CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1–3 Practices

NIST SP 800-171 Rev. 2, Control PE-3

TheLimited Practice Deficiency Correction Evaluationprocess occurs when anOrganization Seeking Certification (OSC)has undergone aCMMC Level 2 Assessmentby aCertified Third-Party Assessment Organization (C3PAO)and hasunresolved deficienciesin some security practices.

According toCMMC 2.0 policy and DFARS 252.204-7021, OSCs can still achieveInterim Certificationif they meet theminimum thresholdof security practices while addressing deficiencies through aPlan of Action & Milestones (POA & M).

Minimum Number of Practices Required

TheCMMC 2.0 Interim Rulestates that an OSCmust meet at least 100 out of 110 practicesto qualify for aPOA & M-based remediation.

A maximum of 10 practices can be listed in the POA & Mfor later correction.

Failure to meet at least 100 practices results in failing the assessment outright, requiring a full reassessment after remediation.

Why "C. 100 Practices" is Correct?

The Lead Assessor can recommend POA & M placementonly if the OSC meets at least 100 practices.

Less than 100 practices scored as MET means the OSC does not qualify for a POA & Mand mustretest completely.

DFARS 252.204-7021 and CMMC 2.0 policiesconfirm the100-practice thresholdfor conditional certification.

Why Other Answers Are Incorrect?

A. 80 practices (Incorrect)– Falls well below the 100-practice requirement.

B. 88 practices (Incorrect)– Still below the POA & M eligibility threshold.

D. 110 practices (Incorrect)– While meeting 110 practices would be ideal,CMMC allows a POA & M option at 100 practices.

Conclusion

The correct answer isC. 100 practices, as this meets theminimum threshold for POA & M-based Interim Certification.

According to the CMMC Model and Assessment Guides, specifically the rules governing Plan of Action and Milestones (POA & M) and the remediation period, an Organization Seeking Certification (OSC) is allowed a limited opportunity to remediate certain "Not Met" practices to achieve a "Met" status without failing the assessment entirely.

Here is the breakdown based on CMMC Ecosystem protocols:

The 180-Day POA & M Rule: CMMC Level 2 allows for the use of POA & Ms for specific practices, provided they are not high-priority items (typically 5-point values in the scoring methodology). If an OSC has "Not Met" practices that are eligible for a POA & M, they have up to 180 days to remediate them.

The Remediation Period (Assessment Closeout): During the assessment process itself, there is a "remediation period" (often referred to within the 1-90 day window depending on the specific C3PAO methodology and the CMMC assessment process) where an OSC can fix minor issues identified by the assessor before the final report is submitted.

Eligibility Criteria: The question states there are 15 practices "Not Met." While this is a high number, the CMMC rule does not automatically disqualify an OSC based solely on thequantityof practices, but rather thetype(weight) of the practices and the resulting score. To be eligible for a conditional "Met" (via POA & M), the OSC must achieve a minimum score (often 80% of the total points) and none of the "Not Met" practices can be those designated as mandatory "Met" (no POA & M allowed) in the CMMC rule.

Why "C" is correct: Because we do not know the specific weights of the 15 "Not Met" practices or the total score, we cannot definitively say theywillbe remediated (A) or that they areineligible(B). However, under the CMMC assessment framework, the OSC may be eligible to enter a remediation phase or utilize a POA & M to bridge the gap, provided they meet the scoring threshold and the specific practices allow for it.

Reference Documents:

CMMC Assessment Process (CAP): Defines the phases of assessment including the "Remediation Period."

32 CFR Part 170 (CMMC Program Rule): Outlines the specific requirements for POA & Ms, the 180-day timeline, and the scoring parameters required to be eligible for a Conditional Certification.

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

Breaking Down the Scenario:

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

Analysis of the Given Options:

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

Official References Supporting the Correct Answer:

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Conclusion:

Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

Understanding Multi-Function Device (MFD) Security in CMMC

Multi-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.

Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.

Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?

VLAN Restrictions Provide Network Segmentation

VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.

Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.

Meets CMMC 2.0 Network Security Controls

Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.

Reducesthe risk of unauthorized access to scanned and printed FCI.

Why Not the Other Options?

B. Single administrative account→Incorrect

Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.

C. Documentation showing MFD configuration→Incorrect

Documentation helps with compliance butdoes not actively restrict access.

D. Access lists only known to the IT administrator→Incorrect

Access lists should besystem-enforced, not just "known" to the administrator.

Relevant CMMC 2.0 References:

CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.

NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.

Final Justification:

SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.

Understanding CUI Protection Responsibilities

Controlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

Why "D. Safeguarding" is Correct?

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

Why Other Answers Are Incorrect?

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

Conclusion

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Under the CMMC Assessment Process (CAP) v2.0 , the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled “Identify and Manage Initial Conflicts of Interest (COI)” and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.

CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.

This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility , the CAP’s direct assignment of COI management to the C3PAO makes B the correct answer.

===========

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

According to the CMMC Scoping Guidance, Level 2, assets are categorized to determine the level of assessment rigor required. The requirement to document an asset in the Asset Inventory, the System Security Plan (SSP), and on the Network Diagram is a specific administrative requirement for high-priority asset classes.

CUI Assets: These are assets that process, store, or transmit Controlled Unclassified Information (CUI). They are part of the "Assessed" group and must be fully documented in the inventory, SSP, and network diagram.

Security Protection Assets (SPA): These are assets that provide security functions or capabilities to the assessment scope (e.g., firewalls, log servers, or AV management consoles), even if they do not process CUI themselves. Because they are critical to the security of CUI, they must also be documented in the inventory, SSP, and network diagram.

Why other options are incorrect:

Option A: "GUI Assets" is likely a typo or misnomer in this context (possibly meant to refer to CUI assets or a distractor).

