Most defense contractors approaching a CMMC Level 2 assessment believe their evidence is ready. They’ve written the policies, documented the procedures, and uploaded everything to the portal. Then Kevin Schaaff starts asking questions — and the gaps appear fast.
We look at what you wrote, what you do, and what you tell us. Those three have to line up.
Kevin is a Lead CMMC Assessor at Business Transformation Institute (BTI) who helped write the CMMC Assessment Process itself. In a recent training session with the PreVeil team, he shared lessons from the dozens of assessments he’s led. He noted that those who stumbled in their assessments did so not because they weren’t doing the work, but because their documentation, interviews, and systems told three different stories.
If you’re heading into a CMMC assessment, here’s what Kevin actually looks for — and how to make sure your evidence holds up when he does.
The Three-Part Evidence Test: Examine, Interview, Test
“Without looking at the system, it’s hard to tell if they’ve actually done it. So I’ll read your document, you’ll tell me about it, and then I’ll say show me.” – Kevin
Every CMMC control gets evaluated using at least two of three methods — and often all three. The assessor will examine your documentation and system settings, interview the people responsible for those controls, and test that the systems actually behave as documented. Most evidence packages don’t fall apart because documentation is missing. They fall apart because the three don’t align.
Here’s a real example. An SSP stated that all network access required multi-factor authentication — administrators included. During the interview, the system admin mentioned a separate VPN for admin access that “just has a complex password.” During testing, the assessor watched the admin log in. Single factor. Compliance not met, despite documentation that said all the right things.
In this case, the documentation was aspirational. It didn’t reflect the current operational process.
What Makes Evidence Valid
“Think of it just like a court case. You’re the prosecuting attorney, we’re the judge, you’re trying to prove your case. Your evidence has to be verifiable and objective.” – Kevin
Understanding the EIT (Examine, Interview, Test) framework is step one. Step two is knowing what makes evidence actually hold up. Kevin evaluates every piece of evidence against six criteria — and solid documentation alone won’t save you if the others aren’t met.
Two things determine whether evidence clears this bar in practice.
Specificity. Vague statements like “access is restricted as needed” or “training is provided regularly” give an assessor nothing to verify. Specific statements — “three unsuccessful login attempts within a 30-minute window” or “insider threat training completed within 30 days of hire” — are measurable and testable. Precision closes questions. Ambiguity opens investigations.
Currency. Evidence needs to reflect how things work today. Documents marked “Draft” are disqualified on the spot. Policies with no review dates, screenshots from years ago, references to systems you no longer use — all red flags. If it doesn’t reflect your current environment, it doesn’t count.
Here’s how fast things can unravel, even with strong documentation. An organization’s SOP clearly stated that all employees with CUI access must complete security awareness training — including insider threat training — and that completions are tracked in a dedicated tracker. During the interview, the assessor asked an employee about their insider threat training. The employee had no idea what it was. The assessor pulled the tracker. The employee had been with the company for three years and had never taken it. Not met.
Kevin calls awareness and training “almost a gimme.” It should have been an easy pass. But no one had verified that people were actually completing the training. The documentation was right. The follow-through wasn’t. That’s the difference between conforming on paper and conforming in practice.
How PreVeil can help: Most companies don’t know which controls they need to meet CMMC requirements — let alone how to document them in a way an assessor can verify. The PreVeil Compliance Accelerator walks you through both. Take log retention — it guides you to document your retention period in your SSP, configure it correctly, and store the proof so your admin can pull it up on the spot. When the assessor examines, interviews, and tests, the answer is the same every time.
Keeping track of all six criteria across every control is harder than it sounds. We built a one-page checklist to help. Download our CMMC Evidence Checklist.
The Interview: Where Evidence Proves Itself or Falls Apart
“A dead giveaway: I ask the person I’m interviewing to show me a setting — and they don’t even know how to log into the application, much less find it. That immediately becomes a not met.” – Kevin
Documentation can be perfect, and the interview can still sink you. There’s a real difference between a poor answer, a passable answer, and an expert answer — and assessors know the difference immediately.
“I think we do that” fails the burden of proof on the spot. “Yes, we limit unsuccessful login attempts” is technically fine but invites follow-up. “Yes, here’s our access control policy — we limit to five attempts within 30 minutes, applied through GPO. Let me show you” closes the question before the assessor has to ask another one.
If a question falls outside your area, redirect rather than guess. “That’s handled by the networking team — let me get them for you” is a perfectly good answer. It shows you understand your organization’s roles, and it avoids the worst outcome: contradicting documentation you’ve never seen. Your answer must never sound like a guess. The moment someone starts hedging, the assessor starts digging.
How PreVeil can help: The Compliance Accelerator helps your POC understand the assessor framework, ensuring the right people are in the room. An IT admin’s interview looks very different from a customer account rep’s — knowing who belongs where and what they need to demonstrate is half the battle. Pro tip: only answer the question asked. Nothing more, nothing less.
How Many Examples Do You Actually Need?
“It’s up to the lead assessor’s discretion on how many examples we need to see. The more vague you are, the deeper we’re going to start going.” – Kevin
It depends — mostly on how the interview goes. Plan for three to five examples across different systems, users, or scenarios. One carefully prepared demo on one carefully configured system won’t cut it.
For MFA, that means demonstrating a standard user login, an admin login with their standard account, admin elevation, and remote VPN access. For training records, it means pulling records for employees hired at different times — not just one recent hire — and showing no systematic gaps.
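The tracker check that the SOP in the earlier training example assumed someone was doing, written here as an added example (not PreVeil’s or BTI’s code and not part of the original post): it reads a constructed CSV export of a training tracker, applies the “within 30 days of hire” rule quoted above to every employee with CUI access across several hire dates, and summarises misses by hire year so a systematic gap shows up as a cohort rather than a single name. The column names, employee names, dates and the assessment date are assumptions.

```python
"""
Audit a training tracker the way an assessor samples it: every employee
with CUI access, across hire dates, checked against the SOP rule quoted in
the article ("insider threat training completed within 30 days of hire").
Column names, employee names and dates below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample tracker (not real data). The column layout is an
# assumption about how such a tracker might be exported; adapt to your own.
TRACKER_CSV = """\
employee,hire_date,cui_access,insider_threat_completed
a.alvarez,2021-03-15,yes,2021-04-01
b.baker,2022-09-01,yes,
c.chen,2024-11-20,no,
d.diaz,2025-01-10,yes,2025-03-30
e.evans,2025-06-02,yes,2025-06-20
f.foster,2025-09-20,yes,
"""

GRACE_DAYS = 30  # the SOP rule as worded in the article's example


@dataclass(frozen=True)
class Finding:
    employee: str
    hire_date: date
    reason: str


def parse_tracker(text: str) -> list[dict[str, str]]:
    """Read the CSV export into rows; blank completion dates stay blank."""
    return list(csv.DictReader(io.StringIO(text)))


def in_scope(row: dict[str, str]) -> bool:
    """The SOP scopes the requirement to employees with CUI access."""
    return row["cui_access"].strip().lower() == "yes"


def audit(rows: list[dict[str, str]], as_of: date,
          grace_days: int = GRACE_DAYS) -> list[Finding]:
    """Return one Finding per in-scope employee who missed the deadline.

    A new hire still inside the grace window with no completion is not a
    finding yet; an employee past the window with no completion is the
    three-year-tenure case from the article; a late completion is flagged
    with how late it was, so the record reads as a miss, not a pass.
    """
    findings: list[Finding] = []
    for row in rows:
        if not in_scope(row):
            continue
        hired = date.fromisoformat(row["hire_date"])
        deadline = hired + timedelta(days=grace_days)
        completed = row["insider_threat_completed"].strip()
        if not completed:
            if as_of > deadline:
                findings.append(Finding(row["employee"], hired,
                                        f"never completed; was due {deadline}"))
            continue
        done = date.fromisoformat(completed)
        if done > deadline:
            late = (done - deadline).days
            findings.append(Finding(row["employee"], hired,
                                    f"completed {done}, {late} days late"))
    return findings


def cohort_summary(rows: list[dict[str, str]],
                   findings: list[Finding]) -> dict[int, tuple[int, int]]:
    """(in-scope employees, employees with a finding) per hire year.

    This is the "systematic gap" view: misses concentrated in one cohort
    point at a broken onboarding step rather than one person who skipped a class.
    """
    gapped = {f.employee for f in findings}
    summary: dict[int, list[int]] = {}
    for row in rows:
        if not in_scope(row):
            continue
        year = date.fromisoformat(row["hire_date"]).year
        counts = summary.setdefault(year, [0, 0])
        counts[0] += 1
        if row["employee"] in gapped:
            counts[1] += 1
    return {year: (n, gaps) for year, (n, gaps) in sorted(summary.items())}


def run_sample(as_of_iso: str = "2025-10-01"):
    """Run the audit over the constructed tracker as of a constructed date."""
    rows = parse_tracker(TRACKER_CSV)
    findings = audit(rows, date.fromisoformat(as_of_iso))
    return findings, cohort_summary(rows, findings)


if __name__ == "__main__":
    results, by_year = run_sample()
    for f in results:
        print(f"NOT MET  {f.employee:<10} hired {f.hire_date}  {f.reason}")
    for year, (n, gaps) in by_year.items():
        print(f"hired {year}: {n} in scope, {gaps} with gaps")
```

Run it against a real export before the assessor does: on the constructed data it flags the long-tenured employee who never completed the training and the hire who completed it seven weeks late, leaves the hire still inside the 30-day window alone, and the per-year summary is the answer to “show me records for employees hired at different times.”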
The assessor controls the threshold, and it rises the moment answers get vague or inconsistent. A precise, confident interview often means the assessor moves on quickly. A hesitant one means they keep asking — until they’re satisfied, or until they’re not.
How PreVeil can help: The PreVeil Compliance Accelerator tells you not just what evidence you need, but where to store it — audit logs, configuration settings, training records, all of it. So when an assessor says “show me,” you know exactly where to go. That’s the difference between an answer that closes the question and one that opens an investigation.
Not sure if you have everything you need? The CMMC Evidence Checklist walks you through documentation, scope, interview prep, and more — one page, no fluff. Download our CMMC Evidence Checklist
What Happens When Evidence Falls Short
“If your scope is wrong in the formal assessment, the assessment’s over. The whole thing begins and ends with scope.” – Kevin
Not every evidence failure is fatal. Kevin debriefs the organization at the end of each assessment day, which means there’s often a window to address findings before the assessment wraps up. How wide that window is depends on what went wrong.
Scope errors are in a category of their own. If the assessor finds mid-assessment that systems touching CUI aren’t in your boundary, the assessment stops — no remediation, no second chance. For a deeper look at how scoping errors happen and how to avoid them, see our companion post, 7 Reasons Your CMMC Assessment Fails.
One thing most organizations don’t realize until it’s too late: you’re required to retain all assessment artifacts for six years after the assessment concludes. Losing them isn’t just an administrative headache. If the government comes back to verify what you attested to and you can’t produce the evidence behind it, you’re exposed to a fraud claim.
How PreVeil can help: By working through the PreVeil Compliance Accelerator’s modules and documentation templates, you’ll surface gaps weeks before an assessor does — with time to fix them. The ones that come in best prepared aren’t lucky — they just did the work ahead of time.
The Bottom Line
Good evidence isn’t about volume. It’s about alignment, specificity, and demonstrability. Your evidence is good enough when Kevin can examine it, interview about it, and test it — and get the same answer each time.
The organizations that pass aren’t the ones with the most documentation. They’re the ones whose documentation reflects reality, whose people can speak confidently to what they actually do, and whose systems are configured exactly as written. That’s it. That’s the whole game.
How PreVeil can help: PreVeil is built around the exact standards Kevin and other lead assessors use — so your documentation is assessment-grade before the assessment starts.
PreVeil is the leading CMMC compliance solution for small and mid-sized defense contractors. Trusted by 3,000+ organizations, PreVeil’s proven platform is secure, easy to use, and saves SMEs 75% compared to GCC High.
Business Transformation Institute (BTI) is a CMMC Assessor (C3PAO) and performance improvement firm whose staff includes Lead Assessors, appraisers, and systems engineering professionals with deep DoD experience. Kevin Schaaff is Chief Engineer at BTI and a Lead CMMC Assessor. Learn more at biztransform.net.