Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

Documenting Evidence for CMMC Assessment

Policies describe what you should do. Evidence proves you actually do it. For CMMC assessment, evidence is what transforms your claims into verified compliance. Assessors will not take your word that controls are implemented—they need to see proof.

CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity verification program.

This guide explains what evidence assessors expect, how to collect it effectively, and how to organize your documentation for a smooth assessment.

What Counts as Evidence

Evidence comes in many forms:

Configuration Evidence

Screenshots and exports showing how systems are configured:

  • Group policy settings
  • Firewall rules
  • Access control lists
  • Security tool configurations
  • System settings

Process Evidence

Records showing processes operate as documented:

  • Change request tickets
  • Access approval forms
  • Incident reports
  • Training completion records
  • Audit logs

Testing Evidence

Results from security testing activities:

  • Vulnerability scan reports
  • Penetration test results
  • Backup restoration tests
  • Disaster recovery exercises
  • Phishing simulation results

Attestation Evidence

Documented statements confirming activities occurred:

  • Signed acknowledgments
  • Interview notes
  • Management attestations
  • Third-party certifications

Physical Evidence

During on-site assessment, direct observation:

  • Locked server rooms
  • Badge readers
  • Clean desk compliance
  • Visitor logs

Evidence Types by Control Category

Different controls require different evidence:

Technical Controls

Controls implemented through technology:

Evidence examples:

  • Configuration screenshots
  • System exports (group policies, settings files)
  • Log samples
  • Security tool reports
  • Network diagrams

Administrative Controls

Controls implemented through policies and procedures:

Evidence examples:

  • Policy documents
  • Procedure documentation
  • Training records
  • Approval forms
  • Meeting minutes

Operational Controls

Controls implemented through ongoing processes:

Evidence examples:

  • Log review records
  • Incident reports
  • Change tickets
  • Maintenance records
  • Assessment reports

Collecting Evidence Effectively

Capture Point-in-Time Snapshots

Evidence should show the current state:

  • Date screenshots and exports
  • Note when evidence was collected
  • Update evidence regularly

Include Context

Raw data without context is hard to interpret:

  • Annotate screenshots to highlight relevant settings
  • Explain what evidence demonstrates
  • Map evidence to specific requirements

Maintain Chain of Custody

Evidence should be trustworthy:

  • Collect evidence from actual production systems
  • Document who collected the evidence and when
  • Protect evidence from modification

Collect Ongoing Evidence

Some controls require evidence of ongoing operation:

  • Log review records (not just logging configuration)
  • Completed access reviews (not just the policy)
  • Closed incident reports (not just incident procedures)
  • Patch records over time (not just current patch status)

Evidence Mapping to Requirements

For each CMMC requirement, identify what evidence demonstrates compliance:

Example: IA.L2-3.5.3 (Multi-Factor Authentication)

Evidence TypeSpecific Evidence
ConfigurationAzure AD Conditional Access policy requiring MFA
ConfigurationScreenshot showing MFA enforcement for all users
ProcessMFA enrollment records
TestingLogin test demonstrating MFA prompt
PolicyAuthentication policy requiring MFA

Example: AU.L2-3.3.1 (System Auditing)

Evidence TypeSpecific Evidence
ConfigurationWindows audit policy settings
ConfigurationSIEM collection configuration
LogsSample audit logs showing required events
ProcessLog review records from the past 90 days
PolicyAudit and accountability policy

Organizing Your Evidence

Create a logical structure that assessors can navigate:

Option 1: By Control Family

/Evidence
├── Access Control
│   ├── AC.L2-3.1.1
│   │   ├── AD_User_Groups.png
│   │   ├── Access_Request_Form_Sample.pdf
│   │   └── Evidence_Description.txt
│   ├── AC.L2-3.1.2
│   └── [Additional AC controls]
├── Audit and Accountability
├── [Additional families]

Option 2: By Evidence Type

/Evidence
├── Configuration
│   ├── Active_Directory
│   ├── Firewall
│   ├── SIEM
│   └── [Additional systems]
├── Policies
├── Procedures
├── Logs_and_Records
├── Test_Results

Option 3: Hybrid Approach

Organize by control family with consistent evidence types within each:

/Evidence
├── Access Control
│   ├── Configurations
│   ├── Policies
│   ├── Procedures
│   └── Records
├── [Additional families]

Creating an Evidence Matrix

Track what evidence you have for each requirement:

RequirementPolicyConfigurationProcess RecordsTestingStatus
AC.L2-3.1.1Complete
AC.L2-3.1.2Missing records
AC.L2-3.1.3Complete

This matrix helps identify gaps before assessment.