Option C: This is incorrect because Contractor Risk Managed Assets (CRMA) and Specialized Assets have different documentation requirements. For instance, while CRMA are documented in the inventory and SSP, they are often not required to be on the network diagram in the same detail as CUI assets, depending on the specific assessment boundary. Out-of-Scope Assets are not documented at all.

Option D: Contractor Risk Managed Assets (CRMA) and Specialized Assets (like IoT, OT, or Restricted Information Systems) are required to be in the Asset Inventory and SSP, but the CMMC Scoping Guidance specifies that the most stringent documentation (Inventory + SSP + Network Diagram) is the primary mandate for those assets directly handling CUI or protecting it (SPAs).

Reference Documents:

CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.0, Table 1 (CUI Assets) and Table 2 (Security Protection Assets), which explicitly list the "Documentation Requirements" for each category.

CMMC Assessment Process (CAP): Section on Scoping Boundaries and Evidence Validation.

The correct answer isA. CMMC Assessment Reporting Requirementsbecause this document specifically outlines thestructured processthat Certified Third-Party Assessment Organizations (C3PAOs) must follow when conducting and reporting CMMC assessments.

Step-by-Step Breakdown:

Understanding the CMMC Assessment Process

TheLead Assessorbriefs the team on theassessment requirementsand theevaluation criteriabefore the assessment begins.

Throughout the assessment,findings summaries, practice ratings, and level recommendationsare documented and reported.

These findings are internally reviewed by theC3PAObefore they are formally submitted forquality review and final rating approval.

Key Document Stipulating Reporting Requirements: CMMC Assessment Reporting Requirements

This documentspecifically details how assessments must be reportedwithin theCMMC ecosystem.

It describes the structured process for assessment submission, internalC3PAO reviews, andquality checks by the CMMC-ABbefore an organization can receive a final certification decision.

It ensures thatresults are consistent, transparent, and aligned with DoD cybersecurity compliance expectations.

Why Other Options Are Incorrect:

B. DFARS 52.204-21 Assessment Reporting Requirements

This clause only specifiesbasic safeguardingof Federal Contract Information (FCI) but doesnotdictate the reporting process for CMMC assessments.

C. NIST SP 800-171 Revision 2 Assessment Reporting Requirements

WhileNIST SP 800-171 Rev. 2outlines security controls, it doesnotdefine how CMMC assessments must be conducted and reported.

D. DFARS Clause 252.204-7012 Assessment Reporting Requirements

This DFARS clause focuses onincident reportingandcyber incident response requirementsbut does not detail theCMMC assessment reporting process.

Official Reference:

CMMC Assessment Reporting Requirements, issued byThe Cyber ABandDoD, governs how C3PAOs must report assessment results.

CMMC Assessment Process (CAP)also outlines reporting workflows for certification.

Thus, theCMMC Assessment Reporting Requirementsdocument is the authoritative source that dictates the reporting procedures for CMMC assessments.

Step 1: Understanding AC.L1-3.1.22

AC.L1-3.1.22states:"Control information posted or processed on publicly accessible systems."

This control requires organizations toensure that FCI (Federal Contract Information) is not publicly postedor made accessible in an uncontrolled manner.

FCI must beprotected from unauthorized disclosure, even if it is not classified or CUI.

Understanding CMMC 2.0 Incident Response Practices

TheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

Why "A. IR.L2-3.6.1: Incident Handling" is Correct?

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

Why Other Answers Are Incorrect?

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

Conclusion

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

Understanding Scoping in CMMC 2.0

TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.

Scoping determineswhich system components must comply with CMMC practices.

If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.

Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?

CMMC Applies to Contractors, Not Federal Systems

CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.

Federal systems arealready governed by NIST SP 800-53and other regulations.

Scope Includes Systems That Process CUI AND Those That Protect Them

Systemsprocessing, storing, or transmitting CUIare in scope.

Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.

Why Not the Other Options?

A. Federal systems that process, store, or transmit CUI.→Incorrect

CMMCdoes not apply to federal systems.

B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete

Itexcludes security systemsthat protect CUI assets, whichare also in scope.

C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect

CMMConly applies to nonfederal systems.

Relevant CMMC 2.0 References:

CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.

NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.

DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.

Final Justification:

SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.

Understanding CUI Markings and the Role of NARA

What Does "CUI//SP-PRVCY//FED Only" Mean?

The email containsControlled Unclassified Information (CUI)withspecific categories and dissemination controls.

CUI//SP-PRVCY//FED Onlybreaks down as follows:

CUI→ Controlled Unclassified Information designation.

SP-PRVCY→Specifiedcategory forPrivacy Information(SP stands for "Specified").

FED Only→ Restriction forFederal Government use only(not for contractors or the public).

Who Maintains the Official CUI Registry?

TheNational Archives and Records Administration (NARA) oversees the CUI Programand maintains the officialCUI Registry(https://www.archives.gov/cui).

The CUI Registry providesdefinitions, marking guidance, and categoriesfor all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."

Why NARA is the Correct Answer:

NARA is the governing body responsible for defining and managing CUI markings.

Any organization handling CUI shouldrefer to the NARA CUI Registryfor official marking interpretations.

DoD contractors and other organizationsmust comply with NARA guidelines when handling, marking, and disseminating CUI.

Clarification of Incorrect Options:

B. CMMC-AB– TheCMMC Accreditation Bodymanages certification assessments butdoes not define or interpret CUI markings.

C. DoD Contractors FAQ Page– The DoD may provide general contractor guidance, butCUI markings are governed by NARA, not an FAQ page.

D. DoD 239.7601 Definitions Page– This refers to generalDoD acquisition definitions, butCUI categories and markings fall under NARA’s authority.

TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.

TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:

"Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."

This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:

✅Organizational operations(e.g., mission, business continuity, functions)

✅Organizational assets(e.g., data, IT systems, intellectual property)

✅Individuals(e.g., employees, contractors, customers affected by security risks)

Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect

A. Organizational operations, business assets, and employees

❌Incorrect."Business assets"is not the correct terminology used in CMMC/NIST SP 800-171. Instead,"organizational assets"is the proper term.

