protection Policy
Authorized personnel access list for CUI areas
Badge access configuration and recent access logs
Visitor log records
Security monitoring evidence (camera coverage, alarm system, access control hardware)
Remote work security policy and signed remote work agreements
Physical access device inventory (keys, badges, access cards in circulation)
PS - Personnel Security (2 practices)
Only two practices but assessors pay close attention to offboarding - it is a common control failure with significant security implications.
Personnel Security Policy
Background check records or verification that screening occurred (HR records)
Recent offboarding records demonstrating the process was followed
Account termination log showing timely revocation upon separation
Most common PS gap: Accounts that weren't disabled within the required timeframe after employee termination. NIST SP 800-171 (3.9.2) does not set a number of hours, so the timeframe is whatever your own policy promises, and the assessor will hold you to it. Before the assessment, pull a report of disabled accounts from AD or Entra ID, join it against the HR separation list, and look for two things: accounts still enabled for separated employees, and accounts disabled later than your policy allows. Close and document both before the assessor finds them.
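The HR-versus-directory comparison is a join over two exports, and doing it in a script gives you a repeatable artifact for the evidence folder rather than a one-off eyeball check. The following is an added example written for this guide, not code from the original article or from any product. The column names (employee_id, sam_account, separation_date, enabled, disabled_on) are assumptions; map your own Get-ADUser or Entra ID export onto them. The 24-hour deadline is likewise assumed, since the guide and 3.9.2 leave the number to your policy, and the CSV rows are constructed sample data.

```python
"""
Offboarding reconciliation: join the HR separation list against a directory
export and flag accounts that were not disabled in time.

Added example, not from the original article. Assumed inputs:
- HR export columns: employee_id, sam_account, separation_date (ISO 8601).
- Directory export columns: sam_account, enabled, disabled_on (ISO 8601
  timestamp, blank if never disabled). Column names are assumptions.
- SLA_HOURS is your policy's own deadline; 24 hours is assumed here because
  NIST SP 800-171 3.9.2 does not set a number.
"""
import csv
import io
from datetime import datetime

SLA_HOURS = 24  # assumed organisational deadline, not an article figure

# Constructed sample exports (not real data).
HR_SEPARATIONS_CSV = """employee_id,sam_account,separation_date
1001,jdoe,2026-03-14
1002,asmith,2026-03-20
1003,bwong,2026-04-02
1004,ctaylor,2026-04-10
"""
DIRECTORY_EXPORT_CSV = """sam_account,enabled,disabled_on
JDOE,False,2026-03-14T17:30
asmith,False,2026-03-28T09:00
bwong,True,
svc-backup,True,
"""


def parse_ts(value):
    """Accept 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM[:SS]'; blank -> None."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_offboarding(hr_rows, dir_rows, sla_hours=SLA_HOURS):
    """One finding per separated employee whose account is missing from the
    directory export, still enabled, or disabled later than sla_hours after
    the HR separation date. Each finding is (sam_account, reason, lag_hours)."""
    by_sam = {r["sam_account"].strip().lower(): r for r in dir_rows}
    findings = []
    for hr in hr_rows:
        sam = hr["sam_account"].strip().lower()
        separated = parse_ts(hr["separation_date"])
        acct = by_sam.get(sam)
        if acct is None:
            # Never provisioned, or renamed: either way the join must be fixed.
            findings.append((sam, "not_in_directory_export", None))
            continue
        enabled = acct["enabled"].strip().lower() in ("true", "yes", "1")
        disabled_on = parse_ts(acct.get("disabled_on"))
        if enabled or disabled_on is None:
            findings.append((sam, "still_enabled", None))
            continue
        lag_hours = (disabled_on - separated).total_seconds() / 3600
        if lag_hours > sla_hours:
            findings.append((sam, "disabled_late", round(lag_hours, 1)))
    return findings


def summarize(findings):
    """Counts by reason: the figure to quote in the evidence tracker."""
    out = {}
    for _, reason, _ in findings:
        out[reason] = out.get(reason, 0) + 1
    return out


def sample_run():
    return reconcile_offboarding(load_csv(HR_SEPARATIONS_CSV),
                                 load_csv(DIRECTORY_EXPORT_CSV))


if __name__ == "__main__":
    for finding in sample_run():
        print(finding)
    print(summarize(sample_run()))
```

In the sample, jdoe was disabled 17.5 hours after separation and produces no finding; asmith was disabled 201 hours late, bwong is still enabled, and ctaylor is not in the directory export at all. A separation date without a time of day is treated as midnight, which is the conservative reading for the SLA. Keep the script's output alongside the HR list and the directory export as the PS evidence, and rerun it quarterly so the record exists before anyone asks for it.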
RA - Risk Assessment (3 practices)
Assessors want to see an actual risk assessment document, not just a statement that risk assessments are performed. The vulnerability scanning evidence is often tested live.
Risk Assessment Policy
Most recent risk assessment report with date, scope, methodology, findings, and risk ratings
Risk register or risk tracking documentation
Vulnerability scan reports (authenticated scans, must cover all in-scope systems)
Vulnerability remediation tracking showing how findings were addressed
Scan tool configuration evidence (showing scan frequency and target coverage)
Most common RA gap: Unauthenticated vulnerability scans. Practice 3.11.2 requires periodic scanning for vulnerabilities in systems and applications; it does not use the word "authenticated", but an unauthenticated scan cannot see missing patches, local misconfigurations, or vulnerable software that is not exposed on the network, so it is weak evidence that in-scope systems are actually covered. Assessors specifically ask whether scans are credentialed, and they will compare the scan target list against your asset inventory.
CA - Security Assessment (4 practices)
CA includes the SSP, which is typically the first document an assessor requests and the document they use to structure the entire assessment.
System Security Plan (SSP) - must be complete, current, and describe all 110 practices
POA&M document listing any open deficiencies with target remediation dates
Continuous monitoring plan and evidence of ongoing monitoring activities
Security assessment records showing independent review of controls
Evidence that the SSP has been reviewed and updated within the past year
Most common CA gap: SSP describes planned controls, not implemented ones. The SSP must describe how practices are currently implemented, not aspirationally. Assessors will test whether what the SSP says is actually true of the current environment.
SC - System & Communications Protection (16 practices)
SC is technically the most complex domain. Network segmentation, encryption, and boundary protection generate the most assessor questions and live technical verification requests.
System and Communications Protection Policy
Network diagram showing CUI boundary, DMZ, segmentation, and all external connections
Firewall ruleset showing default-deny posture (assessors may review this in detail)
FIPS 140-2/3 validation documentation for encryption products in use (the CMVP certificate number for the module, plus evidence that the product is configured to use that module in its validated mode)
TLS configuration evidence (showing TLS 1.2+ enforcement for data in transit)
Most common SC gap: Non-FIPS-validated encryption. If your VPN, encryption tool, or communication platform isn't FIPS 140-2 or 140-3 validated, Practice 3.13.11 is a finding. This is a frequent gap in organizations using consumer-grade tools for CUI environments. A related trap: a product that bundles a validated module but runs it in a non-validated mode, or a vendor claim of "FIPS compliant" with no certificate behind it. Assessors ask for the certificate, not the marketing page.
SI - System & Information Integrity (7 practices)
SI generates straightforward but specific evidence requests. Patch management records and EDR deployment coverage are the most commonly tested.
System and Information Integrity Policy
Patch management records showing recent patches applied with dates
EDR deployment coverage report (must cover all in-scope endpoints)
IDS/IPS or SIEM monitoring configuration and alert records
Security advisory subscription records (CISA advisories, which replaced the US-CERT feeds, vendor advisories, threat intel feeds)
Most common SI gap: EDR coverage gaps. Assessors may ask for a device inventory and cross-reference it against EDR enrollment. Any in-scope device without EDR is an immediate finding. Devices that are "in transition" or "being evaluated" are still findings if they're in scope.
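The EDR cross-reference here and the MFA coverage check in the AC and IA sections are the same operation: the authoritative population (in-scope devices, or accounts) minus what the tool reports as enrolled, after normalising identifiers so that the CMDB's "WS-0042.corp.example.com" matches the console's "ws-0042". The following is an added example written for this guide, not code from the original article or from any EDR or identity product; it generalises the device check to any population-versus-enrollment pair and runs the same function for privileged and non-privileged MFA populations. The column names and CSV rows are constructed assumptions; a real EDR or Entra ID export needs its own column mapping.

```python
"""
Coverage gap check: compare the authoritative list of in-scope assets or
accounts against a tool's enrollment export after normalising identifiers.

Added example, not from the original article. Sample CSVs are constructed;
column names (hostname, in_scope, device_name, upn, privileged) are
assumptions, not the format of any particular product's export.
"""
import csv
import io


def normalize_host(name):
    """Lower-case and drop the DNS suffix so FQDN and NetBIOS forms match."""
    return name.strip().lower().split(".")[0]


def normalize_account(name):
    """User principal names compare case-insensitively."""
    return name.strip().lower()


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def coverage_gaps(population, enrolled, normalize):
    """population: identifiers that must be covered (the inventory).
    enrolled: identifiers the tool reports as covered.
    Returns percent covered, the sorted 'missing' list (the finding), and
    'unexpected' items enrolled but absent from the inventory (a scoping
    question; only meaningful when population is the whole inventory)."""
    want = {normalize(x) for x in population}
    have = {normalize(x) for x in enrolled}
    missing = sorted(want - have)
    covered = len(want) - len(missing)
    percent = 100.0 if not want else round(100 * covered / len(want), 1)
    return {"percent": percent, "missing": missing,
            "unexpected": sorted(have - want)}


# Constructed sample exports (not real data).
DEVICE_INVENTORY_CSV = """hostname,in_scope
WS-0042.corp.example.com,yes
ws-0043.corp.example.com,yes
SRV-FILE01,yes
LAB-TEST01,no
"""
EDR_EXPORT_CSV = """device_name
ws-0042
WS-0043
SRV-DB02
"""
ACCOUNTS_CSV = """upn,privileged
Alice@corp.example.com,yes
bob@corp.example.com,no
carol@corp.example.com,no
svc-backup@corp.example.com,no
"""
MFA_EXPORT_CSV = """upn
alice@corp.example.com
bob@corp.example.com
"""


def edr_report():
    """In-scope devices from the inventory vs. devices the EDR console knows."""
    inventory = [r["hostname"] for r in load_csv(DEVICE_INVENTORY_CSV)
                 if r["in_scope"].strip().lower() == "yes"]
    enrolled = [r["device_name"] for r in load_csv(EDR_EXPORT_CSV)]
    return coverage_gaps(inventory, enrolled, normalize_host)


def mfa_report():
    """Privileged and non-privileged populations reported separately, since
    3.5.3 covers both and assessors ask for each figure on its own."""
    accounts = load_csv(ACCOUNTS_CSV)
    registered = [r["upn"] for r in load_csv(MFA_EXPORT_CSV)]
    priv = [r["upn"] for r in accounts if r["privileged"].strip().lower() == "yes"]
    nonpriv = [r["upn"] for r in accounts if r["privileged"].strip().lower() != "yes"]
    return {"privileged": coverage_gaps(priv, registered, normalize_account),
            "non_privileged": coverage_gaps(nonpriv, registered, normalize_account)}


if __name__ == "__main__":
    print("EDR:", edr_report())
    print("MFA:", mfa_report())
```

In the sample the EDR figure is 66.7%: SRV-FILE01 is in scope with no agent (the finding), SRV-DB02 is enrolled but not in the inventory (either the inventory is stale or the server is in scope and undocumented, which is the SSP scope problem described later), and the lab machine is correctly ignored. The MFA run shows 100% for privileged accounts and 33.3% for non-privileged, with svc-backup surfacing exactly the service-account question from the IA section. Treat "unexpected" entries as seriously as "missing" ones: an asset the tool knows about and the SSP does not is a scoping surprise waiting to happen during the assessment.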
The Five Most Common Evidence Failures
Across all 14 domains, five patterns account for the majority of evidence-related findings in CMMC Level 2 assessments:
Policy exists, implementation doesn't match. The access control policy says quarterly access reviews are required. The last access review was 18 months ago. Assessors verify both.
Evidence exists but can't be produced quickly. Spending 20 minutes searching for a log file during an assessment creates the impression that your security program isn't managed - even if the file eventually surfaces.
Scope not defined clearly in the SSP. Systems handling CUI that aren't documented in the SSP become surprises during assessment. Assessors look for undocumented systems during network discovery.
People say different things than documents say. The HR manager says background checks are done "for some roles." The policy says all employees handling CUI require screening. Interview inconsistency is a finding.
No evidence of testing or exercising controls. Tabletop exercises, DR tests, access reviews, and vulnerability scan records all need documented dates. "We do this quarterly" without records does not satisfy the requirement.
Track Every Evidence Artifact Before Your Assessment
Our CMMC Level 2 Evidence Tracker maps all 110 NIST SP 800-171 Rev 2 practices to the specific evidence artifacts assessors request. Assign owners, track status, link to your evidence files, and monitor readiness by domain on a live dashboard. Built by practitioners who have been through actual C3PAO assessments.
Instant download - .xlsx - works in Excel and Google Sheets
Frequently Asked Questions
What is the difference between a CMMC Level 2 self-assessment and a C3PAO assessment?
A self-assessment allows the organization to evaluate its own compliance against NIST SP 800-171 and submit a score to SPRS. A C3PAO assessment is conducted by an independent, DoD-accredited organization and is required for contracts with critical programs or higher CUI sensitivity. The evidence requirements are similar, but the C3PAO assessment involves independent examiner judgment on whether evidence actually demonstrates the required outcomes - self-attestation is not available in a C3PAO engagement.
How long does a CMMC Level 2 assessment take?
Plan for a 3-6 month process from initial scoping to final report. The on-site or virtual assessment itself typically runs 2-5 days for small organizations and longer for larger ones. Organizations that arrive with evidence pre-mapped to practices consistently move through assessments faster than those retrieving evidence reactively during the review.
Can practices still be open on a POA&M at assessment time?
Yes, within the limits set by the CMMC rule (32 CFR part 170). At assessment time the organization must score at least 80% (88 of the 110 practices MET); only practices worth 1 point under the CMMC scoring methodology may be left on the POA&M, with 3.13.11 (FIPS-validated encryption) as the one higher-weighted exception and a handful of 1-point practices (external connections, public information, and the physical access practices) ineligible; and the POA&M must be closed out through a closeout assessment within 180 days of the conditional certification. Consult the current rule and the CMMC Assessment Process documentation for the eligibility list before counting on any of this.
Will the assessor examine documents or test live systems?
Both, and the assessor decides which method applies. For examine activities, they review policy documents, configuration exports, screenshots, and records. For test activities, they may request live demonstrations - showing account lockout triggering, demonstrating MFA prompts, or watching a scan run. Having policy documents AND the ability to demonstrate live systems is the strongest position.
What is the most common reason organizations fail?
The single most common failure is a gap between documented policy and actual implementation - the policy says MFA is required but coverage is 70%, or the policy requires quarterly access reviews but none have been completed. Assessors examine, interview, and test - they verify that what the policy says matches what the systems actually do. The second most common failure is scope creep: CUI systems discovered during assessment that weren't in the SSP.
Can I use cloud services for CUI?
Yes, but cloud services that process, store, or transmit CUI must be FedRAMP Authorized at Moderate or higher, or assessed using an equivalent standard (the requirement comes from DFARS 252.204-7012, not from CMMC itself). Microsoft 365 GCC High, Azure Government, and similar DoD-aligned cloud services are the most common compliant path. Commercial versions of Microsoft 365 or Google Workspace do not satisfy the cloud requirement for in-scope CUI systems. Your SSP must document all cloud services in scope and their authorization status.