🤖 AI Summary
This study addresses the lack of a standardized evidence sampling protocol in Cybersecurity Maturity Model Certification (CMMC) assessments, which undermines the reliability and consistency of evaluation outcomes. Through an anonymous survey of 17 certified assessors combined with qualitative analysis, the research systematically reveals—for the first time—that current sampling practices are heavily reliant on assessors’ subjective experience and risk perception, with little grounding in statistical principles. The work proposes the development of a standardized, risk-based sampling framework that eschews rigid proportional rules in favor of flexible, context-sensitive guidelines. Such an approach would enhance assessment consistency while preserving essential professional judgment, thereby offering both empirical support and a novel pathway toward the formalization and improvement of the CMMC evaluation ecosystem.
📝 Abstract
The Cybersecurity Maturity Model Certification (CMMC) framework provides a common standard for protecting sensitive unclassified information in defense contracting. While CMMC defines assessment objectives and control requirements, limited formal guidance exists regarding evidence sampling, the process by which assessors select, review, and validate artifacts to substantiate compliance. Analyzing data collected through an anonymous survey of CMMC-certified assessors and lead assessors, this exploratory study investigates whether inconsistencies in evidence sampling practices exist within the CMMC assessment ecosystem and evaluates the need for a risk-informed standardized sampling methodology. Across 17 usable survey responses, results indicate that evidence sampling practices are predominantly driven by assessor judgment, perceived risk, and environmental complexity rather than formalized standards, with formal statistical sampling models rarely referenced. Participants frequently reported inconsistencies across assessments and expressed broad support for the development of standardized guidance, while generally opposing rigid percentage-based requirements. The findings support the conclusion that the absence of a uniform evidence sampling framework introduces variability that may affect assessment reliability and confidence in certification outcomes. Recommendations are provided to inform future CMMC assessment methodology development and further empirical research.