Free Practice Questions for the Cyber AB CMMC CMMC-CCP Exam (2026 Updated)

Under the official CMMC Assessment Process (CAP) v2.0 , the OSC contracts directly with a C3PAO to arrange a Level 2 certification assessment, including the practical scope-of-work elements (timing, logistics, and the terms of performance). CAP v2.0 explicitly states that “The C3PAO shall execute a written contractual agreement for the CMMC Level 2 certification assessment with the OSC” and further clarifies that neither the Cyber AB nor DoD are parties to that contract.

Because the C3PAO is the assessment organization that conducts the certification assessment, it is also the entity the OSC coordinates with during the pre-assessment activities that shape the engagement and scope. CAP v2.0 places key Phase 1 responsibilities on the C3PAO/Lead CCA, including validating the OSC’s assessment scope against applicable scoping requirements and coordinating access to evidence and personnel needed for Phase 2.

By contrast, OUSD provides DoD-level oversight/policy, RPOs and the Cyber AB support the ecosystem, but they do not form the contractual relationship for a specific Level 2 certification assessment. CAP v2.0 is unambiguous that the contract (and any mutually agreed scope-of-work terms) is between the OSC and the C3PAO .

===========

The correct document is a Non-Disclosure Agreement (NDA) , because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0 , NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.

CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”

This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.

While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement) .

Understanding the Assessment Environment Requirement

During aCMMC Level 2 assessment, assessors requireobjective evidencethat security controls are implementedin the actual operating environmentwhereControlled Unclassified Information (CUI)is handled.

This means thattests or demonstrations must be conducted in the production environment, where the organization’s real systems and security controls are in use.

Why Option B (Production) is Correct

Assessment teams need to validate security controls in the actual environment where they are applied, ensuring that security measures are in effect in thereal-world operating conditions.

Option A (Client)is incorrect because "Client" is not a defined assessment environment.

Option C (Development)is incorrect because testing in a development environmentdoes not accurately represent the production security posture.

Option D (Demonstration)is incorrect becausedemonstrations in a separate test environment do not provide valid evidence for CMMC assessments—actual security implementations must be verified in production.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)

NIST SP 800-171 Assessment Procedures(Verification must occur in the actual system where CUI resides.)

Final Verification

SinceCMMC assessments require security controls to be validated in the actual production environment, the correct answer isOption B: Production.

Understanding the Role of Configuration Management (CM) in CMMC 2.0

TheConfiguration Management (CM) domainin CMMC 2.0 ensures that systems aresecurely configured and maintainedto prevent unauthorized or unnecessary changes that could introduce vulnerabilities. One key requirement in CM is torestrict, disable, or prevent the use of nonessential programsto reduce security risks.

Relevant CMMC 2.0 Practice:

CM.L2-3.4.1 – Establish and enforce security configuration settings for information technology products employed in organizational systems.

This practicerequires organizations to control system configurations, including the removal or restriction ofnonessential programs, functions, ports, and servicestoreduce attack surfaces.

The goal is tominimize exposure to cyber threatsby ensuring only necessary and approved software is running on the system.

Why is the Correct Answer CM (D)?

A. Access Control (AC) → Incorrect

Access Control (AC) focuses onmanaging user permissions and accessto systems and data, not restricting programs.

B. Media Protection (MP) → Incorrect

Media Protection (MP) deals withprotecting and controlling removable media(e.g., USBs, hard drives) rather than software or system configurations.

C. Asset Management (AM) → Incorrect

Asset Management (AM) is aboutidentifying and tracking IT assets, not configuring or restricting software.

D. Configuration Management (CM) → Correct

CM explicitly coverssecuring system configurationsbyrestricting nonessential programs, ports, services, and functions, making it the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC 2.0 Practice CM.L2-3.4.1(Security Configuration Management)

Requires organizations toenforce security configuration settingsandremove unnecessary programsto protect systems.

NIST SP 800-171 Requirement 3.4.1

Supportssecure configuration settingsandrestricting unauthorized applicationsto prevent security risks.

CMMC 2.0 Level 2 Requirement

This practice is aLevel 2 (Advanced) requirement, meaningorganizations handling Controlled Unclassified Information (CUI)must comply with it.

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

According to the CMMC Assessment Process (CAP), specifically within the Phase 4: Reporting Results requirements, a C3PAO must ensure that every assessment package undergoes a rigorous quality review before it is finalized and submitted to the Department of Defense (DoD).

The Role of the CQAP: The CMMC Quality Assurance Professional (CQAP) is a designated role within a C3PAO responsible for verifying that the assessment was conducted in accordance with the CAP and that the evidence collected (the "Artifacts") supports the findings (Met/Not Met).

Mandatory Inclusion: When generating the Final Recommended Assessment Results, the package is not considered complete or valid without the formal review documentation from the CQAP. This documentation serves as the "stamp of approval" that the internal Quality Management System (QMS) of the C3PAO has validated the assessment team's work.

Why other options are incorrect:

Option A: While the Assessment Plan is a required document during the planning phase, it is an input to the process, not a mandatory component of theFinal Resultsgeneration in the same way quality validation is.

Option B: Daily Checkpoints are administrative tools used during the "Conduct Assessment" phase to keep the OSC informed. While they are part of the assessment record, they are not a mandatory technical component of the final results package.

Option C: The contract is a legal/business requirement handled during the "Plan and Prepare" phase; it is not included in the technical assessment results uploaded to the DoD.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 4.2 (Finalize Assessment Report) and Section 4.3 (C3PAO Quality Review).

C3PAO Authorization Requirements: Specifies the requirement for a Quality Assurance (QA) function to review all assessment outputs to ensure consistency and integrity across the ecosystem.

Interview Selection in CMMC Assessments

During aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:

✅Verify that personnel understand andperform security-related practices.

✅Ensure that individuals canexplain how they implement CMMC requirements.

✅Gain insight intoactual cybersecurity operationsrather than just documented policies.

The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.

Why "Providing Clarity and Understanding" Is Key

CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.

Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.

CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.

Thus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.

Why the Other Answers Are Incorrect

A. Have a security clearance.

❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.

B. Be a senior person in the company.

❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.

C. Demonstrate expertise on the CMMC requirements.

❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.

CMMC Official References

CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.

NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.

Thus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.

Step 1: Define CUI (Controlled Unclassified Information)

CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s Role

NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry – https://www.archives.gov/cui

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

❌Why the Other Options Are Incorrect

B. NIST

✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)

✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)

✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

The correct answer is C because the CMMC physical protection requirement focuses on protecting areas where in-scope information systems, equipment, and controlled environments are located. CMMC Level 2 requirement PE.L2-3.10.3, Escort Visitors , requires the organization to “escort visitors and monitor visitor activity.” The official CMMC Level 2 Assessment Guide states that the assessment objectives include determining whether visitors are escorted, visitor activity is monitored, physical access audit logs are maintained, and physical access devices are controlled and managed. The same guide explains that individuals with permanent physical access authorization credentials are not considered visitors, and that audit logs can be used to monitor visitor activity.

For CMMC purposes, the key issue is whether the visitor could physically access organizational systems, equipment, FCI, CUI, or the respective operating environment. A general corporate area that is outside the controlled environment may not require the same escort rule unless it provides access to in-scope assets. However, the controlled environment must be protected from unauthorized physical access. Therefore, visitors should be escorted in the controlled environment, where FCI/CUI systems or related assets may be present. Option A is incorrect because CMMC requires visitor escorting. Option B reverses the protection priority. Option D is overly broad for this question because it does not distinguish between a general corporate area and the controlled environment defined in the DAP.

===========

Understanding Training Requirements in CMMC

The requirement for ensuring thatpersonnel are trained to carry out their assigned information security-related duties and responsibilitiesfirst appears inCMMC Level 2as part ofNIST SP 800-171 control AT.L2-3.2.1.

Key Details on the Training Requirement:

✔AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

✔This control is derived fromNIST SP 800-171and applies toCMMC Level 2 (Advanced).

✔It ensures that employees handlingControlled Unclassified Information (CUI)understand theircybersecurity responsibilities.

Why is the Correct Answer "B. Level 2"?

A. Level 1 → Incorrect

CMMC Level 1 does not include this training requirement.Level 1 focuses on basic safeguarding ofFederal Contract Information (FCI)but doesnot require formal cybersecurity training.

B. Level 2 → Correct

The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns withNIST SP 800-171.

C. Level 3 → Incorrect

The training requirementalready exists in Level 2. Level 3 builds on Level 2 with additionalrisk management and advanced cybersecurity controls, but training is introduced at Level 2.

D. All levels → Incorrect

CMMC Level 1 does not include this requirement—it is first introduced in Level 2.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.2.1)

Defines themandatory training requirementfor personnel handling CUI.

CMMC Assessment Guide for Level 2

ListsAT.L2-3.2.1as a required practice under Level 2.

CMMC 2.0 Model Overview

Confirms thatCMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.

Understanding CMMC Asset Categorization

TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope Assets

As per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

Why the Other Answers Are Incorrect

A. FCI Assets

❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets

❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets

❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, an assessment finding is built upon evidence collected through three primary methods: Examine, Interview, and Test. The term "affirmation" in this context refers to the verbal or written statements provided by the Organization Seeking Certification (OSC) personnel to confirm that a practice is implemented as described.

Broad Definition of Evidence: The CAP allows for a wide variety of artifacts to be used as evidence. "Affirmations" are typically captured during the Interview process or found within Examine objects.

Validity of Formats:

Interviews: Direct verbal affirmations from subject matter experts (SMEs).

Emails and Messaging (Chat/Slack/Teams): These are considered valid "Examine" objects (records/artifacts) that serve as written affirmations or evidence of an activity (e.g., an email chain approving a firewall change or a message confirming a system update).

Presentations and Demonstrations: These fall under "Examine" (the presentation slides) and "Test/Examine" (the demonstration of a mechanism).

Why Option C is correct: The CMMC framework does not disqualify digital communications like emails or messaging as evidence. In fact, these are often the primary artifacts used to prove that a process (like an approval workflow or notification) is occurring in practice. As long as the assessor can verify the authenticity and integrity of these communications, they are appropriate for collecting affirmations.

Why Option D is less accurate: While screenshots are indeed used as evidence, the core question asks if thespecificlist (interviews, demonstrations, emails, messaging, presentations) is appropriate. Option C directly validates the list provided in the prompt without introducing extraneous elements like screenshots, which—while valid—are not the focus of the "appropriate" determination for the items listed.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence), which discusses the types of artifacts and "human evidence" (interviews) that support findings.

CMMC Level 2 Assessment Guide: "Assessment Methods" section, clarifying that evidence can include any records (electronic or physical) that demonstrate the implementation of a practice.

NIST SP 800-171A: The underlying standard for assessment procedures, which encourages the use of various evidence types to satisfy assessment objectives.

The correct answer is B , 3 Levels. The official CMMC 2.0 Model Overview states that there are three levels within CMMC: Level 1, Level 2, and Level 3 . It explains that the model measures implementation of cybersecurity requirements at three levels, with each level containing a defined set of CMMC practices. Level 1 is focused on basic safeguarding of Federal Contract Information, Level 2 is focused on protection of Controlled Unclassified Information using requirements aligned to NIST SP 800-171, and Level 3 is intended for higher-risk programs requiring enhanced protection.