B. Organizational operations, business processes, and employees

❌Incorrect."Business processes"is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.

D. Organizational operations, organizational processes, and individuals

❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.

CMMC Official References

CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.

NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.

Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.

Background on Legacy Markings and CUI

Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.

Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.

When Must Legacy Markings Be Updated?

If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.

If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.

If a document is being shared externally (Answer C - Correct):

According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.

The document must be re-marked in compliance with the CUI Program before dissemination.

If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.

Conclusion

The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.

Understanding the Concept of Security in CMMC 2.0

CMMC 2.0 aligns with federal cybersecurity standards, particularlyFISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.

The question describes security measures that are proportionate to therisk of loss, misuse, unauthorized access, or modificationof information. This matches the definition of"Adequate Security."

Analyzing the Given Options

A. Adopted security→ Incorrect

The term"adopted security"is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.

B. Adaptive security→ Incorrect

Adaptive securityrefers to adynamic cybersecurity modelwhere security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.

C. Adequate security→Correct

The term"adequate security"is defined inNIST SP 800-171, DFARS 252.204-7012, and FISMAas the level of protection that isproportional to the consequences and likelihood of a security incident.

This aligns perfectly with the definition in the question.

D. Advanced security→ Incorrect

Advanced securitytypically refers tohighly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.

Official References Supporting the Correct Answer

FISMA (44 U.S.C. § 3552(b)(3))

Definesadequate securityas"protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."

This directly matches the question's wording.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)

Mandates that contractors apply"adequate security"to protect Controlled Unclassified Information (CUI).

NIST SP 800-171 Rev. 2, Requirement 3.1.1

States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."

CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)

Requires that organizationsapply adequate security measures in accordance with NIST SP 800-171to meet compliance standards.

Conclusion

The term"adequate security"is the correct answer because it is explicitly defined in federal cybersecurity frameworks asprotection proportional to risk and potential consequences. Thus, the verified answer is:

Understanding Federal Contract Information (FCI) and Publicly Accessible Information

Federal Contract Information (FCI)isnon-public informationprovided by or generated for the U.S. governmentunder a contractthat isnot intended for public release.

Key Characteristics of FCI:

✔FCI includesdetails related togovernment contracts, project specifics, and performance data.

✔It must be protected under FAR 52.204-21, which requiresbasic safeguarding measuresto prevent unauthorized access.

✔Posting FCI on a public site is a security violationsince it ismeant to be restrictedfrom public disclosure.

Why is the Correct Answer "A. FCI (Federal Contract Information)"?

A. FCI → Correct

FCI must be protected from unauthorized access, and if it wasincorrectly published online, it should have been restricted.

B. Change of leadership in the organization → Incorrect

Leadership changes are typically public informationand do not require restriction unless they involve sensitive government-related security clearances.

C. Launching of their new business service line → Incorrect

Marketing and business announcementsare generallypublicly availableandnot restricted information.

D. Public releases identifying major deals signed with commercial entities → Incorrect

Commercial contracts and business deals are not considered FCIunless they involvegovernment contracts.

CMMC 2.0 References Supporting This Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

DefinesFCI as sensitive but unclassified informationthat must beprotected from public disclosure.

CMMC 2.0 Level 1 Requirements

Requires contractors toprotect FCI under basic cybersecurity standardsto prevent unauthorized exposure.

DoD Guidance on FCI Protection

States thatpublishing FCI on public websites violates federal cybersecurity requirements.

Understanding Asset Types in CMMC 2.0

In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.

According to CMMC Scoping Guidance, there are five primary asset types:

Security Protection Assets (ESP - External Service Providers & Security Systems)

People (Personnel who interact with FCI/CUI)

Facilities (Physical locations housing FCI/CUI)

Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)

CUI Assets (For Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct Answer

The IT manager is evaluating servers, laptops, databases, and applications—all of which are technology assets used to store, process, or transmit FCI.

According to CMMC Scoping Guidance, Technology assets include:

✅Endpoints (Laptops, Workstations, Mobile Devices)

✅Servers (On-premise or cloud-based)

✅Networking Devices (Routers, Firewalls, Switches)

✅Applications (Software, Cloud-based tools)

✅Databases (Storage of FCI or CUI)

Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).

Why the Other Answers Are Incorrect

A. ESP (Security Protection Assets)

❌Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.

B. People

❌Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software—which falls under Technology, not People.

C. Facilities

❌Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.

CMMC Official References

CMMC Level 1 Scoping Guide (CMMC-AB) – Defines asset categories, including Technology.

CMMC 2.0 Scoping Guidance for Assessors – Provides clarification on FCI assets.

Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.

NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.

Supporting Extracts from Official Content:

NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”

Why Option A is Correct:

“Clear, Purge, Destroy” are the exact three categories named.

Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.

References (Official CMMC v2.0 Content and Source Documents):

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

===========

CAP v2.0 makes “assessment readiness” a formal gate in Phase 1 (Conduct the Pre-Assessment) . The purpose of Phase 1 is for the C3PAO to evaluate whether the OSC has adequately prepared for the assessment of its Level 2 security requirements. If evidence submitted ahead of the assessment is found to be insufficient such that the OSC is not prepared to proceed, CAP describes an Adverse Determination of Assessment Readiness : the Lead CCA should inform the Affirming Official and provide a written explanation for recommending the assessment be suspended —without giving remedial advice.

CAP then addresses what happens next: if the OSC decides to cancel or postpone the assessment, both parties should settle affairs per the agreement (including return of proprietary information), and they may discuss revisiting the assessment when the OSC is fully prepared. This maps directly to “Postpone the assessment” as the best answer.

