Home Resources Evidence Library
Documentation · 12-minute read · Reference

Evidence Library Guide

Policies declare your intent. Procedures describe how the work is done. Evidence proves it actually happens. This is the guide to assembling the artifacts that demonstrate each of the 110 NIST 800-171 requirements is operationally implemented — what evidence types matter, what assessors expect by control family, and how to organize the package.

What Counts as Evidence

An evidence artifact is anything that allows an assessor to confirm that a control is implemented as the SSP describes. Evidence answers questions an assessor cannot answer from the SSP alone: Is this actually happening? At the cadence the SSP claims? Across the systems the SSP scopes? With the rigor the requirement demands?

NIST SP 800-171A — the assessment companion to 800-171 Rev 2 — defines three assessment objectives for every requirement: examine (review documents and configurations), interview (talk to people who perform the work), and test (observe the control in action). Evidence supports the examine and test objectives. The interview objective is supported by personnel who can describe what they do — but their description must be backed by examinable artifacts.

Evidence is not a paperwork exercise. It is the record of operational practice. A configuration screenshot evidences a configuration; a quarterly access review record evidences an access review; an audit log sample evidences logging coverage. The artifact must reflect what is actually true in the environment at the time the assessor reviews it.

Evidence Categories

Most evidence falls into one of seven categories. Building the library means having artifacts in each category, mapped to specific requirements.

  • Policy and procedure documents. The written rules. Cross-reference each policy to the requirements it supports. See the policy library guide.
  • Configuration screenshots and exports. Evidence that a system is configured as the SSP describes. Examples: Group Policy Object exports showing password policy enforcement, firewall rule listings, conditional access policy screenshots, audit log retention configuration.
  • System-generated reports. Reports the in-scope systems produce automatically — vulnerability scan reports, patch compliance reports, MFA enrollment reports, antivirus update reports, audit log summary reports.
  • Records of periodic activities. Artifacts showing that a recurring activity actually recurred. Examples: quarterly access review records (with dates and reviewer signatures), annual SSP review records, monthly vulnerability scan summaries, weekly audit log review sign-offs.
  • Training and awareness records. Completion records for required training, with dates, topic, and personnel. Often pulled from a learning management system.
  • Change records. Tickets or change requests showing security review of significant changes — new system additions, configuration changes, software approvals, user access provisioning, equipment disposal.
  • Incident records. Documented security incidents (real or tabletop), the response taken, and the lessons-learned outcome. Even an organization with no real incidents should have tabletop exercise records demonstrating the IR plan is exercised.

The Freshness Question

Every evidence artifact has an implicit shelf life. Assessors look at the date on the evidence and ask: does this prove the control is currently effective? A vulnerability scan report from two years ago demonstrates that a scan once happened — it does not demonstrate that scanning is currently part of operational practice.

Evidence typeUseful withinStale beyond
Audit log samplesLast 30 days90 days
Vulnerability scan reportsLast 30 days90 days
Patch compliance reportsLast 30 days60 days
Quarterly access reviewsLast quarter (3 months)6 months
Annual security training recordsLast 12 months15 months
Annual risk assessmentLast 12 months18 months
Annual SSP reviewLast 12 months15 months
Annual IR plan tabletopLast 12 months18 months
Network architecture diagramsLast 12 months or post-significant-change18 months without change
Asset inventoryLast 90 days6 months
Hardware/software baselinesAligned to current OS/app versionsMajor version behind
Policy documentsWithin annual review cyclePast next review date
POA&MUpdated within last 30 days3+ months without update

The freshness question is the simplest evidence flaw to fix and the most common to fail. Before any assessment, walk through every evidence artifact and confirm it is current. Stale evidence in an evidence package signals to assessors that the control is not actively maintained — even if it is.

Evidence by Control Family

The breakdown below describes the evidence patterns assessors typically expect for each of the 14 control families. This is a starting point — the specific evidence will vary based on your environment, but the categories should map closely.

3.1 Access Control · 22 requirements

Access Control (AC)

Configuration evidence

  • Active Directory or IAM exports showing user accounts, roles, and group memberships
  • Conditional access policies (screenshots or exports)
  • Privileged access management configuration showing separation between standard and admin accounts
  • Session control settings (timeout, concurrent session limits)
  • Wireless network configuration showing WPA3-Enterprise or equivalent for in-scope wireless

Activity evidence

  • Quarterly access review records — list of users reviewed, decisions made, signed by reviewer
  • Termination records showing access revoked within the policy timeframe
  • New user provisioning tickets with manager approval and access justification
  • Privileged access request and approval records
  • Mobile device enrollment records and conditional access enforcement logs
3.2 Awareness and Training · 3 requirements

Awareness and Training (AT)

Configuration evidence

  • Training catalog showing required courses by role
  • Learning Management System (LMS) configuration showing assignment rules

