
Welcome to The Assessor’s Corner
The Assessor’s Corner continues to provide unfiltered, practical insights from KLC Consulting’s Lead CMMC Certified Assessors (CCAs) on critical CMMC topics. This series is designed to equip Organizations Seeking Certification (OSCs) with the knowledge needed for a prepared, ready, and successful assessment outcome.
For organizations in the Defense Industrial Base (DIB), the CMMC Level 2 assessment is a critical hurdle. This article provides an in-depth look at the CMMC EIT methodology, featuring strategic insights from one of KLC Consulting’s Lead CMMC Certified Assessors, Layla Paoletti. At KLC Consulting, we understand that this is more than just a document review – it’s a comprehensive evaluation of how your cybersecurity posture functions in the real world.
The core of every CMMC Level 2 assessment is the Examine, Interview, Test (EIT) methodology. This isn’t a C3PAO invention; it is the Department of Defense’s (DoD) approved standard for verifying NIST SP 800-171 compliance, as formalized in the CMMC Assessment Process (CAP). Our role at KLC Consulting is to apply this methodology with precision, transparency, and a focus on predictable outcomes for your Organization Seeking Certification (OSC).
What is EIT Methodology?
The EIT method ensures that compliance is not just theoretical (what you say you do) but practical (what you can prove you do). For every one of the 110 practices in CMMC Level 2, our assessors use a combination of these three methods to make a “MET” or “NOT MET” determination, based on the assessment procedures outlined in NIST SP 800-171A.
CMMC Assessment Requirement: For a practice to be marked as MET, the assessor must use at least two out of the three EIT methods to confirm compliance. For example, the assessor may Examine your policy and then Test the control’s function to verify it is implemented.
1. Examine (E): Reviewing the Artifacts
The Examine phase is where KLC Consulting begins by reviewing your documented security practices. This is the evidence of intent.
| Artifact Type | What We Examine (Per NIST 800-171A) | The KLC Consulting Focus (Evidence of Intent) |
| --- | --- | --- |
| Specifications (Policies & SSP) | System Security Plan (SSP), Scope Definition, and Policy documents detailing how the organization plans to meet each practice. | We look for alignment between your policies and the specific assessment objectives in NIST 800-171A. The documentation must clearly articulate the “who, what, and how” for your unique environment and define the CUI Boundary. |
| Mechanisms (Configurations) | Configuration standards (e.g., baselines), network diagrams, asset inventory, and system logs. | We verify that the technical documentation (e.g., GPOs, cloud policies) enforces the stated policy. This checks the documented state of the security controls. |
| Activities (Records) | Training records, maintenance logs, security incident reports, and system change requests. | We verify that required activities (such as log reviews or security training) have documented records of completion, ensuring ongoing operation. |
2. Interview (I): Validating the Process
The Interview phase provides context and confirmation. This is where your Subject Matter Experts (SMEs) explain how the controls are implemented and who is responsible.
- The Goal: Our Certified CMMC Assessors (CCAs) interview the personnel responsible for a control (e.g., IT staff, HR, management). This validates the process implementation and confirms personnel knowledge.
- A Critical Step: The interview verifies that the practices described in the documentation (Examine) are known and followed by the staff who execute the security function.
- Personnel: Prepare for interviews with the System Owner, Security Officer, and specific SMEs (e.g., Network Admins, Help Desk).
“A key differentiator in successful assessments is personnel readiness. Your SMEs need to be able to articulate the ‘why’ behind a policy and the ‘how’ of the procedure without relying on reading the documentation. This shows the assessor the practice is ingrained in your operations.”
— Layla Paoletti, LCCA at KLC Consulting
3. Test (T): Observing the Implementation
The Test phase is the final and most decisive step. This is the evidence of function. We are watching your team actively demonstrate that the security controls are operating correctly.
Observation & Demonstration: This involves live screen-sharing or in-person observation of your systems. For example, for CM.L2-3.4.5 (Control and Monitor Remote Access), we will observe a live demonstration of the Multi-Factor Authentication (MFA) sign-on process and verify system timeout configurations and monitoring logs in real time.
Common Test Points:
- Access Enforcement: Demonstrating that a non-authorized user is blocked from a CUI-containing resource.
- Vulnerability Scanning: Demonstrating the execution of a scan and reviewing the resulting report.
- Incident Handling: Reviewing a past incident and demonstrating how it was logged and addressed according to the Incident Response Plan.
“When it comes to the Test phase, remember that ‘screenshare proof’ is king. You need to provide the clear, objective evidence we’re looking for, whether it’s an audit log, a firewall rule, or a system demonstration. If the evidence isn’t readily available and clearly traceable, it’s difficult for us to mark the practice as MET.”
— Layla Paoletti, LCCA at KLC Consulting
KLC Consulting’s Strategic Approach to EIT Success
KLC Consulting utilizes the EIT method to give your team the best chance at success while ensuring the integrity of the CAP.
- Control Pairing: We group practices based on the personnel responsible. We complete all Access Control (AC) practices with the relevant SME before moving on to the next domain. This strategy optimizes time and personnel usage.
- Pre-Assessment Review: We highly recommend a Readiness Assessment where we simulate the EIT for your most common high-failure practices. This removes assessment-day surprises by identifying gaps in documentation and evidence before the formal assessment.
- Focus on the Objective: Our CCAs are trained to assess the assessment objectives (the required security outcome) of the control, as defined in NIST SP 800-171A, not just the literal wording of the practice. We work with you to confirm objective evidence that meets the security requirement.
“Many organizations fail not because of a technical gap, but because they have an improperly defined CUI boundary. The CMMC assessment begins and ends with your scope definition and CUI flow map. You must plan your evidence collection around a clearly identified and secured scope, or you will fail to meet the objective.”
— Layla Paoletti, LCCA at KLC Consulting
Strategic Priorities for DIB Contractors
By preparing for the CMMC EIT methodology, you transition from hoping you are compliant to knowing you can prove it. As a lead assessor for KLC Consulting, Layla Paoletti, LCCA, offers a final strategic recommendation for any DIB contractor: elevate your CMMC preparation from a compliance exercise to a strategic priority, using the EIT structure as follows.
- Priority 1: Lock Down Your Scope (Examine). The assessment begins and ends with your CUI boundary. Ensure your System Security Plan (SSP) and CUI flow diagrams are flawless, detailed, and directly align with the infrastructure you plan to present. An improperly defined scope is the most common reason for a NOT MET outcome, regardless of technical maturity.
- Priority 2: Master the ‘Show Me’ Phase (Test). Remember that two out of three EIT elements are required, and the Test (live demonstration) provides the least subjective evidence. Focus your final prep time not on polishing documentation, but on rehearsing live screen-shares of your system logs, access controls, and security configurations. If you can’t demonstrate it in 30 seconds, it’s not ready.
- Priority 3: Empower Your Personnel (Interview). Your subject matter experts must be able to articulate the why and how of your security policies without hesitation. This confirms the practice is operational and ingrained in your culture. Personnel readiness is often the final hurdle that determines a successful validation.
This structured preparation turns your CMMC assessment with KLC Consulting into an effective validation, rather than an unnecessary challenge for your OSC.
About KLC Consulting
KLC Consulting is an Authorized C3PAO specializing in CMMC assessments and NIST 800-171 compliance for the Defense Industrial Base (DIB). Our team of Cyber AB-authorized Lead Certified CMMC Assessors has a combined 75 years of experience in the cybersecurity field, allowing us to deliver objective, high-quality CMMC Level 2 assessments and readiness services for organizations from Fortune 500s to small subcontractors. Read more about us here.