The other options don’t match CAP’s prescribed handling. CAP does not require notifying the Cyber AB for routine evidence insufficiency (A). “Cancel” (B) is an OSC decision path, but CAP explicitly calls out postponement/suspension as the appropriate procedural response to lack of readiness. “Contact the C3PAO for guidance” (D) is unnecessary framing here because the assessor/Lead CCA is acting on behalf of the C3PAO under CAP’s Phase 1 readiness determination and suspension process.

===========

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Understanding the CMMC Readiness Review Process

ALead Assessorconducting aCMMC Readiness Reviewevaluates whether anOrganization Seeking Certification (OSC)is prepared for a formal assessment.

After recording theassessment risk statusandoverall assessment feasibility, theminimum remaining criteriato be verified include:

Logistics Planning– Ensuring that the assessment timeline, locations, and necessary resources are in place.

Assessment Team Preparation– Confirming that assessors and required personnel are available and briefed.

Evidence Readiness– Ensuring the OSC has gathered all required artifacts and documentation for review.

Breakdown of Answer Choices

Option

Description

Correct?

A. Determine the practice pass/fail results.

Happensduringthe formal assessment, not the readiness review.

❌Incorrect

B. Determine the preliminary recommended findings.

Findings are only madeafterthe full assessment.

❌Incorrect

C. Determine the initial model practice ratings and record them.

Ratings are assigned during theassessment, not readiness review.

❌Incorrect

D. Determine the logistics, Assessment Team, and the evidence readiness.

✅Essential readiness criteria that must be confirmedbeforeassessment starts.

✅Correct

Official Reference from CMMC 2.0 Documentation

TheCMMC Assessment Process Guide (CAP)states that readiness review ensureslogistics, assessment team availability, and evidence readinessare verified.

Final Verification and Conclusion

The correct answer isD. Determine the logistics, Assessment Team, and the evidence readiness.This aligns withCMMC readiness review requirements.

Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.

Supporting Extracts from Official Content:

CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”

CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.

Why Option A is Correct:

The server stores FCI, making it automatically in scope.

Option B is incorrect because long-term storage does not make an asset out of scope.

Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.

Option D is incorrect because encryption does not remove scope requirements.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1.

CMMC Model v2.0, Scoping and Implementation guidance.

===========

Understanding the Role of the Lead Assessor in CMMC Assessments

TheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.

Why the Correct Answer is "C. Lead Assessor"?

Lead Assessor’s Key Responsibilities (Per CAP Guide)

Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.

Assignappropriate assessment tasksbased on team members’ expertise.

Ensure that theassessment is conducted in accordance with CMMC procedures.

Why Not the Other Options?

A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect

AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.

B. CMMC-AB (CMMC Accreditation Body)→Incorrect

TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.

D. CMMC Marketplace→Incorrect

TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.

CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.

Final Justification:

Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.

Understanding Licensed Training Providers (LTPs) in CMMC

ALicensed Training Provider (LTP)is an entity that is authorized by theCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)todeliver CMMC trainingbased on anapproved curriculum.

Key Responsibilities of an LTP:

Provides CMMC-AB-approved training programsfor individuals seeking CMMC certifications.

Uses an official CMMC curriculumthat aligns with theCMMC Body of Knowledge (BoK)and other CMMC-AB guidance.

Prepares students for CMMC roles, such asCertified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).

Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?

A. Creates DoD-licensed training → Incorrect

TheCMMC-AB, not the DoD, manages LTP licensing. LTPsdo not create new training contentbut mustfollow an approved curriculum.

B. Instructs a curriculum approved by CMMC-AB → Correct

LTPsteacha curriculum that has beenapproved by the CMMC-AB, ensuring consistency in CMMC training.

C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect

LTPs provide training, not testing. Testing is handled byLicensed Partner Publishers (LPPs)and exam bodies.

D. Delivers training using some CMMC body of knowledge objectives → Incorrect

LTPs mustfully adhereto theCMMC-AB-approved curriculum, not just "some" objectives.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Licensed Training Provider (LTP) Program Guidelines

Defines LTPs as entities thatdeliver CMMC-AB-approved training programs.

CMMC Body of Knowledge (BoK)

Specifies that training must follow theCMMC-AB-approved curriculumto ensure standardization.

CMMC-AB Training & Certification Framework

Requires LTPs todeliver structured training that meets CMMC-AB guidelines.

Final Answer:

✔B. Instructs a curriculum approved by CMMC-AB

Understanding CMMC Asset Scoping Requirements

Before conducting aCMMC Level 2 Assessment, anOrganization Seeking Certification (OSC)must define theassessment scopeby categorizing all assets. This ensures that only relevant systems are assessed againstCMMC practices, reducing unnecessary compliance burdens.

According to theCMMC Scoping Guide for Level 2, there are four asset categories:

CUI Assets– Assets that process, store, or transmitControlled Unclassified Information (CUI).

Security Protection Assets (SPA)– Assets that providesecurity functions(e.g., firewalls, intrusion detection systems, identity management systems).

Contractor Risk Managed Assets (CRMA)– Assets thatdo not directly store/process CUIbut interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).

Specialized Assets– Unique systems such asOperational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may requirelimitedCMMC assessment.

Which Asset Categories Are Always Assessed?

✅1. CUI Assets(ALWAYS ASSESSED)

These are theprimary focusof CMMC Level 2 since they handleCUI.

All110 NIST SP 800-171 controlsapply to these assets.

✅2. Security Protection Assets (SPA)(ALWAYS ASSESSED)

Security tools that protectCUI Assetsarealways includedin the assessment.

Examples includefirewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.

Why the Other Answer Choices Are Incorrect:

(A) CUI Assets and Specialized Assets❌

CUI Assets are assessed, butSpecialized Assets are only assessed in a limited manner, depending on their role inCUI security.

(C) Specialized Assets and Contractor Risk Managed Assets❌

Specialized Assets and CRMAsare typicallynot fully assessedagainst CMMC controls unless they directly impactCUI security.

(D) Security Protection Assets and Contractor Risk Managed Assets❌

SPAs are always assessed, butCRMAs are not necessarily assessedunless they directly impact CUI.

