Understanding Adequacy and Sufficiency in CMMC Evidence
When preparing for a CMMC assessment, it's critical to understand what adequacy and sufficiency mean in the context of your evidence. These terms guide assessors in determining whether your submitted evidence appropriately and completely supports that you meet the security requirements and assessment objectives.
TL;DR (Too Long; Didn't Read)
This is your quick summary of what matters most.
- Adequacy means you're showing the right thing. Your evidence must align with the security requirement it is being provided for.
- Sufficiency means you're showing enough. You must provide enough proof that the requirement is fully implemented across all applicable in-scope assets and that it is operational, not just documented.
- You need both adequacy and sufficiency to pass.
- Quick Self-Test:
  - Adequate? Is this the right evidence? Does it directly align with the control and the requirement it is being provided for?
  - Sufficient? Does this evidence fully prove the control/requirement is properly implemented across all in-scope assets and is working as intended?
If you're short on time, this is the bottom line up front (BLUF), but keep reading for detailed examples, common pitfalls, and best practices for reviewing your CMMC evidence.
Understanding Controls, Requirements, and Evidence

Before we dive into adequacy and sufficiency, it's important to understand the difference between controls and requirements.
- Requirement: What you are required to do.
- Control: The system, process, or combination of both that you put in place to meet the requirement.
Example:
Your company requires limiting system access to only authorized users.
To meet this requirement, you:
- Deploy access control software.
- Implement system settings that require username, password, and multi-factor authentication.
- Establish administrative processes to:
  - Request, review, approve, and document authorized access.
  - Create and deactivate user accounts.
  - Periodically review active accounts to ensure no stale or unauthorized access exists.
Together, these processes and tools make up the control.
What is Evidence?
Evidence is the proof that your controls are implemented and working. It demonstrates that you are meeting the requirement, not just in documentation, but in actual operations.
Evidence typically comes from:
- Documents: Policies, procedures, screenshots, system logs, configurations, completed forms.
- Interviews: Conversations with staff who perform the security activities.
- Demonstrations: Showing the control in action (e.g., logging in, system settings, security scans).
Key Principle:
If you tell an assessor you're doing something, you need to prove it.
Example: Linking Evidence to Controls and Requirements
Requirement:
Limit logical access to an information system to only authorized users.

Control:
To meet the above requirement, your organization chooses to restrict logical access to the information system to only authorized users of that system (Ref #1). To enforce this, you implement access control software (Ref #2) and deploy security configuration settings (Ref #3) that require users to authenticate using an account, username, password, and multi-factor authentication. You also establish several administrative processes to manage access (Ref #4 through #7):

| Ref # | Evidence - Proof That You Have: |
|---|---|
| #1 | Successfully restricted logical access to that information system to only authorized users of that information system. Potential evidence: |
| #2 | Access control software, implemented and working as intended. Potential evidence: |
| #3 | Deployed security configuration settings. Potential evidence: |
| #4 | A process, using a form, to request, review, approve, and document authorized access; a process for granting access; and proof that you are using and following those processes. Potential evidence: |
| #5 | A process for creating the information system accounts. Potential evidence: |
| #6 | A process to deactivate accounts, and proof that you are using and following that process. Potential evidence: |
| #7 | A process to audit the account creation and deactivation processes by reviewing all active accounts on a defined frequency, and proof that you are using and following that process. Potential evidence: |
Adequacy and Sufficiency Explained