This is a major difference between CMMC 2.0 and the earlier CMMC 1.0 structure. CMMC 1.0 used five maturity levels, but CMMC 2.0 simplified the model to three cybersecurity levels. Therefore, option C , 5 Levels, reflects the older CMMC 1.0 structure and is not correct for CMMC 2.0. Option A , 2 Levels, is incorrect because it omits one of the three official levels. Option D , 4 Levels, is also incorrect because the official CMMC 2.0 model does not contain four levels. The bottom line is that CMMC 2.0 contains three cybersecurity levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert .

Who Do DoD Contractors Report CUI Breaches To?

PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).

Key Reporting Requirements

✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.

✅Reports must be submitted via theDoD's Cyber Incident Reporting Portal.

✅Contractors mustpreserve forensic evidencefor potential investigation.

Why "DoD Cyber Crime Center" is Correct?

The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.

NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.

The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.

Breakdown of Answer Choices

Option

Description

Correct?

A. FBI

❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.

B. NARA

❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.

C. DoD Cyber Crime Center

✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.

D. Under Secretary of Defense for Intelligence and Security

❌Incorrect–This office doesnothandle cyber incident reports.

Official References from CMMC 2.0 and DFARS Documentation

DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.

DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.

Final Verification and Conclusion

The correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.

What Happens in Phase 4 of the CMMC Assessment Process?

Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:

Review all assessment findings

Determine the Organization Seeking Certification’s (OSC) eligibility for certification

Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)

Key Responsibilities of the Lead Assessor in Phase 4:

Ensure that the OSC hasmet the required practices and processes.

Confirm that anydeficiencieshave been corrected or appropriately documented.

Recommendwhether the OSC is eligible for certificationbased on assessment results.

Since theLead Assessor must determine and recommend the OSC’s eligibilityto the C3PAO, the correct answer isB. Eligibility.

Why the Other Answers Are Incorrect

A. Ability

❌Incorrect. While assessing an OSC’s ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.

C. Capability

❌Incorrect. Capability refers to an organization'stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.

D. Suitability

❌Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.

CMMC Official References

CMMC Assessment Process (CAP) Document– Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.

CMMC 2.0 Model– Defines the assessment process, including certification decision-making.

Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

Step 1: Understanding the Role of the DoD in CMMC

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.

This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

Understanding CMMC Assessment Procedures

ACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Why the Correct Answer is "C"?

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

Why Not the Other Options?

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Final Justification:

Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

The correct answer is D because CMMC Level 1 is based on the basic safeguarding requirements in FAR Clause 52.204-21 , not on the full NIST SP 800-171 or DFARS 252.204-7012 requirements. The official CMMC Model Overview states that Level 1 focuses on protecting Federal Contract Information (FCI) and consists of security requirements that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 , commonly referred to as the FAR Clause. It also states that Level 2 is the level that incorporates the 110 security requirements from NIST SP 800-171 Rev. 2 for protection of Controlled Unclassified Information (CUI) .

FAR 52.204-21 applies to covered contractor information systems that process, store, or transmit Federal Contract Information. The clause requires contractors to apply basic safeguarding requirements and procedures, including limiting system access to authorized users, controlling external connections, protecting information on publicly accessible systems, identifying and authenticating users, and sanitizing or destroying media containing FCI before disposal or reuse.

Option A is incorrect because NIST SP 800-171 is associated with CMMC Level 2, not Level 1. Option B is incorrect because the cited DFARS clause number is not the CMMC Level 1 source. Option C is incorrect because DFARS 252.204-7012 is tied to safeguarding covered defense information and implementing NIST SP 800-171 for CUI, not the Level 1 basic safeguarding baseline.

In a CMMC Level 2 Assessment, an assessor must achieve a high level of confidence that a practice is both implemented and institutionalized. This is determined through the Examine, Interview, and Test (E-I-T) methods as outlined in NIST SP 800-171A and the CMMC Assessment Process (CAP).

Conflict of Evidence: The scenario presents a direct conflict between the three pillars of evidence. The Policy/Documentation (Examine) states the practice occurs monthly. The Logs/Artifacts (Examine/Test) show it occurs quarterly. The Interviews claim it happens monthly but is only recorded quarterly.

The "Not Met" Determination: Under the CAP, if the evidence collected does not consistently support the assessment objective, the practice cannot be marked as "Met." Specifically:

Adequacy and Sufficiency: The logs (the primary proof of performance) are insufficient to prove the monthly requirement stated in the documentation.

Inconsistency: Assessors look for "corroboration." When interviews contradict the physical artifacts (the logs), the objective evidence (the logs) carries significant weight. If a practice is required monthly but only recorded quarterly, the assessor cannot verify that it was actually performed during the missing months.

Why other options are incorrect:

Option B: The practice isnotbeing done as documented because the documentation says "monthly" and the logs only show "quarterly."

Option C: This is a common misconception. Not all three methods (E, I, and T) are required foreverysingle practice (the Assessment Guide specifies which are required), but allusedmethods must yield consistent "Met" results.

Option D: Interviews alone are almost never sufficient to pass a practice that requires technical or administrative artifacts (logs).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence) and Section 3.5 (Determine Findings).

CMMC Level 2 Assessment Guide: Introduction to Assessment Methods, emphasizing that findings must be supported by the "preponderance of evidence."

NIST SP 800-171A: Chapter 2, "Assessment Procedures," regarding the necessity of artifacts to prove implementation over time.

