Changed CMMC-CCP Exam Questions

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

Background on Legacy Markings and CUI

Legacy markings refer to classification labels used before the implementation of theControlled Unclassified Information (CUI) ProgramunderDoD Instruction 5200.48.

Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align withCUI requirements.

When Must Legacy Markings Be Updated?

If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.

If the document is classified as Secret (Answer B - Incorrect): This question is aboutCUI, not classified information. Secret-level documents follow different marking rules underDoD Manual 5200.01.

If a document is being shared externally (Answer C - Correct):

According toDoD Instruction 5200.48, Section 3.6(a), organizations mustreview legacy markings before sharing documents outside the organization.

The document must bere-markedin compliance with the CUI Program before dissemination.

If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.

Conclusion

The correct answer isC: Documents with legacy markings must bere-marked or redacted when being shared outside the organizationto comply with DoD CUI guidelines.

Understanding High-Level Scoping in a CMMC AssessmentDuringHigh-Level Scoping, aCertified Third-Party Assessment Organization (C3PAO)determines thepeople, processes, and technologythat are within scope for theCMMC Level 1 or Level 2 assessment.

Supporting Organization/Unitsrefer to thespecific groups, departments, or teamsthat handleControlled Unclassified Information (CUI)orFederal Contract Information (FCI)and are responsible for applyingCMMC security practices.

These units aredirectly involved in the contract's executionand are included in the CMMC assessment scope.

Key Term: Supporting Organization/Units

A. Host Unit → Incorrect

This term is not used inCMMC assessment scoping.

B. Branch Office → Incorrect

Abranch officemay or may not be in scope; scoping is based onwhether the unit handles CUI or FCI, not its physical location.

C. Coordinating Unit → Incorrect

No official CMMC term refers to a "Coordinating Unit."

D. Supporting Organization/Units → Correct

This termcorrectly describes the entities that apply security controls for the contract and are within the CMMC assessment scope.

Why is the Correct Answer "D. Supporting Organization/Units"?

CMMC Scoping Guidance for Level 1 & Level 2 Assessments

DefinesSupporting Organization/Unitsasin-scope entities responsible for implementing cybersecurity controls.

CMMC Assessment Process (CAP) Document

Specifies that theC3PAO must identify and document the units responsible for security compliance.

DoD CMMC 2.0 Guidance on Scoping

Requires theassessment team to define the people, processes, and technology that fall within the scopeof the assessment.

CMMC 2.0 References Supporting This Answer: