Pearson CMMC-CCP New Attempt

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

Anorganization seeking helpto address security gaps—such asphysical access control deficiencies—needs acertified professional who can provide implementation supportwithoutbeing involved in the actual CMMC assessment.

Role of a Registered Practitioner (RP)

A Registered Practitioner (RP)is a CMMC-certified individualwho provides consulting and implementation supportto organizations butdoes not perform assessments.

RPs work independently from C3PAOsand canassist in fixing gapsin security controlsbeforeorafteran assessment.

Since RPs are not assessors, they can provide direct remediation supportwithout any conflict of interest.

Why "B. RP of an Organization Not Part of the Assessment" is Correct?

The OSC needs assistance in implementing security controls(not assessment).

An RP is trained and authorized to provide remediation and advisory services.

Conflict of interest rules prevent the assessing C3PAO from providing implementation support.

Why Other Answers Are Incorrect?

A. CCA of the C3PAO performing the assessment (Incorrect)

ACertified CMMC Assessor (CCA)is responsible for conducting the assessmentonly.

TheC3PAO performing the assessment cannot also provide remediationdue to aconflict of interest.

C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)

The assessmentLead Technical Practitioner (LTP)cannot provide remediation support for an OSC they are assessing.

D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)

DoD Contract Officialsoversee contract compliance butdo not provide cybersecurity implementation support.

Conclusion

The correct answer isB. RP of an organization not part of the assessment, asonly independent RPs can assist with remediation and implementation support.

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0