What Evidence Do CMMC Assessors Actually Look For? A Domain-by-Domain Breakdown


What CMMC Assessors Are Really Evaluating

There is a significant difference between believing your organization is CMMC-compliant and being able to prove it to a Certified Third-Party Assessment Organization (C3PAO). When assessors walk through your environment, they are not looking for your best intentions or a polished presentation. They are looking for objective evidence — documentation, configurations, logs, and demonstrated behaviors — that confirm your security practices are real, repeatable, and consistently applied.

Understanding what that evidence looks like, domain by domain, is the foundation of effective CMMC evidence preparation. This breakdown is designed to help compliance managers and executives focus their preparation on what actually matters during an assessment.

Before diving into specifics, it is worth noting that CMMC Level 2 maps directly to the 110 practices in NIST SP 800-171. If you have not already reviewed our post on NIST SP 800-171 Revision 3 and its implications for CUI protection, that is a strong starting point for understanding the underlying requirements assessors will test against.

Access Control (AC)

Access Control is one of the most heavily scrutinized domains. Assessors want to see that your organization enforces least privilege and limits access to Controlled Unclassified Information (CUI) on a need-to-know basis.

Expect assessors to examine:

  • Active Directory or identity management configurations showing role-based access assignments
  • User access review records demonstrating periodic recertification of permissions
  • Multi-factor authentication (MFA) configurations for remote access and privileged accounts
  • Documented policies governing access to CUI systems and data
  • Remote access session logs and VPN configuration evidence

A common gap here is the existence of stale accounts or overly broad permissions that have never been formally reviewed. Assessors will pull account lists and compare them against HR records. Discrepancies are findings.

Identification and Authentication (IA)

This domain builds directly on Access Control. Assessors want to confirm that users and devices are properly authenticated before accessing CUI environments.

Key evidence includes:

  • Password policy configurations meeting minimum complexity and length requirements
  • MFA enrollment records for all users with access to CUI
  • System configurations showing authenticator management controls
  • Procedures for managing and revoking credentials when personnel depart

Audit and Accountability (AU)

Assessors frequently spend significant time in this domain because logging is both technically complex and organizationally neglected. The core question is whether your organization can detect and reconstruct security events.

Evidence assessors look for:

  • SIEM or centralized logging configurations that capture login events, privileged actions, and file access
  • Log retention policies with evidence of enforcement
  • Demonstrated alert response procedures, including documented examples of alerts reviewed and acted upon
  • Evidence that audit logs are protected from unauthorized modification or deletion

Organizations that have logs configured but never review them operationally will struggle here. Assessors may ask personnel to walk them through how an alert is handled, not just show them a configuration screenshot.

Configuration Management (CM)

Configuration Management requires organizations to establish a baseline and control changes to that baseline. Assessors are looking for structured change control, not ad hoc IT management.

Evidence in this domain includes:

  • A documented baseline configuration for servers, endpoints, and network devices
  • Change management records showing approval workflows for system changes
  • Evidence of security configuration benchmarks applied (such as CIS or DISA STIGs)
  • Software inventory demonstrating control over authorized and unauthorized software

Incident Response (IR)

Assessors in this domain want to confirm your organization can detect, respond to, and recover from security incidents involving CUI. Having a policy is not enough — they want to see operationalization.

Evidence includes:

  • A written Incident Response Plan with roles, responsibilities, and notification procedures
  • Tabletop exercise records or after-action reports from prior exercises
  • Evidence that personnel have been trained on IR procedures
  • Any actual incident records demonstrating the process was followed

Our post on how to prepare for your CMMC audit covers incident response readiness in additional detail and is worth reviewing as you build this evidence set.

Risk Assessment (RA)

This domain requires demonstrating that your organization systematically identifies, analyzes, and responds to cybersecurity risk — not just reacts to incidents after the fact.

Assessors examine:

  • A documented risk assessment methodology and completed risk assessment reports
  • Risk register or risk tracking documentation showing identified risks and treatment decisions
  • Evidence of periodic vulnerability scanning, with remediation completed within defined timeframes
  • Documented risk acceptance decisions for any unmitigated risks

Organizations working with our team through Federal risk assessment services often discover that their informal risk processes, while functional, lack the documentation trail assessors need to confirm compliance.