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

For a practice to beadequately implementedin aCMMC Level 2 assessment, theresponsible personnel must demonstrate knowledge of deployment, maintenance, and operationof security tools such asantivirus programs. Simply having the tool in place isnot sufficient—there must be evidence that it isproperly configured, updated, and monitoredto protect against threats.

Step-by-Step Breakdown:

✅1. Relevant CMMC and NIST SP 800-171 Requirements

CMMC Level 2 aligns with NIST SP 800-171, which includes:

Requirement 3.14.5 (System and Information Integrity - SI-3):

"Employautomatedmechanisms toidentify, report, and correctsystem flaws in a timely manner."

Requirement 3.14.6 (SI-3(2)):

"Employautomated toolsto detect and prevent malware execution."

These requirements imply that theperson responsible for antivirus must understand how it is deployed and maintainedto ensure compliance.

✅2. Why the Team Member’s Knowledge is Insufficient

Antivirus tools requireregular updates,configuration adjustments, andmonitoringto function properly.

The responsible team member must:

Knowhow the antivirus was deployedacross systems.

Be able toconfirm updates, logs, and alerts are monitored.

Understand how torespond to malware detectionsand failures.

If the team member lacks this knowledge, assessors maydetermine the practice is not fully implemented.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Yes, the antivirus program is available, so it is sufficient.❌

Incorrect:Just having antivirus softwareinstalleddoes not prove compliance. It must bemanaged and maintained.

(B) Yes, antivirus programs are automated to run independently.❌

Incorrect:While automation helps, security toolsrequire oversight, updates, and configuration.

(D) No, the team member's interview answers about deployment and maintenance are insufficient.❌

Partially correct but incomplete:Themain issueis that the team membermust have sufficient knowledge, not just that their answers are weak.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide for SI-3 and SI-3(2)states that personnel mustunderstand the function, deployment, and maintenance of security toolsto ensure proper implementation.

Thus, the correct answer is:

CMMC v2.0 scoping defines “in-scope” assets for Level 1 (FCI protection) based on whether the asset processes, stores, or transmits FCI . The DoD CMMC Assessment Scope – Level 1 (v2.13) states: “Assets in scope … are all assets that **process, store, or transmit Federal Contract Information (FCI).” It then defines these terms. Critically for this question, Store is defined as when “FCI is inactive or at rest on an asset (e.g., located on electronic media…).”

A flash drive is “electronic media.” If the program manager places contract-relevant FCI onto the flash drive, the flash drive is now an asset that stores FCI (FCI at rest). Under the scoping guidance, that alone is enough to classify it as an in-scope FCI asset for Level 1 purposes, meaning it falls within the Level 1 assessment scope and must be protected by applicable Level 1 requirements.

The other answer choices do not align to the scoping definitions. “Testing FCI” (B) is not one of the scope-determining criteria in the Level 1 scoping guide. “Distributing FCI” (C) is not the formal criterion either (the guide uses Transmit , not “distribute”). Finally, being “properly marked” (D) does not determine whether something is in scope; the decisive factor is whether the asset processes, stores, or transmits FCI.

Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.

Understanding NIST SP 800-88 Rev. 1 and Media Sanitization

TheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Three Categories of Data Disposal in NIST SP 800-88 Rev. 1

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

Why "A. Clear, Purge, Destroy" is Correct?

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

Conclusion

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

Understanding SI.L1-3.14.2: Provide Protection from Malicious Code

The CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:

Implement malicious code protection(e.g., antivirus, endpoint security software).

Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).

Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).

Assessment Criteria for a "MET" Rating:

To determine whether the practice isMET, the Lead Assessor must confirm that:

✔Antivirus or endpoint protection software is installedon all workstations and servers.

✔The solution is centrally managed, ensuring consistent policy enforcement.

✔Signature updates are current, meaning systems are protected against new threats.

✔Logs or reports demonstrate active monitoring and updates.

Why is the Correct Answer "A. It is sufficient, and the audit finding can be rated as MET"?

The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:

✔All workstations and servers have antivirus installed→Meets installation requirement.

✔A centralized management console is in place→Ensures consistent enforcement.

✔Records show antivirus signatures are up to date→Confirms system protection is current.

Because the evidencemeets the requirement, the practice should berated as MET.

Why Are the Other Answers Incorrect?

B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect

The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.

C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect

Ifadequate evidence already exists,additional evidence is unnecessary.

D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect

The evidence providedmeets the control requirements, making itsufficient.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies that a practice can be marked asMET if sufficient evidence is provided.

NIST SP 800-171 (Requirement 3.14.2)

Defines the standard formalicious code protection, which ismet by antivirus with active updates.

CMMC 2.0 Level 1 (Foundational) Requirements

Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.

Final Answer:

✔A. It is sufficient, and the audit finding can be rated as MET.

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC Assessments

When assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Breakdown of Answer Choices

Option

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

Official References from CMMC 2.0 Documentation

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Final Verification and Conclusion

The correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.

The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.

During a Readiness Review (Phase 1), the purpose is to validate whether an OSC is prepared to move forward with a formal assessment. The CAP specifies that the Lead Assessor must collect sufficient evidence for each practice to make a preliminary determination of readiness.

Supporting Extracts from Official Content:

CAP v2.0, Readiness Review (§2.14): “The Lead Assessor must collect a sufficient amount of evidence for each practice to determine the OSC’s readiness.”

Why Option A is Correct:

The requirement is for sufficient evidence; CAP does not mandate a set number of assessment objects or methods.

Options B, C, and D incorrectly suggest minimum counts or methods that are not part of the readiness review requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Readiness Review.

===========

Under the CMMC Assessment Process (CAP) v2.0 , the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled “Identify and Manage Initial Conflicts of Interest (COI)” and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.

CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.

This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility , the CAP’s direct assignment of COI management to the C3PAO makes B the correct answer.

===========

Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment

ACMMC Level 2 Assessmentconducted by aCertified Third-Party Assessor Organization (C3PAO)follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to theOrganization Seeking Certification (OSC). The reporting process is outlined in theCMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.

Assessment Communication Structure

Daily Checkpoints:

Throughout the assessment, the assessor team holdsdaily checkpoint meetingswith the OSC to provide updates on progress, observations, and preliminary findings.

These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.

Final Results Delivery:

Thefinal assessment resultsare typically shared during thefinal daily checkpointOR in aseparately scheduled findings and recommendations reviewmeeting.

This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.

Why Option C is Correct

TheCMMC Assessment Process (CAP) Guide, Section 4.5clearly states that assessment findings should be presentedeither at the last daily checkpoint or during a separately scheduled final review.

This aligns with best practices formaintaining transparency and ensuring the OSC has clarity on their assessment resultsbefore the final report submission.

Option A (End of every day)is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.

Option B (Daily and a separate final review)is misleading, as the CAP Guide allows assessors tochoosebetween the final daily checkpoint OR a separate findings review—not both.

Option D (After C3PAO approval)is incorrect because theC3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication

CMMC 2.0 Level 2 Assessment Process Overview

CMMC Assessment Final Report Guidelines

Final Verification

Based on officialCMMC 2.0 documentation, thefinal assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.

Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2

TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.

What is Required for Compliance?

The organization must performrisk assessments on all assets and entities involved in handling CUI.

Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.

The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.

Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":

CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.

Risk assessmentsmust evaluate all areas that could impact CUI security, including:

Personnel security risks(e.g., insider threats, phishing attacks).

Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).

Physical security risks(e.g., unauthorized access to servers, storage rooms).

IT systems(e.g., networks, servers, cloud environments processing CUI).

Clarification of Incorrect Options:

A. "IT systems"→Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.

B. "Enterprise systems"→Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.

C. "CUI Marking processes"→Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.

Understanding Evidence Sufficiency in CMMC Level 2 Assessments

During aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Why Option B (Sufficiency) is Correct

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Final Verification

Since theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

PerDFARS 252.204-7021, contractors must achieve the requiredCMMC certification levelbefore contract awardif the solicitation specifies it.

Key Requirements:

✔Contractorsmust be certified at the required CMMC levelprior to contract award.

✔Thecertification must be conducted by a C3PAO(for Level 2) orthrough self-assessment(for Level 1).

✔The certification must bevalid and registered in the Supplier Performance Risk System (SPRS)before award.

Why is the Correct Answer "At the Time of Award" (A)?

A. At the time of award → Correct

DFARS 252.204-7021requires CMMC certification before a contract can be awardedif the solicitation includes CMMC requirements.

B. Upon solicitation submission → Incorrect

Contractorsdo notneed to be CMMC-certified at thetime of bid submission, only by the time of award.

C. Thirty days from the award date → Incorrect

Contractorsmust already be certified before the award is granted. There isno grace period.

D. Before the due date of submission → Incorrect

While compliance planning is important,CMMC certification is only required before contract award, not before bid submission.

CMMC 2.0 References Supporting This Answer:

DFARS 252.204-7021 (CMMC Requirement Clause)

CMMC certification is required prior to contract awardif specified in the solicitation.

CMMC 2.0 Program Overview

States that certificationis not needed at bid submission but is required before award.

DoD Interim Rule & SPRS Guidance

Contractors must havea valid CMMC certification recorded in SPRSbefore award.

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA & M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA & M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA & M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA & M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.

Key Requirements from DFARS 252.204-7012 (c)(1):

CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.

The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.

The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.

Why is the Correct Answer "FedRAMP Moderate" (B)?

A. FedRAMP Low → Incorrect

FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.

B. FedRAMP Moderate → Correct

FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.

It provides a security baseline for protectingsensitive but unclassified government data.

C. FedRAMP High → Incorrect

FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.

D. FedRAMP Secure → Incorrect

There isno official FedRAMP Secure categoryin FedRAMP guidelines.

CMMC 2.0 References Supporting this Answer:

DFARS 252.204-7012(c)(1)

Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.

CMMC 2.0 Level 2 Requirements

CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.

FedRAMP Security Baselines

FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.

Supporting Extracts from Official Content:

CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”

Why Option A is Correct:

These three principles are the official guiding values documented in the Code of Professional Conduct.

Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.

References (Official CMMC v2.0 Content):

CMMC Code of Professional Conduct.

===========

In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.

Step-by-Step Explanation:

Assessment Planning & Conflict of Interest Consideration

Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.

A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.

CMMC Assessment Process and Phases

The CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:

Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.

Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.

Verify Readiness to Conduct Assessment (Correct Answer):

At this stage, theC3PAO or assessment team must review potential conflicts of interest.

TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.

Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.

Official CMMC Documentation & References

CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.

CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.

DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.

By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.

Step 1: Understanding CMMC Level 1 Self-Assessment Scope

CMMC Level 1applies toFederal Contract Information (FCI)systems.

Any system or device that is connected to an FCI-handling network is within the assessment scopebecause it canintroduce vulnerabilitiesinto the environment.

Step 2: Why the Thermostat is in Scope

TheWi-Fi-enabled thermostat is connected to the FCI network, meaning it haspotential accessto sensitive contract-related data.

PerCMMC Scoping Guidance, this type of device is classified as aRestricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but areconnected to networks that do.

Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :

Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect :

Option A : While it contains Level 1 practices, it also includes Level 2 practices.

Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D : The Advanced level does not reach the requirements of Level 3.

Reference Documents :

CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========

Understanding the C3PAO Assessment Methodology

ACertified Third-Party Assessment Organization (C3PAO)is an entity authorized by theCMMC Accreditation Body (CMMC-AB)to conduct officialCMMC Level 2 assessmentsfor organizations seeking certification.

Key Requirement: CMMC Assessment Process (CAP)

C3PAOs must follow theCMMC Assessment Process (CAP), which outlines:

✅Theassessment methodologyfor evaluating compliance.

✅Evidence collectionprocedures (interviews, artifacts, testing).

✅Assessment scoring and reportingrequirements.

✅Guidance for assessorson executing standardized assessments.

Why "CMMC Assessment Process" is Correct?

ISO 27001 (Option A)is an international standard forinformation security managementbut isnot the basis for CMMC assessments.

NIST SP 800-53A (Option B)providessecurity control assessments for federal systems, but CMMC assessments arebased on NIST SP 800-171.

GAO Yellow Book (Option D)is agovernment auditing standardused forfinancial and performance audits, not cybersecurity assessments.

CMMC Assessment Process (CAP) (Option C) is the correct answerbecause it defines how C3PAOs conduct CMMC assessments.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– GovernsC3PAO assessment execution.

CMMC 2.0 Model Documentation– RequiresC3PAOs to follow CAP proceduresfor assessments.

Final Verification and Conclusion

The correct answer isC. CMMC Assessment Process, as it is theofficial methodology all C3PAOs must follow when conducting CMMC assessments.

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

Why "A. Obtain Evidence" is Correct?

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

Why Other Answers Are Incorrect?

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

Conclusion

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

According to the CMMC Scoping Guidance, Level 2, assets are categorized to determine the level of assessment rigor required. The requirement to document an asset in the Asset Inventory, the System Security Plan (SSP), and on the Network Diagram is a specific administrative requirement for high-priority asset classes.

CUI Assets: These are assets that process, store, or transmit Controlled Unclassified Information (CUI). They are part of the "Assessed" group and must be fully documented in the inventory, SSP, and network diagram.

Security Protection Assets (SPA): These are assets that provide security functions or capabilities to the assessment scope (e.g., firewalls, log servers, or AV management consoles), even if they do not process CUI themselves. Because they are critical to the security of CUI, they must also be documented in the inventory, SSP, and network diagram.

Why other options are incorrect:

Option A: "GUI Assets" is likely a typo or misnomer in this context (possibly meant to refer to CUI assets or a distractor).

Option C: This is incorrect because Contractor Risk Managed Assets (CRMA) and Specialized Assets have different documentation requirements. For instance, while CRMA are documented in the inventory and SSP, they are often not required to be on the network diagram in the same detail as CUI assets, depending on the specific assessment boundary. Out-of-Scope Assets are not documented at all.

Option D: Contractor Risk Managed Assets (CRMA) and Specialized Assets (like IoT, OT, or Restricted Information Systems) are required to be in the Asset Inventory and SSP, but the CMMC Scoping Guidance specifies that the most stringent documentation (Inventory + SSP + Network Diagram) is the primary mandate for those assets directly handling CUI or protecting it (SPAs).

Reference Documents:

CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.0, Table 1 (CUI Assets) and Table 2 (Security Protection Assets), which explicitly list the "Documentation Requirements" for each category.

CMMC Assessment Process (CAP): Section on Scoping Boundaries and Evidence Validation.

Per the CMMC Scoping Guidance, External Service Providers (ESPs) must be included in scope if they process, store, or transmit CUI or FCI on behalf of the OSC. However, ESPs do not themselves receive a separate CMMC certification unless they undergo their own assessment or an enterprise-level certification is conducted. Their environment is assessed only as part of the OSC’s scope.

Reference Documents:

CMMC Scoping Guidance for Level 2

CMMC Model v2.0 Overview

In the context of a CMMC Level 2 Assessment, assessors must evaluate the "Institutionalization" of practices, which includes the review of Policies. The validity of a policy document depends on the Organization Seeking Certification (OSC)'s internal governance and administrative procedures.

Internal Governance (The "Why"): CMMC does not dictate exactlyhowa company must authorize its policies (e.g., whether a signature must be refreshed immediately upon a personnel change). Instead, the assessor must verify if the document is considered "active" and "authoritative" by the OSC’s own standards.

The Role of the Assessor: As per the CMMC Assessment Process (CAP) and CCP training materials, an assessor cannot unilaterally declare a policy invalid simply because a signatory has left. The assessor must perform "more research" (typically through Interviews or examining Supplemental Documents) to determine the OSC's internal rules for policy management.

If the OSC's "Policy on Policies" states that a signature is tied to the individual, the document may be expired.

If the OSC's rules state that the authority is tied to the role/position (which is common in most corporate governance), the policy remains in effect until it is formally rescinded or updated.

Distinction from other options:

Option A is too restrictive; it assumes a universal rule that doesn't exist in the CMMC framework.

Option C is incorrect because a signatory (or formal approval)isoften what gives a policy its "authoritative" status in an audit; ignoring it would be a failure of the Examine method.

Option D is a common business assumption, but an assessor must verify this via the OSC's own procedures rather than assuming it is true for every company.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Examine" methods and evaluating evidence integrity.

NIST SP 800-171A: Discussion on "Organizational Policies" as assessment objects and the requirement for policies to be "established and maintained."

CMMC Level 2 Assessment Guide: Clarifies that policies must be "formally documented" and "representative of organizational requirements."