Final Validation from CMMC Documentation:

TheCMMC Scoping Guide (Level 2)clearly states thatCUI Assets and Security Protection Assetsarealways assessedagainst CMMC practices.

Thus, the correct answer is:

B. Security Protection Assets and CUI Assets.

The Cyber AB (formerly CMMC-AB) Code of Professional Conduct (CoPC) is a mandatory agreement that all CMMC ecosystem members—including Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs)—must adhere to. This code ensures the reliability and trustworthiness of the assessment process.

The fundamental principles that form the foundation of the CoPC include:

Responsibility: This refers to the obligation of the CMMC professional to act in the best interest of the CMMC program, the Department of Defense (DoD), and the public. It includes maintaining professional competence and performing duties with due care.

Confidentiality: Assessors and professionals are granted access to sensitive information, including Controlled Unclassified Information (CUI) and proprietary business data of the Organization Seeking Certification (OSC). They must ensure this information is protected from unauthorized disclosure.

Information Integrity: This principle requires that all data, findings, and reports generated during the assessment are accurate, complete, and have not been tampered with. It ensures that the "Met" or "Not Met" determinations are based on honest evidence.

Why other options are incorrect:

Options A and B (Objectivity): While "Objectivity" is a crucialbehavioralrequirement for an assessor (remaining unbiased), the specific high-level triad often emphasized in the CMMC Professional training and the formal CoPC documentation focuses on the Responsibility-Confidentiality-Integrity framework to align with standard professional ethics and information security pillars.

Options A and C (Classification): "Classification" is a process used for National Security Information (Classified info), whereas CMMC is primarily focused on unclassified information (CUI and FCI). Classification is not a core principle of the professional code of conduct.

Options A and C (Information Accuracy): While accuracy is vital, it is considered a subset of Information Integrity within the formal definitions provided in the CCP curriculum.

Reference Documents:

CMMC-AB (The Cyber AB) Code of Professional Conduct: The official ethical framework for all credentialed individuals.

CMMC Professional (CCP) Study Guide: Section on "Ethics and the Code of Professional Conduct."

CMMC Assessment Process (CAP): References the ethical standards required to maintain the integrity of the assessment ecosystem.

Understanding CMMC Assessment Methods

TheCybersecurity Maturity Model Certification (CMMC) 2.0follows theNIST SP 800-171A assessment methodology, which includesthree primary assessment methods:

Examine– Reviewing policies, procedures, system configurations, and documentation.

Interview– Engaging with personnel to validate their understanding and execution of security practices.

Test– Conducting actual technical or operational tests to determine whether security controls function as expected.

Why "Test" is the Correct Answer?

"Test" is the method that compares actual-specified conditions with expected behavior.

It involvesexecuting procedures, configurations, or automated toolsto see if thesystem behaves as required.

For example, if a policy states that multi-factor authentication (MFA) must be enforced, a test would involveattempting to log in without MFAto confirm whether access is blocked as expected.

TheNIST SP 800-171A Guide (Assessment Procedures for CUI)defines testing as an assessment method that:

Actively verifies a security control is functioning

Simulates real-world attack scenarios

Checks compliance through system actions rather than documentation

Why Other Answers Are Incorrect?

B. Examine (Incorrect)

Examining only involvesreviewing policies, procedures, or configurationsbut does not actively test system behavior.

C. Compile (Incorrect)

"Compile" is not an assessment method in CMMC 2.0 or NIST SP 800-171A.

D. Interview (Incorrect)

Interviews are used to gather insights from personnel, but they do not compare actual conditions with expected behavior.

Conclusion

The correct answer isA. Testbecause itactively verifies system performance against expected security conditions.

Understanding the Role of a Registered Provider Organization (RPO)

ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO

✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Why "Consulting Services" is the Correct Answer?

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Breakdown of Answer Choices

Option

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

Official References from CMMC 2.0 Documentation

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Final Verification and Conclusion

The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

Who Has the Final Authority Over Assessment Results?

During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.

Key Responsibilities of a C3PAO

✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).

✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.

✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.

✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.

Why "C3PAO" is Correct?

The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.

TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.

TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.

TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.

Breakdown of Answer Choices

Option

Description

Correct?

A. C3PAO

✅Correct – C3PAOs finalize and submit assessment results.

B. CMMC-AB

❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.

C. Assessment Team

❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.

D. Assessment Sponsor

❌Incorrect–This is arepresentative of the OSC, not the assessment authority.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.

Final Verification and Conclusion

The correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.

Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2

TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.

What is Required for Compliance?

The organization must performrisk assessments on all assets and entities involved in handling CUI.

Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.

The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.

Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":

CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.

Risk assessmentsmust evaluate all areas that could impact CUI security, including:

Personnel security risks(e.g., insider threats, phishing attacks).

Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).

Physical security risks(e.g., unauthorized access to servers, storage rooms).

IT systems(e.g., networks, servers, cloud environments processing CUI).

Clarification of Incorrect Options:

A. "IT systems"→Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.

B. "Enterprise systems"→Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.

C. "CUI Marking processes"→Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)

TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

Why "C. User names associated with system accounts assigned to those individuals" is Correct?

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

Why Other Answers Are Incorrect?

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

Conclusion

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

Understanding FAR Clause 52.204-21

TheFederal Acquisition Regulation (FAR) Clause 52.204-21is titled"Basic Safeguarding of Covered Contractor Information Systems."This clause establishesminimum cybersecurity requirementsforfederal contractorsthat handleFederal Contract Information (FCI).

Key Purpose of FAR Clause 52.204-21

Theprimary objectiveof FAR 52.204-21 is to ensure that contractors applybasic cybersecurity protectionsto theirinformation systemsthat process, store, or transmitFCI. Theseminimum safeguarding requirementsserve as abaseline security standardfor contractors doing business with theU.S. government.