Security Assessment (CA)

The Security Assessment domain is about evaluating your own controls and managing a Plan of Action and Milestones (POA&M) for any deficiencies. Assessors look closely here because this domain reveals how self-aware an organization is about its security posture.

Evidence includes:

  • A completed System Security Plan (SSP) that accurately describes all CUI systems and applicable controls
  • A current POA&M with realistic milestones and evidence of progress
  • Internal or third-party assessment records supporting the SSP's control statements
  • Evidence that the SSP is reviewed and updated regularly

The SSP and POA&M relationship is critical. For a deeper look at these documents, see our post on SSP and POA&M as components of a strong security program.

System and Communications Protection (SC)

This domain addresses how CUI is protected as it moves across and between networks. Assessors examine both technical configurations and architectural documentation.

Evidence includes:

  • Network architecture diagrams showing segmentation between CUI and non-CUI environments
  • Firewall and router configurations demonstrating traffic filtering controls
  • Encryption configurations for data in transit (TLS settings, VPN protocols)
  • Mobile device management (MDM) configurations controlling CUI access from endpoints

System and Information Integrity (SI)

Integrity controls ensure that CUI systems remain protected from malware, vulnerabilities, and unauthorized modifications. Assessors want to see that security tooling is deployed, configured, and actively managed — not just installed and forgotten.

Evidence includes:

  • Endpoint protection platform (EPP) or EDR configurations and coverage reports
  • Patch management records showing timely remediation of critical vulnerabilities
  • Malware alert and response logs
  • Vulnerability scan results with documented remediation tracking

For a deeper understanding of endpoint security controls assessors evaluate in this domain, our post on endpoint security fundamentals provides useful context.

Personnel Security (PS) and Physical Protection (PE)

These domains are sometimes underestimated during preparation, but assessors treat them with the same rigor as technical controls. Physical access to areas where CUI is processed or stored must be documented and controlled.

Evidence includes:

  • Background check records and personnel security screening documentation
  • Physical access control logs for server rooms and CUI work areas
  • Visitor control logs demonstrating escort procedures
  • Security awareness training completion records for all personnel with CUI access

Our post on meeting CMMC 2.0 and NIST SP 800-171 physical security requirements walks through what adequate physical controls look like in practice.

Media Protection (MP)

Media Protection addresses how CUI is handled on portable media, how that media is sanitized, and how it is disposed of when no longer needed. Assessors frequently find gaps here because organizations focus on digital controls and overlook physical media handling.

Evidence includes:

  • Media handling and sanitization policies
  • Sanitization or destruction logs for retired hard drives, USB drives, and printed materials
  • Records of media marking and tracking for portable devices that store CUI

Awareness and Training (AT)

No technical control operates in a vacuum. Assessors evaluate whether your people understand their role in protecting CUI and whether that training is documented and recurring.

Evidence includes:

  • Security awareness training completion records, including dates and personnel covered
  • Role-based training records for personnel with elevated privileges or CUI handling responsibilities
  • Training content demonstrating coverage of insider threat, phishing, and CUI handling procedures

How to Approach Evidence Preparation Strategically

The most effective approach to CMMC evidence preparation is to treat each practice not as a checkbox but as a question an assessor will ask: Can you show me? Every control statement in your SSP must be supported by evidence an assessor can independently examine — not just your word that it exists.

Start by mapping your existing documentation against the 110 practices, identify gaps, and build a structured evidence repository organized by domain. Our post on how to organize your CMMC documentation so assessors can navigate it easily provides a practical framework for structuring that evidence library.

Organizations preparing for Level 2 certification should also consider the value of a formal gap assessment before scheduling a C3PAO audit. Understanding where your deficiencies lie — and having a credible remediation timeline — makes a material difference in assessment outcomes. Our CMMC, CUI, and DFARS compliance services are designed to support organizations at every stage of that process, from initial gap analysis through assessment readiness.

Ready to Close Your Evidence Gaps Before Your Assessment?

Cleared Systems works directly with defense contractors and federal suppliers to build the documentation, policies, and technical controls that CMMC assessors actually look for. Whether you are months away from a scheduled assessment or just beginning to understand your obligations, our team can help you identify what you have, what you need, and how to close the gap efficiently. Request a quote today or explore our engagement models to find the right level of support for your organization.
