Interview Selection in CMMC Assessments
During a CMMC assessment, the Lead Assessor must work with the Organization Seeking Certification (OSC) to select personnel for interviews. The goal is to:
✅ Verify that personnel understand and perform security-related practices.
✅ Ensure that individuals can explain how they implement CMMC requirements.
✅ Gain insight into actual cybersecurity operations rather than just documented policies.
The best interviewees are those who directly engage with security practices and can clearly explain how they perform their duties.
Why "Providing Clarity and Understanding" Is Key
CMMC assessments rely on interviews to validate that security practices are implemented effectively.
The most valuable interviewees are those who can explain how security measures are applied in day-to-day operations.
CMMC Assessment Process (CAP) emphasizes that assessors should speak to those actively involved in security practices rather than just senior management or policy owners.
Thus, option D is the correct choice because the Lead Assessor should prioritize interviewing personnel who can clearly explain how CMMC practices are implemented.
Why the Other Answers Are Incorrect
A. Have a security clearance.
❌ Incorrect. Security clearance is not a requirement for CMMC assessments. The focus is on practical implementation of security controls, not classified work.
B. Be a senior person in the company.
❌ Incorrect. Senior executives may not be involved in the actual implementation of security controls. The best interviewees are those who perform the work, not just oversee it.
C. Demonstrate expertise on the CMMC requirements.
❌ Incorrect. While understanding CMMC is important, expertise alone does not guarantee practical knowledge of security controls. The key is that interviewees must provide clarity on how they perform security tasks.
CMMC Official References
CMMC Assessment Process (CAP) Document – Guides interview selection based on personnel who perform security functions.
NIST SP 800-171 & CMMC 2.0 – Emphasize that cybersecurity controls must be actively implemented, not just documented.
Thus, option D (Provide clarity and understanding of their practice activities) is the correct answer as per official CMMC assessment guidelines.