Free and Premium Cyber AB CMMC-CCP Dumps Questions Answers

Understanding SI.L2-3.14.6: Monitor Communications for Attacks

The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Breakdown of Answer Choices

Option

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

Official References from CMMC 2.0 and NIST SP 800-171 Documentation

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Final Verification and Conclusion

The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

The core protection principle for OSC-provided assessment information (including PCI/CUI, assessment workpapers/notes, and the assessment results package ) is confidentiality / non-disclosure . The CMMC rules require assessors not to disclose OSC information outside the assessment participants, except as required by law. For example, CMMC assessor requirements include not sharing information about an OSC obtained during pre-assessment and assessment activities with anyone not involved in that specific assessment .

For retention, the authoritative requirement in the CMMC Program rule (32 CFR Part 170) is that assessment-related records are maintained for six (6) years , unless disposition is otherwise authorized by the CMMC PMO. This record set includes assessment materials and working papers generated during Level 2 certification assessments, and it also includes contractual agreements.

Important correction to the multiple-choice options: none of the answers list the official six-year retention period. The best available option is therefore B because it correctly captures the required confidentiality/non-disclosure principle—but the “ 3 years ” duration in the option does not match the official CMMC v2.0 retention requirement (which is 6 years ).

===========

Understanding CMMC Asset Categorization

TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope Assets

As per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

Why the Other Answers Are Incorrect

A. FCI Assets

❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets

❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets

❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

The best resource for identifying the category of Controlled Unclassified Information (CUI) is NARA , because NARA is the CUI Executive Agent for the federal CUI Program and maintains the authoritative CUI Registry . The Registry is specifically where the government publishes the approved CUI categories (and related markings and handling guidance) used across the Executive Branch.

NARA’s own CUI FAQs explicitly point users to the CUI Registry as the place that “lists all authorized CUI Categories (basic and specified).” Likewise, NIST’s CUI-related FAQ page also points to the NARA CUI Registry for CUI categories, reinforcing that the Registry is the correct source for determining which category applies to a given type of information.

By contrast, DFARS Part 252 (including clauses like 252.204-7012) addresses contractual safeguarding and cyber reporting requirements, not the authoritative categorization list itself. The CMMC Assessment Guide is about how to assess controls for CMMC levels, not how to determine CUI categories. And the Cyber AB (formerly CMMC-AB) administers the ecosystem and assessment processes, not the federal CUI category taxonomy. Therefore, NARA is the best answer.

Scoping Requirements in CMMC Assessments

TheCMMC 2.0 Scoping GuideandCMMC Assessment Process (CAP) Documentclearly define what should be included in the scope of an assessment.

The assessment scope must cover:

All assets that process, store, or transmit FCI/CUI

Security Protection Assets (ESP)– these assets help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.

Thus, thecorrect scope includes both:

✅FCI/CUI Assets(Data storage, processing, or transmission assets)

✅Security Protection Assets (ESP)(Firewalls, security tools, etc.)

Why the Other Answers Are Incorrect

A. All assets documented in the business plan

❌Incorrect.Business plans may include assets unrelated to FCI/CUI, making this scopetoo broad. Only assets relevant to FCI/CUI should be assessed.

B. All assets regardless if they do or do not process, store, or transmit FCI/CUI

❌Incorrect. CMMC doesnotrequire organizations to include assets thathave no connection to FCI/CUI.

C. All entities, regardless of the line of business, associated with the organization

❌Incorrect.Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (like a non-federal commercial division) areout-of-scope.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answeras per official CMMC assessment scoping requirements.

Understanding Ethical Responsibility in the CMMC Ecosystem

Ethics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.

Key Ethical Responsibilities Include:

CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.

CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.

Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.

Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?

A. DoD and CMMC-AB → Incorrect

TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.

B. OSC and Sponsors → Incorrect

TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.

C. CMMC-AB and Members of the CMMC Ecosystem → Correct

Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.

D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect

Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.

CMMC 2.0 References Supporting this Answer:

CMMC-AB Code of Professional Conduct

Defines ethical responsibilities forassessors, consultants, and ecosystem members.

CMMC Ecosystem Governance Policies

Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.

CMMC Assessment Process (CAP) Document

Outlines ethical expectations forassessors and consultantsduring certification assessments.

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding the Best Source for CMMC Practice Descriptions

TheCMMC Assessment Guide (Levels 1 and 2)is theprimaryandmost authoritativedocument for detailed descriptions of each practice and process within the variousCMMC domains.

Step-by-Step Breakdown:

✅1. What is the CMMC Assessment Guide?

TheCMMC Assessment Guideprovides detailed explanations of:

EachCMMC practicewithin its respectivedomain.

Theassessment objectivesfor verifying implementation.

Examples ofevidence requiredto demonstrate compliance.

CMMC 2.0 includes two levels:

Level 1: 17 basic cybersecurity practices.

Level 2: 110 practices aligned withNIST SP 800-171.

TheAssessment Guidedefines howassessorsevaluate compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) CMMC Glossary❌

TheGlossaryprovidesdefinitions of termsused in CMMC but does not describe specific practices in detail.

(B) CMMC Appendices❌

Appendicesinclude supplementary information likereferences and scoping guidance, but they do not provide full descriptions of practices.

(C) CMMC Assessment Process❌

TheAssessment Process Guideexplainshowassessments are conducted, but it doesnot describe each practicein detail.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Levels 1 and 2)is theofficialsource for descriptions of eachCMMC practice and process, making it thebest referencefor understanding compliance requirements.

Understanding RA.L2-3.11.2: Vulnerability Scanning

TheRA.L2-3.11.2practice requires organizations to:

✔Regularly scan for vulnerabilitiesin systems and applications.

✔Perform scans when new vulnerabilities are identified.

✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.

Why Is an Incident Monitoring Report Irrelevant?

Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.

Vulnerability scanning reportsshould include:

✔A list of vulnerabilities detected.

✔Remediation actions taken.

✔Scan frequency and schedule.

Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.

Why is the Correct Answer "A. Inadequate because it is irrelevant to the practice"?

A. Inadequate because it is irrelevant to the practice → Correct

Alack of reported security incidents does not confirm that vulnerability scanning was performed.

B. Adequate because it fits well for expected artifacts → Incorrect

Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.

C. Adequate because no security incidents were reported → Incorrect

The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.

D. Inadequate because the OSC's service provider should be interviewed → Incorrect

While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)

Defines the requirement toscan for vulnerabilities periodically and when new threats emerge.

CMMC Assessment Guide for Level 2

Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.

CMMC 2.0 Model Overview

Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

The correct answer isA. CMMC Assessment Reporting Requirementsbecause this document specifically outlines thestructured processthat Certified Third-Party Assessment Organizations (C3PAOs) must follow when conducting and reporting CMMC assessments.

Step-by-Step Breakdown:

Understanding the CMMC Assessment Process

TheLead Assessorbriefs the team on theassessment requirementsand theevaluation criteriabefore the assessment begins.

Throughout the assessment,findings summaries, practice ratings, and level recommendationsare documented and reported.

These findings are internally reviewed by theC3PAObefore they are formally submitted forquality review and final rating approval.

Key Document Stipulating Reporting Requirements: CMMC Assessment Reporting Requirements

This documentspecifically details how assessments must be reportedwithin theCMMC ecosystem.

It describes the structured process for assessment submission, internalC3PAO reviews, andquality checks by the CMMC-ABbefore an organization can receive a final certification decision.

It ensures thatresults are consistent, transparent, and aligned with DoD cybersecurity compliance expectations.

Why Other Options Are Incorrect:

B. DFARS 52.204-21 Assessment Reporting Requirements

This clause only specifiesbasic safeguardingof Federal Contract Information (FCI) but doesnotdictate the reporting process for CMMC assessments.

C. NIST SP 800-171 Revision 2 Assessment Reporting Requirements

WhileNIST SP 800-171 Rev. 2outlines security controls, it doesnotdefine how CMMC assessments must be conducted and reported.

D. DFARS Clause 252.204-7012 Assessment Reporting Requirements

This DFARS clause focuses onincident reportingandcyber incident response requirementsbut does not detail theCMMC assessment reporting process.

Official Reference:

CMMC Assessment Reporting Requirements, issued byThe Cyber ABandDoD, governs how C3PAOs must report assessment results.

CMMC Assessment Process (CAP)also outlines reporting workflows for certification.

Thus, theCMMC Assessment Reporting Requirementsdocument is the authoritative source that dictates the reporting procedures for CMMC assessments.

In CMMC v2.0, the closeout activity for remediating previously unmet requirements is handled through the POA & M closeout process described in the CMMC Assessment Process (CAP) v2.0 . CAP v2.0 makes clear that the C3PAO must follow DoD’s POA & M closeout procedures and that the Assessment Team performs the closeout work, with the assessment results then undergoing a required quality assurance (QA) review .

Operationally, the person who must ensure that each previously failed requirement is adequately addressed during the closeout assessment is the Lead Assessor (Lead CCA) , because the Lead CCA is the individual designated to oversee and manage the Assessment Team on behalf of the C3PAO for the conduct of the certification assessment. In other words, while team members may test controls and collect evidence, the Lead CCA is accountable for directing the assessment effort and ensuring that remediation evidence supports updated determinations.

CAP v2.0 also states that a QA individual performs a quality assurance review of the POA & M closeout “upon completion by the Assessment Team,” including checks on the accuracy and completeness of evaluation of POA & M security requirements before upload to eMASS. This reinforces that verification occurs through the assessment team’s work, led by the Lead Assessor , and then independently quality-checked by QA.

===========

Understanding the Media Protection (MP) Domain

TheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).

This domain includes controls for:

Protecting digital and physical mediathat store CUI.

Sanitizing and destroying mediabefore disposal or reuse.

Restricting access to CUI mediato authorized personnel only.

Why the Correct Answer is "A. Media Protection (MP)"?

TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.

CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.

Why Not the Other Options?

B. Physical Protection (PE)→Incorrect

PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.

C. System and Information Integrity (SI)→Incorrect

SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.

D. System and Communications Protection (SC)→Incorrect

SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.

Relevant CMMC 2.0 References:

CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.

NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.

CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.

Final Justification:

SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).

Step 1: Understand the Definitions of Evidence Evaluation Criteria

TheCMMC Assessment Process (CAP)introduces two key criteria for evaluating evidence:

Adequacy– Does the evidencealign with the practice?

Sufficiency– Is the evidencecomprehensive enoughin terms ofcoverage across systems, users, and scope?

CAP v1.0 – Section 3.5.4:

“Evidence must be evaluated for bothadequacy(is it the right evidence?) andsufficiency(is there enough of it across all in-scope assets and areas?) to score a practice as MET.”

✅Step 2: Applying to the Scenario

In the question, the Lead Assessor is asking the team toverify that evidence is sufficient across:

Domains

Practices

Host Units

Supporting Organizations

Enclaves

➡️This is adirect reference to sufficiency, which evaluates whether thebreadth and depthof evidence is enough to make an informed judgment that the control is truly implemented across theentire assessed environment.

❌Why the Other Options Are Incorrect

A. Adequacy

✘Adequacy refers to therelevanceof the evidence to the specific practice — not itscoverageacross scope.

B. Capability

✘Not a term used in evidence validation within CMMC CAP documentation.

D. Objectivity

✘While objectivity is important, it refers to theunbiased nature of assessment activities, not to theextent of evidence coverage.

When an assessor evaluates whether the evidence is broad enough across all necessary systems, units, and enclaves to score a practice as MET, they are evaluatingsufficiency— one of the two core criteria for evidence validity in a CMMC assessment.

Understanding DFARS Clause 252.204-7012

TheDefense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012is a mandatory cybersecurity clause required inall DoD contracts and solicitationsthat involveControlled Unclassified Information (CUI).