Adequacy
Adequacy means you are showing the right thing.
The evidence you provide must directly relate to the requirement and the control you have implemented.
- Does the evidence directly support the requirement?
- Does it prove the control that you say is in place?
Sufficiency
Sufficiency means you are showing enough.
The evidence must fully demonstrate that the control is fully implemented across all in-scope assets and is operational.
- Does the evidence cover all applicable system types, locations, and assets?
- Does it show the control is consistently enforced, not just documented?
Easy-to-Understand Examples
Example #1: Security Configuration Enforcement (CM-3.4.2)
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
Adequate Evidence:
A current and approved baseline configuration document that:
- Covers all system types in scope for the CMMC assessment (e.g., Windows servers, Linux servers, network devices).
- Specifies security configuration settings for each system type.
This document demonstrates that your organization has formally defined baseline configurations and baseline security configuration settings, so it's adequate.
Sufficient Evidence:
To be sufficient, you need to show the baseline configurations are actually applied and maintained across all system types in scope:
- System screenshots or configuration exports from both Windows and Linux servers showing the baseline settings are implemented.
- Change control records showing that baseline deviations were formally reviewed and approved.
- Configuration audit logs or system inventory scans demonstrating that baseline configurations are enforced across the environment.
If your assessment scope includes multiple system types (e.g., Windows, Linux, Cisco routers), evidence must exist for each. Providing evidence from only one system type is insufficient.
Incomplete (Insufficient) Example:
- If you provide the baseline configuration document but no operational proof, the evidence is adequate but insufficient.
- If you provide screenshots only from Windows systems but your environment also includes Linux servers, the evidence is insufficient.
- If you provide an outdated baseline document that no longer matches your current systems, the evidence is inadequate and insufficient.
Example #2: Physical Access Control (PE-3.10.1)
Requirement: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals.
Adequate Evidence:
A current physical security policy that:
- Requires all employees and visitors to use badge access to enter the facility.
- States that visitors must sign in and be escorted at all times.
This is the right type of evidence because it directly supports the requirement and describes the control you've put in place to protect physical access.
Sufficient Evidence:
- Badge access logs showing who entered the building over the past 30 days.
- A completed visitor log showing escorted visitor activity.
- Photos or video demonstrating that badge readers are installed and in use.
- An interview with the security officer explaining how badge access is managed and how visitor escort requirements are enforced.
This shows the control is actively enforced, operating across the entire facility, and consistently followed.
Insufficient Example:
Providing only the written security policy: adequate but not sufficient. (It shows what you say you do, but not that you actually do it.)
Providing outdated security procedures that no longer match your current badge system: not adequate and not sufficient.
Best Practices for Evidence Review
When gathering evidence, ask yourself:
✔️ Adequacy Checklist: "Am I showing the right thing?"
For each piece of evidence:
- Does the evidence directly map to the specific CMMC security requirement and its assessment objectives?
- Is the evidence current (reflects the present process, system configuration, or activity)?
- Is the evidence specific to the systems and processes in the assessment scope or compliance boundary?
- Does the evidence demonstrate the correct policy, process, procedure, configuration, or activity required by the control?
- If it's a policy or procedure, is it approved, version-controlled, and assigned to the appropriate owner?
- If screenshots, logs, or system exports are provided, do they correctly identify the systems in scope?
- Is the evidence free of unrelated information that could cause confusion or misalignment?
✔️ Sufficiency Checklist: "Am I showing enough to fully prove it's real and working?"
For each requirement:
- Do I have operational evidence (not just policies or procedures) showing the control is actively in place?
- Is there evidence showing the control is implemented across all applicable system types in scope? (Example: If you have Windows, Linux, and Cisco devices, evidence must exist for each.)
- Does the evidence include multiple proof points (e.g., screenshots, logs, records, system settings) as appropriate?
- Does the evidence cover the full timeframe being assessed? (For example: account reviews or system scans must reflect recurring or recent activities, not just one-time events.)
- Are there records of enforcement and maintenance, such as approvals, reviews, or audit trails?
- If there are processes that apply to people, are there completed forms, approvals, or training records showing the process was followed?
- Have I reviewed the entire assessment scope and compliance boundary to ensure no system, location, or asset was missed?
✔️ Final Self-Test
- Adequate? ✔️ Does this evidence correctly match the control and assessment objective?
- Sufficient? ✔️ Does this evidence fully prove the control is in place, working, and covers all in-scope systems?
Takeaway
You need both adequate and sufficient evidence to pass a CMMC assessment. Adequate evidence shows you're presenting the right information that directly maps to the control. Sufficient evidence shows that the control is fully implemented, enforced, and proven across the assessment scope.
By focusing on both elements, you will build a strong, defensible body of evidence that stands up to assessor scrutiny.
Need Further Assistance?
📌 Join Our Weekly Group Meeting
If you need additional assistance, register for our weekly group meeting, where we address all FutureFeed and compliance-related questions: