🛡️ CMMC Evidence Guide

Interactive guide to understanding evidence types, documentation requirements, and assessment methods for DoD CMMC program audits.

📋 Examine Method

The process of reviewing, inspecting, observing, studying, or analyzing assessment objects (specifications, mechanisms, activities). Used to review documents, policies, configurations, and artifacts that demonstrate compliance.

👥 Interview Method

Conducting discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. Interviews must be with personnel who implement, perform, or support the practices.

Test Method

The process of exercising assessment objects under specified conditions to compare actual with expected behavior. Includes live demonstrations, penetration tests, and system validations.

📝 Organizational Documents

Policies, procedures, standards, and governance documents

System Security Plan (SSP): Critical
Cybersecurity Policies: Critical
Security Procedures: High
Incident Response Plan: High
Risk Assessment Reports: High
Plan of Action & Milestones (POA&M): Critical
Security Training Records: Medium

🔧 Technical Test Results

Firewall configs, penetration tests, and system validations

Penetration Test Results: High
Vulnerability Scan Reports: High
Firewall Configurations: Critical
Access Control Lists (ACLs): Critical
System Hardening Evidence: Medium
Backup and Recovery Tests: Medium

📊 Logs & Monitoring

Audit logs, error reports, and continuous monitoring evidence

Audit Logs: Critical
Security Event Logs: High
Error Reports: Medium
Continuous Monitoring Reports: High
SIEM System Outputs: High
Network Traffic Analysis: Medium

👥 Personnel & Interviews

Interview summaries, training records, and personnel documentation

Interview Summaries: High
Personnel Screening Records: Medium
Role & Responsibility Definitions: Medium
Access Review Documentation: High
Security Awareness Surveys: Low

🔐 Access Control Evidence

User management, authentication, and authorization documentation

User Account Management: Critical
Privileged Access Management: Critical
Authentication Configuration: High
Session Management Evidence: Medium

🏢 Physical Security

Physical access controls, environmental protections, and facility security

Physical Access Controls: High
Visitor Access Logs: Medium
Environmental Controls: Medium
Surveillance System Evidence: Medium