Key Requirements of DFARS 252.204-7012

✅Implements NIST SP 800-171security controls for contractors handlingCUI.

✅Requirescyber incident reportingto theDoD Cyber Crime Center (DC3)within72 hours.

✅Mandatesadequate security measuresto protectDoD information systems.

✅Applies toall DoD contracts, except for those exclusively acquiring COTS items.

Why "All DoD Solicitations and Contracts" is Correct?

Option A (Correct):DFARS 252.204-7012must be included in all DoD contracts and solicitationswhen CUI is involved.

Option B (Incorrect):FAR Part 12 procedures apply tocommercial item acquisitions, but DFARS 7012 appliesregardless of procurement procedures.

Option C (Incorrect):Contractssolely for COTS (Commercial Off-the-Shelf) productsare exemptfrom DFARS 7012.

Option D (Incorrect):COTS itemssold without modificationsarenot requiredto include DFARS 7012.

Official References from DoD and DFARS Documentation

DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)

NIST SP 800-171– The required cybersecurity standard for contractors under DFARS 7012.

Final Verification and Conclusion

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.

The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.

Understanding CMMC 2.0 Levels and Their Descriptions

TheCybersecurity Maturity Model Certification (CMMC) 2.0consists ofthree levels, each representing increasing cybersecurity maturity:

Level 1 – Foundational

Focuses onbasic cyber hygiene

Implements17 practicesaligned withFAR 52.204-21

Primarily protectsFederal Contract Information (FCI)

Level 2 – Advanced(Correct Answer)

Focuses onprotecting Controlled Unclassified Information (CUI)

Implements110 practicesaligned withNIST SP 800-171

Requirestriennial third-party assessments for critical programs

Level 3 – Expert

Focuses onadvanced cybersecurityagainstAPT (Advanced Persistent Threats)

ImplementsNIST SP 800-171 and additional NIST SP 800-172 controls

Requirestriennial government-led assessments

Why "B. Advanced" is Correct?

TheCMMC 2.0 framework explicitly describes Level 2 as "Advanced."

Italigns with NIST SP 800-171to ensure robustCUI protection.

Why Other Answers Are Incorrect?

A. Expert (Incorrect)– This describesLevel 3, not Level 2.

C. Optimizing (Incorrect)– Not a defined CMMC level description.

D. Continuously Improved (Incorrect)– CMMC does not use this terminology.

Conclusion

The correct answer isB. Advanced, which accurately describesCMMC Level 2.

DFARS clause 252.204-7012 establishes the safeguarding of Covered Defense Information (CDI), which aligns with CUI categories. The clause specifies that the DoD is responsible for determining whether information is Controlled Unclassified Information (CUI) and marking it accordingly before sharing it with contractors. Contractors do not make determinations about what constitutes CUI; they are responsible for safeguarding information once it is received and marked as CUI.

Reference Documents:

DFARS 252.204-7012,Safeguarding Covered Defense Information and Cyber Incident Reporting

CMMC Model v2.0 Overview, December 2021

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

In CMMC v2.0, Level 1 is explicitly the level that “focuses on the protection of FCI ” and is composed of the basic safeguarding requirements aligned to FAR 52.204-21 . This directly establishes Level 1 as meeting the standard for protecting FCI.

However, the question asks which levels meet the standard of protecting FCI—not which level is primarily intended for FCI. The official CMMC Model Overview (Version 2.0) states that the CMMC levels and associated sets of practices are cumulative , meaning that to achieve a higher level, an organization must also demonstrate achievement of the preceding lower levels. Because Level 2 and Level 3 certifications require meeting lower-level requirements as part of achieving the higher certification, an organization certified at Level 2 or Level 3 necessarily satisfies the Level 1 requirements that protect FCI.

In addition, the later Model Overview v2.13 reiterates the structure of the model: Level 1 requirements correspond to FAR 52.204-21 safeguards (FCI), while Level 2 and Level 3 focus on CUI protection at increasing rigor. Taken together, the official documents support that Levels 1, 2, and 3 all meet the standard for protecting FCI, with Level 1 being the foundational baseline and Levels 2/3 building on it.

===========

Understanding IA.L2-3.5.3: Multifactor Authentication (MFA) Requirement

TheIA.L2-3.5.3practice, derived fromNIST SP 800-171 (Requirement 3.5.3), requires thatmultifactor authentication (MFA) be implemented for both privileged and standard userswhen accessing:

✔Organizational endpoints(e.g., laptops, desktops, mobile devices).

✔Network resources(e.g., VPNs, internal systems).

✔Cloud services containing Controlled Unclassified Information (CUI).

Key Requirement for a "MET" Rating

For IA.L2-3.5.3 to beMet, the organization must:

Require MFA for all privileged users(e.g., system administrators).

Require MFA for standard users accessing endpoints and network resources.

Implement MFA across all relevant systems.

Sincestandard users do not require MFA in the OSC’s current implementation, the practiceis not fully implementedand must be ratedNOT MET.

Why is the Correct Answer "D" (Practice is NOT MET since the objective was not implemented)?

A. The process is running correctly → Incorrect

MFA isonly applied to privileged users, but it isalso required for standard users. The process isnot fully implemented.

B. It is out of scope as this is a new acquisition → Incorrect

New acquisitionsmust still meet MFA requirementsif they handle CUI or network access.

C. The new acquisition is considered Specialized Assets → Incorrect

Specialized assets (e.g., IoT, legacy systems) may have alternative security controls, but standard users and endpointsmust still comply with MFA.

D. Practice is NOT MET since the objective was not implemented → Correct

MFA must be enabled for both privileged and standard usersaccessing endpoints and network resources. Since standard users are excluded, the practice isNOT MET.

CMMC 2.0 References Supporting This Answer:

CMMC 2.0 Level 2 (Advanced) Requirements

Specifies thatMFA must be applied to all users accessing CUI and network resources.

NIST SP 800-171 (Requirement 3.5.3 – MFA Implementation)

Requires MFA forall user types, including privileged and standard users.