Activity evidence

  • Completion records for all in-scope personnel for the most recent annual training cycle
  • Records of role-based training for privileged users, IR team, ISSO
  • Insider threat awareness completion records
  • Records of consequences enforced when training was not completed (escalation emails, access suspension)
3.3 Audit and Accountability · 9 requirements

Audit and Accountability (AU)

Configuration evidence

  • Audit logging configuration on each in-scope system type — what events are logged, retention duration, where logs are stored
  • NTP configuration and time source verification
  • SIEM or log aggregation platform configuration showing source coverage
  • Log access control configuration showing read-only access for general users, no delete privilege

Activity evidence

  • Sample audit log records covering all required event categories
  • Audit log review records (who, when, what was examined, what was found)
  • Records demonstrating cross-system event correlation during a real or simulated investigation
  • Audit log retention validation — the assessor will ask to see logs from at least 12 months ago
3.4 Configuration Management · 9 requirements

Configuration Management (CM)

Configuration evidence

  • Documented baseline configuration for each system type (typically referencing CIS Benchmarks or DISA STIGs)
  • Group Policy Objects, MDM configuration profiles, or equivalent enforcement mechanisms
  • Software allowlist or denylist configuration
  • Asset inventory (hardware and software) with last-update timestamp

Activity evidence

  • Recent change tickets for in-scope system changes, with security impact analysis recorded
  • Change advisory board meeting minutes covering recent significant changes
  • Baseline drift reports (where supported by tooling)
  • Software request and approval records, with rejected exception requests
3.5 Identification and Authentication · 11 requirements

Identification and Authentication (IA)

Configuration evidence

  • MFA enforcement configuration with proof MFA is required for privileged and remote access
  • Password policy configuration showing length, complexity, history, age, lockout
  • Account lockout configuration and unlock procedure
  • Service account inventory with credential storage method documented
  • Certificate management configuration if PKI-based authentication is used

Activity evidence

  • MFA enrollment report showing 100% coverage of users in MFA-required scope
  • Password history database showing the policy is enforced (not just declared)
  • Recent service account credential rotation evidence
3.6 Incident Response · 3 requirements

Incident Response (IR)

Configuration evidence

  • Incident Response Plan document with current revision date and senior approval
  • IR team roster with contact information and escalation order
  • DIBNet account confirmation (named individuals with active access)

Activity evidence

  • Annual tabletop exercise records — scenario used, participants, lessons learned, plan updates resulting
  • Records of any real incidents and the response taken (including DIBNet reports if applicable)
  • IR team training completion records
3.7 Maintenance · 6 requirements

Maintenance (MA)

Configuration evidence

  • List of authorized maintenance personnel and authorized maintenance vendors
  • Vendor contracts with security clauses for those performing in-scope maintenance
  • Remote maintenance access controls (MFA, session monitoring, approval gating)

Activity evidence

  • Recent maintenance records showing supervision of uncleared personnel
  • Equipment sanitization records before maintenance off-site
  • Tools and media inspection records before use on in-scope systems
3.8 Media Protection · 9 requirements

Media Protection (MP)

Configuration evidence

  • USB and removable media policy enforcement (DLP configuration, USB blocking, allowlisting)
  • Encryption configuration for portable media handling CUI
  • Document marking policy and template documents showing CUI banner application

Activity evidence

  • Recent media transport records with destination and chain of custody
  • Media sanitization or destruction records (NIST 800-88 method, verification)
  • Sample CUI documents showing markings applied per policy
3.9 Personnel Security · 2 requirements

Personnel Security (PS)

Configuration evidence

  • Pre-employment screening policy and procedure
  • Personnel offboarding procedure showing access revocation steps

Activity evidence

  • Screening records for personnel with CUI access (sample, redacted as needed)
  • Offboarding records showing immediate access revocation timestamps
  • Equipment return records for departing personnel
3.10 Physical Protection · 6 requirements

Physical Protection (PE)

Configuration evidence

  • Facility access control system configuration (badge access, zones)
  • Visitor management procedure
  • Server room and network closet access controls
  • Alternate work site (home office) policy

Activity evidence

  • Recent physical access logs showing review for anomalies
  • Visitor logs with escort and badge return records
  • After-hours access logs (rare; should be reviewed)
3.11 Risk Assessment · 3 requirements

Risk Assessment (RA)

Configuration evidence

  • Vulnerability scanning tool configuration with authenticated scan settings
  • Scan schedule (typically monthly authenticated scans)
  • Risk assessment methodology document

Activity evidence

  • Most recent annual risk assessment report
  • Recent vulnerability scan reports with authenticated coverage
  • Vulnerability remediation tracking — open vulnerabilities, target remediation dates, closed vulnerabilities with closure evidence
3.12 Security Assessment · 4 requirements

Security Assessment (CA)

Configuration evidence

  • Current System Security Plan with annual review record
  • Current Plan of Action and Milestones (POA&M)
  • Continuous monitoring program description
  • SPRS posting confirmation showing the most recent self-assessment date and score

