Skip to content
  • There are no suggestions because the search field is empty.

Using FutureFeed During a CMMC Assessment and Evidence Export Guidance

When preparing for and participating in a Cybersecurity Maturity Model Certification (CMMC) assessment, you can decide how to best leverage FutureFeed based on your team’s workflow and assessment approach. This article provides recommendations for using FutureFeed during an assessment, guidance on assessor access, and important considerations for evidence export and hashing.

TL;DR (Too Long; Didn’t Read)

This is your quick summary of what matters most.

  • Recommended to keep FutureFeed open during your CMMC assessment to quickly answer questions, present evidence, and keep the assessment moving efficiently.
  • FutureFeed’s Assessor Role can give your assessor read-only access to your compliance records, making evidence review easier and faster (optional, but helpful).
  • When exporting evidence from FutureFeed, hashing must be performed outside the tool. Follow the official DoD CMMC Hashing Guide.
  • The quality of your evidence export depends on how well you’ve linked your artifacts to your requirements in FutureFeed. Always double-check for accuracy and sufficiency.
  • Adequacy means you’re showing the right thing. Sufficiency means you’re showing enough. You need both to pass.

If you’re short on time, this is the bottom line up front (BLUF)—but if you want to optimize your assessment workflow, dive into the full article below.

 

 

Recommended Use of FutureFeed During an Assessment
Screenshot 2025-07-01 at 3.49.23 PM

We recommend keeping FutureFeed open and accessible to your team throughout the assessment. This allows you to follow along in real time and quickly reference your compliance records as needed.

 

For example, if the C3PAO assessment team is interviewing you about a specific requirement (e.g., AC-3.1.1), your personnel can easily navigate to that requirement in the Assess page to refresh their memory on how it was implemented. The Summary Notes and Assessment Objective Statements provide a quick, at-a-glance reference to review implementation details and methods.

 

Additional Benefits of Having FutureFeed Open During an Active Assessment:

  • Visual Aids for Discussions: If you need to present or display supporting artifacts and evidence during the interview, you can access them immediately from the Assess page—keeping the assessment efficient, organized, and on track.
  • Quick Navigation for Follow-Up Questions: If the assessor moves from one requirement to another or requests deeper insight into related controls, you can quickly pivot within FutureFeed to pull up connected controls, artifacts, or associated teams without delay.
  • Compliance Program Storytelling: Showing the assessor how your evidence is linked within FutureFeed helps you tell a clear, structured story about how your organization manages compliance. This also demonstrates your maturity and confidence in your system of record.

  • Real-Time Delivery of Additional Evidence: If the assessor requests additional evidence during the assessment, you can locate and display it immediately within FutureFeed, closing out requests in real time. This reduces follow-up and helps keep the assessment moving smoothly.'

     

 

Assessor Access to FutureFeed

 

You may want to ask your assessors if they are comfortable accessing your FutureFeed environment directly.

  • Assessor Role: You can provide them with an Assessor Role account, which grants:
    • Read-only access to the Compliance Dashboard and the System Security Plan (SSP) section.
    • No ability to edit, delete, or modify anything in your FutureFeed environment.

This optional access allows assessors to navigate your SSP and Body of Evidence in a clean, intuitive interface, helping them efficiently locate connected evidence and artifacts.

 

For more information about the Assessor Role in FutureFeed, please see: Introducing the Assessor Role in FutureFeed

 

 

Evidence Export and Hashing Guidance

 

ChatGPT Image Jul 1, 2025, 03_55_17 PM

 

Hashing Evidence:

At this time, FutureFeed does not include a built-in evidence file or folder hashing capability. Hashing must be performed outside of FutureFeed.

To meet CMMC hashing requirements:

  1. Perform an Evidence Export (for Files and Data) from the Deliverables section in FutureFeed.
  2. Review the export’s layout, file naming, and content to ensure it meets your expectations. Adjust if needed.
  3. Follow the hashing procedures outlined in the official DoD CIO CMMC Hashing Guide:
    ?? DoD CMMC Hashing Guide v2

 

Important Assumption for Evidence Export:

The Evidence Export (for Files and Data) supports exporting all evidence and artifact records housed in FutureFeed. However, the quality and completeness of the export directly reflect the level of evidence that has been:

  • Properly uploaded into FutureFeed
  • Connected to the relevant security requirements
  • Mapped to the appropriate assessment objectives

If your organization has not consistently linked all evidence to the corresponding requirements and objectives within FutureFeed, the export may not represent a complete Body of Evidence.

 

Best Practices:

  • Carefully review the export contents to ensure all required artifacts are present, organized, titled appropriately, and aligned with your assessment scope.
  • Use the Assess page to validate that each control has properly connected evidence and that no critical artifacts are missing from your FutureFeed environment.

  • Review the export for both accuracy and sufficiency. See below for definition.

     

 

Understanding Adequacy and Sufficiency in CMMC Evidence

 

When preparing for a CMMC assessment, it’s critical to understand what adequacy and sufficiency mean in the context of your evidence. These terms guide assessors in determining whether your submitted evidence appropriately and completely supports that you meet the security requirements and assessment objectives.

 

CMMC Definitions:

  • Adequacy: The evidence directly aligns with and correctly supports the specific security requirement and associated assessment objectives. Adequate evidence demonstrates that the correct policy, process, procedure, configuration, or activity is in place for the requirement being assessed.
  • Sufficiency: The evidence is complete and adequate to demonstrate that the security requirement is fully implemented within the assessment scope or compliance boundary and is operating as intended. Sufficient evidence typically includes multiple sources of proof across all in-scope system types to show the requirement is met in practice—not just on paper.

 

Key Distinction:

  • Adequacy answers: "Am I showing the right thing?"
  • Sufficiency answers: "Am I showing enough of the right thing, to fully prove it is real, active, and implemented across all in-scope assets?"

 

Learn more about Evidence Accuracy and Sufficiency here: Understanding Adequacy and Sufficiency in CMMC Evidence

 

 

Closing Thoughts

Leveraging FutureFeed throughout your CMMC assessment not only helps streamline your workflow but also demonstrates your organization’s commitment to managing cybersecurity in an organized, transparent, and efficient way. By staying actively engaged with your evidence, ensuring proper mapping to security requirements, and verifying both the accuracy and sufficiency of your documentation, you can position your team for a smoother assessment experience. With thoughtful preparation and effective use of FutureFeed, you can confidently support your compliance journey and maintain a strong, defensible Body of Evidence.

 

 

Need Further Assistance?

 

📌Join Our Weekly Group Meeting

If you need additional assistance, register for our weekly group meeting, where we address all FutureFeed and compliance related questions:

👉Register here

 

FutureFeed Footer – Newest