TheCybersecurity Maturity Model Certification (CMMC) 2.0is primarily based on two key National Institute of Standards and Technology (NIST) Special Publications:

NIST SP 800-171– "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations"

NIST SP 800-172– "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

Reference and Breakdown:

NIST SP 800-171

This document is thecore foundationof CMMC 2.0 and establishes the security requirements for protectingControlled Unclassified Information (CUI)in non-federal systems.

The 110 security controls fromNIST SP 800-171 Rev. 2are mapped directly toCMMC Level 2.

NIST SP 800-172

This supplement includesenhanced security requirementsfor organizations handlinghigh-value CUIthat faces advanced persistent threats (APTs).

These enhanced requirements apply toCMMC Level 3under the 2.0 model.

Eliminating Incorrect Answer Choices:

B. DFARS, FIPS 100, and NIST SP 800-171→Incorrect

WhileDFARS 252.204-7012mandates compliance withNIST SP 800-171,FIPS 100 does not existas a relevant cybersecurity standard.

C. DFARS, NIST, and Carnegie Mellon University→Incorrect

CMMC is aligned with DFARS and NIST but isnot developed or directly influenced by Carnegie Mellon University.

D. DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University→Incorrect

Again,FIPS 100 is not relevant, andCarnegie Mellon Universityis not a defining entity in the CMMC framework.

Official CMMC 2.0 References Supporting the Answer:

CMMC 2.0 Scoping Guide (2023)confirms thatCMMC Level 2 is entirely based on NIST SP 800-171.

CMMC 2.0 Level 3 Draft Documentationexplicitly referencesNIST SP 800-172for enhanced security requirements.

DoD Interim Rule (DFARS 252.204-7021)mandates that organizations meetNIST SP 800-171 for CUI protection.

Final Conclusion:

The CMMC 2.0 model is derivedsolely from NIST SP 800-171 and NIST SP 800-172, makingAnswer A the only correct choice.

Step 1: Understanding CMMC Domains

TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.

Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.

The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs).

The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.

CMMC Conflict of Interest Handling Process

Inform the OSC and C3PAO of the Potential Conflict of Interest

The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest.

Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.

Document the Conflict and Mitigation Actions in the Assessment Plan

Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.

The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.

Determine If the Mitigation Actions Are Acceptable

If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed.

Common mitigation strategies include:

Assigning another assessor for interviews with the conflicted individual.

Ensuring that decisions regarding the OSC’s compliance are reviewed independently.

Proceed with the Assessment If Mitigation Is Acceptable

If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.

Why the Other Answers Are Incorrect

A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.

❌Incorrect. This violates CMMC’s integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.

B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.

❌Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.

C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.

❌Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.

CMMC Official References

CMMC Assessment Process (CAP) Document – Defines COI requirements and mitigation actions.

CMMC Code of Professional Conduct (CoPC) – Outlines ethical responsibilities of assessors.

CMMC Accreditation Body (Cyber-AB) Guidance – Provides rules on conflict resolution.

Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

Understanding the Official CUI Registry

TheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies'CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:

✅Acomprehensive listof CUI categories and subcategories.

✅Details onwho can handle, store, and share CUI.

✅Guidance onCUI marking and safeguarding requirements.

Why "Official CUI Registry" is Correct?

TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.

32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.

Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.

The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.

Breakdown of Answer Choices

Option

Description

Correct?

A. 32 CFR Section 2002

❌Incorrect–Defines CUI program rules butdoes not listcategories.

B. Official CUI Registry

✅Correct – The registry contains the full list of CUI categories.

C. Executive Order 13556

❌Incorrect–Established the CUI program butdoes not maintain a category list.

D. Official CMMC Registry

❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.

Official References from CMMC 2.0 and Federal Documentation

National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.

32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.

Final Verification and Conclusion

The correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies' CUI indices and categories.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:

✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

Final Validation from CMMC Documentation:

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

The Lead Assessor is responsible for protecting and maintaining all assessment records, notes, and information gathered during the assessment process. This includes working papers and supplemental documentation that may be needed for auditability or dispute resolution.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Responsibilities (§3.17): “The Lead Assessor must ensure that all assessment artifacts, notes, and information are archived or disposed of in accordance with C3PAO policy.”

Why Option A is Correct:

The CAP specifies that notes and information from the assessment must be preserved or disposed of according to policy.

Options B, C, and D list items not required in the CAP. The “letter” and “quality control report” are not part of the Lead Assessor’s required maintained materials.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3 Post-Assessment (§3.17).

===========

Step 1: Responsibility for Subcontractor Compliance

The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.

This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.

Understanding the Role of an FCI Asset in CMMC

Adedicated local printer used to print Federal Contract Information (FCI)is considered anFCI Asset. UnderCMMC Level 1, FCI assets are required to meetbasic cybersecurity controlsto ensure that FCI is properlyprotected from unauthorized access.

Step-by-Step Breakdown:

✅1. Why "Process" is the Best Answer

The printerreceives digital FCI, converts it into a physical format (paper), and outputs the document.

This aligns with thedefinition of "processing" in CMMC, which includes:

Transforming or modifying data

Generating output (e.g., printed documents)

Using systems to interpret or manipulate information

✅2. Why the Other Answer Choices Are Incorrect:

(A) Encrypt❌

Aprinter does not encryptFCI—it simply prints it. Encryption applies todigital storage and transmission, not printing.

(B) Manage❌

Managing FCI typically refers togovernance, access control, and oversight, which is not the function of a printer.

(D) Distribute❌

While a printed documentcould be distributed, theprinter itself is not responsible for distributing FCI—it only processes the data for output.

Final Validation from CMMC Documentation:

CMMC Assessment Guide (Level 1)confirms thatprocessing FCI includes using systems that convert or transform information, such as printers.