Why "Minimum Standard of Care" is Correct?

FAR 52.204-21 doesnotrequire contractors to install specific cybersecurity tools (eliminating option A).

Itoutlines only the minimum safeguards, notallcybersecurity controls needed for complete security (eliminating option B).

CMMC certification isnotmandated by this clause alone (eliminating option D).

Instead, it establishesa baseline "standard of care"that all federal contractorsmust followto protectFCI(making option C correct).

Breakdown of Answer Choices

Option

Description

Correct?

A. It directs all covered contractors to install the cybersecurity systems listed in that clause.

❌Incorrect–The clause doesnotspecify tools or require specific cybersecurity systems.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS.

❌Incorrect–It only setsminimumrequirements, notall possiblesecurity measures.

C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.

✅Correct – The clause defines basic safeguards as a minimum security standard.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

❌Incorrect–FAR 52.204-21 doesnot mandateCMMC certification; that requirement comes from DFARS 252.204-7012 and 7021.

Minimum Safeguarding Requirements Under FAR 52.204-21

The clause defines15 basic security controls, which align withCMMC Level 1. Some examples include:

✅Access Control– Limit access to authorized users.

✅Identification & Authentication– Authenticate system users.

✅Media Protection– Sanitize media before disposal.

✅System & Communications Protection– Monitor and control network connections.

Official References from CMMC 2.0 and FAR Documentation

FAR 52.204-21– Establishes thebasic safeguarding requirementsfor FCI.

CMMC 2.0 Level 1– Directly aligns withFAR 52.204-21 controls.

Final Verification and Conclusion

The correct answer isC. It describes the minimum standard of care that contractors must take to secure covered contractor IS.This aligns withFAR 52.204-21 requirementsas abaseline security standard for FCI.

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA & M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA & M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA & M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA & M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

Understanding Scoping in CMMC Level 1 Self-Assessments

Federal Contract Information (FCI)is any informationnot intended for public releasethat is provided or generated under aU.S. Government contracttodevelop or deliver a product or service.

Enhanced Security Personnel (ESP)refers to employees, contractors, or third parties whohave access to FCIwithin anOrganization Seeking Certification (OSC).

UnderCMMC 2.0 Scoping Guidance, anypersonnel, system, or asset with access to FCI is considered in scopefor a CMMC Level 1 assessment.

Why Option A (In scope) is Correct

Since theESP employee has access to FCI, theymustbe included in the assessment scope.

Option B (Out of scope)is incorrect because anyone with access to FCI is automatically considered part of theCMMC Level 1 boundary.

Option C (OSC point of contact)is incorrect because thepoint of contactis typically an administrative or compliance representative, not necessarily someone with FCI access.

Option D (Assessment Team Member)is incorrect because anESP employee is not part of the assessment team but rather a subject of the assessment.

Official CMMC Documentation References

CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI

CMMC Assessment Process (CAP) Guide – Roles and Responsibilities

Federal Acquisition Regulation (FAR) 52.204-21(Basic Safeguarding of FCI)

Final Verification

Since theESP employee has access to FCI, they are consideredin scopefor the CMMC Level 1 self-assessment, makingOption A the correct answer.

Understanding the Final Review Process in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

Why "D. Final and recorded Daily Checkpoint log" is Correct?

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

Why Other Answers Are Incorrect?

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

Conclusion

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

Per DoDI 5200.48, Controlled Unclassified Information (CUI), the minimum marking requirement is that the word “CUI” must appear in the header and footer of each page of a document containing CUI. Additional markings such as portion markings or cover sheets may be applied depending on the situation, but the minimum baseline requirement is header and footer placement of "CUI".

Reference Documents:

DoDI 5200.48,Controlled Unclassified Information (CUI)

This question aligns to the CMMC requirement to control information posted or processed on publicly accessible information systems , which appears in the CMMC Model Overview as AC.L1-3.1.22 (Control Public Information) and maps to FAR 52.204-21(b)(1)(iv) and NIST SP 800-171 Rev. 2 / r2 requirement 3.1.22 .

NIST explains that publicly accessible systems are typically those accessible to the public without identification or authentication , and that individuals authorized to post nonpublic information (including CUI/FCI and proprietary information) are designated . It also emphasizes controlling what gets posted and ensuring nonpublic information is not exposed.

The most direct technical way to “limit individuals who are authorized to post or process information” is to implement role-based administrative access (least privilege) to the website/CMS/admin console—granting publish/edit privileges only to approved roles (e.g., “Web Publisher,” “Content Approver”), and keeping all other users read-only or without access to posting functions. This directly enforces the requirement by using access control to restrict who can post/process content on the public system.

Options B and C are helpful procedural/administrative controls , but the question asks for technical means . Option A (cookies) does not control authorization to post; it’s not an access control mechanism. Therefore, D is best.

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

The correct document is a Non-Disclosure Agreement (NDA) , because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0 , NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.

CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”

This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.

While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement) .

Understanding Who Must Perform Tests in a CMMC Assessment

During aCMMC Level 2 Assessment, assessorsmust observe operational activities and security practicesto verify compliance. This process involves:

✔Testing security controls and proceduresas part of the assessment.

✔Observation of standard work practicesto ensure controls are properly implemented.

✔Using operational personnel (OSC employees) who regularly perform the taskto ensure realistic assessment conditions.

Who Performs Tests?

Operational personnel (OSC employees) must conduct the actual work while assessors observe.

Certified CMMC Professionals (CCPs) or Lead Assessorsoversee and document the testing process.

Why is the Correct Answer "A" (OSC personnel who normally perform that work as the CCP observes)?

A. OSC personnel who normally perform that work as the CCP observes → Correct

CMMC assessments require actual users (OSC personnel) to perform their regular duties while assessors observeto verify security practices.

B. Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s) → Incorrect

Military personnel are not responsible for testing contractor security controls.

Assessors observe and evaluate but do not perform testing themselves.

C. Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI → Incorrect

Military personnel do not perform the testing.

The contractor (OSC) is responsible for implementing and demonstrating security controls.

D. OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s) → Incorrect

Personnel unfamiliar with the job should not be used for testing.

Theassessment must reflect real-world conditions, so theactual employees who perform the work must demonstrate the process.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies thatassessments must observe real operational activities to determine compliance.

CMMC-AB Assessment Methodology

Requirestesting of security controls in a realistic operational environment, meaning actual OSC personnel must perform the tasks.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Specifies thatinterviews and observations should be conducted with personnel who regularly perform the work.

Under the official CMMC Assessment Process (CAP) v2.0 , the OSC contracts directly with a C3PAO to arrange a Level 2 certification assessment, including the practical scope-of-work elements (timing, logistics, and the terms of performance). CAP v2.0 explicitly states that “The C3PAO shall execute a written contractual agreement for the CMMC Level 2 certification assessment with the OSC” and further clarifies that neither the Cyber AB nor DoD are parties to that contract.

Because the C3PAO is the assessment organization that conducts the certification assessment, it is also the entity the OSC coordinates with during the pre-assessment activities that shape the engagement and scope. CAP v2.0 places key Phase 1 responsibilities on the C3PAO/Lead CCA, including validating the OSC’s assessment scope against applicable scoping requirements and coordinating access to evidence and personnel needed for Phase 2.

By contrast, OUSD provides DoD-level oversight/policy, RPOs and the Cyber AB support the ecosystem, but they do not form the contractual relationship for a specific Level 2 certification assessment. CAP v2.0 is unambiguous that the contract (and any mutually agreed scope-of-work terms) is between the OSC and the C3PAO .

===========

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.

Supporting Extracts from Official Content:

CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”

Why Option D is Correct:

Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.

Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.

===========

Understanding Training Requirements in CMMC

The requirement for ensuring thatpersonnel are trained to carry out their assigned information security-related duties and responsibilitiesfirst appears inCMMC Level 2as part ofNIST SP 800-171 control AT.L2-3.2.1.

Key Details on the Training Requirement:

✔AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

✔This control is derived fromNIST SP 800-171and applies toCMMC Level 2 (Advanced).

✔It ensures that employees handlingControlled Unclassified Information (CUI)understand theircybersecurity responsibilities.

Why is the Correct Answer "B. Level 2"?

A. Level 1 → Incorrect

CMMC Level 1 does not include this training requirement.Level 1 focuses on basic safeguarding ofFederal Contract Information (FCI)but doesnot require formal cybersecurity training.

B. Level 2 → Correct

The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns withNIST SP 800-171.

C. Level 3 → Incorrect

The training requirementalready exists in Level 2. Level 3 builds on Level 2 with additionalrisk management and advanced cybersecurity controls, but training is introduced at Level 2.

D. All levels → Incorrect

CMMC Level 1 does not include this requirement—it is first introduced in Level 2.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.2.1)

Defines themandatory training requirementfor personnel handling CUI.

CMMC Assessment Guide for Level 2

ListsAT.L2-3.2.1as a required practice under Level 2.

CMMC 2.0 Model Overview

Confirms thatCMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.

Best Practices for Handling Sensitive Assessment Information

CMMC assessments involve handlingsensitive and potentially CUI-related documents. Assessors must follow strictsecurity policiesto avoid unauthorized access, data leaks, or non-compliance withCMMC 2.0 and NIST SP 800-171 requirements.

Why Logging into the Client VPN on the Client Laptop is the Best Approach:

Ensures Data Protection:The client laptop is likely configured to meet security controls required for handling assessment-related materials.

Prevents Data Spillage:Keeping all assessment-related activities within the client’s secured environment reduces the risk ofdata leakage or unauthorized storage.

Maintains Compliance with CMMC/NIST Guidelines:Using aproperly configured client laptop and secured connectionensures compliance withNIST SP 800-171 controls on secure remote access(Requirement3.13.12).

Clarification of Incorrect Options:

A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."

Incorrect→Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized systemviolates data handling best practices.

C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."

Incorrect→ Theassessor’s laptop may not be authorizedorsecuredto handle client data. CMMC guidelines emphasizeusing approved, secured systemsfor assessment-related information.

D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."

Incorrect→

Transferring sensitive documents via USBintroduces security risks, including unauthorized data storage and potential malware contamination.

Home office workstationsare unlikely to be authorized for handling CMMC-sensitive data.

In CMMC v2.0, the closeout activity for remediating previously unmet requirements is handled through the POA & M closeout process described in the CMMC Assessment Process (CAP) v2.0 . CAP v2.0 makes clear that the C3PAO must follow DoD’s POA & M closeout procedures and that the Assessment Team performs the closeout work, with the assessment results then undergoing a required quality assurance (QA) review .

Operationally, the person who must ensure that each previously failed requirement is adequately addressed during the closeout assessment is the Lead Assessor (Lead CCA) , because the Lead CCA is the individual designated to oversee and manage the Assessment Team on behalf of the C3PAO for the conduct of the certification assessment. In other words, while team members may test controls and collect evidence, the Lead CCA is accountable for directing the assessment effort and ensuring that remediation evidence supports updated determinations.

CAP v2.0 also states that a QA individual performs a quality assurance review of the POA & M closeout “upon completion by the Assessment Team,” including checks on the accuracy and completeness of evaluation of POA & M security requirements before upload to eMASS. This reinforces that verification occurs through the assessment team’s work, led by the Lead Assessor , and then independently quality-checked by QA.

===========

Understanding CMMC Asset Categorization

TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope Assets

As per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

Why the Other Answers Are Incorrect

A. FCI Assets

❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets

❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets

❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

Step 1: Understanding CMMC Level 1 Self-Assessment Scope

CMMC Level 1applies toFederal Contract Information (FCI)systems.

