Understanding Evidence Sufficiency in CMMC Level 2 AssessmentsDuring aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:
Examinations– Reviewing documents, configurations, and system records.
Interviews– Speaking with personnel to confirm implementation and understanding.
Testing– Observing security controls in action to validate effectiveness.
To determine whether evidence issufficient, the assessor ensures that it:
Directly supports the assessment objective.
Demonstrates that the practice is consistently implemented.
Can be independently verified.
Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.
Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.
Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.
Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.
CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)
CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation
Why Option B (Sufficiency) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.