CMMC Assessment Process (CAP) Document

States that a practicemust be fully implemented to be considered MET. Partial implementation meansNOT MET.

Understanding Evidence Sufficiency in CMMC Level 2 Assessments

During aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Why Option B (Sufficiency) is Correct

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Final Verification

Since theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

Breaking Down the Scenario:

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

Analysis of the Given Options:

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

Official References Supporting the Correct Answer:

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Conclusion:

Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Understanding the Principle of Least Functionality in the CM Domain

TheConfiguration Management (CM) domainin CMMC 2.0 focuses on maintaining the security and integrity of an organization’s systems through controlled configurations and restrictions on system capabilities.

The principle ofLeast Functionalityrefers to limiting a system’s features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.

Justification for the Correct Answer: Least Functionality (C)

CMMC Practice CM.L2-3.4.6 (Use Least Functionality)explicitly states:

"Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."

Thegoalis to prevent unauthorized or unnecessary applications, services, and ports from running on the system.

Examples of Implementation:

Disabling unnecessary services, such as remote desktop access if not required.

Restricting software installation to approved applications.

Blocking unused network ports and protocols.

Why Other Options Are Incorrect

A. Least Privilege

This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.

It is relevant to CMMC PracticeAC.L2-3.1.5 (Least Privilege)but does not define system capabilities.

B. Essential Concern

There is no officially recognized cybersecurity principle called "Essential Concern" in CMMC, NIST, or related frameworks.

D. Separation of Duties

This principle (covered under CMMCAC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.

While important for security, it does not define essential system capabilities.

Official CMMC and NIST References

CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain

CM.L2-3.4.6 mandatesleast functionalityto enhance security by removing unnecessary features.

NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6

States:"Limit system functionality to only the essential capabilities required for organizational missions or business functions."

NIST SP 800-53 – Control CM-7 (Least Functionality)

Provides detailed recommendations on configuring systems to operate with only necessary features.

Conclusion

Theprinciple of Least Functionality (C)is the basis for defining essential system capabilities in theConfiguration Management (CM) domainof CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.

Understanding SI.L1-3.14.2: Provide Protection from Malicious Code

The CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:

Implement malicious code protection(e.g., antivirus, endpoint security software).

Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).

Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).

Assessment Criteria for a "MET" Rating:

To determine whether the practice isMET, the Lead Assessor must confirm that:

✔Antivirus or endpoint protection software is installedon all workstations and servers.

✔The solution is centrally managed, ensuring consistent policy enforcement.

✔Signature updates are current, meaning systems are protected against new threats.

✔Logs or reports demonstrate active monitoring and updates.

Why is the Correct Answer "A. It is sufficient, and the audit finding can be rated as MET"?

The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:

✔All workstations and servers have antivirus installed→Meets installation requirement.

✔A centralized management console is in place→Ensures consistent enforcement.

✔Records show antivirus signatures are up to date→Confirms system protection is current.

Because the evidencemeets the requirement, the practice should berated as MET.

Why Are the Other Answers Incorrect?

B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect

The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.

C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect

Ifadequate evidence already exists,additional evidence is unnecessary.

D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect

The evidence providedmeets the control requirements, making itsufficient.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies that a practice can be marked asMET if sufficient evidence is provided.

NIST SP 800-171 (Requirement 3.14.2)

Defines the standard formalicious code protection, which ismet by antivirus with active updates.

CMMC 2.0 Level 1 (Foundational) Requirements

Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.

Final Answer:

✔A. It is sufficient, and the audit finding can be rated as MET.

Step 1: Understanding CMMC Level 1 Self-Assessment Scope

CMMC Level 1applies toFederal Contract Information (FCI)systems.

Any system or device that is connected to an FCI-handling network is within the assessment scopebecause it canintroduce vulnerabilitiesinto the environment.

Step 2: Why the Thermostat is in Scope

TheWi-Fi-enabled thermostat is connected to the FCI network, meaning it haspotential accessto sensitive contract-related data.

PerCMMC Scoping Guidance, this type of device is classified as aRestricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but areconnected to networks that do.

Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.

Control Reference: CA.L2-3.12.1

CA.L2-3.12.1:"Periodically assess the security controls in organizational systems to determine if the controls are effective in their application."

This control is derived fromNIST SP 800-171, Requirement 3.12.1, which mandates organizations to performregular security control assessmentsto ensure compliance and effectiveness.

Assessment Criteria & Justification for the Correct Answer:

Evidence Review & Assessment Timeline:

The organization's procedureexplicitly statesthat security control assessments must be conductedquarterly(every three months).

Since the Lead Assessor only has access to thefirst-quarter report, the second-quarter report is missing at the time of assessment.

CMMC Audit Requirements:

For an assessor to rate a control asMET, sufficient evidence must bereadily availableat the time of evaluation.

Since the second-quarter report is missingat the time of assessment, the Lead Assessorcannot verify compliancewith the organization's own stated frequency of assessment.

Why the Answer is NOT A, C, or D:

A (Sufficient, MET)→Incorrect: The control assessment frequency is quarterly, but the evidence for Q2 is not available. Compliance cannot be confirmed.

C (Sufficient, and re-rate later)→Incorrect: If evidence is not available during the audit, the controlcannot be rated as MET initially. There is no provision in CMMC 2.0 to "conditionally" pass a control pending future evidence.

D (Insufficient, but re-rate later)→Incorrect: Once a control is ratedNOT MET, it staysNOT METuntil a re-assessment is conducted in a new audit cycle. The assessordoes not adjust ratings retroactivelybased on future evidence.

Official CMMC 2.0 References Supporting the Answer:

CMMC Assessment Process (CAP) Guide (2023):

"For a control to be rated as MET, the assessed organization must provide sufficient evidence at the time of the assessment."

"If evidence is missing or incomplete, the finding shall be rated as NOT MET."

NIST SP 800-171A (Security Requirement Assessment Guide):

"Evidence must be current, relevant, and sufficient to demonstrate compliance with stated periodicity requirements."

