Under theCMMC Assessment Process (CAP)andCMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed throughthree primary assessment methods:
Examination– Reviewing documents, records, system configurations, and other artifacts.
Interviews– Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing– Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.
TheCMMC Assessment Process (CAP)states that an assessor must use acombinationof evidence-gathering methods (examinations, interviews, and tests) to determine compliance.
CMMC 2.0 Level 2(Aligned withNIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.
Solely relying ononemethod (like interviews in Option A) is insufficient.
Testing all practices or objectives (Option B)is unnecessary, as assessors followscoping guidanceto determine which objectives need deeper examination.
Testing only "certain" objectives (Option C)does not fully align with the requirement of gatheringsufficient evidencefrom multiple methods.
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methodsexplicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E: Assessment Proceduresstates that an assessor should use multiple sources of evidence to determine compliance.
Why Option D is CorrectCMMC 2.0 and Official Documentation ReferencesFinal VerificationTo ensure compliance withCMMC 2.0 guidelines and official documentation, an assessor must useexaminations, interviews, and teststo gather evidence effectively, makingOption D the correct answer.