NIST SP 800-171definesprocessingas an action thatchanges or manipulates information, which applies to printing.

CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.

Breakdown of CMMC Level 1 Practices

The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:

Access Control (AC)– 4 practices

AC.L1-3.1.1: Limit system access to authorized users

AC.L1-3.1.2: Limit user access to authorized transactions and functions

AC.L1-3.1.20: Verify and control connections to external systems

AC.L1-3.1.22: Control information posted or processed on publicly accessible systems

Identification and Authentication (IA)– 2 practices

IA.L1-3.5.1: Identify and authenticate system users

IA.L1-3.5.2: Use multifactor authentication for local and network access

Media Protection (MP)– 1 practice

MP.L1-3.8.3: Sanitize media before disposal or reuse

Physical Protection (PE)– 4 practices

PE.L1-3.10.1: Limit physical access to systems containing FCI

PE.L1-3.10.3: Escort visitors and monitor visitor activity

PE.L1-3.10.4: Maintain audit logs of physical access

PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)– 2 practices

SC.L1-3.13.1: Monitor and control communications at system boundaries

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components

System and Information Integrity (SI)– 4 practices

SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner

SI.L1-3.14.2: Provide protection from malicious code at designated locations

SI.L1-3.14.4: Update malicious code protection mechanisms periodically

SI.L1-3.14.5: Perform scans of system components and real-time file scans

Official Reference from CMMC 2.0 Documentation

The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.

???? CMMC 2.0 Level 1 Summary:

Focus:Basic safeguarding of FCI

Total Practices:17

Derived From:FAR 52.204-21

Assessment Type:Self-assessment (annual)

Final Verification and Conclusion

The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

According to the CMMC Assessment Process (CAP), specifically during the Phase 3: Conduct Assessment (Evidence Collection and Verification), the Assessment Team must evaluate all collected artifacts, interview notes, and test results against two primary dimensions: Adequacy and Sufficiency.

Adequacy (The "Right" Evidence): This criterion focuses on the quality, relevance, and validity of the evidence. It addresses whether the evidence actually maps to the specific CMMC practice being assessed and whether it is authoritative (e.g., signed, current, and from a trusted source). If an assessor asks, "Is this therightpiece of information to prove this practice is met?" they are testing for Adequacy.

Sufficiency (The "Enough" Evidence): This criterion focuses on the quantity and scope of the evidence. It addresses whether the Assessment Team has collected enough data points (across the required number of assets and using the required methods of Examine, Interview, and Test) to reach a confident conclusion. If an assessor asks, "Do I haveenoughexamples of this practice in action across the entire enclave?" they are testing for Sufficiency.

Why other options are incorrect:

B and D (Objectivity/Subjectivity): While assessors must remain objective, these are not the formal "criteria" used to categorize the evidence collection quality within the CAP framework.

C (Sufficiency): As noted above, Sufficiency is about theamountof evidence, not whether it is thecorrect type(the "right" evidence).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4, "Collect and Verify Evidence," which explicitly defines the requirement for evidence to be both adequate and sufficient.

CMMC Level 2 Assessment Guide: Guidance on the application of the Examine, Interview, and Test (E-I-T) methods to ensure evidence quality.

NIST SP 800-171A: The foundation for CMMC assessment procedures, which emphasizes the need for relevant (adequate) evidence to support findings.

Understanding the CMMC Level 2 Assessment Process

When anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.

Who Signs Off on the Assessment Plan?

According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:

Lead Assessor– The individual responsible for overseeing the execution of the assessment.

C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.

Why "C. Lead Assessor and C3PAO" is Correct?

TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.

TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.

Why Other Answers Are Incorrect?

A. OSC and Sponsor (Incorrect)

TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.

Asponsoris not part of the sign-off process in CMMC assessments.

B. OSC and CMMC-AB (Incorrect)

TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.

TheCMMC-ABdoes not sign off on individualAssessment Plans.

D. C3PAO and Assessment Official (Incorrect)

"Assessment Official" isnot a defined rolein the CMMC assessment process.

TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.

Conclusion

The correct answer isC. Lead Assessor and C3PAO.

TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:

✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

Final Validation from CMMC Documentation:

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

Understanding Federal Contract Information (FCI) and Publicly Accessible Information

Federal Contract Information (FCI)isnon-public informationprovided by or generated for the U.S. governmentunder a contractthat isnot intended for public release.

Key Characteristics of FCI:

✔FCI includesdetails related togovernment contracts, project specifics, and performance data.

✔It must be protected under FAR 52.204-21, which requiresbasic safeguarding measuresto prevent unauthorized access.

✔Posting FCI on a public site is a security violationsince it ismeant to be restrictedfrom public disclosure.

Why is the Correct Answer "A. FCI (Federal Contract Information)"?

A. FCI → Correct

FCI must be protected from unauthorized access, and if it wasincorrectly published online, it should have been restricted.

B. Change of leadership in the organization → Incorrect

Leadership changes are typically public informationand do not require restriction unless they involve sensitive government-related security clearances.

C. Launching of their new business service line → Incorrect

Marketing and business announcementsare generallypublicly availableandnot restricted information.

D. Public releases identifying major deals signed with commercial entities → Incorrect

Commercial contracts and business deals are not considered FCIunless they involvegovernment contracts.

CMMC 2.0 References Supporting This Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

DefinesFCI as sensitive but unclassified informationthat must beprotected from public disclosure.

CMMC 2.0 Level 1 Requirements

Requires contractors toprotect FCI under basic cybersecurity standardsto prevent unauthorized exposure.

DoD Guidance on FCI Protection

States thatpublishing FCI on public websites violates federal cybersecurity requirements.