Understanding Assessment Methods in CMMC 2.0
According to theCMMC Assessment Process (CAP) Guide, assessors usethree primary assessment methodsto determine compliance with security practices:
Examine– Reviewing documents, policies, configurations, and system records.
Interview– Speaking with personnel to gather insights into security processes.
Test– Performing technical validation of system functions and security controls.
Why Option C (Examine) is Correct
TheAssessment Team Memberis inspectingAssessment Objects(e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient forAC.L1-3.1.1 (Access Control – Authorized Users).
This activity aligns directly with theExaminemethod, which involves reviewing artifacts such as:
Access control lists (ACLs)
System user authentication logs
Account management policies
Role-based access control settings
"Observe" (Option B)is incorrect because "observing" is not an official assessment method in CMMC.
"Test" (Option A)is incorrect because the assessment is not actively executing a function but ratherreviewingevidence.
"Interview" (Option D)is incorrect because no personnel are being questioned—only documentation is being reviewed.
Official CMMC Documentation References
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods
CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)
Final Verification
Since the activity involves reviewing documents and records to verify access control measures, it falls under theExaminemethod, makingOption C the correct answer.