Activity evidence

  • POA&M update history showing items being worked and closed
  • Internal assessment reports between formal C3PAO assessments
  • Annual senior official affirmation in SPRS
3.13 System and Communications Protection · 16 requirements

System and Communications Protection (SC)

Configuration evidence

  • Network architecture diagram showing segmentation, boundary controls, DMZ structure
  • Firewall rule exports for in-scope segments
  • Encryption configuration for data in transit (TLS versions, cipher suites) and at rest (FIPS-validated modules in use)
  • FIPS 140-2 or 140-3 module validation certificates for cryptographic implementations
  • VPN concentrator configuration with required encryption and MFA settings
  • Email gateway configuration showing inbound/outbound filtering

Activity evidence

  • Recent firewall rule review records
  • Cryptographic key rotation records
  • Boundary protection effectiveness evidence (penetration test results, attack surface monitoring)
3.14 System and Information Integrity · 7 requirements

System and Information Integrity (SI)

Configuration evidence

  • Patch management configuration with severity-based deployment timelines
  • Antivirus / EDR configuration with signature update settings
  • Email attachment scanning configuration
  • SIEM or monitoring platform configuration showing IOC ingestion sources

Activity evidence

  • Recent patch compliance reports showing in-scope systems are within policy
  • Recent antivirus update reports
  • Records of recent security alerts received and the response taken
  • Records demonstrating monitoring actually catches anomalies (recent investigations)

Organizing the Package

An evidence package is a navigable, indexed collection — not a folder of dumped files. A well-organized package speeds the assessment, reduces back-and-forth, and signals discipline to the assessor team.

  • Folder per family. Top-level folders organized by the 14 NIST families (3.1 AC, 3.2 AT, etc.). Within each, subfolders by requirement (3.1.1, 3.1.2, etc.) or by evidence type.
  • Index document. A spreadsheet or document mapping each of the 110 requirements to the specific evidence artifact(s) supporting it. This is the cross-reference assessors actually use during fieldwork.
  • Naming conventions. Date-stamped filenames (YYYY-MM-DD prefix) for time-sensitive evidence. Descriptive names (not "Document1.pdf") for ad-hoc artifacts.
  • Evidence collection date. Each artifact should clearly indicate when it was generated or captured. For configuration screenshots, this means the date in the filename plus a date visible in the screenshot.
  • Excluded evidence. Items collected but determined not to be useful as evidence — keep in a separate "rejected" folder rather than mixed with the active package.
  • Access control on the package. The evidence package itself contains sensitive information about your security posture — restrict access appropriately, encrypt at rest, and version-control changes.

A common organizational pattern is to use the SSP's outline as the spine: each control implementation statement in the SSP includes a footnote or reference pointing to the specific evidence file(s) that support it. The evidence index then provides the mapping.

Common Mistakes

  • Document-only evidence. An evidence package consisting entirely of policies and procedures — no configurations, no activity records — proves intent but not implementation. Add the configuration and activity evidence.
  • Stale artifacts. Already covered above; the most common single failure mode. Audit freshness before assessment.
  • Evidence that doesn't match the SSP. The SSP says quarterly access reviews; the evidence package contains an access review record from 14 months ago. Either the SSP or the operational practice needs to change.
  • Missing the high-weight controls. The 5-point and 3-point requirements in the DoD Assessment Methodology receive disproportionate scrutiny. Confirm that high-weight controls have especially complete evidence.
  • Unredacted PII. Evidence containing PII (training records with employee names, screenshots showing user accounts) should be appropriately handled. Some C3PAOs prefer redacted samples; check before sending.
  • Configuration screenshots without context. A screenshot of a Group Policy setting with no annotation showing what GPO it's from, what OU it applies to, when the screenshot was captured, is hard to interpret. Annotate or include source metadata.
  • Evidence stored only on individual workstations. Evidence on the ISSO's laptop that no one else can produce when the ISSO is unavailable creates fragility. Centralize in a controlled repository.
  • Mock or fabricated evidence. Forging evidence — backdating documents, fabricating training completion records, doctoring screenshots — is the most serious failure possible. It is also a False Claims Act exposure for the senior official affirming the SPRS posting. Walk away from any consultant or staff member who suggests it.

Authoritative References

NIST SP 800-171A
Assessment objectives and procedures for each 800-171 requirement — defines the examine, interview, and test objectives evidence supports
NIST SP 800-171 Rev 2
The 110 requirements your evidence must demonstrate
CIS Benchmarks
Configuration baselines commonly referenced as evidence of secure baseline configurations
DISA STIGs
DoD-published Security Technical Implementation Guides; the higher-rigor alternative to CIS Benchmarks for many systems
FIPS 140 Validated Modules
Authoritative list of FIPS-validated cryptographic modules — used to evidence SC family encryption requirements
CMMC Assessment Process (CAP)
The methodology assessors follow — describes how evidence is examined during fieldwork

Related resources: See the policy library guide for the document architecture that supports the evidence package, and the Assessment Day Playbook for how evidence is examined during fieldwork.