The Evidence page helps you collect and organise the artifacts that prove your CMMC practices are implemented and your controls are operating effectively.

Evidence Types

| Type | Description | Examples |
| --- | --- | --- |
| Policy | Formal documents establishing rules | Access Control Policy, IR Policy |
| Procedure | Step-by-step instructions | Account provisioning, patch management |
| Configuration | System settings and configs | GPO exports, firewall rules, MFA settings |
| Record | Logs and historical data | Audit logs, access reviews, scan reports |
| Plan | Forward-looking documents | SSP, POA&M, Contingency Plan |
| Certificate | Third-party attestations | FedRAMP authorisations, pen test reports |

Assessment-Ready Documentation

| Method | What assessors do | Evidence to prepare |
| --- | --- | --- |
| Examine | Review documentation and configurations | Policies, SSP, config exports, audit logs |
| Interview | Discuss with responsible personnel | Org charts, role descriptions, training records |
| Test | Exercise controls and observe results | Test plans, screenshots of controls in operation |

Best Practices

- Date your evidence — Assessors need to see that evidence is current
- Cover all assessment objectives — Each NIST SP 800-171 requirement has specific objectives
- Show ongoing operation — Include records demonstrating policies are being followed
- Use consistent naming — Include domain, practice ID, and artifact type
- Refresh regularly — Set review dates for evidence artifacts
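
The naming, dating and refresh practices above can be checked mechanically before an assessment. The following is an added example, not part of the product: it assumes a file-naming convention of `<practice ID>_<type>_<YYYY-MM-DD>_<description>.<ext>`, CMMC-style practice IDs such as `AC.L2-3.1.1`, and a 365-day review interval, none of which are defined by this page.

```python
import re
from datetime import date, timedelta

# Artifact types taken from the Evidence Types table on this page.
EVIDENCE_TYPES = {"policy", "procedure", "configuration", "record", "plan", "certificate"}

# Assumed convention: <practice ID>_<type>_<YYYY-MM-DD>_<description>.<ext>
# The practice ID is assumed to look like "AC.L2-3.1.1" (domain = first two letters).
NAME_RE = re.compile(
    r"^(?P<domain>[A-Z]{2})\.L(?P<level>[1-3])-(?P<req>\d+\.\d+\.\d+)"
    r"_(?P<type>[a-z]+)_(?P<date>\d{4}-\d{2}-\d{2})_(?P<desc>[a-z0-9-]+)\.[a-z0-9]+$"
)

def check_artifact(filename, today, max_age_days=365):
    """Return a list of findings for one evidence file name (empty list = OK)."""
    m = NAME_RE.match(filename)
    if not m:
        return ["name does not follow <practice>_<type>_<date>_<desc>.<ext>"]
    findings = []
    if m["type"] not in EVIDENCE_TYPES:
        findings.append(f"unknown artifact type '{m['type']}'")
    try:
        dated = date.fromisoformat(m["date"])
    except ValueError:  # well-formed digits but not a real calendar date
        return findings + [f"invalid date '{m['date']}'"]
    if dated > today:
        findings.append("evidence date is in the future")
    elif today - dated > timedelta(days=max_age_days):
        findings.append(f"stale: dated {dated}, review interval is {max_age_days} days")
    return findings

def audit(filenames, today, max_age_days=365):
    """Map each non-compliant file name to its findings."""
    checked = {n: check_artifact(n, today, max_age_days) for n in filenames}
    return {n: f for n, f in checked.items() if f}

# Constructed sample inventory, for illustration only.
SAMPLE = [
    "AC.L2-3.1.1_policy_2025-01-15_access-control-policy.pdf",
    "IA.L2-3.5.3_configuration_2023-02-01_mfa-settings.json",
    "AU.L2-3.3.1_screenshot_2025-03-10_audit-log-view.png",
    "firewall rules final v2.xlsx",
    "CM.L2-3.4.1_record_2025-02-30_baseline-scan.csv",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, today=date(2025, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```

Pass a fixed `today` when running this in CI so results are reproducible, and set `max_age_days` to match your own review schedule.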