Since the procedure mandatesquarterly assessments, missing evidence means compliancecannot be validated.

DoD CMMC Scoping Guidance:

"Assessors shall base their determination on the evidence provided at the time of assessment. If required evidence is not available, the control shall be rated as NOT MET."

Final Conclusion:

Thecorrect answer is Bbecause the required evidence (the second-quarter report) is not availableat the time of assessment, making itinsufficientto validate compliance. The Lead Assessormust rate the control as NOT METin accordance with CMMC 2.0 assessment rules.

Understanding the C3PAO Assessment Methodology

ACertified Third-Party Assessment Organization (C3PAO)is an entity authorized by theCMMC Accreditation Body (CMMC-AB)to conduct officialCMMC Level 2 assessmentsfor organizations seeking certification.

Key Requirement: CMMC Assessment Process (CAP)

C3PAOs must follow theCMMC Assessment Process (CAP), which outlines:

✅Theassessment methodologyfor evaluating compliance.

✅Evidence collectionprocedures (interviews, artifacts, testing).

✅Assessment scoring and reportingrequirements.

✅Guidance for assessorson executing standardized assessments.

Why "CMMC Assessment Process" is Correct?

ISO 27001 (Option A)is an international standard forinformation security managementbut isnot the basis for CMMC assessments.

NIST SP 800-53A (Option B)providessecurity control assessments for federal systems, but CMMC assessments arebased on NIST SP 800-171.

GAO Yellow Book (Option D)is agovernment auditing standardused forfinancial and performance audits, not cybersecurity assessments.

CMMC Assessment Process (CAP) (Option C) is the correct answerbecause it defines how C3PAOs conduct CMMC assessments.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– GovernsC3PAO assessment execution.

CMMC 2.0 Model Documentation– RequiresC3PAOs to follow CAP proceduresfor assessments.

Final Verification and Conclusion

The correct answer isC. CMMC Assessment Process, as it is theofficial methodology all C3PAOs must follow when conducting CMMC assessments.

According to the CMMC Scoping Guidance, Level 2, assets are categorized to determine the level of assessment rigor required. The requirement to document an asset in the Asset Inventory, the System Security Plan (SSP), and on the Network Diagram is a specific administrative requirement for high-priority asset classes.

CUI Assets: These are assets that process, store, or transmit Controlled Unclassified Information (CUI). They are part of the "Assessed" group and must be fully documented in the inventory, SSP, and network diagram.

Security Protection Assets (SPA): These are assets that provide security functions or capabilities to the assessment scope (e.g., firewalls, log servers, or AV management consoles), even if they do not process CUI themselves. Because they are critical to the security of CUI, they must also be documented in the inventory, SSP, and network diagram.

Why other options are incorrect:

Option A: "GUI Assets" is likely a typo or misnomer in this context (possibly meant to refer to CUI assets or a distractor).

Option C: This is incorrect because Contractor Risk Managed Assets (CRMA) and Specialized Assets have different documentation requirements. For instance, while CRMA are documented in the inventory and SSP, they are often not required to be on the network diagram in the same detail as CUI assets, depending on the specific assessment boundary. Out-of-Scope Assets are not documented at all.

Option D: Contractor Risk Managed Assets (CRMA) and Specialized Assets (like IoT, OT, or Restricted Information Systems) are required to be in the Asset Inventory and SSP, but the CMMC Scoping Guidance specifies that the most stringent documentation (Inventory + SSP + Network Diagram) is the primary mandate for those assets directly handling CUI or protecting it (SPAs).

Reference Documents:

CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.0, Table 1 (CUI Assets) and Table 2 (Security Protection Assets), which explicitly list the "Documentation Requirements" for each category.

CMMC Assessment Process (CAP): Section on Scoping Boundaries and Evidence Validation.

Understanding the False Claims Act (FCA) and Whistleblower Protections

TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

Why the Other Answers Are Incorrect

A. NIST SP 800-53

❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171

❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct

❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

CMMC Official References

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

Thus,option C (False Claims Act) is the correct answeras per official legal guidance.

Understanding Federal Contract Information (FCI)

Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:

Is NOT intended for public release.

Is provided by or generated for the government under a contract.

Is necessary to develop or deliver a product or service to the government.

Excludes publicly available government information(such as information on public websites).

Excludes simple transactional information(e.g., necessary to process payments).

In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.

Why is the Correct Answer FCI (D)?

A. CDI (Controlled Defense Information)→ Incorrect

This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.

B. CTI (Cyber Threat Intelligence)→ Incorrect

This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.

C. CUI (Controlled Unclassified Information)→ Incorrect

CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.

D. FCI (Federal Contract Information)→Correct

The definition of FCI explicitly matches the description given in the question.

CMMC 2.0 References Supporting this Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Defines FCI and the required safeguards.

Establishes17 cybersecurity practicesfor FCI protection.

CMMC 2.0 Framework

Level 1 (Foundational)is required for contractors handlingFCI.

Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.

NIST SP 800-171 and DFARS 252.204-7012

FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

This question aligns to the CMMC requirement to control information posted or processed on publicly accessible information systems , which appears in the CMMC Model Overview as AC.L1-3.1.22 (Control Public Information) and maps to FAR 52.204-21(b)(1)(iv) and NIST SP 800-171 Rev. 2 / r2 requirement 3.1.22 .

NIST explains that publicly accessible systems are typically those accessible to the public without identification or authentication , and that individuals authorized to post nonpublic information (including CUI/FCI and proprietary information) are designated . It also emphasizes controlling what gets posted and ensuring nonpublic information is not exposed.

The most direct technical way to “limit individuals who are authorized to post or process information” is to implement role-based administrative access (least privilege) to the website/CMS/admin console—granting publish/edit privileges only to approved roles (e.g., “Web Publisher,” “Content Approver”), and keeping all other users read-only or without access to posting functions. This directly enforces the requirement by using access control to restrict who can post/process content on the public system.

