This question pertains to theminimum evidence requirementsneeded by a CMMCAssessment Teamto score a practice asMETduring aLevel 2 Assessment.

The CMMC Level 2 assessment must align withNIST SP 800-171and follow the procedures outlined in theCMMC Assessment Process (CAP) Guide v1.0, particularly aroundevidence collection and scoring methodology.

✅Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0

CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices

“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”

This meansat least two typesof the following evidence are required:

Examine(documentation/artifacts),

Interview(affirmation from personnel),

Test(demonstration of implementation).

✅Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET

The CAP explicitly states:

“A practice can only be scored MET when a minimum oftwo types of evidencefrom the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”

Theevidence types must come from two different categories, for example:

An artifact(Examine)+ an interview affirmation(Interview),

A demonstration(Test)+ an interview(Interview),

Etc.

This cross-validation ensures that the control isimplemented, documented, and understoodby personnel — a core principle in assessing effective cybersecurity implementation.

❌Why the Other Options Are Incorrect

A. All three types of evidence are documented for every control

✘Incorrect:While collecting all three types (E-I-T) strengthens the assessment, theminimum requirementis onlytwo. Collecting all three isnot requiredfor a practice to be scoredMET.

B. Examine and accept evidence from one of the three evidence types

✘Incorrect:This fails to meet theminimum two-evidence-type requirementset by the CAP. Single-source evidence is not sufficient to score a practice as MET.

C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation

✘Incorrect:Even if two artifacts are examined,this is still only one type of evidence(Examine). The CAP requires twotypes— not two instances of the same type.

✅Why D is Correct

D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

✔This directly reflects theCAP’s requirement for collecting two different types of objective evidenceto determine a practice is MET.

BLUF (Bottom Line Up Front):

To score a CMMC Level 2 practice asMET, the Assessment Team must collecta minimum of two distinct types of evidence— from theExamine, Interview, Test (E-I-T)categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.