During aCMMC Level 2 assessment, assessors requireobjective evidencethat security controls are implementedin the actual operating environmentwhereControlled Unclassified Information (CUI)is handled.
This means thattests or demonstrations must be conducted in the production environment, where the organization’s real systems and security controls are in use.
Assessment teams need to validate security controls in the actual environment where they are applied, ensuring that security measures are in effect in thereal-world operating conditions.
Option A (Client)is incorrect because "Client" is not a defined assessment environment.
Option C (Development)is incorrect because testing in a development environmentdoes not accurately represent the production security posture.
Option D (Demonstration)is incorrect becausedemonstrations in a separate test environment do not provide valid evidence for CMMC assessments—actual security implementations must be verified in production.
CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)
NIST SP 800-171 Assessment Procedures(Verification must occur in the actual system where CUI resides.)
Understanding the Assessment Environment RequirementWhy Option B (Production) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSinceCMMC assessments require security controls to be validated in the actual production environment, the correct answer isOption B: Production.
