Understanding CMMC Assessment MethodsTheCybersecurity Maturity Model Certification (CMMC) 2.0follows theNIST SP 800-171A assessment methodology, which includesthree primary assessment methods:
Examine– Reviewing policies, procedures, system configurations, and documentation.
Interview– Engaging with personnel to validate their understanding and execution of security practices.
Test– Conducting actual technical or operational tests to determine whether security controls function as expected.
"Test" is the method that compares actual-specified conditions with expected behavior.
It involvesexecuting procedures, configurations, or automated toolsto see if thesystem behaves as required.
For example, if a policy states that multi-factor authentication (MFA) must be enforced, a test would involveattempting to log in without MFAto confirm whether access is blocked as expected.
TheNIST SP 800-171A Guide (Assessment Procedures for CUI)defines testing as an assessment method that:
Actively verifies a security control is functioning
Simulates real-world attack scenarios
Checks compliance through system actions rather than documentation
B. Examine (Incorrect)
Examining only involvesreviewing policies, procedures, or configurationsbut does not actively test system behavior.
C. Compile (Incorrect)
"Compile" is not an assessment method in CMMC 2.0 or NIST SP 800-171A.
D. Interview (Incorrect)
Interviews are used to gather insights from personnel, but they do not compare actual conditions with expected behavior.
The correct answer isA. Testbecause itactively verifies system performance against expected security conditions.
[References:, NIST SP 800-171A, "Assessing Security Requirements for CUI", CMMC 2.0 Assessment Process (CAP) Guide, DoD CMMC Scoping and Assessment Guidelines, , , ]