Options B and C are helpful procedural/administrative controls , but the question asks for technical means . Option A (cookies) does not control authorization to post; it’s not an access control mechanism. Therefore, D is best.

TheLimited Practice Deficiency Correction Evaluationprocess occurs when anOrganization Seeking Certification (OSC)has undergone aCMMC Level 2 Assessmentby aCertified Third-Party Assessment Organization (C3PAO)and hasunresolved deficienciesin some security practices.

According toCMMC 2.0 policy and DFARS 252.204-7021, OSCs can still achieveInterim Certificationif they meet theminimum thresholdof security practices while addressing deficiencies through aPlan of Action & Milestones (POA & M).

Minimum Number of Practices Required

TheCMMC 2.0 Interim Rulestates that an OSCmust meet at least 100 out of 110 practicesto qualify for aPOA & M-based remediation.

A maximum of 10 practices can be listed in the POA & Mfor later correction.

Failure to meet at least 100 practices results in failing the assessment outright, requiring a full reassessment after remediation.

Why "C. 100 Practices" is Correct?

The Lead Assessor can recommend POA & M placementonly if the OSC meets at least 100 practices.

Less than 100 practices scored as MET means the OSC does not qualify for a POA & Mand mustretest completely.

DFARS 252.204-7021 and CMMC 2.0 policiesconfirm the100-practice thresholdfor conditional certification.

Why Other Answers Are Incorrect?

A. 80 practices (Incorrect)– Falls well below the 100-practice requirement.

B. 88 practices (Incorrect)– Still below the POA & M eligibility threshold.

D. 110 practices (Incorrect)– While meeting 110 practices would be ideal,CMMC allows a POA & M option at 100 practices.

Conclusion

The correct answer isC. 100 practices, as this meets theminimum threshold for POA & M-based Interim Certification.

In Phase 3 (Post-Assessment), the assessor’s responsibility is to archive or dispose of assessment artifacts according to the C3PAO’s policies and retention requirements. By this point, final findings and results have already been delivered, so the only remaining step is ensuring proper handling of assessment materials.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Activities (§3.17): “The assessor must archive or dispose of any assessment artifacts in accordance with the C3PAO’s retention and destruction policy.”

Why Option D is Correct:

Determining practice pass/fail results and level recommendations occurs earlier in Phases 2 and 3.

The final step left for the assessor is the proper archiving or destruction of artifacts.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3: Post-Assessment (§3.17).

===========

According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.

Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the "anchor" for the assessment boundary.

Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.

Relationship to other units:

Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary "Host" of the CUI/FCI. They are in-scope because they provide "Security Protection" or "Administrative" functions to the Host Unit.

Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the "people, processes, and technology" being assessed under the CMMC CAP.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.

CMMC Level 2 Scoping Guidance: Provides the framework for identifying the "assets" (people, technology, facilities) that reside within the Host Unit boundary.

CCP Study Guide: Section on "Scoping the Assessment," which explains how to identify the Host Unit versus External Service Providers (ESPs).

Understanding Access Control in CMMC

Access control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

Why the Other Answers Are Incorrect

B. Physical access control

❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)

❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)

❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

CMMC Official References

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

Which NIST SP Defines the Assessment Procedures for CMMC?

CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:

✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Thus, the correct answer is:

Contractors that handle Covered Defense Information (CDI) are required to report cyber incidents to the Department of Defense within 72 hours of discovery.

Supporting Extracts from Official Content:

DFARS 252.204-7012(c)(1): “When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall conduct a review… and rapidly report the cyber incident to DoD within 72 hours of discovery.”

Why Option C is Correct:

The regulation explicitly specifies 72 hours.

Options A (24 hrs), B (48 hrs), and D (96 hrs) do not align with DFARS requirements.

References (Official CMMC v2.0 Content and Source Documents):

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

CMMC v2.0 Governance – Source Documents list includes DFARS 252.204-7012.

===========

According to the CMMC Assessment Process (CAP) and the C3PAO Authorization Requirements, every assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) must undergo a formal Quality Management System (QMS) review before the results are finalized and uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the SPRS (Supplier Performance Risk System).

The Quality Review Requirement: The CAP explicitly states that the C3PAO is responsible for the accuracy and integrity of the assessment findings. Before the Assessment Team Lead can formally submit the package, a person or team within the C3PAO (who was ideally not part of the active assessment team to ensure objectivity) must conduct an internal review. This review ensures that the evidence collected supports the "Met" or "Not Met" determinations and that all CMMC methodology requirements were followed.

Why other options are incorrect:

Option A: While there may be administrative costs associated with maintaining C3PAO status, paying a specific "per-submission fee" is not a mandatory procedural stepwithin the assessment lifecyclethat governs the validity of the results.

Option C: The Cyber AB (CMMC-AB) provides the platform and oversight, but a "forthcoming notification" is not a formal requirement in the CAP; the act of submission itself serves as the notification.

Option D: While a final briefing is a "best practice" and usually occurs during the "Post-Assessment" phase, the internal quality review (Option B) is the regulatory mandate that must be completed to ensure the C3PAO's certification of the results is valid and defensible.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 4: Reporting Results," specifically the sub-section on C3PAO Quality Assurance Review.

C3PAO Quality Management System (QMS) Requirements: Outlines the necessity for internal validation of assessment packages to maintain accreditation.

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment

ACMMC Level 2 Assessmentconducted by aCertified Third-Party Assessor Organization (C3PAO)follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to theOrganization Seeking Certification (OSC). The reporting process is outlined in theCMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.

Assessment Communication Structure

Daily Checkpoints:

Throughout the assessment, the assessor team holdsdaily checkpoint meetingswith the OSC to provide updates on progress, observations, and preliminary findings.

These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.

Final Results Delivery:

Thefinal assessment resultsare typically shared during thefinal daily checkpointOR in aseparately scheduled findings and recommendations reviewmeeting.

This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.

Why Option C is Correct

TheCMMC Assessment Process (CAP) Guide, Section 4.5clearly states that assessment findings should be presentedeither at the last daily checkpoint or during a separately scheduled final review.

This aligns with best practices formaintaining transparency and ensuring the OSC has clarity on their assessment resultsbefore the final report submission.

Option A (End of every day)is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.

Option B (Daily and a separate final review)is misleading, as the CAP Guide allows assessors tochoosebetween the final daily checkpoint OR a separate findings review—not both.

Option D (After C3PAO approval)is incorrect because theC3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication

CMMC 2.0 Level 2 Assessment Process Overview

CMMC Assessment Final Report Guidelines

Final Verification

Based on officialCMMC 2.0 documentation, thefinal assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.

According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).

While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.

Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.

Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.

Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.

Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.

C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.

The Lead Assessor is responsible for protecting and maintaining all assessment records, notes, and information gathered during the assessment process. This includes working papers and supplemental documentation that may be needed for auditability or dispute resolution.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Responsibilities (§3.17): “The Lead Assessor must ensure that all assessment artifacts, notes, and information are archived or disposed of in accordance with C3PAO policy.”

Why Option A is Correct:

The CAP specifies that notes and information from the assessment must be preserved or disposed of according to policy.

Options B, C, and D list items not required in the CAP. The “letter” and “quality control report” are not part of the Lead Assessor’s required maintained materials.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3 Post-Assessment (§3.17).

===========

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC Assessments

When assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Breakdown of Answer Choices

Option

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

Official References from CMMC 2.0 Documentation

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Final Verification and Conclusion

The correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

According to the CMMC Assessment Process (CAP) v2.0, assessors are required to conduct Daily Checkpoint Meetings at the end of each day to summarize progress with the OSC (Organization Seeking Certification). The final Daily Checkpoint is where preliminary practice ratings are shared, before the quality assurance review and Out-Brief. The Out-Brief is reserved for the presentation of final results. Additionally, Department of Defense regulations (32 CFR §170.17(c)(2)) provide a 10-business-day re-evaluation window for requirements marked NOT MET before the final report is delivered, which necessitates that the OSC see preliminary ratings during the assessment process itself.

Supporting Extracts from Official Content:

CAP v2.0, §2.23: “The assessment team shall host a Daily Checkpoint Meeting with the OSC at the end of each assessment day to summarize progress.”

CAP v2.0, §3.7: “The C3PAO shall conduct the quality assurance review… prior to the conduct of the Out-Brief Meeting.”

CAP v2.0, §3.10: “The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC.”

32 CFR §170.17(c)(2): “A security requirement assessed as NOT MET may be re-evaluated… for 10 business days… if the CMMC Assessment Findings Report has not been delivered.”

Why Option A is Correct:

The CAP specifies that Daily Checkpoint Meetings are the formal, structured mechanism for assessors to communicate progress and preliminary findings to the OSC.

The final Daily Checkpoint provides the OSC with visibility into the preliminary practice ratings before they are finalized, ensuring transparency and alignment.

The Out-Brief is explicitly for conveying the final assessment results after the C3PAO has completed QA.

Federal regulation (32 CFR §170.17(c)(2)) requires the OSC to have access to preliminary results so they can provide additional evidence for re-evaluation before the report is locked, further confirming that this exchange must occur at the final Daily Checkpoint.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0: Sections 2.23 (Daily Checkpoints), 3.7–3.10 (QA and Out-Brief).

32 CFR §170.17(c)(2): Security Requirement Re-evaluation Window.

DoD CMMC Assessment Guide – Level 2 (v2.13): Guidance on MET/NOT MET determinations and findings.

Understanding the Final Review Process in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

Why "D. Final and recorded Daily Checkpoint log" is Correct?

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

Why Other Answers Are Incorrect?

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

Conclusion

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

During a Readiness Review (Phase 1), the purpose is to validate whether an OSC is prepared to move forward with a formal assessment. The CAP specifies that the Lead Assessor must collect sufficient evidence for each practice to make a preliminary determination of readiness.

Supporting Extracts from Official Content:

CAP v2.0, Readiness Review (§2.14): “The Lead Assessor must collect a sufficient amount of evidence for each practice to determine the OSC’s readiness.”

Why Option A is Correct:

The requirement is for sufficient evidence; CAP does not mandate a set number of assessment objects or methods.

Options B, C, and D incorrectly suggest minimum counts or methods that are not part of the readiness review requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Readiness Review.

===========

When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.

Step-by-Step Breakdown:

✅1. What is an ESP?

External Service Providers (ESPs)arethird-party organizationsthat:

ProvideIT services, cloud hosting, and managed security solutions.

Process, store, or transmit FCI or CUIon behalf of a contractor.

Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.

If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.

✅2. Why the Other Answer Choices Are Incorrect:

(B) People❌

Incorrect:ESPs areorganizations, not individual people.

(C) Facilities❌

Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.

(D) Technology❌

Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just "Technology."

Final Validation from CMMC Documentation:

TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.

Thus, the correct answer is:

✅A. ESPs (External Service Providers).

PerDFARS 252.204-7021, contractors must achieve the requiredCMMC certification levelbefore contract awardif the solicitation specifies it.

Key Requirements:

✔Contractorsmust be certified at the required CMMC levelprior to contract award.

✔Thecertification must be conducted by a C3PAO(for Level 2) orthrough self-assessment(for Level 1).

✔The certification must bevalid and registered in the Supplier Performance Risk System (SPRS)before award.

Why is the Correct Answer "At the Time of Award" (A)?

A. At the time of award → Correct

DFARS 252.204-7021requires CMMC certification before a contract can be awardedif the solicitation includes CMMC requirements.

B. Upon solicitation submission → Incorrect

Contractorsdo notneed to be CMMC-certified at thetime of bid submission, only by the time of award.

C. Thirty days from the award date → Incorrect

Contractorsmust already be certified before the award is granted. There isno grace period.

D. Before the due date of submission → Incorrect

While compliance planning is important,CMMC certification is only required before contract award, not before bid submission.

