The Evidence page helps you collect and organise the artifacts that prove your CMMC practices are implemented and your controls are operating effectively.
Evidence Types
Type
Description
Examples
Policy
Formal documents establishing rules
Access Control Policy, IR Policy
Procedure
Step-by-step instructions
Account provisioning, patch management
Configuration
System settings and configs
GPO exports, firewall rules, MFA settings
Record
Logs and historical data
Audit logs, access reviews, scan reports
Plan
Forward-looking documents
SSP, POA&M, Contingency Plan
Certificate
Third-party attestations
FedRAMP authorisations, pen test reports
Assessment-Ready Documentation
Method
What assessors do
Evidence to prepare
Examine
Review documentation and configurations
Policies, SSP, config exports, audit logs
Interview
Discuss with responsible personnel
Org charts, role descriptions, training records
Test
Exercise controls and observe results
Test plans, screenshots of controls in operation
Best Practices
Date your evidence — Assessors need to see that evidence is current
Cover all assessment objectives — Each NIST SP 800-171 requirement has specific objectives
Show ongoing operation — Include records demonstrating policies are being followed
Use consistent naming — Include domain, practice ID, and artifact type
Refresh regularly — Set review dates for evidence artifacts