Understanding Adequacy and Sufficiency in CMMC Evidence
When preparing for a CMMC assessment, it’s critical to understand what adequacy and sufficiency mean in the context of your evidence. These terms guide assessors in determining whether your submitted evidence appropriately and completely supports that you meet the security requirements and assessment objectives.
TL;DR (Too Long; Didn’t Read) – Bottom Line Up Front
This is your quick summary of what matters most.
- Adequacy means you’re showing the right thing. Your evidence must directly align with the security requirement and assessment objectives.
- Sufficiency means you’re showing enough. You must provide enough proof that the requirement is fully implemented across all applicable in-scope assets and that it is operational—not just documented.
- You need both adequacy and sufficiency to pass. Having only a policy isn’t enough—you must prove the policy is enforced and fully implemented across all relevant systems.
Quick Self-Test:
✔️ Adequate? Does this evidence directly align with the control?
✔️ Sufficient? Does this evidence fully prove the control is implemented, working, and covers all in-scope systems?
If you’re short on time, this is the bottom line up front (BLUF)—but keep reading for detailed examples, common pitfalls, and best practices for reviewing your CMMC evidence.
Adequacy and Sufficiency
CMMC Definitions:
- Adequacy: The evidence directly aligns with and correctly supports the specific security requirement and associated assessment objectives. Adequate evidence demonstrates that the correct policy, process, procedure, configuration, or activity is in place for the requirement being assessed.
- Sufficiency: The evidence is complete and adequate to demonstrate that the security requirement is fully implemented within the assessment scope or compliance boundary and is operating as intended. Sufficient evidence typically includes multiple sources of proof across all in-scope system types to show the requirement is met in practice—not just on paper.
Key Distinction:
- Adequacy answers: "Am I showing the right thing?"
- Sufficiency answers: "Am I showing enough to fully prove it is real, active, and implemented across all in-scope assets?"
Example #1: Access Control (AC-3.1.1)
Requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices.
Adequate Evidence:
A current and applicable access control procedure that:
- Lists the systems in scope for the CMMC assessment.
- Specifies how logical access to in-scope systems is controlled and limited to only authorized users.
This procedure shows that your organization has developed a process that supports the requirement—so it’s adequate.
Sufficient Evidence:
To be sufficient, you need to show the process is actively working across in-scope assets:
- Completed and approved access request forms for recent hires or changes.
- System screenshots demonstrating that inactive or unauthorized accounts have been disabled.
- User account review logs showing that access rights are regularly reviewed across all system types.
Sufficiency requires operational proof across the entire assessment scope.
Incomplete (Insufficient) Example:
- If you provide only the policy document, the evidence is adequate but insufficient—it shows what you say you do but not that you actually do it.
- If you provide an outdated policy that doesn’t match your current process or doesn’t apply to in-scope systems, the evidence is inadequate and insufficient.
Example #2: Security Configuration Enforcement (CM-3.4.2)
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
Adequate Evidence:
A current and approved baseline configuration document that:
- Covers all system types in scope for the CMMC assessment (e.g., Windows servers, Linux servers, network devices).
- Specifies configuration standards and security hardening settings for each system type.
This document demonstrates that your organization has formally defined baseline configurations—so it’s adequate.
Sufficient Evidence:
To be sufficient, you need to show the baseline configurations are actually applied and maintained across all system types in scope:
- System screenshots or configuration exports from both Windows and Linux servers showing the baseline settings are implemented.
- Change control records showing that baseline deviations were formally reviewed and approved.
- Configuration audit logs or system inventory scans demonstrating that baseline configurations are enforced across the environment.
If your assessment scope includes multiple system types (e.g., Windows, Linux, Cisco routers), evidence must exist for each. Providing evidence from only one system type is insufficient.
Incomplete (Insufficient) Example:
- If you provide the baseline configuration document but no operational proof, the evidence is adequate but insufficient.
- If you provide screenshots only from Windows systems but your environment also includes Linux servers, the evidence is insufficient.
- If you provide an outdated baseline document that no longer matches your current systems, the evidence is inadequate and insufficient.
Best Practices for Evidence Review
When using FutureFeed’s Evidence Export (or similar tools), ask yourself:
Adequacy Check:
- Does this evidence directly relate to the requirement?
- Is it the correct document, screenshot, or log? Is it current?
- Is the evidence specific to the systems and processes in the assessment scope or compliance boundary?
Sufficiency Check:
- Does this evidence fully demonstrate that the requirement is implemented and functioning?
- Does the evidence include proof across all in-scope system types and all applicable assets?
- Does it show the control is operational—not just documented?
Quick Self-Test:
✔️ Adequate? Is this the right proof for the right control?
✔️ Sufficient? Does this prove it’s real, active, and implemented across all in-scope systems?
Adequacy and Sufficiency Evidence Checklist
✔️ Adequacy Checklist – "Am I showing the right thing?"
For each piece of evidence:
- Does the evidence directly map to the specific CMMC security requirement and its assessment objectives?
- Is the evidence current (reflects the present process, system configuration, or activity)?
- Is the evidence specific to the systems and processes in the assessment scope or compliance boundary?
- Does the evidence demonstrate the correct policy, process, procedure, configuration, or activity required by the control?
- If it’s a policy or procedure, is it approved, version-controlled, and assigned to the appropriate owner?
- If screenshots, logs, or system exports are provided, do they correctly identify the systems in scope?
- Is the evidence free of unrelated information that could cause confusion or misalignment?
✔️ Sufficiency Checklist – "Am I showing enough to fully prove it’s real and working?"
For each requirement:
- Do I have operational evidence (not just policies or procedures) showing the control is actively in place?
- Is there evidence showing the control is implemented across all applicable system types in scope? (Example: If you have Windows, Linux, and Cisco devices, evidence must exist for each.)
- Does the evidence include multiple proof points (e.g., screenshots, logs, records, system settings) as appropriate?
- Does the evidence cover the full timeframe being assessed? (For example: account reviews or system scans must reflect recurring or recent activities, not just one-time events.)
- Are there records of enforcement and maintenance, such as approvals, reviews, or audit trails?
- If there are processes that apply to people, are there completed forms, approvals, or training records showing the process was followed?
- Have I reviewed the entire assessment scope and compliance boundary to ensure no system, location, or asset was missed?
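The two checks above (and the Windows/Linux/Cisco coverage rule from Example #2) can be applied mechanically to an evidence inventory. The following Python is an added example, not code from the original article or from FutureFeed; the evidence records, the 365-day currency window, and the scope are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Evidence:
    control: str             # requirement the artifact is offered for, e.g. "CM-3.4.2"
    kind: str                # "documentary" (policy, procedure, baseline) or "operational"
    system_types: frozenset  # system types the artifact actually shows; empty for documents
    collected: date          # date the artifact reflects
    in_scope: bool = True    # does it identify systems inside the assessment scope?


def review_control(control, items, scope_types, as_of, max_age_days=365):
    """Apply the adequacy and sufficiency questions to one requirement."""
    relevant = [e for e in items if e.control == control]
    # Adequacy: maps to the right control, is current, and is specific to in-scope systems.
    adequate = [e for e in relevant
                if e.in_scope and 0 <= (as_of - e.collected).days <= max_age_days]
    # Sufficiency: operational proof (not just documents) exists for every in-scope system type.
    operational = [e for e in adequate if e.kind == "operational"]
    covered = frozenset().union(*(e.system_types for e in operational))
    missing = set(scope_types) - covered
    return {
        "adequate": bool(adequate),
        "sufficient": bool(operational) and not missing,
        "missing_system_types": sorted(missing),   # gaps an assessor would flag
        "rejected": len(relevant) - len(adequate),  # stale or out-of-scope artifacts
    }


# Constructed sample inventory mirroring Example #2: a current baseline document,
# Windows screenshots, a stale Linux export, and an artifact for a different control.
AS_OF = date(2025, 6, 1)
SCOPE = {"windows", "linux", "cisco"}
SAMPLE = [
    Evidence("CM-3.4.2", "documentary", frozenset(), date(2025, 3, 15)),
    Evidence("CM-3.4.2", "operational", frozenset({"windows"}), date(2025, 5, 20)),
    Evidence("CM-3.4.2", "operational", frozenset({"linux"}), date(2022, 1, 10)),
    Evidence("AC-3.1.1", "documentary", frozenset(), date(2025, 4, 1)),
]

if __name__ == "__main__":
    # Adequate (baseline plus Windows proof) but insufficient: Linux and Cisco are uncovered.
    print(review_control("CM-3.4.2", SAMPLE, SCOPE, AS_OF))
```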
✔️ Final Self-Test
- Adequate? ✔️ Does this evidence correctly match the control and assessment objective?
- Sufficient? ✔️ Does this evidence fully prove the control is in place, working, and covers all in-scope systems?
Takeaway
You need both adequate and sufficient evidence to pass a CMMC assessment. Adequate evidence shows you’re presenting the right information that directly maps to the control. Sufficient evidence shows that the control is fully implemented, enforced, and proven across the assessment scope.
By focusing on both elements, you will build a strong, defensible body of evidence that stands up to assessor scrutiny.