During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy– Does the evidence meet the intent of the security requirement?
Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:
✅1. Adequacy – Does the evidence fully meet the requirement?
Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.
✅2. Sufficiency – Is there enough evidence to support the claim?
Sufficiencymeans that there isenough supporting evidenceto prove compliance.
Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.
Why the Other Answer Choices Are Incorrect:
(B) Adequacy and Thoroughness❌
Thoroughnessis not a defined metric in CMMC evidence evaluation.
The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).
(C) Sufficiency and Thoroughness❌
Thoroughnessis not a recognized term in CMMC compliance validation.
Evidence must beadequate and sufficient, not just thorough.
(D) Sufficiency and Appropriateness❌
Appropriatenessis not a CMMC-defined criterion.
Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).
Final Validation from CMMC Documentation:
CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.
