Understanding CMMC Assessment Requirements
CMMC assessments use three assessment methods to verify compliance with security practices:
Examine – Reviewing documentation, policies, logs, or records.
Interview – Speaking with personnel to confirm understanding and execution.
Test – Verifying through technical or operational means that the practice is being performed.
Assessment Findings in the Given Scenario
Practice is documented as occurring monthly, but logs show quarterly execution.
Interviews indicate monthly execution, but documentation does not support this claim.
Why the Organization Fails the Practice
Answer A (Incorrect): The work is being performed, but documentation is lacking, so the failure is not purely due to missing execution.
Answer B (Incorrect): The documented frequency does not match the evidence in logs, so the practice is not being done as fully documented.
Answer C (Correct): CMMC requires all three assessment methods (Examine, Interview, Test) to align. Since logs contradict the stated frequency, the practice fails compliance.
Answer D (Incorrect): Interview responses alone are not enough. The CMMC CAP Guide and NIST SP 800-171A require corroboration with logs (Examine) and technical verification (Test).
Conclusion
The correct answer is C: To pass a practice, the organization must provide evidence across all three assessment methods.
CMMC Assessment Process (CAP) Guide – Cyber AB
NIST SP 800-171A – Assessing Security Requirements for CUI
DoD CMMC 2.0 Scoping and Assessment Guide