
What Assessors Do

Assessors use three methods to gather evidence for each requirement. Understanding these methods tells you exactly what to prepare.

Examine

Review documents, configurations, logs, and system designs. This is where the bulk of evidence comes from and where most preparation effort should focus.

What they examine:

  • Policies and procedures — are they documented, approved, current, and specific to your environment?
  • System configurations — do the settings match what your policy says? Is the GPO applied? Is the Intune profile deployed?
  • Audit logs — do they exist, do they contain the required content, do they go back far enough?
  • Network diagrams — do they match the actual environment? Can the assessor trace CUI flows?
  • Inventories — are they complete and current?
  • Records — training records, access reviews, change tickets, incident reports, patching records, sanitization logs

What “examine” means for your preparation: Every document must be in final form — signed, approved, current. Drafts don’t count. Working papers don’t count. A policy pending approval doesn’t count. Date everything. Make it findable in under a minute. The assessor shouldn’t wait while you search SharePoint.
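To show how the "final form, current, findable" standard and the audit-log questions above can be checked before the assessor arrives, here is an added Python example. It is not code from the original page and not any assessor's or vendor's tool. It walks a constructed evidence register and flags drafts, unapproved items and documents past a review cycle, then checks a few constructed audit-log lines for retention span and required fields. The 365-day review cycle, the 90-day retention figure, the key=value log layout, the field names and every document identifier are assumptions.

```python
from datetime import date, datetime

# Constructed evidence register: hypothetical document IDs and titles, not from any real program.
EVIDENCE = [
    {"id": "POL-AC-01", "title": "Access Control Policy", "status": "approved", "approved_on": "2024-09-01"},
    {"id": "POL-IR-01", "title": "Incident Response Plan", "status": "draft", "approved_on": None},
    {"id": "DIA-NET-01", "title": "Network diagram, CUI enclave", "status": "approved", "approved_on": "2022-01-15"},
    {"id": "REC-TRN-2025", "title": "Security training records", "status": "approved", "approved_on": "2025-03-10"},
]

# Constructed audit-log lines in a key=value layout; the field names are an assumption.
LOG_LINES = [
    "2025-01-03T08:12:44Z host=fs01 event=4624 user=jdoe result=success",
    "2025-04-18T17:05:02Z host=fs01 event=4625 user=jdoe result=failure",
    "2025-06-30T09:00:00Z host=fs01 event=4720 user=svc_backup",  # 'result' field missing on purpose
]

ASSESSMENT_DATE = date(2025, 7, 1)  # constructed date of the assessment
REVIEW_CYCLE_DAYS = 365             # assumption: policies are re-approved at least annually
REQUIRED_RETENTION_DAYS = 90        # assumption: the organisation's own retention commitment
REQUIRED_FIELDS = ("host", "event", "user", "result")


def check_document(doc, today, review_cycle_days=REVIEW_CYCLE_DAYS):
    """Return the reasons a document would not satisfy an examine-method request."""
    problems = []
    if doc["status"] != "approved":
        problems.append(f"status is '{doc['status']}', not approved")
    if not doc.get("approved_on"):
        problems.append("no approval date recorded")
    else:
        age_days = (today - date.fromisoformat(doc["approved_on"])).days
        if age_days > review_cycle_days:
            problems.append(f"approved {age_days} days ago, past the {review_cycle_days}-day review cycle")
    return problems


def readiness_report(evidence, today):
    """Map document id -> list of problems, for documents that have any."""
    report = {}
    for doc in evidence:
        problems = check_document(doc, today)
        if problems:
            report[doc["id"]] = problems
    return report


def parse_timestamp(line):
    """The first token is an ISO-8601 UTC timestamp; 'Z' is normalised so fromisoformat accepts it."""
    return datetime.fromisoformat(line.split()[0].replace("Z", "+00:00"))


def log_retention_days(lines):
    """Span in days between the oldest and newest log entry."""
    stamps = [parse_timestamp(line) for line in lines]
    return (max(stamps) - min(stamps)).days


def retention_satisfied(lines, required_days=REQUIRED_RETENTION_DAYS):
    """True when the log history covers at least the committed retention period."""
    return log_retention_days(lines) >= required_days


def lines_missing_fields(lines, required=REQUIRED_FIELDS):
    """Return (line_index, missing_fields) for lines lacking any required key=value field."""
    findings = []
    for i, line in enumerate(lines):
        keys = {tok.split("=", 1)[0] for tok in line.split()[1:] if "=" in tok}
        missing = [f for f in required if f not in keys]
        if missing:
            findings.append((i, missing))
    return findings


if __name__ == "__main__":
    for doc_id, problems in readiness_report(EVIDENCE, ASSESSMENT_DATE).items():
        print(doc_id, "->", "; ".join(problems))
    print("log span days:", log_retention_days(LOG_LINES), "retention OK:", retention_satisfied(LOG_LINES))
    print("lines missing fields:", lines_missing_fields(LOG_LINES))
```

Run against a real register and a real log export, the same three checks answer the assessor's examine questions in advance: which documents are still drafts or stale, whether the logs reach back far enough, and whether every event carries the content your audit policy says it must.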


Interview

Talk to the people responsible. The assessor asks staff to describe how things work and verifies their answers match the documentation. This is where they find the gap between what the documents say and what actually happens.

Who they interview:

  • System administrators — “Walk me through how you create an account.” “Show me how you patch this server.”
  • Security staff — “Describe your incident response process.” “How do you review access quarterly?”
  • Account managers / HR — “What happens when someone is terminated?” “How do you screen new hires?”
  • Management — “How are security risks communicated to leadership?” “Who approves security investments?”
  • End users — “Do you know how to report a security incident?” “Have you completed security training?”

What “interview” means for your preparation: The people who manage controls must be able to describe them — not read from a script, but explain in their own words how things actually work. If your security lead can’t explain the incident response process without reading the IR plan, the assessor notices. Brief your team, but don’t over-script them. Authentic knowledge matters more than polished answers.


Test

Exercise the actual mechanisms. This is the “show me” phase — the assessor wants to see controls work, not just read about them.

What they test:

  • Log into a system — does MFA trigger? Does the banner appear? Does the screen lock after the specified timeout?
  • Attempt an unauthorized action — plug in an unapproved USB drive, try to access a CUI share without authorization, attempt to install software as a standard user
  • Verify responses — does the SIEM alert fire? Is the account locked after failed attempts? Does the VPN require MFA?
  • Check live configurations — pull up Intune compliance, show Defender coverage, demonstrate a Sentinel query

What “test” means for your preparation: Every control you claim must actually work when demonstrated. The assessor will try things. If your policy says USB storage is blocked and the assessor plugs in a USB drive that mounts, that’s a NOT MET finding — regardless of how good the policy document looks. Test your own controls before the assessor does.
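As an added example of testing your own controls before the assessor does (not code from the original page, nor from any assessor or vendor), the following Python harness compares an observed configuration snapshot against the values your policy commits to and reports each item as MET, NOT MET, or NOT ASSESSED when no evidence was collected for it. The snapshot values, setting names and thresholds are constructed; the requirement numbers follow NIST SP 800-171 Rev. 2 and are an assumed mapping to confirm against the revision in scope. In practice the OBSERVED dictionary would be filled from a GPO or Intune export rather than typed in.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class ControlCheck:
    requirement: str                    # NIST SP 800-171 Rev. 2 identifier (assumed mapping)
    setting: str                        # key expected in the observed-configuration snapshot
    expected: Any                       # value the policy commits to
    passes: Callable[[Any, Any], bool]  # comparator: observed, expected -> bool
    description: str


# Policy commitments to verify. Thresholds are constructed for illustration.
CHECKS = [
    ControlCheck("3.5.3", "mfa_required", True, lambda obs, exp: obs is exp,
                 "MFA enforced for network access"),
    ControlCheck("3.1.10", "screen_lock_seconds", 900, lambda obs, exp: 0 < obs <= exp,
                 "session lock within 15 minutes of inactivity"),
    ControlCheck("3.1.8", "lockout_threshold", 5, lambda obs, exp: 0 < obs <= exp,
                 "account lockout after a limited number of failed attempts"),
    ControlCheck("3.8.7", "removable_storage_blocked", True, lambda obs, exp: obs is exp,
                 "removable media blocked"),
    ControlCheck("3.1.9", "logon_banner_enabled", True, lambda obs, exp: obs is exp,
                 "security banner displayed at logon"),
]

# Constructed snapshot standing in for values pulled from a GPO or Intune export.
OBSERVED = {
    "mfa_required": True,
    "screen_lock_seconds": 1800,        # policy says 900: the "looks fine on paper" gap
    "lockout_threshold": 5,
    "removable_storage_blocked": False,  # the USB drive would mount
    # "logon_banner_enabled" deliberately absent: no evidence was collected
}


def evaluate(checks, observed):
    """Map requirement id -> (status, detail) for every check."""
    results = {}
    for check in checks:
        if check.setting not in observed:
            results[check.requirement] = ("NOT ASSESSED", f"no observed value for {check.setting}")
            continue
        obs = observed[check.setting]
        if check.passes(obs, check.expected):
            results[check.requirement] = ("MET", f"{check.setting}={obs!r}")
        else:
            results[check.requirement] = (
                "NOT MET", f"{check.setting}={obs!r}, policy expects {check.expected!r}")
    return results


def summarise(results):
    """Count results per status so a gap list can be prioritised."""
    counts = {"MET": 0, "NOT MET": 0, "NOT ASSESSED": 0}
    for status, _ in results.values():
        counts[status] += 1
    return counts


def open_findings(results):
    """Requirement ids that need work before the assessor arrives, sorted."""
    return sorted(req for req, (status, _) in results.items() if status != "MET")


if __name__ == "__main__":
    results = evaluate(CHECKS, OBSERVED)
    for req, (status, detail) in results.items():
        print(f"{req:7} {status:12} {detail}")
    print(summarise(results))
    print("open:", open_findings(results))
```

The NOT ASSESSED outcome is the one worth keeping separate: a setting you never collected evidence for is not a pass, and it is exactly the item the assessor will ask you to pull up live.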


Not every method is used for every requirement — assessors select from the lists in NIST SP 800-171A based on what provides sufficient evidence. But you should be prepared for any combination the assessor chooses. The safest assumption: they’ll examine your documents, interview your people, and test your mechanisms for every significant requirement.