Pass CMMC-CCP Exam Guide

The correct answer is D because CMMC Level 1 is based on the basic safeguarding requirements in FAR Clause 52.204-21 , not on the full NIST SP 800-171 or DFARS 252.204-7012 requirements. The official CMMC Model Overview states that Level 1 focuses on protecting Federal Contract Information (FCI) and consists of security requirements that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 , commonly referred to as the FAR Clause. It also states that Level 2 is the level that incorporates the 110 security requirements from NIST SP 800-171 Rev. 2 for protection of Controlled Unclassified Information (CUI) .

FAR 52.204-21 applies to covered contractor information systems that process, store, or transmit Federal Contract Information. The clause requires contractors to apply basic safeguarding requirements and procedures, including limiting system access to authorized users, controlling external connections, protecting information on publicly accessible systems, identifying and authenticating users, and sanitizing or destroying media containing FCI before disposal or reuse.

Option A is incorrect because NIST SP 800-171 is associated with CMMC Level 2, not Level 1. Option B is incorrect because the cited DFARS clause number is not the CMMC Level 1 source. Option C is incorrect because DFARS 252.204-7012 is tied to safeguarding covered defense information and implementing NIST SP 800-171 for CUI, not the Level 1 basic safeguarding baseline.

Step 1: Responsibility for Subcontractor Compliance

The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.

This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.

Per DoDI 5200.48, Controlled Unclassified Information (CUI), the minimum marking requirement is that the word “CUI” must appear in the header and footer of each page of a document containing CUI. Additional markings such as portion markings or cover sheets may be applied depending on the situation, but the minimum baseline requirement is header and footer placement of "CUI".

Reference Documents:

DoDI 5200.48,Controlled Unclassified Information (CUI)

Step 1: Define Roles – CCP and CCA

CCP (Certified CMMC Professional):

Entry-level certification in the CMMC ecosystem.

Supports assessment activities under the supervision of a CCA.

May assist in consulting roles outside of formal assessments.

CCA (Certified CMMC Assessor):

Certified tolead assessmentsunder the CMMC model.

Requiredfor conductingLevel 2 formal assessments.

Can be part of a C3PAO assessment team or lead it.

Source: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition

“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”

✅Step 2: Citizenship Requirements

CAP v1.0 – Appendix B: Team Composition and Clearance Requirements

“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”

But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.

So:

TheCCA leadsthe team.

CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.

❌Why the Other Options Are Incorrect

A. The CCP leads the Level 2 Assessment Team…

✘Incorrect. CCPscannot leadLevel 2 assessments.

B. The CCA leads… includes 3 CCP with US Citizenship.

✘Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.

D. The CCP leads…

✘Again, CCPs donot have the authority to leadformal CMMC assessments.

Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.