Free CMMC-CCP Cyber AB Updates

Step 1: Define CUI (Controlled Unclassified Information)

CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s Role

NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry –

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

❌Why the Other Options Are Incorrect

B. NIST

✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)

✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)

✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

Step 1: Understanding CMMC Domains

TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.

Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.

1. Understanding the Role of Assessment Objectives in CMMC 2.0

Theassessment objectivesfor each CMMC practice define thespecific criteriathat an assessor uses to evaluate whether a practice is implemented correctly. These objectives break down each control into measurable components, ensuring a structured and consistent assessment process.

To determine where these objectives are best documented, we need to consider theofficial CMMC documentation sources.

2. Why Answer Choice "D" is Correct – CMMC Assessment Guide Levels 1 and 2

TheCMMC Assessment Guide (Levels 1 & 2)is theprimary documentthat provides:

✅The detailedassessment objectivesfor each practice

✅A breakdown of the expectedevidence and implementation details

✅Step-by-stepassessment criteriafor assessors to verify compliance

Each CMMC practice in the Assessment Guide is aligned with the correspondingNIST SP 800-171 or FAR 52.204-21 control, and the guide specifies:

How to assess compliancewith each practice

What evidenceis required for validation

What stepsan assessor should follow

???? Reference from Official CMMC Documentation:

CMMC Assessment Guide – Level 2 (Aligned with NIST SP 800-171)explicitly states:

"Each practice is assessed based on defined assessment objectives to determine if the practice is MET or NOT MET."

CMMC Assessment Guide – Level 1 (Aligned with FAR 52.204-21)provides similar objectives tailored for foundational cybersecurity requirements.

Thus,CMMC Assessment Guide Levels 1 & 2 are the BEST sources for assessment objectives.

3. Why Other Answer Choices Are Incorrect

Option

Reason for Elimination

A. CMMC Glossary

❌The glossary only defines terminology used in CMMC but does not provide assessment objectives.

B. CMMC Appendices

❌The appendices contain supplementary details, but they do not comprehensively list assessment objectives for each practice.

C. CMMC Assessment Process (CAP)

❌While the CAP document describes the assessmentworkflow and methodology, it does not outline the specific objectives for each practice.

4. Conclusion

To locate thebest reference for assessment objectives, theCMMC Assessment Guide Levels 1 & 2are the most authoritative and detailed sources. They contain step-by-step assessment criteria, ensuring that practices are evaluated correctly.

✅Final Answer:

D. CMMC Assessment Guide Levels 1 and 2

1. Understanding CMMC 2.0 Levels and CUI Handling Requirements

UnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.

CMMC 2.0 Levels:

Level 1 (Foundational) – 17 Practices

Covers onlyFederal Contract Information (FCI)security.

Does NOT meet CUI handling requirements.

Level 2 (Advanced) – 110 Practices✅

REQUIRED for handling CUI.

Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.

Contractorsmust achieve Level 2for contracts requiring CUI protection.

Level 3 (Expert) – 110+ Practices

Required for contracts involvinghigh-value CUIandcritical national security information.

Includesadditionalprotections fromNIST SP 800-172.

2. Official CMMC 2.0 References Confirming Level 2 for CUI

TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.

DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.

TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.

3. Why the Other Options Are Incorrect

A. Level 1❌

Only covers FCI, not CUI.

Does notmeet DoD requirements for protectingCUI.

C. Level 3❌

While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.

Level 2 is the minimumneeded to handle CUI.

D. Any level❌

OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.

Level 1 doesnotmeet CUI security standards.