On day one of a CMMC Level 2 assessment, the C3PAO assessor sat down at the conference table. The compliance lead slid the System Security Plan across. The assessor read the first section, set the binder aside, and asked the IT administrator sitting across from them a single question.
'Walk me through how you handle account provisioning when an employee leaves.'
The administrator paused. The SSP documents it clearly in Section 3.1.1. But the assessor was not reading the SSP. The assessor was asking a person.
That moment is the Interview method. It is one of three required assessment methods under the DoD CMMC Assessment Guide Level 2 (Version 2.13, September 2024). The other two are Examine, which your SSP satisfies, and Test, which requires the live system to match what the SSP documents. All three apply to all 110 practices under CMMC Level 2. Most contractors preparing for a Level 2 assessment have built strong answers to one of the three questions. The other two require something the SSP cannot produce.
The distinction between Examine, Interview, and Test is not a matter of depth or sequencing. These are three structurally different tests, each requiring a different category of evidence, applied to every practice under assessment.
Examine checks your documentation. Interview checks your people. Test checks your actual system. Your SSP only answers the first question. The C3PAO assessor will ask all three.
Examine is the method your SSP satisfies. An assessor applying the Examine method reviews documentation: policies, procedures, the system security plan, configuration specifications. If your SSP describes a control and your policy formalizes it, Examine has something to work with.
Interview is different. It requires designated personnel to demonstrate procedural knowledge: not to recite policy language, but to show that they understand what the documented control requires and can describe how they execute it in their day-to-day work. A well-written SSP does not prepare your system administrator to answer questions about how account provisioning works in the actual environment. The assessor is testing whether the person in the chair knows what the document on the table says they do.
Test is where the SSP stops being relevant entirely. The Test method requires the live system state to match what the SSP documents. The assessor is not reading your configuration description. They are observing the configuration in operation and comparing what they find to what your documentation says you implemented.
A 280-person defense communications contractor had a clean SPRS self-assessment score and a thoroughly reviewed SSP when their pre-assessment review began. In the first three days, the review team pulled the live user account list for the CUI system. The SSP documented access restricted to authorized users by role. The live list showed 14 dormant contractor accounts that had not been deprovisioned following contract completions, three service accounts without role assignments, and two administrator accounts whose access had expanded beyond what the SSP described.
The SSP was accurate about intent. The system reflected a different reality. The Test method surfaces that gap. The self-assessment did not.
What practitioners who have worked through C3PAO assessment cycles consistently find: the most common evidence failures are not failed controls. They are controls that were implemented correctly at one point and have since drifted as the environment changed. The SSP describes the original intent. The live system reflects what has actually happened since.
The Identification and Authentication family follows the same pattern. An SSP may document MFA as implemented across the environment. The Test method checks actual coverage: which accounts, which systems, and which access paths are covered, and which are not. MFA scope gaps are among the most consistently recurring findings in pre-assessment reviews because the SSP describes MFA as a general posture, while the Test method checks every relevant access path individually.
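The account-list and MFA-coverage comparisons described above can be scripted as a pre-check. The following is an added example, not code from the Assessment Guide or from InterSec: the account names, field names, role names, the 90-day dormancy threshold and the MFA exemption set are all assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed SSP baseline: account -> roles the SSP documents for it.
SSP_ROLES = {
    "jdoe": {"cui-user"},
    "asmith": {"cui-user", "cui-admin"},
    "svc-backup": {"backup-operator"},
    "kvendor": {"cui-user"},
}

# Constructed live export from the CUI system (field names are hypothetical).
LIVE_ACCOUNTS = [
    {"name": "jdoe", "roles": {"cui-user"}, "last_logon": date(2024, 9, 20), "mfa": True},
    {"name": "asmith", "roles": {"cui-user", "cui-admin", "domain-admin"},
     "last_logon": date(2024, 9, 28), "mfa": True},
    {"name": "svc-backup", "roles": set(), "last_logon": date(2024, 9, 30), "mfa": False},
    {"name": "kvendor", "roles": {"cui-user"}, "last_logon": date(2024, 3, 1), "mfa": False},
    {"name": "tmptest", "roles": {"cui-user"}, "last_logon": None, "mfa": False},
]

def find_drift(live, ssp_roles, today, dormant_days=90, mfa_exempt=frozenset()):
    """Return sorted (account, finding) pairs where live state departs from the SSP."""
    findings = set()
    for acct in live:
        name, roles = acct["name"], acct["roles"]
        documented = ssp_roles.get(name)
        if documented is None:
            findings.add((name, "undocumented"))      # exists live, absent from SSP
        elif roles - documented:
            findings.add((name, "excess-roles"))      # access expanded past the SSP
        if not roles:
            findings.add((name, "no-role"))           # account with no role assignment
        last = acct["last_logon"]
        if last is None or (today - last).days > dormant_days:
            findings.add((name, "dormant"))           # assumed threshold, not from the Guide
        if not acct["mfa"] and name not in mfa_exempt:
            findings.add((name, "no-mfa"))            # MFA checked per account, not as posture
    return sorted(findings)

if __name__ == "__main__":
    # mfa_exempt models a documented exception for the service account (assumption).
    for name, finding in find_drift(LIVE_ACCOUNTS, SSP_ROLES, today=date(2024, 10, 1),
                                    mfa_exempt={"svc-backup"}):
        print(f"{name}: {finding}")
```

Each finding category maps to one of the divergences listed above: dormant accounts, accounts without role assignments, access expanded beyond the SSP, and accounts outside actual MFA coverage.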
Audit log configuration is a third common divergence point. An SSP documents log retention periods and coverage scope. The Test method checks the actual log configuration. Retention settings that do not match documented periods, or log coverage that excludes systems in scope, are findable in minutes under Test. They do not appear in a policy review.
The SPRS self-assessment process asks whether each of the 110 controls is implemented. A careful compliance manager who reviews the SSP, confirms that policies cover each practice, and verifies that documented procedures are complete can produce an accurate SPRS score. That process is doing exactly what it is designed to do.
The C3PAO assessment is designed to do something different. The self-assessment is documentation-anchored. It checks whether the control is described and whether the description is complete. The Test method starts where documentation ends.
This is not a failure of effort or rigor. It is a structural difference between two processes built for different purposes. A contractor who has done a careful, accurate self-assessment may still carry substantive evidence gaps in the Access Control and Identification and Authentication families that will surface under Test. Not because the self-assessment was wrong, but because it was answering a different question.
Evidence readiness means your documentation, your people, and your live systems all answer the same question the same way. Building it requires working through all three methods before the assessment.
A contractor who enters the C3PAO assessment with all three methods addressed does not surprise the assessor. The assessor confirms what the evidence already demonstrates. The administrator's account of the access provisioning process matches the SSP because the interview preparation was based on how the process actually works, not how it was documented two years ago. The live system matches the documented controls because the Test pre-check found the drift and remediated it before day one.
The 280-person contractor who found 14 dormant accounts in the pre-assessment review closed all 14 before the C3PAO arrived. The assessor ran the same live account list check on day one and found what the SSP documented. The gap that would have been a scored deficiency became a clean control.
Finding a misconfigured permission structure in a pre-assessment review is a remediable finding. Finding it during the C3PAO assessment is a scored gap. The gap is identical. The moment of discovery is what changes the outcome.
Per the DoD CMMC Assessment Guide Level 2 (Version 2.13), C3PAO assessors apply three required methods across all 110 practices: Examine, Interview, and Test. Examine reviews documentation such as the SSP and policies. Interview requires personnel to demonstrate procedural knowledge. Test requires the live system state to match documented controls. All three methods apply to all 110 practices.
No. A completed SSP satisfies the Examine method only. The Interview method requires personnel to demonstrate knowledge and process execution that the SSP cannot provide on their behalf. The Test method requires live system verification that no policy document can substitute for. Documentation readiness and evidence readiness are different states, and the gap between them is where most Level 2 assessment deficiencies originate.
The Access Control and Identification and Authentication families are most consistently where the gap between documented intent and live system state appears. Their controls require observable system behavior: account permissions, MFA coverage, and audit log configuration. These areas are subject to configuration drift as environments change after the SSP is written, and that drift is exactly what the Test method is designed to find.
Documentation readiness means the SSP is written, policies are in place, and the SPRS self-assessment score is submitted. Evidence readiness means the live system state, personnel knowledge, and documentation all align to satisfy Examine, Interview, and Test methods as defined in the DoD CMMC Assessment Guide Level 2. The gap between the two states is where most Level 2 assessment deficiencies originate and where pre-assessment reviews produce the most remediation value.
InterSec's pre-assessment readiness reviews work through all three assessment methods before the C3PAO engagement begins. Examine, Interview, and Test checks run against your specific environment. Findings are remediation items, not scored deficiencies.