Common Evidence for Key Requirements

Access Control Evidence

  • User account lists with roles
  • Group membership documentation
  • Access approval records
  • Privileged account inventory
  • Remote access configurations
  • VPN settings and logs

Audit and Accountability Evidence

  • Logging configuration screenshots
  • Sample log exports
  • Log review records (dated and signed)
  • SIEM dashboards and alerts
  • Retention configuration settings

Configuration Management Evidence

  • Baseline configuration documentation
  • Change management tickets
  • Configuration scan results
  • Software inventory
  • Patch management records

Identification and Authentication Evidence

  • Password policy configuration
  • MFA configuration and enrollment
  • Account lockout settings
  • Authentication logs

Incident Response Evidence

  • Incident response plan
  • Incident reports (if any occurred)
  • Tabletop exercise records
  • Contact lists and escalation procedures

System and Information Integrity Evidence

  • Antivirus/EDR configuration
  • Malware scan logs
  • Patch status reports
  • Vulnerability scan results
  • Alert configurations

Preparing Evidence for Assessment

Before Assessment:

  1. Complete evidence collection for all requirements
  2. Verify evidence is current (within the past 90 days for dynamic evidence)
  3. Organize evidence logically
  4. Create an evidence index or matrix
  5. Verify you can locate evidence quickly
  6. Test that files open and are readable

During Assessment:

  • Have evidence readily accessible
  • Be prepared to provide additional evidence on request
  • Explain the context when presenting evidence
  • Note any evidence assessors request that you do not have

Evidence Presentation Tips:

  • Annotate complex screenshots
  • Provide brief descriptions explaining what evidence shows
  • Cross-reference evidence to specific requirements
  • Have both digital and printed options available

Common Evidence Mistakes

Mistake 1: Configuration Only

Showing that logging is configured does not prove that logs are reviewed. Include evidence of ongoing activities, not just settings.

Mistake 2: Outdated Evidence

Evidence from two years ago does not demonstrate current compliance. Keep evidence current.

Mistake 3: Disorganized Documentation

If you cannot find evidence quickly, assessors may conclude it does not exist. Organize before assessment.

Mistake 4: Missing Context

A screenshot without explanation may not clearly demonstrate compliance. Add annotations and descriptions.

Mistake 5: Generic Evidence

Evidence should be from your actual systems, not vendor documentation or generic examples.

Mistake 6: Incomplete Coverage

Having evidence for some requirements but not others creates gaps. Systematically cover all requirements.

Tools for Evidence Management

Compliance Platforms

Dedicated tools help manage evidence:

  • Centralized evidence repository
  • Mapping to requirements built in
  • Version tracking
  • Expiration reminders

Document Management Systems

SharePoint, Google Drive, or similar:

  • Folder structure for organization
  • Version history
  • Access controls
  • Search capability

Spreadsheet Tracking

Excel or Google Sheets for evidence matrix:

  • Track what evidence exists
  • Note collection dates
  • Identify gaps
  • Map to requirements

Key Takeaways

Evidence proves your CMMC controls actually work. Collect configuration evidence, process records, testing results, and attestations for each requirement. Organize evidence logically so you can locate it quickly during assessment.

Keep evidence current—configuration from years ago does not demonstrate today’s compliance. Create an evidence matrix to track what you have and identify gaps.

Prepare before the assessment by verifying that all evidence is collected, organized, and accessible. Annotate complex evidence to help assessors understand what they are seeing.

Related Articles:

Official Sources: This article is based on NIST SP 800-171A assessment procedures and the DoD CMMC Assessment Guides.

Evidence collection is easier with the right tools. Contact Greypike for help organizing your CMMC documentation and evidence. For Level 1 certification, Obolix guides you through exactly what evidence you need and helps you collect it—so you can get compliant in a week or less.

Table of Contents