CMMC 2.0 References Supporting This Answer:

DFARS 252.204-7021 (CMMC Requirement Clause)

CMMC certification is required prior to contract awardif specified in the solicitation.

CMMC 2.0 Program Overview

States that certificationis not needed at bid submission but is required before award.

DoD Interim Rule & SPRS Guidance

Contractors must havea valid CMMC certification recorded in SPRSbefore award.

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:

Adequacy– Does the evidence meet the intent of the security requirement?

Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?

These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.

Step-by-Step Breakdown:

✅1. Adequacy – Does the evidence fully meet the requirement?

Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.

Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.

✅2. Sufficiency – Is there enough evidence to support the claim?

Sufficiencymeans that there isenough supporting evidenceto prove compliance.

Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.

Why the Other Answer Choices Are Incorrect:

(B) Adequacy and Thoroughness❌

Thoroughnessis not a defined metric in CMMC evidence evaluation.

The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).

(C) Sufficiency and Thoroughness❌

Thoroughnessis not a recognized term in CMMC compliance validation.

Evidence must beadequate and sufficient, not just thorough.

(D) Sufficiency and Appropriateness❌

Appropriatenessis not a CMMC-defined criterion.

Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).

Final Validation from CMMC Documentation:

CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

1. Understanding CMMC 2.0 Levels and CUI Handling Requirements

UnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.

CMMC 2.0 Levels:

Level 1 (Foundational) – 17 Practices

Covers onlyFederal Contract Information (FCI)security.

Does NOT meet CUI handling requirements.

Level 2 (Advanced) – 110 Practices✅

REQUIRED for handling CUI.

Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.

Contractorsmust achieve Level 2for contracts requiring CUI protection.

Level 3 (Expert) – 110+ Practices

Required for contracts involvinghigh-value CUIandcritical national security information.

Includesadditionalprotections fromNIST SP 800-172.

2. Official CMMC 2.0 References Confirming Level 2 for CUI

TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.

DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.

TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.

3. Why the Other Options Are Incorrect

A. Level 1❌

Only covers FCI, not CUI.

Does notmeet DoD requirements for protectingCUI.

C. Level 3❌

While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.

Level 2 is the minimumneeded to handle CUI.

D. Any level❌

OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.

Level 1 doesnotmeet CUI security standards.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

Understanding Training Requirements in CMMC

The requirement for ensuring thatpersonnel are trained to carry out their assigned information security-related duties and responsibilitiesfirst appears inCMMC Level 2as part ofNIST SP 800-171 control AT.L2-3.2.1.

Key Details on the Training Requirement:

✔AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

✔This control is derived fromNIST SP 800-171and applies toCMMC Level 2 (Advanced).

✔It ensures that employees handlingControlled Unclassified Information (CUI)understand theircybersecurity responsibilities.

Why is the Correct Answer "B. Level 2"?

A. Level 1 → Incorrect

CMMC Level 1 does not include this training requirement.Level 1 focuses on basic safeguarding ofFederal Contract Information (FCI)but doesnot require formal cybersecurity training.

B. Level 2 → Correct

The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns withNIST SP 800-171.

C. Level 3 → Incorrect

The training requirementalready exists in Level 2. Level 3 builds on Level 2 with additionalrisk management and advanced cybersecurity controls, but training is introduced at Level 2.

D. All levels → Incorrect

CMMC Level 1 does not include this requirement—it is first introduced in Level 2.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.2.1)

Defines themandatory training requirementfor personnel handling CUI.

CMMC Assessment Guide for Level 2

ListsAT.L2-3.2.1as a required practice under Level 2.

CMMC 2.0 Model Overview

Confirms thatCMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.

The CAP makes clear that evidence collected during the assessment is evaluated for both adequacy (does the evidence align with the requirement) and sufficiency (is there enough evidence to make a confident determination).

Supporting Extracts from Official Content:

CAP v2.0, Evidence Collection Guidance: “Evidence must be evaluated for adequacy… and for sufficiency, to ensure enough information is available to support the assessor’s determination.”

Why Option A is Correct:

Evidence is assessed based on two qualities only: adequacy and sufficiency.

“Thoroughness” and “appropriateness” are not official CAP terms for evidence evaluation.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Evidence Evaluation section.

===========

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

Why "A. Obtain Evidence" is Correct?

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

Why Other Answers Are Incorrect?

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

Conclusion

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

How Many Practices Are Included in CMMC Level 2?

CMMC Level 2is designed to alignfullywithNIST SP 800-171, which consists of110 security controls (practices).

This meansall 110 practicesfrom NIST SP 800-171 are required for aCMMC Level 2 certification.

Breakdown of Practices in CMMC 2.0

CMMC Level

Number of Practices

Level 1

17 practices(Basic Cyber Hygiene)

Level 2

110 practices(Aligned with NIST SP 800-171)

Level 3

Not yet finalized but expected to exceed 110

Since CMMC Level 2 mandatesall 110 NIST SP 800-171 practices, the correct answer isC. 110 practices.

Why the Other Answers Are Incorrect

A. 17 practices

❌Incorrect.17 practicesapply only toCMMC Level 1, not Level 2.

B. 72 practices

❌Incorrect. There is no CMMC level with72 practices.

D. 180 practices

❌Incorrect. CMMC Level 2only requires 110 practices, not 180.

CMMC Official References

CMMC 2.0 Model– Confirms thatLevel 2 includes 110 practicesaligned withNIST SP 800-171.

NIST SP 800-171 Rev. 2– Outlines the110 security controlsrequired for handlingControlled Unclassified Information (CUI).

Thus,option C (110 practices) is the correct answer, as per official CMMC guidance.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):

MP.L2-3.8.1 – Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.

Defense Innovation Unit

MP.L2-3.8.3 – Media Disposal: It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.

Defense Innovation Unit

Physical Protection (PE):

PE.L2-3.10.2 – Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.

Defense Innovation Unit

Application to the Scenario:

Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:

Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.

Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.

Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.

Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.

totem.tech

Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========