Any system or device that is connected to an FCI-handling network is within the assessment scopebecause it canintroduce vulnerabilitiesinto the environment.

Step 2: Why the Thermostat is in Scope

TheWi-Fi-enabled thermostat is connected to the FCI network, meaning it haspotential accessto sensitive contract-related data.

PerCMMC Scoping Guidance, this type of device is classified as aRestricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but areconnected to networks that do.

Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.

In a CMMC Level 2 Assessment, an assessor must achieve a high level of confidence that a practice is both implemented and institutionalized. This is determined through the Examine, Interview, and Test (E-I-T) methods as outlined in NIST SP 800-171A and the CMMC Assessment Process (CAP).

Conflict of Evidence: The scenario presents a direct conflict between the three pillars of evidence. The Policy/Documentation (Examine) states the practice occurs monthly. The Logs/Artifacts (Examine/Test) show it occurs quarterly. The Interviews claim it happens monthly but is only recorded quarterly.

The "Not Met" Determination: Under the CAP, if the evidence collected does not consistently support the assessment objective, the practice cannot be marked as "Met." Specifically:

Adequacy and Sufficiency: The logs (the primary proof of performance) are insufficient to prove the monthly requirement stated in the documentation.

Inconsistency: Assessors look for "corroboration." When interviews contradict the physical artifacts (the logs), the objective evidence (the logs) carries significant weight. If a practice is required monthly but only recorded quarterly, the assessor cannot verify that it was actually performed during the missing months.

Why other options are incorrect:

Option B: The practice isnotbeing done as documented because the documentation says "monthly" and the logs only show "quarterly."

Option C: This is a common misconception. Not all three methods (E, I, and T) are required foreverysingle practice (the Assessment Guide specifies which are required), but allusedmethods must yield consistent "Met" results.

Option D: Interviews alone are almost never sufficient to pass a practice that requires technical or administrative artifacts (logs).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence) and Section 3.5 (Determine Findings).

CMMC Level 2 Assessment Guide: Introduction to Assessment Methods, emphasizing that findings must be supported by the "preponderance of evidence."

NIST SP 800-171A: Chapter 2, "Assessment Procedures," regarding the necessity of artifacts to prove implementation over time.

For SI.L2-3.14.7 (Identify Unauthorized Use) , the assessment objectives focus on two outcomes: (a) the organization has defined authorized use of the system, and (b) the organization identifies unauthorized use when it occurs. The strongest evidence is therefore evidence that the organization actively monitors systems and can detect and recognize activity outside the defined authorized-use baseline.

In the DoD CMMC Assessment Guide – Level 2 (v2.13) , the “Potential Assessment Methods and Objects” for SI.L2-3.14.7 emphasize artifacts that are directly tied to monitoring and detection—such as a continuous monitoring strategy , system and information integrity policy , procedures addressing system monitoring tools and techniques , and technical monitoring capabilities (e.g., tools/techniques like IDS/IPS , audit record monitoring , and network monitoring ).

These artifacts are exactly what demonstrate that unauthorized use is being identified in practice (alerts, logs, correlation, and review processes) and that authorized use is defined (policies/standards that establish what “authorized” looks like so “unauthorized” can be recognized).

By contrast, risk assessment/response and incident response may be related program elements, but they are not the primary evidence that the organization is continuously detecting unauthorized use. The assessment guide’s focus on monitoring artifacts makes System monitoring the best evidence.

Understanding Specialized Assets in a CMMC Self-Assessment

DuringCMMC Level 1 Self-Assessments, organizations must classify theirassetsin theSystem Security Plan (SSP).

Specialized Asset Type: Operational Technology (OT)

Operational Technology (OT)includesmachine controllers, industrial control systems (ICS), and assembly machines.

Thesesystems control physical processesin manufacturing, energy, and industrial environments.

OT assets are distinct from traditional IT systemsbecause they haveunique security considerations(e.g., real-time control, legacy system constraints).

Why is the Correct Answer "D. Operational Technology"?

A. IoT (Internet of Things) → Incorrect

IoT devicesinclude smart home systems, connected sensors, and networked appliances, butmachine controllers and assembly machines fall under OT, not IoT.

B. Restricted IS → Incorrect

Restricted Information Systems (IS) refer to classified or highly controlled systems, whichdoes not apply to standard industrial machines.

C. Test Equipment → Incorrect

Test equipment includes diagnostic tools or measurement devicesused forquality assurance, not industrial machine controllers.

D. Operational Technology → Correct

Machine controllers and assembly machinesare part ofindustrial automation and control systems, which are classified asOperational Technology (OT).

CMMC 2.0 References Supporting This Answer:

CMMC Scoping Guidance for Level 1 & Level 2 Assessments

DefinesOperational Technology (OT) as a category of Specialized Assetsthat requirespecific security considerations.

NIST SP 800-82 (Guide to Industrial Control Systems Security)

Identifiesmachine controllers and assembly machinesas part ofOperational Technology (OT).

CMMC 2.0 Asset Classification Guidelines

Specifies thatOT systems should be documented separately in an organization's SSP.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:

✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

Final Validation from CMMC Documentation:

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

Understanding the False Claims Act (FCA) and Whistleblower Protections

TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

Why the Other Answers Are Incorrect

A. NIST SP 800-53

❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171

❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct

❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

CMMC Official References

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

Thus,option C (False Claims Act) is the correct answeras per official legal guidance.

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.

Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the "anchor" for the assessment boundary.

Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.

Relationship to other units:

Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary "Host" of the CUI/FCI. They are in-scope because they provide "Security Protection" or "Administrative" functions to the Host Unit.

Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the "people, processes, and technology" being assessed under the CMMC CAP.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.

CMMC Level 2 Scoping Guidance: Provides the framework for identifying the "assets" (people, technology, facilities) that reside within the Host Unit boundary.

CCP Study Guide: Section on "Scoping the Assessment," which explains how to identify the Host Unit versus External Service Providers (ESPs).