
Mastering the CMMC Assessment Interview: A C3PAO’s Guide to Preparation and Execution

First and foremost: There is too much fear and apprehension associated with Cybersecurity Maturity Model Certification (CMMC) assessments, particularly regarding the interviews conducted during an assessment.  

Yes, an assessment is serious, with potential Federal-level enforcement actions for deceptiveness. Yes, it is comprehensive, with 320 objectives spread over 110 practices. 

But it is not a “tricked you into failing!” event. It is objective in that the process is defined, published, and available to everyone. It is “open book” in that the Organization Seeking Certification (OSC) has access to both the assessment requirements and its own response to the requirements throughout the entire event, including during interviews. Every Certified CMMC Professional (CCP), CMMC Certified Assessor (CCA), and Lead CCA must follow a Code of Professional Conduct. And, ultimately, every CMMC Third-Party Assessment Organization (C3PAO) must have a documented appeals process that is specific to them (ask your C3PAO for it!) with an allowance for third-party intervention if the OSC thinks the C3PAO is wrong. 

This guide is intended to help the OSC—and specifically the people to be interviewed as part of a CMMC assessment—to mitigate assessment “fear and apprehension” so that they can focus instead on complying with the CMMC and passing the assessment.

Part 1: The CMMC Interview – Understanding the Field of Play

The CMMC assessment is a formal, high-stakes evaluation that determines an organization’s ability to protect sensitive but unclassified government information. A critical component of this evaluation is the series of interviews conducted by a C3PAO with the personnel of the OSC.

This process is often misunderstood as a simple question-and-answer session. In reality, it is a formal, evidence-based proceeding. An interviewee’s performance can be the deciding factor between a “MET” and “NOT MET” finding for a given CMMC control. This article provides a guide for any individual—from system administrator to HR personnel—on how to prepare for and successfully execute a CMMC assessment interview from the interviewee’s viewpoint. The methodology described herein is designed to ensure responses are complete, accurate, and strategically aligned with the assessor’s objectives, thereby preventing the confusion, contradictions, and simple errors that lead to failed assessments.

This guide provides everything that Business Transformation Institute, Inc. (BTI), as a C3PAO, can think of to help the OSC and its interviewees prepare for a CMMC assessment. If the reader follows everything, they will be exceedingly well prepared to have a minimum-cost, minimum-duration assessment. But please do not view everything described in this guide as “must-do” but rather as recommendations and advice.

1.1 The Assessor’s Mandate: The ‘Examine, Interview, Test’ Triad

The CMMC assessment is not a single activity but a formal methodology built upon three distinct evidence-collection methods, as defined by the National Institute of Standards and Technology (NIST) and adopted by the CMMC program. The assessor’s entire mandate is to collect sufficient evidence using this triad:   

  1. Examine: The “process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities)”. This is the assessor’s review of the OSC’s documentation: the System Security Plan (SSP), policies, procedures, system design documents, and configuration settings.   
  2. Interview: The “process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence”. “Interview” is often combined with “test”.   
  3. Test: The “process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior”. This is the “show me” portion of the assessment, where an assessor observes a mechanism in action or asks the interviewee to run a command.  “Test” is often combined with “interview”.

The three evidence collection methods are not standalone. Each method supports and is used in combination with the others. In the context of “examine” and “test”, a CMMC assessor interviews personnel to (a) clarify what was written in the documentation (Examine) and (b) understand what they are about to see, or have just seen, in the technical demonstration (Test).

The most common and severe pitfall for an interviewee is to create a contradiction between these three points of evidence. The “Examine, Interview, Test” (E-I-T) triad must be in perfect alignment. Any deviation is a finding, and findings, depending on where they fall, can mean failure.

Consider this common failure scenario for control IA.L2-3.5.3 (Multifactor Authentication):   

  1. Examine: The assessor reviews the SSP, which states, “All network access to the CUI environment for all users requires multifactor authentication.”
  2. Interview: The assessor asks a system administrator, “Is MFA used for all network access?” The administrator replies, “Yes, all our remote users use MFA… except for the administrators. We use a separate VPN that just has a complex password, but it’s okay because only we have access.”
  3. Test: The assessor asks to see this “separate VPN” and confirms it is single-factor.

The interviewee has just single-handedly created a “NOT MET” finding. The verbal testimony (Interview) contradicted the official documentation (Examine) and was then proven false by the technical review (Test). The primary goal of the interviewee is to serve as the consistent, truthful-to-fact connective tissue for all three evidence types. The interview is the place to confirm that the policy is being implemented as written and that the technical mechanisms match the policy.

1.2 The Courtroom Philosophy: You Have the Burden of Proof

To succeed, the interviewee must adopt the correct psychological framework. The core CMMC philosophy is that “the burden of proof that your security controls meet expectations is on you”. The assessment is not a passive activity where the interviewee simply reacts to questions. It is an active process of building a case for compliance. A finding of “MET” is earned, not gifted.

This philosophy is reflected in this analogy: “You are in court … you are presumed to be innocent of CMMC compliance until proved otherwise… you are trying to prove yourself guilty of implementing all of the required security controls!” The C3PAO assessment team is the “jury”.   

To convince the C3PAO “jury”, the interviewee must meet two expectations:

  1. Avoid contradicting any of the insights the assessors have gained from “examine” and “test” and
  2. Act as an expert witness to support the insights from “examine” and “test”.

Avoiding contradiction means that the interviewee should speak only to topics of which the interviewee has direct knowledge. Speculation, assumptions, guesses, or “making it up” are all invitations to adverse findings. Again, a CMMC assessment is not a “memory test”. The interviewee does not have to know every word and phrase of the documents and artifacts being presented to the assessor. But the interviewee does need to know what they do not know and (nicely) refuse to answer on those topics.

Being an expert witness—a guide for the assessors to the evidence—means being proactive, confident, and helpful. The interviewee is the “lead prosecutor’s expert witness,” actively helping the “jury” (the assessor) arrive at the only logical conclusion: that the organization is “guilty of CMMC compliance”.

This “Guide” mentality fundamentally influences the interviewee’s behavior. Instead of reacting passively, the interviewee learns to anticipate the C3PAO’s need for evidence, based on what has been shared (or will be shared) from “examine” or “test”, and proactively lead the assessor to the evidence. A well-prepared interviewee will respond to a question by stating, “Our process for that CMMC control is defined in our Configuration Management Plan, section 4.2. Let me pull that up for you, and then I can show you the corresponding approval settings in our ticketing system.” This is key to proving the case.

Part 2: The Preparation Phase – Building Your “Assurance Case” Before Day One

Success or failure in an assessment begins before the C3PAO arrives. The preparation phase is where the “assurance case” is built. This is not an optional activity; it is a formal prerequisite validated by the assessors.

2.1 Understand the Assessment Process and Your Role

The CMMC assessment is a formal, four-phase process as defined in the CMMC Assessment Process (CAP). Interviews occur during Phase 2: “Assess Conformity to Security Requirements”.   

However, the OSC’s preparation is validated in Phase 1: “Conduct the Pre-Assessment”. During this initial phase, the C3PAO’s Lead CCA makes a formal “Determine Readiness for Assessment” decision. This readiness check explicitly includes:   

  • Reviewing the System Security Plan (SSP) for “completeness, accuracy, and consistency”.   
  • Confirming the “Availability of Evidence”.   

If the SSP is found to be incomplete, or if personnel are unable to produce the required evidence upon request, the C3PAO may issue an “Adverse Determination of Assessment Readiness”. This stops the assessment before it even begins, resulting in significant contractual and financial setbacks for the OSC. Building the interviewee’s confidence and knowledge alongside completing the SSP and identifying evidence is therefore the most effective and efficient approach to assessment success.

2.2 Know the Questions in Advance: Decode the Assessor’s Script

The most critical preparation activity is to understand that the C3PAO assessor is not inventing questions. They are following a pre-defined script. That script is publicly available in two key documents:

  1. NIST SP 800-171A: This document provides the high-level “Assessment Objective” for each requirement.   
  2. CMMC Assessment Guide – Level 2: This is the assessor’s playbook. It provides the specific, granular “Determine if…” statements for every single control.   

An interviewee does not need to guess what they will be asked. For example, for control AC.L2-3.1.5 (Least Privilege), the assessor’s script, as published in the CMMC Assessment Guide L2, is to “Determine if:

  • [a] privileged accounts are identified;
  • [b] access to privileged accounts is authorized in accordance with the principle of least privilege;
  • [c] security functions are identified; and
  • [d] access to security functions is authorized in accordance with the principle of least privilege”.   

The actionable task for every potential interviewee is clear:

  1. Obtain the list of CMMC controls for which they have primary or supporting responsibility.
  2. Open the CMMC Assessment Guide L2.   
  3. Find each control and read and understand the specific “Determine if…” assessment objectives associated with the control and the interviewee’s assigned role or job.

The interviewee’s entire preparation should be focused on preparing a “prosecutor’s case” to prove each of those specific objectives, one by one.

2.3 Master Your Foundational Script: The System Security Plan (SSP)

The SSP is formally defined as the document that describes “how security requirements are implemented”. As established in the CMMC Assessment Process, the C3PAO Lead CCA begins the pre-assessment by reviewing this SSP for “completeness, accuracy, and consistency”.   

The SSP is the OSC’s official, written story. The assessor’s primary job in the interview is to verify that what is written in the SSP is actually what personnel are doing in practice.

This creates the “SSP Contradiction” trap. The interviewee’s job during the assessment is “telling the story of your implemented security controls”. The SSP is that story, committed to writing. If an interviewee’s verbal “story” during the interview contradicts the written “story” in the SSP, they have created a direct and undeniable finding.   

For example, for control CM.L2-3.4.8 (Application Execution Policy):   

  • SSP (Examine): “We use AppLocker in ‘Allow’ mode (whitelisting) to control all software execution in the CUI enclave.”
  • Assessor (Interview): “How does your organization control the execution of software?”
  • Interviewee (Contradiction): “Oh, we don’t really use AppLocker, it was too complicated. We just use our anti-virus to block known bad applications (blacklisting) and tell users not to install unauthorized software.”

This interviewee has just created a guaranteed “NOT MET” finding. The verbal testimony not only contradicts the SSP but also describes an implementation (blacklisting) that is different from the one documented (whitelisting).

The actionable task is mandatory: The interviewee must read, understand, and implement the exact sections of the SSP that apply to their duties and domain. If the SSP is wrong, outdated, or inaccurate, this must be reported to the OSC’s compliance leadership immediately so the SSP can be corrected before the assessment begins.

2.4 Prepare Your Evidence: The “Good CMMC Answer”

OSCs that successfully complete a CMMC assessment have a clear model for what constitutes a “good” versus a “poor” answer.   

  • A poor description is vague: “The Secure Software Development Management Plan explains how the Vendor Payables Development Project assigns action items”.
  • A good description is precise and acts as a guide: “Section 2.1.3, paragraphs 2 and 3, page 27 of the Secure Software Development Management Plan explains… As described, action items are assigned by… This assignment activity was tailored from the company’s standard procedure PMC-3”.

A CMMC interviewee should learn to provide this “good” answer. This is achieved by mapping every response to the formal Assessment Objects that the assessor is required to collect. These objects are:   

  1. Specifications: These are document-based artifacts. The answer should point to them directly. Example: “My answer is based on our Access Control Policy, Section 3.1…”
  2. Mechanisms: These are specific hardware, software, or firmware safeguards. Example: “I can show you the GPO that enforces this setting…”
  3. Activities: These are protection-related actions performed by people. Example: “Our process is to review these logs daily. Here is the log review from this morning…”
  4. Individuals: These are people applying the specifications, mechanisms, or activities. Example: “I am responsible for creating the account, but ‘Jane’ in the networking team is responsible for assigning the firewall rule…”

For each assessment objective that falls within their assigned role or job, the interviewee should prepare an answer that precisely points to this evidence. A successful pre-assessment approach is for the OSC to practice this skill through mock interviews, “pairing up people who know the OSC’s security controls” with “people who know the CMMC”. This pairs the technical expert (the interviewee) with the OSC’s internal compliance lead to refine the “story” and ensure the evidence is readily available.

2.5 Rise to the “Focused” Standard of Detail

The CMMC Assessment Process mandates a specific level of rigor. For CMMC Level 2 certification assessments, the Assessment Team “shall employ the FOCUSED value for both depth and coverage in evaluating all Level 2 security requirements”.   

To understand what this means, one must consult the definition of “Focused” in NIST SP 800-171A rev 2, Appendix D, Table D-1. (Important Note: 800-171A rev 2 has been withdrawn and NIST SP 800-171A rev 3 is now in effect. However, rev 2 provides a clearer discussion of how the assessor is being guided to think about evidence and is therefore useful for the OSC in understanding the assessor’s approach.) This table defines the “Depth” attribute for the “Examine” method and provides a clear contrast:   

  • Basic: “Examination that consists of high-level reviews… This type of examination is conducted using a limited body of evidence… Examples include functional-level descriptions… [and] high-level process descriptions…”.   
  • Focused: “Examination that consists of high-level reviews… and more in-depth studies and analyses… This type of examination is conducted using a substantial body of evidence… Examples include functional-level descriptions and where appropriate and available, high-level design information… [and] high-level process descriptions and detailed implementation procedures”.

The implication for the interviewee is profound. A “Basic” answer (e.g., “We have a policy for that”) is insufficient for a “Focused” response. The assessor is required to dig deeper and find “a substantial body of evidence,” including “implementation procedures” and “high-level design information.”

A well-prepared interviewee will not wait to be asked. Their answer will be pre-loaded with this “Focused” level of detail. They will not just say “we do it”; they will explain how they do it by referencing the specific procedure document (the “implementation procedure”) and the architecture (the “high-level design”), such as: “Our procedure for this is in our Incident Response Plan, Section 5, and our design uses a dedicated, isolated VLAN for forensic analysis…”

Part 3: The Execution Phase – Best Practices for the Live Interview

Once prepared, the interviewee must execute during the live assessment. This section provides a tactical “field manual” for behavior during the interview, focusing on how to provide complete, evidence-based answers while avoiding common, unforced errors.

3.1 The Logistics of the Interview

The formal assessment begins when the Lead CCA convenes an “In-Brief Meeting”. This meeting is used to “Introduce the Assessment Team members” and “Confirm the CMMC Assessment Scope”. The interviewee will be speaking with a “Lead CCA” (CMMC Certified Assessor) and other “Assessment Team members”.   

The assessment, including interviews, may be conducted “virtually, using a stable and commercially secure video conference system”. In a virtual setting, all personnel must be aware of the critical rule that “CUI is not shared electronically… unless the assessment is conducted within CMMC Level 2-conforming environments on both sides”. In practice, this means the interviewee must be prepared to show their screen (e.g., via screen sharing) rather than sending files or evidence to the assessor, unless a secure means of transferring the information is used—one that uses an encryption method with a validated product per FIPS 140-2 or FIPS 140-3. Also, if screen sharing, be sure to document a time-limited exception, for the purposes of the CMMC assessment, to any policy in the SSP or other document that prohibits screen sharing.

3.2 The Golden Rules of Answering

During the live interview, responses must be precise, deliberate, and controlled. Adherence to the following rules is paramount.

Rule 1: Answer Only the Question Asked. The assessor is following a script based on the CMMC Assessment Guide. The interviewee’s job is to answer the specific objective being assessed. Personnel must be trained to resist the urge to “story-tell,” volunteer context, or discuss unrelated controls because doing so often “opens a new door” for the assessor, leading to an unplanned line of inquiry.   

  • Failure Example: When asked about audit logging (AU.L2-3.3.1), an administrator says, “Yes, we log all that, but it’s really tough because our log server fills up all the time and we have to manually clear it.” This administrator has just volunteered a “NOT MET” finding for a different control, AU.L2-3.3.4 (Alert in the event of an audit logging process failure). A simple “Yes” followed by showing the log configuration would have been sufficient.   

Rule 2: Speak in “Objects” (Specifications, Mechanisms, Activities). Every answer should be framed around the assessor’s evidence-gathering objects. This demonstrates mastery of the process and provides the assessor with the exact evidence they need to record.   

  • Assessor (Objective): “Determine if… the execution of privileged functions is captured in audit logs” (from AC.L2-3.1.7).   
  • Expert Answer: “Yes. Our (Specification) Access Control Policy, Section 4.5, requires it. The (Mechanism) GPO on our domain controllers enables ‘Audit Process Creation’ and ‘Audit Command Line’ logging, which are sent to our SIEM. The (Activity) is that our security team reviews these daily. I can show you the GPO setting now if you like.”

Rule 3: Be the “Good Guide”. A good description helps the assessment team understand what they are seeing … and points out where in the artifact to look. The interviewee should embody this principle.

  • Bad Answer: “It’s in the policy.” This is lazy, unhelpful, and fails the “burden of proof”. It forces the assessor to do the work, which is not their job.   
  • Good Answer: “Yes. That is in our Access Control Policy. Let me open it… it is on page 27, Section 2.1.3, paragraphs 2 and 3.”. This response actively does the work for the assessor, proves the “MET” finding, and builds confidence.   

3.3 Table: The Anatomy of an Interview Answer

The following table provides a clear, actionable model for interviewee responses. It translates the “Golden Rules” into a practical example, demonstrating the progression from a poor answer to an expert, evidence-based response.

Control: AC.L2-3.1.8: Limit unsuccessful logon attempts.  Assessor Objectives:   

  • [a] the means of limiting unsuccessful logon attempts is defined
  • [b] the defined means of limiting unsuccessful logon attempts is implemented

  • POOR (Ambiguous)
    • Example answer from interviewee: “Yeah, I think we do that. I’m pretty sure it’s 3 strikes or something.”
    • C3PAO conclusion: Fails “Burden of Proof”. This is speculative and provides zero evidence. The assessor cannot use “I think” to satisfy an objective. This will be marked “NOT MET” pending further investigation.
  • BAD (Contradictory)
    • Example answer from interviewee: “Well, our policy says 3 attempts, but we had to set it to 10 because the CEO kept locking himself out. So, technically it’s 10.”
    • C3PAO conclusion: Fails the “E-I-T Triad.” The interviewee has just openly stated that the implementation (Test) contradicts the policy (Examine). This is a guaranteed “NOT MET” for objective [b].
  • GOOD (Basic)
    • Example answer from interviewee: “Yes, we limit unsuccessful logon attempts.”
    • C3PAO conclusion: Fails the “Focused” Standard. This is a “Basic” answer. It provides no “substantial body of evidence” or “implementation procedures.” The assessor must now ask follow-up questions to dig for the real evidence.
  • EXPERT
    • Example answer from interviewee: “Yes. Our (Specification) Access Control Policy, document AC-8, defines the limit as 5 unsuccessful attempts within 30 minutes, which then locks the account for 30 minutes (proves objective [a]). This is implemented via a (Mechanism) Group Policy Object named ‘CMMC_Account_Lockout’ that is applied to our CUI-scope OU. Our (Activity) is that our team audits this GPO quarterly. I can (Test) show you the GPO settings on my screen right now to prove objective [b].”
    • C3PAO conclusion: Success. This response proves both objectives [a] and [b]. It provides all three evidence types (E-I-T) and acts as the “Good Guide”. The assessor can confidently mark this control “MET” and move on.
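The EXPERT answer stakes a “MET” finding on the GPO actually matching what the Access Control Policy documents, and the BAD answer shows what happens when it does not. An OSC can check that alignment itself before the assessor does. The following Python script is an added example, not BTI’s code or anything from the CMMC program: it parses the [System Access] section of the security template that `secedit /export /cfg <file>` writes on a Windows host and reports every lockout setting that differs from the values the SSP documents. The SSP values and the export text are constructed for illustration (a real export is UTF-16 and larger), and the implemented LockoutBadCount is deliberately set to disagree.

```python
"""Pre-assessment self-check for AC.L2-3.1.8: do the lockout settings in force
match what the SSP documents?  Added example, not BTI's code; the SSP values and
the security-template text below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import configparser

# What the SSP (the "Examine" evidence) documents for AC.L2-3.1.8 -- constructed values.
SSP_LOCKOUT: Dict[str, int] = {
    "LockoutBadCount": 5,      # unsuccessful attempts before lockout
    "ResetLockoutCount": 30,   # counter reset window, minutes
    "LockoutDuration": 30,     # lockout duration, minutes (-1 = until an admin unlocks)
}

# Constructed sample of what `secedit /export /cfg <file>` produces (the "Test"
# evidence).  A real export is UTF-16 and contains more sections; this one has the
# implemented LockoutBadCount deliberately disagreeing with the SSP.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass
class Discrepancy:
    setting: str
    documented: int
    implemented: Optional[int]   # None when the export does not contain the setting


def parse_system_access(export_text: str) -> Dict[str, int]:
    """Read the numeric entries of the [System Access] section into name -> int.
    String-valued entries (e.g. NewAdministratorName) are skipped."""
    parser = configparser.ConfigParser(interpolation=None)  # '$' appears in values
    parser.optionxform = str  # keep key case exactly as secedit writes it
    parser.read_string(export_text)
    if not parser.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in parser["System Access"].items()
            if v.lstrip("-").isdigit()}


def compare_lockout(documented: Dict[str, int],
                    implemented: Dict[str, int]) -> List[Discrepancy]:
    """Return each documented setting the export either lacks or sets differently.
    A missing key is reported too: if lockout is off, the host shows no window or
    duration at all, and that is still a contradiction of the SSP."""
    return [Discrepancy(name, want, implemented.get(name))
            for name, want in documented.items()
            if implemented.get(name) != want]


def report(findings: List[Discrepancy]) -> str:
    """Human-readable summary for the OSC's compliance lead."""
    if not findings:
        return "Examine and Test agree: no lockout discrepancies."
    lines = ["Discrepancies to fix (or to reconcile in the SSP) before the assessment:"]
    for f in findings:
        have = "not set" if f.implemented is None else f.implemented
        lines.append(f"  {f.setting}: SSP documents {f.documented}, host has {have}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_lockout(SSP_LOCKOUT, parse_system_access(SECEDIT_EXPORT))))
```

Running the same comparison against exports from every host in the CUI-scope OU, and filing the output with the quarterly GPO audit, gives the “Activity” in the EXPERT answer a record of its own to show the assessor.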

  

3.4 Navigating Difficult Scenarios: How to Avoid Being “Tripped Up”

Even with perfect preparation, unexpected questions arise. How an interviewee handles these scenarios demonstrates the maturity of the organization.

Scenario 1: The “I Don’t Know” Answer.

  • The Trap: Guessing. A guess is a 50/50 shot at the truth and may well be exposed as incorrect during the “Test” or “Examine” phase, creating a damaging contradiction.
  • The Correct Response: “That specific task is handled by the Networking Team. I am not the correct person to answer that, but I can get the networking manager or find that section of the network design documentation for you right now.”
  • Why This Works: The interviewee remains truthful, avoids a contradiction, and demonstrates mature knowledge of organizational roles (which helps satisfy AT.L2-3.2.2, “personnel are trained to carry out their assigned information security-related duties”). They are still acting as a “Good Guide” by helping the assessor build their “assurance case”.   

Scenario 2: The “We Don’t Do That” / “NOT MET” Finding.

  • The Trap: Getting defensive, making excuses, or attempting to hide the deficiency. This immediately destroys the assessor’s trust and signals an immature compliance program.
  • The Correct Response: “You are correct. That is a known deficiency we identified in our last internal risk assessment. It is documented on our operational Plan of Action (POA&M), as required by CA.L2-3.12.2, with a remediation milestone set for next quarter.”
  • Why This Works: This response turns “NOT MET” into “MET.” The CMMC Assessment Guide explicitly states that “Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress…) shall be assessed as MET”. By identifying the gap and having it on a formal POA&M, the organization is not failing the assessment; it is demonstrating mature compliance with control CA.L2-3.12.2 (Develop and implement plans of action).

Scenario 3: The “I Messed Up” / Post-Interview Correction.

  • The Trap: The interviewee realizes 20 minutes after the session that they gave an incorrect or incomplete answer. The natural (and wrong) instinct is to stay silent and hope the assessor does not notice.
  • The Correct Response: The 10-Day Safety Net. The CMMC Assessment Process contains a formal mechanism for this exact situation: “Assessors may re-evaluate NOT MET security requirements during the assessment and for ten (10) business days following the active assessment period”.
  • Actionable Task: The interviewee must immediately report their misstatement to their manager or the OSC’s CMMC lead. They must say, “I misspoke. I told the assessor X, but the correct answer is Y, and here is the evidence (e.g., a screenshot, a policy snippet, a log file).” The OSC lead can then formally present this correct evidence to the C3PAO. This is not “cheating”; it is using the assessment process as it was designed.

Part 4: Applied Strategies – Sample Interview Dialogues by Domain

This section provides scripted dialogues for high-stakes CMMC domains. These dialogues are based directly on the assessor’s script (the “Determine if…” objectives) found in the CMMC Assessment Guide L2. They model the “Expert” answer from the table in section 3.3.   

4.1 Scenario 1: The Configuration Management (CM) Interview

  • Control: CM.L2-3.4.3: Track, review, approve or disapprove, and log changes to organizational systems.    
  • Assessor’s Objectives:   
    • [a] changes to the system are tracked
    • [b] changes to the system are reviewed
    • [c] changes to the system are approved or disapproved
    • [d] changes to the system are logged

The Interview Dialogue:

  • Assessor: “How does your organization handle changes to systems in the CUI environment, such as firewall patches or server updates?”
  • Interviewee (Expert Response): “We follow a formal change control process, which is defined in our (Specification) Configuration Management Plan, Section 3.
  • (Proving Objective [a] – tracked): All changes, no matter how small, must be initiated and are tracked via a ticket in our change management system.
  • (Proving Objective [b] – reviewed): That ticket is then automatically routed to the relevant system owner and a member of our Information Security team for a formal review of the security impact, which satisfies control CM.L2-3.4.4.
  • (Proving Objective [c] – approved): No change can be implemented until that ticket is formally approved or disapproved by both of those individuals in the system.
  • (Proving Objective [d] – logged): After the change is implemented, the administrator who performed the work is required to enter the implementation details and close the ticket. This closure creates the final, time-stamped log of the change.
  • The “Test” (Show Me): “I can show you this process live. Here is a ‘Closed’ ticket from last week for a firewall patch. You can see the initial request, the review comments from the security team [proves b], the formal digital approval from the manager [proves c], and the final implementation notes from the admin. The system tracks this entire lifecycle [proves a] and the ticket itself is the permanent log [proves d].”

4.2 Scenario 2: The Audit & Accountability (AU) Interview

  • Control: AU.L2-3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.    
  • Assessor’s Objectives:   
    • [a] audit information is protected from unauthorized access
    • [b] audit information is protected from unauthorized modification
    • [c] audit information is protected from unauthorized deletion
    • [d-f] audit logging tools are protected…

The Interview Dialogue:

  • Assessor: “How do you ensure that your audit logs themselves are protected from tampering, especially from privileged users like other system administrators?”
  • Interviewee (Expert Response): “That is a key part of our ‘separation of duties’ design [AC.L2-3.1.4]. We use a ‘pull’ model for all CUI-scope systems.
  • (Proving Objectives [a, d-f] – Access): Our (Mechanism) SIEM server is configured with a read-only service account that ‘pulls’ logs from our servers. The local audit logging tools on the servers themselves are protected by standard OS permissions, but the real protection is that no administrator—including me—has any access to the SIEM’s log repository. Access is restricted to two members of the dedicated ‘Security’ group, which is enforced by ‘Least Privilege’ [AC.L2-3.1.5] and a specific GPO.
  • (Proving Objectives [b, c] – Modification/Deletion): To protect against modification or deletion, the SIEM repository is configured as ‘write-once, read-many’ (WORM). Even the Security team cannot modify or delete log entries; they can only run queries and generate reports. As an additional (Activity), we have file integrity monitoring enabled on the log repository itself, which would alert us to any attempt to change the log files at the OS level.”
  • The “Test” (Show Me): “I can demonstrate this. First, I’ll show you the Active Directory security group for the SIEM, and you can see my own privileged admin account is not a member. Now, I will try to navigate to the log repository’s file share from my admin workstation… and as you can see, I am ‘Access Denied.’ This proves objective [a].”
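The file integrity monitoring “Activity” in the answer above is only evidence if it produces a record. The following Python script is an added example, not BTI’s code and not a feature of any particular SIEM: it takes a SHA-256 baseline of a log repository, re-checks it later, and classifies files as modified, deleted, or added, which covers objectives [b] and [c] (modification and deletion) at the file level. The repository, its log lines, and the simulated tampering are all constructed inside a temporary directory so the script runs stand-alone; a real deployment would store the baseline somewhere the administrators being monitored cannot write, and raise an alert on any non-empty result.

```python
"""Minimal file integrity check for a log repository (AU.L2-3.3.8 objectives [b], [c]).
Added example, not BTI's code.  The repository contents and the tampering in demo()
are constructed in a temporary directory for illustration."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large log files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(repo: Path) -> Dict[str, str]:
    """Hash every file under the repository; keys are paths relative to its root."""
    return {str(p.relative_to(repo)): sha256_file(p)
            for p in sorted(repo.rglob("*")) if p.is_file()}


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two baselines.  Any non-empty list is an
    alert: logs should only ever be appended, never rewritten or removed."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "deleted": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed log repository, baseline it, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        # Constructed log lines of the kind the GPO-driven auditing above produces.
        (repo / "2025-01-14.log").write_text(
            "Jan 14 08:01:02 dc01 Audit Process Creation: whoami.exe\n")
        (repo / "2025-01-15.log").write_text(
            "Jan 15 09:15:44 dc01 Audit Command Line: gpresult.exe /r\n")
        before = baseline(repo)

        # Simulated tampering: one entry rewritten, one day's log removed,
        # and a stray file dropped into the repository.
        (repo / "2025-01-15.log").write_text("Jan 15 09:15:44 dc01 (entry removed)\n")
        (repo / "2025-01-14.log").unlink()
        (repo / "notes.txt").write_text("not a log\n")

        return compare(before, baseline(repo))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Unchanged files hash identically, so a clean re-check returns three empty lists; the demo returns one entry in each category, which is exactly the record the interviewee can show alongside the “Access Denied” demonstration.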

4.3 Scenario 3: The Awareness & Training (AT) Interview

(Note: This interview would likely be with an HR representative, IT manager, or security officer.)

  • Control: AT.L2-3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.    
  • Assessor’s Objectives:   
    • [a] potential indicators associated with insider threats are identified
    • [b] security awareness training on recognizing and reporting… is provided to managers and employees

The Interview Dialogue:

  • Assessor: “How do you make your employees aware of insider threats?”
  • Interviewee (Expert Response): “We address this in two main ways, as documented in our (Specification) Awareness and Training Policy. This is reflected in our Insider Threat Plan, which also incorporates our compliance with 32 CFR Part 117.
  • (Proving Objective [a] – Identified): First, our (Specification) Insider Threat Policy, which is available to all employees, formally identifies the potential indicators we require personnel to watch for. This includes behaviors mentioned in the CMMC guidance, such as ‘attempts to gain access to information that is not required for job performance’ or ‘unexplained access to financial resources’.
  • (Proving Objective [b] – Trained): Second, personnel are trained on this policy. This (Activity) is mandatory for all new hires during onboarding, and all personnel must complete an annual refresher training module. This training explicitly covers how to recognize those indicators from the policy and how to report them securely and, if desired, anonymously to our designated security officer.”
  • The “Examine” (Show Me): “I can show you the evidence for this. Here is our (Specification) training curriculum slide deck from last month’s annual refresher. You can see on slides 12 and 13, we cover ‘Insider Threat Indicators’ (proves [a]) and ‘Secure Reporting Procedures’ (proves [b]). I also have the (Specification) training completion records exported from our Learning Management System showing that all 114 employees have completed this training as of last week.”
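The completion-records evidence above is only convincing if it reconciles against the HR roster under the rules the interviewee stated (every employee and manager trained, new hires at onboarding, an annual refresher). The following is an added example, not code from the original article, that performs that reconciliation on constructed roster and LMS data; the names, dates and the 365-day refresher window are assumptions.

```python
"""Reconcile an LMS completion export against the HR roster for AT.L2-3.2.3 [b].

Constructed sample data (hypothetical names and dates); not the page's records.
Assumed rules: every active person needs a completion inside the refresher
window, and a completion that predates the hire date is treated as invalid.
"""
from datetime import date

REFRESH_DAYS = 365  # assumed annual refresher interval

# Constructed HR roster: user id -> (role, hire date)
ROSTER = {
    "acarter": ("manager", date(2021, 3, 1)),
    "bdiaz": ("employee", date(2023, 7, 15)),
    "cevans": ("employee", date(2025, 5, 20)),  # recent hire, still onboarding
    "dfoster": ("manager", date(2019, 11, 2)),
}

# Constructed LMS export: user id -> most recent completion of the
# insider-threat module (a missing key means never completed)
LMS_COMPLETIONS = {
    "acarter": date(2025, 5, 30),
    "bdiaz": date(2024, 4, 1),  # stale: older than the refresher window
    "dfoster": date(2025, 5, 30),
}


def training_coverage(roster, completions, as_of, refresh_days=REFRESH_DAYS):
    """Return (covered, gaps): ids current on training, and id -> reason for the rest."""
    if isinstance(as_of, str):  # accept an ISO date string as well as a date
        as_of = date.fromisoformat(as_of)
    covered, gaps = [], {}
    for user, (role, hired) in sorted(roster.items()):
        done = completions.get(user)
        if done is None:
            gaps[user] = f"{role}: no completion on record (hired {hired})"
        elif done < hired:
            gaps[user] = f"{role}: completion {done} predates hire date {hired}"
        elif (as_of - done).days > refresh_days:
            gaps[user] = f"{role}: last completion {done} is outside the {refresh_days}-day refresher window"
        else:
            covered.append(user)
    return covered, gaps


def coverage_percent(roster, completions, as_of):
    """Share of the roster that is current, for the evidence package."""
    covered, _ = training_coverage(roster, completions, as_of)
    return round(100 * len(covered) / len(roster), 1)


if __name__ == "__main__":
    covered, gaps = training_coverage(ROSTER, LMS_COMPLETIONS, "2025-06-10")
    print(f"{coverage_percent(ROSTER, LMS_COMPLETIONS, '2025-06-10')}% current")
    for user, reason in gaps.items():
        print(f"  GAP {user}: {reason}")
```

Anyone listed under GAP is a discrepancy to report to management before assessment day rather than something to discover during the interview.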

4.4 Table: Interviewee Preparation Checklist

This table operationalizes the entire preparation process into an actionable checklist for every potential interviewee.

Phase 1: Preparation (Before Assessment Day)

  • [ ] Identify all CMMC controls for which the interviewee has primary or supporting responsibility.
  • [ ] Read the “Assessment Objectives” (the “Determine if…” statements) for every assigned control.
  • [ ] Read the corresponding sections of the System Security Plan (SSP) that describe how those controls are implemented.
  • [ ] Report any and all discrepancies between the SSP and real-world activities to management immediately.
  • [ ] Assemble the “evidence” package: a list of policy sections, procedure documents, and system settings to “show” the assessor.
  • [ ] Practice the “Expert” answer for each objective, referencing the evidence package.

Phase 2: Execution (During the Interview)

  • [ ] Confirm the evidence package (links, documents, etc.) is open and ready.
  • [ ] Adopt the “Burden of Proof” mindset: the job is to proactively guide the assessor to a “MET” finding.
  • [ ] Listen for the specific objective the assessor is asking about.
  • [ ] Answer by referencing Specifications, Mechanisms, and Activities.
  • [ ] DO NOT guess, speculate, or volunteer negative information.
  • [ ] Use the “I don’t know, but I will find out” response if needed.
  • [ ] Use the “That is on our operational POA&M” response if a gap is identified.

Phase 3: Follow-Up (After the Interview)

  • [ ] Debrief with the internal CMMC lead. Note any questions that were difficult or required follow-up.
  • [ ] Immediately provide any corrected answers or missing evidence to the internal lead for formal submission to the C3PAO.

Part 5: Conclusion – The Post-Interview Mindset and Final Steps

The interviewee’s responsibilities do not end when they leave the conference room. The final phases of the assessment are critical for solidifying the “MET” findings.

5.1 The Out-Brief Meeting

After Phase 2 is complete, the Lead CCA will convene the out-brief meeting (the “Convene Out-Brief Meeting” step of the assessment process) with the OSC’s leadership. This is where the assessment team will present its preliminary findings, including any potential “NOT MET” requirements that were identified during the interviews or technical tests.

5.2 The 10-Day Window: The Final Chance to Provide Evidence

The most important post-interview concept is the 10-day re-evaluation window. The CMMC Assessment Process explicitly states that “Assessors may re-evaluate NOT MET security requirements… for ten (10) business days following the active assessment period”.   

This is the formal safety net. If an interviewee misspoke, or if an assessor noted a “NOT MET” finding because a piece of evidence could not be located in time, the OSC has 10 business days to provide that “missing” evidence.

The final responsibility of every interviewee is to work quickly with their team to provide any clarifying documentation, screenshots, or log files to their leadership. This allows the OSC to formally submit the correct evidence to the C3PAO, turning a potential “NOT MET” into a “MET.”

5.3 Final Takeaway: Confidence Through Competence

The CMMC assessment interview is not a memory test. It does not measure who is the most charming interviewee. It is a formal, open-book test of the organization’s CMMC compliance. The “test questions” are not secret; they are published for everyone to see in the CMMC Assessment Guide.   

By understanding the “rules of the game”—the E-I-T triad, the “Burden of Proof”, and the “Focused” standard—and by rigorously preparing, the interviewee transforms from a nervous suspect into a confident and competent guide. This preparation allows the interviewee to master the process, demonstrate maturity, and lead the assessor to the only possible, evidence-based conclusion: MET.