Who makes the final determination of the assessment method used for each practice?
CCP
osc
Site Manager
Lead Assessor
Who Determines the Assessment Method for Each Practice?
In a CMMC Level 2 Assessment, the Lead Assessor has the final authority in determining the assessment method (examine, interview, or test) used to evaluate each practice.
Key Responsibilities of the Lead Assessor
✅ Ensures the CMMC Assessment Process (CAP) Guide is followed.
✅ Determines whether a practice is evaluated using interviews, demonstrations (tests), or document reviews (examination).
✅ Directs the Certified CMMC Professionals (CCPs) and other assessors on the methodology for gathering evidence.
✅ Works under a Certified Third-Party Assessment Organization (C3PAO) to ensure proper assessment execution.
A CCP (Option A) assists in the assessment but does not make final decisions on methods.
The OSC (Option B) is the Organization Seeking Certification; it is the assessed party and does not control assessment methodology.
The Site Manager (Option C) may coordinate logistics but has no authority over assessment decisions.
Why "Lead Assessor" Is Correct: Breakdown of Answer Choices
A. CCP – ❌ Incorrect – A CCP assists but does not determine assessment methods.
B. OSC – ❌ Incorrect – The OSC is being assessed and does not decide assessment methods.
C. Site Manager – ❌ Incorrect – The Site Manager handles logistics but does not control assessment methods.
D. Lead Assessor – ✅ Correct – The Lead Assessor has the final say on the assessment method used.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) – Defines the Lead Assessor's role in determining assessment methods.
Final Verification and Conclusion
The correct answer is D. Lead Assessor, as the Lead Assessor has final decision-making authority over the assessment methodology.
Which assessment method compares actual-specified conditions with expected behavior?
Test
Examine
Compile
Interview
Understanding CMMC Assessment Methods
The Cybersecurity Maturity Model Certification (CMMC) 2.0 follows the NIST SP 800-171A assessment methodology, which defines three assessment methods:
Examine – Reviewing policies, procedures, system configurations, and other documentation or artifacts.
Interview – Discussing the practice with personnel to validate their understanding and execution of it.
Test – Exercising assessment objects (activities or mechanisms) under specified conditions to compare actual with expected behavior.
"Test" is the method that compares actual conditions with expected behavior.
It involves executing procedures, configurations, or automated tools to see whether the system behaves as required.
For example, if a policy states that multi-factor authentication (MFA) must be enforced, a test would involve attempting to log in with only a password to confirm that access is blocked until the second factor is supplied.
NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) describes testing as an assessment method that:
Actively verifies that a security requirement is functioning as implemented
Exercises the mechanism or activity under specified conditions
Checks compliance through observed system behavior rather than documentation alone
B. Examine (Incorrect)
Examining only involves reviewing policies, procedures, or configurations; it does not exercise system behavior.
C. Compile (Incorrect)
"Compile" is not an assessment method in CMMC 2.0 or NIST SP 800-171A.
D. Interview (Incorrect)
Interviews gather information from personnel, but they do not compare actual conditions with expected behavior.
The correct answer is A. Test because it actively verifies system behavior against expected security conditions.
The Audit and Accountability (AU) domain has practices in:
Level 1.
Level 2.
Levels 1 and 2.
Levels 1 and 3.
The Audit and Accountability (AU) domain is one of the 14 families of security requirements in NIST SP 800-171 Rev. 2, which is fully adopted by CMMC 2.0 Level 2.
Analysis of the Given Options:
A. Level 1 → Incorrect
CMMC Level 1 covers only the basic safeguarding requirements of FAR 52.204-21 (15 requirements, enumerated as 17 practices in the 2021 CMMC 2.0 model overview). Those include logging of physical access (PE.L1-3.10.4) but no Audit and Accountability (AU) practices.
B. Level 2 → Correct
The AU domain is required at Level 2, which aligns with NIST SP 800-171.
CMMC 2.0 Level 2 includes 110 security requirements, among which the AU-related requirements cover audit log generation, retention, review, protection, and accountability.
C. Levels 1 and 2 → Incorrect
Level 1 does not require audit and accountability practices.
D. Levels 1 and 3 → Incorrect
CMMC 2.0 has Levels 1, 2, and 3. Level 3 builds on Level 2 (adding selected NIST SP 800-172 requirements), so AU carries into Level 3, but Level 1 has no AU practices, which rules this option out.
Official References Supporting the Correct Answer:
NIST SP 800-171 Rev. 2 (Audit and Accountability – Family 3.3)
The AU domain consists of security requirements 3.3.1 – 3.3.9, covering audit log generation, retention, review, protection, and accountability.
CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)
AU practices (Audit and Accountability) are first required at Level 2.
Conclusion:
The AU domain applies to CMMC 2.0 Level 2, making the correct answer:
✅ B. Level 2.
A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M, but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?
80 practices
88 practices
100 practices
110 practices
The Limited Practice Deficiency Correction Evaluation occurs when an Organization Seeking Certification (OSC) has undergone a CMMC Level 2 Assessment by a Certified Third-Party Assessment Organization (C3PAO) and still has unresolved deficiencies in some security practices at the end of the assessment.
Under CMMC 2.0 (32 CFR 170.21 and the CMMC Assessment Process (CAP)), an OSC can receive a Conditional Level 2 certification (the question calls it Interim) while it addresses remaining deficiencies through a Plan of Action & Milestones (POA&M), provided it meets a minimum score.
The threshold is a score of at least 88 out of 110 (80%). The remaining NOT MET practices may be placed on a POA&M only if each has a point value of 1 under the DoD Assessment Methodology (SC.L2-3.13.11, CUI Encryption, is the one higher-weighted practice that may be POA&M'd when cryptography is used but is not FIPS-validated); practices that may never be POA&M'd, such as the System Security Plan requirement (CA.L2-3.12.4), must be MET.
The POA&M must be closed out, and verified through a C3PAO POA&M closeout assessment, within 180 days; otherwise the conditional certification expires and the OSC must be reassessed.
Scoring below 88 means the OSC does not qualify for a POA&M-based conditional certification and fails the assessment.
A. 80 practices (Incorrect) – Below the 88-practice (80%) threshold.
C. 100 practices (Incorrect) – Higher than the minimum; no CMMC rule sets a 100-practice threshold. DFARS 252.204-7021 invokes the CMMC requirement but defines no score threshold.
D. 110 practices (Incorrect) – 110 MET practices is a full pass with nothing left to place on a POA&M.
The correct answer is B. 88 practices, as this is the minimum score for POA&M-based conditional certification under CMMC 2.0.
Ethics is a shared responsibility between:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Understanding Ethical Responsibility in the CMMC Ecosystem
Ethics in the CMMC ecosystem is a shared responsibility between the CMMC Accreditation Body (CMMC-AB, now operating as The Cyber AB) and its members. The CMMC-AB Code of Professional Conduct outlines ethical obligations for assessors, consultants, and other ecosystem participants to ensure integrity, fairness, and professionalism.
Key Ethical Responsibilities Include:
CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result in disciplinary actions, revocation of certification, or legal consequences.
Why Is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?
A. DoD and CMMC-AB → Incorrect
The DoD oversees the CMMC program, but it is not responsible for the day-to-day ethical conduct of CMMC assessments.
B. OSC and Sponsors → Incorrect
The Organization Seeking Certification (OSC) is responsible for compliance but does not oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as a joint responsibility of the CMMC-AB and its ecosystem members in official CMMC guidance.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are part of the CMMC ecosystem, but CMMC-AB is the governing body responsible for ethical oversight.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities for assessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics is jointly managed by CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations for assessors and consultants during certification assessments.
During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
Host Unit
Organization
Coordinating Unit
Supporting Organization/Unit
In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.
Step-by-Step Explanation:
Definition of the HQ Organization:
The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.
Identification of External Entities:
External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.
Role of Supporting Organizations/Units:
According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.
Assessment Implications:
While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level unless an enterprise assessment is conducted. In that case the assessment scope encompasses the HQ Organization and its Supporting Organizations so that all associated entities are covered. The Host Unit (Option A), by contrast, is the part of the HQ Organization that is assessed and does receive the CMMC Level. The correct answer is D. Supporting Organization/Unit.
A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?
Review it, print it, and put it in the desk drawer.
Review it, and make notes on the computer provided by the client.
Review it, print it, make notes, and then shred it in a cross-cut shredder in the print room.
Review it, print it, and leave it in a folder on the table together with the other documents.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). The same handling discipline applies to the assessment team's treatment of OSC evidence, which may itself contain CUI. The relevant practices are in media protection and physical protection.
Media Protection (MP):
MP.L2-3.8.1 – Media Protection: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital, so that sensitive information is not accessible to unauthorized individuals.
MP.L2-3.8.3 – Media Disposal: Sanitize or destroy system media containing CUI before disposal or release for reuse, preventing disclosure from discarded or repurposed media.
Physical Protection (PE):
PE.L2-3.10.2 – Monitor Facility: Protect and monitor the physical facility and support infrastructure for organizational systems, including ensuring that areas where CUI is processed or stored are secured and access-controlled.
Application to the Scenario:
Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and the conference room used for the assessment is shared with other tenants and has no lockable storage, the following considerations apply:
Reviewing the Evidence File: The evidence file, which may contain CUI, should be reviewed on the assessor's own C3PAO-managed device, not on equipment the OSC controls, to prevent unauthorized access or data leakage.
Printing the Evidence File: If printing is necessary, the printer should be in a controlled area and the printed pages retrieved immediately to prevent unauthorized viewing.
Making Notes: Notes derived from the evidence file must be protected to the same level as the original document, especially if they contain CUI.
Disposal of Printed Materials: At the end of the day, all printed material and handwritten notes containing CUI must be destroyed with a cross-cut shredder, which leaves particles that cannot practically be reconstructed. Nothing may be left overnight in an unlockable drawer or on a table in a room other tenants can enter.
Options A and D are inadequate because they leave sensitive information in an unsecured, shared space, which violates the media protection and physical protection practices above. Option B puts the assessor's notes on a computer the assessed party controls, so the assessor neither controls that evidence nor addresses any paper copies. Option C is therefore the best practice, aligning with CMMC 2.0 guidelines: the file is reviewed, the working copy is used only during the session, and it is destroyed when no longer needed.
Which statement BEST describes a LTP?
Creates DoD-licensed training
Instructs a curriculum approved by CMMC-AB
May market itself as a CMMC-AB Licensed Provider for testing
Delivers training using some CMMC body of knowledge objectives
Understanding Licensed Training Providers (LTPs) in CMMC
A Licensed Training Provider (LTP) is an entity authorized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) to deliver CMMC training based on an approved curriculum.
Key Responsibilities of an LTP:
Provides CMMC-AB-approved training programs for individuals seeking CMMC certifications.
Uses an official CMMC curriculum that aligns with the CMMC Body of Knowledge (BoK) and other CMMC-AB guidance.
Prepares students for CMMC roles such as Certified CMMC Assessor (CCA) and Certified CMMC Professional (CCP).
Why Is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?
A. Creates DoD-licensed training → Incorrect
The CMMC-AB, not the DoD, licenses LTPs. LTPs do not author their own training content; they deliver an approved curriculum.
B. Instructs a curriculum approved by CMMC-AB → Correct
LTPs teach a curriculum that has been approved by the CMMC-AB, ensuring consistency in CMMC training.
C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect
LTPs provide training, not certification exams. Curriculum content is produced by Licensed Publisher Partners (LPPs), and exams are administered separately through the accreditation body's exam process.
D. Delivers training using some CMMC body of knowledge objectives → Incorrect
LTPs must deliver the full CMMC-AB-approved curriculum, not just "some" objectives.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Licensed Training Provider (LTP) Program Guidelines
Defines LTPs as entities that deliver CMMC-AB-approved training programs.
CMMC Body of Knowledge (BoK)
Specifies that training must follow the CMMC-AB-approved curriculum to ensure standardization.
CMMC-AB Training & Certification Framework
Requires LTPs to deliver structured training that meets CMMC-AB guidelines.
Final Answer: ✔ B. Instructs a curriculum approved by CMMC-AB
In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?
Virtual LAN restrictions
Single administrative account
Documentation showing MFD configuration
Access lists only known to the IT administrator
Understanding Multi-Function Device (MFD) Security in CMMC
Multi-function devices (MFDs), such as scanners, printers, and copiers, process, store (on internal drives and in job queues), and transmit FCI, making them a potential attack surface for unauthorized access.
The best technical control to limit MFD access to only authorized systems is Virtual LAN (VLAN) restrictions: placing the MFD on its own VLAN and enforcing, at the inter-VLAN boundary, which systems may reach it and which systems it may reach.
Why the Correct Answer Is "A. Virtual LAN (VLAN) Restrictions"
VLAN Restrictions Provide Network Segmentation
A dedicated VLAN isolates the MFD from unauthorized systems at layer 2; an access list or firewall policy on the inter-VLAN router then ensures only approved devices (for example, the print server and a scan-to-file destination) can communicate with it, on approved ports.
This limits connections to specific hosts, subnets, and protocols instead of relying on the device's own, often weak, access controls.
Meets CMMC 2.0 Network Security Controls
Aligns with the System and Communications Protection (SC) practices for boundary protection and with the Access Control (AC) practice limiting system access to authorized devices.
Reduces the risk of unauthorized access to scanned and printed FCI.
Why Not the Other Options?
B. Single administrative account → Incorrect
A single admin account does not restrict which systems can reach the MFD on the network; it only controls who can configure the device.
C. Documentation showing MFD configuration → Incorrect
Documentation supports the assessment but does not actively restrict access.
D. Access lists only known to the IT administrator → Incorrect
An access list is only a control when it is enforced by a system (switch, router, firewall, or the MFD itself); a list that exists only in an administrator's knowledge enforces nothing.
Relevant CMMC 2.0 References:
SC.L1-3.13.1 (Boundary Protection) – Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems; a VLAN boundary around the MFD is such an internal boundary.
AC.L1-3.1.1 (Authorized Access Control) – Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
NIST SP 800-171 (SC Family) – Supports isolation of sensitive devices using VLANs and other segmentation controls.
Final Justification:
Since Virtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer is A. Virtual LAN (VLAN) restrictions.
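As an added example that is not part of the original page, the nftables ruleset below shows the inter-VLAN policy that turns a dedicated MFD VLAN into an actual restriction rather than just a separate broadcast domain. It assumes a Linux router with VLAN subinterfaces vlan30 (workstations, print server 10.20.30.10, scan-to-file server 10.20.30.11), vlan40 (the MFD VLAN, MFD at 10.20.40.20) and vlan50 (management, monitoring host 10.20.50.5); every interface name, address and port is an assumption chosen for illustration. The commented-out forward chain at the top is the weak setting; the rules that follow are the hardened one.

```nft
# Added example, not from the original page. Assumed layout:
#   vlan30 = 10.20.30.0/24 workstations; print server 10.20.30.10; scan-to-file server 10.20.30.11
#   vlan40 = 10.20.40.0/24 dedicated MFD VLAN; the MFD is 10.20.40.20
#   vlan50 = 10.20.50.0/24 management; monitoring/admin host 10.20.50.5
#
# Weak setting: a flat network, or an inter-VLAN router whose forward chain is
#     chain forward { type filter hook forward priority 0; policy accept; }
# That lets every workstation, guest device or compromised host reach the MFD's
# web UI, SNMP, scan shares and raw print port directly, and lets the MFD
# reach anything on the network.
#
# Hardened setting: default-deny forwarding, with only the named systems and
# protocols allowed in each direction. Load with: nft -f mfd.nft

table inet mfd_segmentation
flush table inet mfd_segmentation
table inet mfd_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already allowed below.
        ct state established,related accept
        ct state invalid drop

        # Print server -> MFD: raw print (9100) and IPP (631) only.
        iifname "vlan30" oifname "vlan40" ip saddr 10.20.30.10 ip daddr 10.20.40.20 tcp dport { 9100, 631 } accept

        # MFD -> scan-to-file server: SMB only, to one host.
        iifname "vlan40" oifname "vlan30" ip saddr 10.20.40.20 ip daddr 10.20.30.11 tcp dport 445 accept

        # Management host -> MFD: admin web UI and SNMP polling.
        iifname "vlan50" oifname "vlan40" ip saddr 10.20.50.5 ip daddr 10.20.40.20 tcp dport 443 accept
        iifname "vlan50" oifname "vlan40" ip saddr 10.20.50.5 ip daddr 10.20.40.20 udp dport 161 accept

        # Everything else to or from the MFD VLAN is dropped and logged:
        # workstations printing directly, the MFD "phoning home", lateral movement.
        oifname "vlan40" log prefix "MFD-DENY-IN " drop
        iifname "vlan40" log prefix "MFD-DENY-OUT " drop
    }
}
```

The policy only works if the MFD is actually alone on vlan40; a workstation plugged into the same VLAN bypasses the router entirely, so the switch port assignments are part of the control. This is also where the Test assessment method from earlier on the page applies: from a workstation, a connection attempt to 10.20.40.20 on port 9100 should fail and produce an MFD-DENY-IN log line, while the same attempt from the print server succeeds, and the kernel log entries are objective evidence that the segmentation is enforced rather than merely documented.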
The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?
ESP
People
Facilities
Technology
Understanding Asset Types in CMMC 2.0
In CMMC 2.0, assets are categorized by their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The CMMC Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.
The CMMC Scoping Guidance describes assets in terms of four asset types:
People (personnel who handle FCI/CUI)
Technology (hardware, software, firmware, and networks that store, process, or transmit FCI/CUI)
Facilities (physical locations and secure areas housing FCI/CUI)
External Service Providers (ESPs: outside organizations such as cloud providers or managed service providers that handle FCI/CUI on the contractor's behalf)
For a Level 1 Self-Assessment those assets are then categorized as FCI Assets (in scope), Specialized Assets, or Out-of-Scope Assets; the Level 2 guidance adds CUI Assets, Security Protection Assets, and Contractor Risk Managed Assets.
Why "Technology" Is the Correct Answer
The IT manager is evaluating servers, laptops, databases, and applications, all of which are technology assets used to store, process, or transmit FCI.
According to the CMMC Scoping Guidance, technology assets include:
✅ Endpoints (laptops, workstations, mobile devices)
✅ Servers (on-premises or cloud-hosted)
✅ Networking devices (routers, firewalls, switches)
✅ Applications (installed software, cloud-based tools)
✅ Databases (storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset type is Technology (Option D).
Why the Other Answers Are Incorrect
A. ESP ❌ Incorrect. An External Service Provider is an outside organization that provides services or systems to the OSC; the servers, laptops, databases, and applications in the question are the company's own technology.
B. People ❌ Incorrect. While employees handle FCI, the question concerns hardware and software, which fall under Technology, not People.
C. Facilities ❌ Incorrect. Facilities are the physical buildings or secured areas where FCI/CUI is stored or processed. Servers, laptops, and applications are not facilities.
CMMC Official References
CMMC Level 1 Scoping Guide – Defines the asset types, including Technology, and the Level 1 asset categories.
CMMC Level 2 Scoping Guide – Defines the additional Level 2 asset categories.
Thus, option D (Technology) is the correct choice per official CMMC 2.0 scoping guidance.
The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?
FBI CUI Introduction to Marking
NARA CUI Introduction to Marking
C3PAO CUI Introduction to Marking
CMMC-AB CUI Introduction to Marking
The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.
The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.
In the CMMC Model, how many practices are included in Level 2?
17 practices
72 practices
110 practices
180 practices
CMMC Level 2 is designed to align fully with NIST SP 800-171, which consists of 110 security requirements (practices).
This means all 110 practices from NIST SP 800-171 are required for a CMMC Level 2 certification.
How Many Practices Are Included in CMMC Level 2? Breakdown of Practices in CMMC 2.0
Level 1 – 15 practices (basic safeguarding per FAR 52.204-21; enumerated as 17 practices in the 2021 CMMC 2.0 model overview)
Level 2 – 110 practices (aligned with NIST SP 800-171)
Level 3 – the 110 Level 2 practices plus 24 selected requirements from NIST SP 800-172
Since CMMC Level 2 mandates all 110 NIST SP 800-171 practices, the correct answer is C. 110 practices.
Why the Other Answers Are Incorrect
A. 17 practices ❌ Incorrect. 17 (now counted as 15) is the Level 1 figure, not Level 2.
B. 72 practices ❌ Incorrect. No CMMC 2.0 level has 72 practices (72 was the cumulative count for Level 2 of the retired CMMC 1.0 model).
D. 180 practices ❌ Incorrect. CMMC Level 2 requires 110 practices, not 180.
CMMC Official References
CMMC 2.0 Model – Confirms that Level 2 includes 110 practices aligned with NIST SP 800-171.
NIST SP 800-171 Rev. 2 – Defines the 110 security requirements for handling Controlled Unclassified Information (CUI).
Thus, option C (110 practices) is the correct answer, as per official CMMC guidance.
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Organizational operations, business assets, and employees
Organizational operations, business processes, and employees
Organizational operations, organizational assets, and individuals
Organizational operations, organizational processes, and individuals
The Risk Assessment (RA) domain aligns with NIST SP 800-171 requirement family 3.11 (Risk Assessment) and is designed to help organizations identify, assess, and manage cybersecurity risks that could impact their operations.
The RA.L2-3.11.1 practice (Risk Assessments) is a CMMC Level 2 requirement and states:
"Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
✅ Organizational operations (e.g., mission, functions, business continuity, reputation)
✅ Organizational assets (e.g., data, IT systems, intellectual property)
✅ Individuals (e.g., employees, contractors, and customers affected by security risks)
Thus, the correct answer is C. Organizational operations, organizational assets, and individuals.
Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees ❌ Incorrect. "Business assets" and "employees" are not the terms used in NIST SP 800-171; the requirement says "organizational assets" and "individuals" (which is broader than employees).
B. Organizational operations, business processes, and employees ❌ Incorrect. "Business processes" is not part of the requirement's scope, which names organizational assets and individuals.
D. Organizational operations, organizational processes, and individuals ❌ Incorrect. The requirement names organizational assets, not organizational processes.
CMMC Official References
CMMC 2.0 Model (Level 2 – RA.L2-3.11.1; the retired CMMC 1.0 identifier for the same NIST requirement was RA.2.141) – Specifies that risk assessments must cover organizational operations, organizational assets, and individuals.
NIST SP 800-171 Rev. 2 (3.11.1) – Source text of the requirement.
Thus, option C (Organizational operations, organizational assets, and individuals) is the correct answer based on official CMMC risk assessment requirements.
Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?
FAR 52.204-21
22CFR 120-130
DFARS 252.204-7011
DFARS 252.204-7021
1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
CMMC Level 1 is designed to ensure basic safeguarding of FCI and consists of the 15 security requirements found in FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
Contractors handling only FCI must meet CMMC Level 1, which aligns directly with the safeguarding requirements set in FAR 52.204-21.
2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance
FAR 52.204-21 establishes the baseline cybersecurity controls that contractors must implement to protect FCI.
The 15 basic safeguarding requirements in FAR 52.204-21(b)(1) are:
(i) Limit system access to authorized users, processes acting on behalf of authorized users, and devices.
(ii) Limit system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, and devices.
(vi) Authenticate (or verify) the identities of those users, processes, and devices before allowing access.
(vii) Sanitize or destroy system media containing FCI before disposal or release for reuse.
(viii) Limit physical access to systems, equipment, and operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.
(x) Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
These 15 requirements form the foundation of the CMMC Level 1 Self-Assessment, ensuring contractors meet minimum cybersecurity expectations for handling FCI. Note that multi-factor authentication, system audit logging, risk assessments, and incident response are NIST SP 800-171 requirements that appear at CMMC Level 2, not at Level 1.
3. Why the Other Options Are Incorrect
B. 22 CFR 120-130:
This is the International Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services, not FCI safeguarding requirements.
C. DFARS 252.204-7011:
This clause, Alternative Line-Item Structure, concerns contract line-item structure and does not pertain to cybersecurity or safeguarding FCI.
D. DFARS 252.204-7021:
This clause imposes the CMMC requirement (the contractor must hold the required CMMC level) but does not define the basic safeguarding controls themselves; those come from FAR 52.204-21 for Level 1.
4. Official CMMC 2.0 Reference & Study Guide Alignment
The CMMC 2.0 model documentation confirms that Level 1 consists of the 15 requirements of FAR 52.204-21.
The DoD's CMMC Assessment Guide for Level 1 states that meeting FAR 52.204-21 is the requirement for a Level 1 Self-Assessment.
The CMMC Level 1 Scoping Guide clarifies that contractors handling only FCI and seeking Level 1 need implement only the FAR 52.204-21 safeguarding requirements.
Final Confirmation: The correct answer is A. FAR 52.204-21, as it directly governs the basic safeguarding of FCI and is the foundational requirement for a Level 1 Self-Assessment in CMMC 2.0.
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?
All three types of evidence are documented for every control.
Examine and accept evidence from one of the three evidence types.
Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
This question pertains to the minimum evidence requirements needed by a CMMC Assessment Team to score a practice as MET during a Level 2 Assessment.
A CMMC Level 2 assessment must align with NIST SP 800-171A and follow the procedures in the CMMC Assessment Process (CAP) Guide v1.0, particularly its evidence collection and scoring methodology.
✅ Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0
CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices: "To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration)."
This means at least two of the following evidence types are required:
Examine (documentation/artifacts),
Interview (affirmation from personnel),
Test (demonstration of implementation).
✅ Step 2: Clarify the Official Minimum Standard for a Practice to Be Scored MET
The CAP states: "A practice can only be scored MET when a minimum of two types of evidence from the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated."
The evidence must come from two different categories, for example:
An artifact (Examine) + an interview affirmation (Interview),
A demonstration (Test) + an interview (Interview),
Etc.
This corroboration ensures that the control is implemented, documented, and understood by personnel, a core principle in assessing effective cybersecurity implementation.
❌ Why the Other Options Are Incorrect
A. All three types of evidence are documented for every control ✘ Incorrect: Collecting all three types (E-I-T) strengthens the assessment, but the minimum is two. All three are not required for a practice to be scored MET.
B. Examine and accept evidence from one of the three evidence types ✘ Incorrect: This fails the CAP's two-evidence-type minimum. Single-source evidence is not sufficient to score a practice as MET.
C. Complete one of the following: examine two artifacts, observe one demonstration, or receive one affirmation ✘ Incorrect: Even if two artifacts are examined, that is still only one type of evidence (Examine). The CAP requires two types, not two instances of the same type.
✅ Why D Is Correct
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
✔ This directly reflects the CAP's requirement to collect two different types of objective evidence before a practice is scored MET.
BLUF (Bottom Line Up Front): To score a CMMC Level 2 practice as MET, the Assessment Team must collect a minimum of two distinct types of evidence from the Examine, Interview, Test (E-I-T) categories, as required by the CMMC Assessment Process (CAP) v1.0.
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?
CUI Asset
In-scope Asset
Specialized Asset
Contractor Risk Managed Asset
This question deals with asset categorization during a CMMC Level 1 Self-Assessment. The organization is manufacturing specialized parts for the DoD, but Level 1 of CMMC only concerns Federal Contract Information (FCI), not Controlled Unclassified Information (CUI). Therefore, asset categorization should follow the CMMC Scoping Guidance for Level 1.
✅ Step 1: Understand CMMC Level 1 and FCI
Level 1 Objective:
Implement basic safeguarding requirements as per FAR 52.204-21.
Applies to systems thatstore, process, or transmit FCI.
Self-assessments are permitted and required annually.
Source Reference:
CMMC Scoping Guidance – Level 1 (v1.0)
https://dodcio.defense.gov/CMMC
✅Step 2: What is an “In-scope Asset”?
CMMC Scoping Guidance – Level 1 defines In-scope assets as:
“Assets that process, store, or transmit FCI or provide security protection for such assets.”
In this scenario:
The machining company is performing contract work (manufacturing DoD parts).
The testing is done internally, implying the systems and equipment used in testing and documentation are directly supporting the contract.
These systems likely handle FCI such as technical specifications, purchase orders, or test reports.
➡️ Therefore, the equipment and systems used in testing are considered In-scope Assets under Level 1.
❌ Why the Other Options Are Incorrect
A. CUI Asset
✘ Incorrect for Level 1:
CUI is only in scope at CMMC Level 2 and Level 3.
Level 1 is concerned with FCI, not CUI.
C. Specialized Asset
✘ Incorrect definition:
Specialized assets (defined in CMMC Level 2 Scoping) include IoT, OT, ICS, GFE, and similar types of non-enterprise assets that may require alternative treatment.
This classification is not used in Level 1 Scoping.
D. Contractor Risk Managed Asset
✘ Incorrect:
Also defined under CMMC Level 2 Scoping only.
These are assets that are not security-protected but are managed via risk-based decisions.
This term is not applicable for CMMC Level 1 assessments.
✅ Step 3: Alignment with Official Documentation
According to the CMMC Scoping Guidance for Level 1:
“The assets within the self-assessment scope are those that process, store, or transmit FCI. These assets are considered ‘in-scope.’”
No other asset categorization (such as CUI asset, specialized asset, or contractor risk managed asset) is used at Level 1.
BLUF (Bottom Line Up Front):
For a CMMC Level 1 Self-Assessment, the only asset category officially recognized is the In-scope Asset: any asset that handles or protects FCI. Since the company's internal testing operations are part of fulfilling the DoD contract, the systems and staff involved are in scope.
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
Access control
Physical access control
Mandatory access control
Discretionary access control
Understanding Access Control in CMMC
Access control refers to the process of granting or denying specific requests to:
Obtain and use information
Access information processing services
Enter specific physical locations
The Access Control (AC) domain in CMMC is based on NIST SP 800-171 (3.1 Access Control family) and includes requirements to:
✅ Implement policies for granting and revoking access.
✅ Restrict access to authorized personnel only.
✅ Protect physical and digital assets from unauthorized access.
Since the question broadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer is A. Access Control.
Why the Other Answers Are Incorrect
B. Physical access control ❌ Incorrect. Physical access control is a subset of access control that only applies to physical locations (e.g., keycards, security guards, biometrics). The question includes information and services, making general access control the correct choice.
C. Mandatory access control (MAC) ❌ Incorrect. MAC is a specific type of access control where access is strictly enforced based on security classifications (e.g., Top Secret, Secret, Confidential). The question does not specify MAC, so this is incorrect.
D. Discretionary access control (DAC) ❌ Incorrect. DAC is another specific type of access control, where owners of data decide who can access it. The question asks generally about granting/denying access, making access control (A) the best answer.
CMMC Official References
CMMC 2.0 Model – AC.L2-3.1.1 to AC.L2-3.1.22 – Covers access control requirements, including controlling access to information, services, and physical spaces.
NIST SP 800-171 (3.1 – Access Control Family) – Defines the general principles of access control.
Thus, option A (Access Control) is the correct answer, as it best aligns with CMMC access control requirements.
A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?
FCI Assets
Specialized Assets
Out-of-Scope Assets
Government-Issued Assets
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.
Asset Categories as per CMMC 2.0:
FCI Assets – These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets – These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets – Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets – Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets – These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.
Why the Correct Answer is C. Out-of-Scope Assets?
The question specifies that the identified asset does not process, store, or transmit FCI.
According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls.
Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021) – Defines out-of-scope assets as those that are within an OSC’s environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide – Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide – Identifies the classification of assets in an OSC’s environment to determine compliance requirements.
Final Justification:
Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).
A Lead Assessor is performing a CMMC readiness review. The Lead Assessor has already recorded the assessment risk status and the overall assessment feasibility. At MINIMUM, what remaining readiness review criteria should be verified?
Determine the practice pass/fail results.
Determine the preliminary recommended findings.
Determine the initial model practice ratings and record them.
Determine the logistics, Assessment Team, and the evidence readiness.
Understanding the CMMC Readiness Review Process
A Lead Assessor conducting a CMMC Readiness Review evaluates whether an Organization Seeking Certification (OSC) is prepared for a formal assessment.
After recording the assessment risk status and overall assessment feasibility, the minimum remaining criteria to be verified include:
Logistics Planning – Ensuring that the assessment timeline, locations, and necessary resources are in place.
Assessment Team Preparation – Confirming that assessors and required personnel are available and briefed.
Evidence Readiness – Ensuring the OSC has gathered all required artifacts and documentation for review.
Breakdown of Answer Choices
A. Determine the practice pass/fail results. ❌ Incorrect – Happens during the formal assessment, not the readiness review.
B. Determine the preliminary recommended findings. ❌ Incorrect – Findings are only made after the full assessment.
C. Determine the initial model practice ratings and record them. ❌ Incorrect – Ratings are assigned during the assessment, not the readiness review.
D. Determine the logistics, Assessment Team, and the evidence readiness. ✅ Correct – Essential readiness criteria that must be confirmed before the assessment starts.
Official Reference from CMMC 2.0 Documentation
The CMMC Assessment Process Guide (CAP) states that the readiness review ensures logistics, assessment team availability, and evidence readiness are verified.
Final Verification and Conclusion
The correct answer is D. Determine the logistics, Assessment Team, and the evidence readiness. This aligns with CMMC readiness review requirements.
According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?
Least privilege
Essential concern
Least functionality
Separation of duties
Understanding the Principle of Least Functionality in the CM Domain
The Configuration Management (CM) domain in CMMC 2.0 focuses on maintaining the security and integrity of an organization’s systems through controlled configurations and restrictions on system capabilities.
Justification for the Correct Answer: Least Functionality (C)
The principle of Least Functionality refers to limiting a system’s features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.
CMMC Practice CM.L2-3.4.6 (Use Least Functionality) explicitly states: "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
The goal is to prevent unauthorized or unnecessary applications, services, and ports from running on the system.
Examples of Implementation:
Disabling unnecessary services, such as remote desktop access if not required.
Restricting software installation to approved applications.
Blocking unused network ports and protocols.
Why Other Options Are Incorrect
A. Least Privilege
This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.
It is relevant to CMMC Practice AC.L2-3.1.5 (Least Privilege) but does not define system capabilities.
B. Essential Concern
There is no officially recognized cybersecurity principle called "Essential Concern" in CMMC, NIST, or related frameworks.
D. Separation of Duties
This principle (covered under CMMC AC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.
While important for security, it does not define essential system capabilities.
Official CMMC and NIST References
CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain
CM.L2-3.4.6 mandates least functionality to enhance security by removing unnecessary features.
NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6
States: "Limit system functionality to only the essential capabilities required for organizational missions or business functions."
NIST SP 800-53 – Control CM-7 (Least Functionality)
Provides detailed recommendations on configuring systems to operate with only necessary features.
Conclusion
The principle of Least Functionality (C) is the basis for defining essential system capabilities in the Configuration Management (CM) domain of CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
Clear, purge, destroy
Clear, redact, destroy
Clear, overwrite, purge
Clear, overwrite, destroy
Understanding NIST SP 800-88 Rev. 1 and Media Sanitization
The NIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance on secure disposal of data from various types of storage media to prevent unauthorized access or recovery.
Clear
Uses logical techniques to remove data from media, making it difficult to recover using standard system functions.
Example: Overwriting all data with binary zeros or ones on a hard drive.
Applies to: Magnetic media, solid-state drives (SSD), and non-volatile memory when the media is reused within the same security environment.
Purge
Uses advanced techniques to make data recovery infeasible, even with forensic tools.
Example: Degaussing a magnetic hard drive or cryptographic erasure (deleting encryption keys).
Applies to: Media that is leaving organizational control or requires a higher level of assurance than "Clear".
Destroy
Physically damages the media so that data recovery is impossible.
Example: Shredding, incinerating, pulverizing, or disintegrating storage devices.
Applies to: Highly sensitive data that must be permanently eliminated.
B. Clear, Redact, Destroy (Incorrect) – "Redact" is a term used for document sanitization, not data disposal.
C. Clear, Overwrite, Purge (Incorrect) – "Overwrite" is a method within "Clear," but it is not a top-level category in NIST SP 800-88.
D. Clear, Overwrite, Destroy (Incorrect) – "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.
The correct answer is A. Clear, Purge, Destroy, as these are the three official categories of data disposal in NIST SP 800-88 Revision 1.
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Conduct a penetration test
Interview the intrusion detection system's supplier.
Upload known malicious code and observe the system response.
Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practice SI.L2-3.14.6 from NIST SP 800-171 (aligned with CMMC Level 2) requires an organization to monitor organizational communications for indicators of attack. This typically includes:
✅ Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
✅ Log analysis and network monitoring
✅ Incident response planning for detected threats
As part of a CMMC Level 2 assessment, the Certified CMMC Assessor (CCA) must ensure that the OSC (Organization Seeking Certification) has properly implemented and documented its monitoring capabilities.
Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?
The CCA must collect sufficient objective evidence to determine compliance.
Reviewing an artifact (such as system configurations, IDS/IPS logs, or security policies) helps validate that intrusion detection is properly implemented.
Configuration settings provide direct evidence of whether monitoring for attacks is effectively applied.
Breakdown of Answer Choices
A. Conduct a penetration test ❌ Incorrect – Penetration testing is not required for CMMC Level 2 assessments and falls outside an assessor's responsibilities.
B. Interview the intrusion detection system's supplier. ❌ Incorrect – The supplier does not determine compliance; the assessor needs evidence from the OSC’s implementation.
C. Upload known malicious code and observe the system response. ❌ Incorrect – This would be invasive testing, which is not part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems. ✅ Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official References from CMMC 2.0 and NIST SP 800-171 Documentation
NIST SP 800-171 SI.L2-3.14.6 – Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP) – Describes artifact review as an essential assessment method.
Final Verification and Conclusion
The correct answer is D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
This aligns with CMMC 2.0 Level 2 assessment requirements and SI.L2-3.14.6 compliance verification.
A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?
Performed in groups for more efficient use of resources
Recorded for inclusion in the Final Recommended Findings report
Confidential and non-attributable so interviewees can speak without fear of reprisal
Mapped to specific CMMC practices to clearly delineate which practice is being evaluated
Understanding the Role of a CCP in CMMC Assessments
A Certified CMMC Professional (CCP) is responsible for assisting Certified CMMC Assessors (CCA) in evaluating an Organization Seeking Certification (OSC) during a CMMC assessment. One key aspect of this process is conducting interviews with Subject Matter Experts (SMEs) to verify security practices.
Ensuring that interviewees can speak freely without fear of retaliation is critical to obtaining accurate and unbiased information about the implementation of security controls.
Step-by-Step Breakdown:
CMMC Assessment Process and the Role of Interviews
The CMMC Assessment Guide (Level 2) outlines that interviews are conducted to confirm that security practices are effectively implemented.
Interviewees must feel comfortable sharing candid responses without concern that their statements will lead to negative consequences within the organization.
Ensuring Confidentiality and Non-Attribution
DoD Assessment Methodology specifies that interviews should be conducted confidentially to protect the identity of interviewees.
The CMMC Code of Professional Conduct (CoPC) for assessors and professionals reinforces the requirement to maintain the confidentiality of assessment participants.
Non-attribution ensures that responses are used for evaluation purposes without linking statements to specific individuals.
Why the Other Answer Choices Are Incorrect:
(A) Performed in groups for more efficient use of resources:
Group interviews may prevent individuals from speaking openly.
Employees might be hesitant to contradict leadership or peers.
(B) Recorded for inclusion in the Final Recommended Findings report:
Interviews are not directly recorded or attributed in assessment reports.
Instead, findings are documented without identifying specific individuals.
(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:
While responses inform which practices are being assessed, the primary goal of an interview is to ensure accurate, unbiased information gathering.
Final Validation from CMMC Documentation:
According to the CMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality is crucial to gathering accurate and unbiased responses. This makes confidentiality and non-attribution the correct answer.
Thus, the correct answer is:
C. Confidential and non-attributable so interviewees can speak without fear of reprisal.
Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:
GUI Assets.
CUI and Security Protection Asset categories.
all asset categories except for the Out-of-scope Assets.
Contractor Risk Managed Assets and Specialized Assets.
Under CMMC Level 2, contractors are required to identify, document, and categorize assets involved in handling Controlled Unclassified Information (CUI). This is part of the scoping process, which ensures that all security-relevant assets are properly protected and accounted for in the System Security Plan (SSP), asset inventory, and network diagram.
Step-by-Step Breakdown:
CMMC Scoping Requirements for Level 2 Assessments:
The CMMC Scoping Guide (CMMC v2.0) identifies four asset categories:
CUI Assets: Systems that store, process, or transmit CUI.
Security Protection Assets (SPA): Systems providing security functions for CUI Assets (e.g., firewalls, SIEMs).
Contractor Risk Managed Assets (CRMA): Assets that interact with CUI but are not directly controlled by the organization (e.g., personal devices).
Specialized Assets: These include IoT devices, OT systems, and Government Furnished Equipment (GFE) that may require specific security controls.
Where Documentation is Required:
The contractor must document all assets (except out-of-scope assets) in:
The System Security Plan (SSP): A key document detailing security controls and asset categorization.
An asset inventory: Lists all in-scope assets (CUI Assets, SPAs, CRMA, and Specialized Assets).
The network diagram: Provides a visual representation of system connectivity and security boundaries.
Why Out-of-Scope Assets Are Excluded:
The CMMC Scoping Guide specifically states that Out-of-Scope Assets are not required to be documented in these compliance artifacts because they have no direct or indirect interaction with CUI.
These assets do not require CMMC controls because they are completely isolated from CUI handling environments.
Why the Other Answer Choices Are Incorrect:
(A) GUI Assets: There is no specific "GUI Asset" category in CMMC scoping.
(B) CUI and Security Protection Asset categories: While these are included, this answer excludes Contractor Risk Managed and Specialized Assets, which are also required.
(D) Contractor Risk Managed Assets and Specialized Assets: These assets are included in scoping, but this answer excludes CUI Assets and Security Protection Assets, making it incomplete.
Final Validation from CMMC Documentation:
According to the CMMC Assessment Scope Level 2 Guide, all in-scope assets must be documented in the SSP, inventory, and network diagram. The only assets excluded are Out-of-Scope Assets.
Thus, the correct answer is:
C. All asset categories except for the Out-of-Scope Assets.
A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?
FCI Assets
Specialized Assets
Out-of-Scope Assets
Operational Technology Assets
Understanding CMMC Asset Categorization
The CMMC 2.0 Scoping Guide defines how assets are categorized based on their involvement with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In this scenario:
The government services division interacts with federal clients and receives FCI, making its assets in-scope for CMMC Level 1.
The commercial services division interacts only with non-federal clients and does not handle FCI; this means its assets are not subject to CMMC Level 1 requirements and should be classified as Out-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per the CMMC Scoping Guide, assets that:
✅ Do not store, process, or transmit FCI/CUI
✅ Do not directly impact the security of in-scope assets
✅ Are completely segregated from the FCI/CUI environment
are classified as Out-of-Scope Assets.
Since the commercial services division only processes publicly available information and has no interaction with FCI, its assets are out-of-scope for the CMMC Level 1 assessment.
Why the Other Answers Are Incorrect
A. FCI Assets ❌ Incorrect. FCI assets are only those that store, process, or transmit FCI. The commercial services division does not handle FCI, so its assets do not qualify.
B. Specialized Assets ❌ Incorrect. Specialized assets refer to Internet of Things (IoT), Operational Technology (OT), and test equipment. These do not apply to a general commercial services division.
D. Operational Technology Assets ❌ Incorrect. Operational Technology (OT) Assets involve industrial control systems, SCADA, and manufacturing equipment, which are not relevant to this scenario.
CMMC Official References
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option C (Out-of-Scope Assets) is the correct answer based on official CMMC scoping guidance.
A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?
Gathering evidence
Review of the OSC's SSP
Overview of the assessment process
Examination of the artifacts for sufficiency
What is Required in the CMMC Assessment Kickoff and Opening Briefing?
Before starting a CMMC assessment, the Lead Assessor must present an opening briefing to ensure that the Organization Seeking Certification (OSC) understands the assessment process.
Step-by-Step Breakdown:
✅ 1. Overview of the Assessment Process
The Lead Assessor must explain the CMMC assessment methodology, including:
The assessment objectives and scope
How the assessment team will review security controls
What to expect during interviews, testing, and document review
This ensures transparency and alignment between the assessors and the OSC.
✅ 2. Why the Other Answer Choices Are Incorrect:
(A) Gathering Evidence ❌
Evidence collection is part of the assessment but not the primary topic of the opening briefing.
(B) Review of the OSC's SSP ❌
While the SSP is a key document, reviewing it is part of the assessment, not the kickoff briefing.
(D) Examination of the artifacts for sufficiency ❌
Artifact review happens later in the assessment process, not during the kickoff.
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide states that the opening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.
Thus, the correct answer is:
✅ C. Overview of the assessment process.
During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope. Who is responsible for verifying this request?
CCP
C3PAO
Lead Assessor
Advisory Board
During a CMMC readiness review, an Organization Seeking Certification (OSC) may argue that a specific enclave (network segment or system) is out of scope for assessment. The Lead Assessor is responsible for verifying and approving this request.
Roles and Responsibilities in CMMC Assessments:
Certified CMMC Professional (CCP)
A CCP supports OSCs in preparing for assessments but does not make final scope determinations.
Certified Third-Party Assessment Organization (C3PAO)
The C3PAO oversees the assessment but does not personally verify scope exclusions; that falls under the Lead Assessor’s role.
Lead Assessor (Correct Answer)
The Lead Assessor has the authority to determine if an enclave is out of scope based on OSC-provided evidence.
The Lead Assessor follows CMMC Assessment Process (CAP) guidelines to ensure proper scoping.
Advisory Board
The CMMC-AB (Advisory Board) does not make scope determinations. It focuses on program oversight and certification processes.
Official References Supporting the Correct Answer:
CMMC Assessment Process (CAP) v1.0
The Lead Assessor is responsible for confirming the assessment scope and determining enclave applicability.
CMMC Scoping Guidance for Level 2 Assessments
Requires the Lead Assessor to review and approve any enclave exclusions before finalizing the assessment scope.
Conclusion:
The Lead Assessor is the correct answer because they have the authority to verify scope determinations during the assessment.
✅ Correct Answer: C. Lead Assessor
During the assessment process, who is the final interpretation authority for recommended findings?
C3PAO
CMMC-AB
OSC sponsor
Assessment Team Members
Final Interpretation Authority in the CMMC Assessment Process
During a CMMC Level 2 assessment, several entities are involved in the process, including the Organization Seeking Certification (OSC), Certified Third-Party Assessment Organization (C3PAO), Assessment Team Members, and the CMMC Accreditation Body (CMMC-AB).
Role of the C3PAO and Assessment Team:
The Certified Third-Party Assessment Organization (C3PAO) is responsible for conducting the assessment and making initial recommended findings based on NIST SP 800-171 security requirements.
Assessment Team Members (Lead Assessor and support staff) conduct evaluations and submit their recommendations to the C3PAO.
Final Interpretation Authority – CMMC-AB:
The CMMC Accreditation Body (CMMC-AB) is responsible for ensuring consistency and accuracy in assessments.
If there is any dispute or need for clarification regarding findings, CMMC-AB provides the final interpretation and guidance.
This ensures uniformity in certification decisions across different C3PAOs.
Why CMMC-AB is the Correct Answer:
CMMC-AB has the ultimate authority over the quality assurance process for assessments.
It reviews remediation requests, challenges, or disputes from the OSC or C3PAO and makes final determinations.
The CMMC-AB maintains oversight to ensure assessments align with CMMC 2.0 policies and DFARS 252.204-7021 requirements.
A. C3PAO – The C3PAO conducts the assessment and submits findings, but it does not have the final interpretation authority. Findings must pass through the CMMC-AB quality assurance process.
C. OSC Sponsor – The OSC (Organization Seeking Certification) cannot interpret findings; they can only respond to identified deficiencies and appeal assessments through CMMC-AB channels.
D. Assessment Team Members – The assessment team recommends findings but does not make final interpretations. Their role is limited to conducting evaluations, collecting evidence, and submitting reports to the C3PAO.
What is the BEST description of the purpose of FAR clause 52.204-21?
It directs all covered contractors to install the cyber security systems listed in that clause.
It describes all of the safeguards that contractors must take to secure covered contractor IS.
It describes the minimum standard of care that contractors must take to secure covered contractor IS.
It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.
Understanding FAR Clause 52.204-21
The Federal Acquisition Regulation (FAR) Clause 52.204-21 is titled "Basic Safeguarding of Covered Contractor Information Systems." This clause establishes minimum cybersecurity requirements for federal contractors that handle Federal Contract Information (FCI).
Key Purpose of FAR Clause 52.204-21
The primary objective of FAR 52.204-21 is to ensure that contractors apply basic cybersecurity protections to their information systems that process, store, or transmit FCI. These minimum safeguarding requirements serve as a baseline security standard for contractors doing business with the U.S. government.
Why "Minimum Standard of Care" is Correct?
FAR 52.204-21 does not require contractors to install specific cybersecurity tools (eliminating option A).
It outlines only the minimum safeguards, not all cybersecurity controls needed for complete security (eliminating option B).
CMMC certification is not mandated by this clause alone (eliminating option D).
Instead, it establishes a baseline "standard of care" that all federal contractors must follow to protect FCI (making option C correct).
Breakdown of Answer Choices
A. It directs all covered contractors to install the cybersecurity systems listed in that clause.
❌ Incorrect – The clause does not specify tools or require specific cybersecurity systems.
B. It describes all of the safeguards that contractors must take to secure covered contractor IS.
❌ Incorrect – It only sets minimum requirements, not all possible security measures.
C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.
✅ Correct – The clause defines basic safeguards as a minimum security standard.
D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.
❌ Incorrect – FAR 52.204-21 does not mandate CMMC certification; that requirement comes from DFARS 252.204-7012 and 7021.
Minimum Safeguarding Requirements Under FAR 52.204-21
The clause defines 15 basic security controls, which align with CMMC Level 1. Some examples include:
✅ Access Control – Limit access to authorized users.
✅ Identification & Authentication – Authenticate system users.
✅ Media Protection – Sanitize media before disposal.
✅ System & Communications Protection – Monitor and control network connections.
Official References from CMMC 2.0 and FAR Documentation
FAR 52.204-21 – Establishes the basic safeguarding requirements for FCI.
CMMC 2.0 Level 1 – Directly aligns with FAR 52.204-21 controls.
Final Verification and Conclusion
The correct answer is C. It describes the minimum standard of care that contractors must take to secure covered contractor IS. This aligns with FAR 52.204-21 requirements as a baseline security standard for FCI.
At which CMMC Level do the Security Assessment (CA) practices begin?
Level 1
Level 2
Level 3
Level 4
Step 1: Understand the "CA" Domain – Security Assessment
The CA (Security Assessment) domain includes practices related to:
Planning security assessments,
Performing periodic reviews,
Managing plans of action and milestones (POA&Ms).
These practices derive from NIST SP 800-171, specifically:
CA.2.157 – Develop, document, and periodically update security plans,
CA.2.158 – Periodically assess security controls,
CA.2.159 – Develop and implement POA&Ms.
✅ Step 2: Review CMMC Levels
Level 1 (Foundational):
Implements only the 17 practices from FAR 52.204-21
Does not include the CA domain
Level 2 (Advanced):
Implements 110 practices from NIST SP 800-171, including CA.2.157–159
First level where Security Assessment (CA) practices are required
Level 3:
Not yet finalized but intended to include selected controls from NIST SP 800-172
❌ Why the Other Options Are Incorrect
A. Level 1 ✘ No CA domain practices are present at Level 1.
C. Level 3 / D. Level 4 ✘ These levels build on CA practices but do not represent the starting point.
The Security Assessment (CA) domain practices begin at CMMC Level 2, as part of the implementation of NIST SP 800-171.
An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.
Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.
Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.
Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.
Best Practices for Handling Sensitive Assessment Information
CMMC assessments involve handling sensitive and potentially CUI-related documents. Assessors must follow strict security policies to avoid unauthorized access, data leaks, or non-compliance with CMMC 2.0 and NIST SP 800-171 requirements.
Why Logging into the Client VPN on the Client Laptop is the Best Approach:
Ensures Data Protection: The client laptop is likely configured to meet the security controls required for handling assessment-related materials.
Prevents Data Spillage: Keeping all assessment-related activities within the client's secured environment reduces the risk of data leakage or unauthorized storage.
Maintains Compliance with CMMC/NIST Guidelines: Using a properly configured client laptop and a secured connection ensures compliance with NIST SP 800-171 controls on secure remote access (Requirement 3.13.12).
A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."
Incorrect → Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized system violates data handling best practices.
C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."
Incorrect → The assessor's laptop may not be authorized or secured to handle client data. CMMC guidelines emphasize using approved, secured systems for assessment-related information.
D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."
Incorrect →
Transferring sensitive documents via USB introduces security risks, including unauthorized data storage and potential malware contamination.
Home office workstations are unlikely to be authorized for handling CMMC-sensitive data.
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
OSC and Sponsor
OSC and CMMC-AB
Lead Assessor and C3PAO
C3PAO and Assessment Official
Understanding the CMMC Level 2 Assessment Process
When an Organization Seeking Certification (OSC) engages a Certified Third-Party Assessment Organization (C3PAO) to conduct a CMMC Level 2 Assessment, an Assessment Plan is developed to outline the scope, methodology, and logistics of the assessment.
According to the CMMC Assessment Process (CAP) Guide, the Assessment Plan must be formally agreed upon and signed off by:
Lead Assessor – The individual responsible for overseeing the execution of the assessment.
C3PAO (Certified Third-Party Assessment Organization) – The entity conducting the assessment.
The Lead Assessor ensures that the Assessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.
The C3PAO provides organizational approval, confirming that the assessment is conducted according to CMMC-AB rules and contractual agreements.
A. OSC and Sponsor (Incorrect)
The OSC (Organization Seeking Certification) is involved in planning but does not sign off on the plan.
A sponsor is not part of the sign-off process in CMMC assessments.
B. OSC and CMMC-AB (Incorrect)
The OSC does not formally approve the Assessment Plan; this responsibility belongs to the assessment team.
The CMMC-AB does not sign off on individual Assessment Plans.
D. C3PAO and Assessment Official (Incorrect)
"Assessment Official" is not a defined role in the CMMC assessment process.
The C3PAO is involved, but it must be the Lead Assessor who signs off, not an unspecified official.
The correct answer is C. Lead Assessor and C3PAO.
The Lead Assessor ensures assessment integrity, while the C3PAO provides official authorization.
Which government agency are DoD contractors required to report breaches of CUI to?
FBI
NARA
DoD Cyber Crime Center
Under Secretary of Defense for Intelligence and Security
Who Do DoD Contractors Report CUI Breaches To?
Per DFARS 252.204-7012, all DoD contractors handling Controlled Unclassified Information (CUI) must report cyber incidents to the DoD Cyber Crime Center (DC3).
Key Reporting Requirements
✅ Cyber incidents involving CUI must be reported to DC3 within 72 hours.
✅ Reports must be submitted via the DoD's Cyber Incident Reporting Portal.
✅ Contractors must preserve forensic evidence for potential investigation.
Why "DoD Cyber Crime Center" is Correct?
The FBI (Option A) handles criminal investigations, but DoD contractors must report cyber incidents to DC3.
NARA (Option B) oversees the CUI Registry, but is not responsible for breach reporting.
The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.
Breakdown of Answer Choices
A. FBI
❌ Incorrect – The FBI handles criminal cases, not CUI breach reporting.
B. NARA
❌ Incorrect – NARA manages the CUI Registry, but does not handle breaches.
C. DoD Cyber Crime Center
✅ Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.
D. Under Secretary of Defense for Intelligence and Security
❌ Incorrect – This office does not handle cyber incident reports.
Official References from CMMC 2.0 and DFARS Documentation
DFARS 252.204-7012 – Requires DoD contractors to report CUI-related cyber incidents to DC3.
DoD Cyber Crime Center (DC3) Website – The official platform for cyber incident reporting.
Final Verification and Conclusion
The correct answer is C. DoD Cyber Crime Center, as per DFARS 252.204-7012, which mandates that all DoD contractors report CUI breaches to DC3 within 72 hours.
Which example represents a Specialized Asset?
SOCs
Hosted VPN services
Consultants who provide cybersecurity services
All property owned or leased by the government
Understanding Specialized Assets in CMMC
A Specialized Asset is defined as a system, device, or infrastructure component that is not a traditional IT system but still plays a role in cybersecurity or business operations.
Types of Specialized Assets (as per CMMC guidance):
✔ Operational Technology (OT) – Industrial control systems, SCADA systems.
✔ Security Operations Centers (SOCs) – Dedicated cybersecurity monitoring and response centers.
✔ IoT Devices – Smart sensors, embedded systems.
✔ Restricted IT Systems – Systems with highly controlled access.
Why is the Correct Answer "SOCs" (A)?
A. SOCs → Correct
Security Operations Centers (SOCs) are specialized cybersecurity environments used for threat monitoring, detection, and response.
They often operate outside standard IT infrastructure and are classified as specialized assets under CMMC.
B. Hosted VPN services → Incorrect
VPN services are standard IT infrastructure and do not qualify as specialized assets.
C. Consultants who provide cybersecurity services → Incorrect
Consultants are personnel, not specialized assets. Specialized assets refer to systems, devices, or infrastructure.
D. All property owned or leased by the government → Incorrect
Government property is not automatically considered a specialized asset under CMMC. Specialized assets refer to specific IT or cybersecurity-related infrastructure.
CMMC 2.0 References Supporting This Answer:
CMMC 2.0 Assessment Process (CAP) Document
Defines Specialized Assets and includes SOCs in its examples.
CMMC-AB Guidelines
Lists security infrastructure like SOCs as Specialized Assets due to their unique cybersecurity function.
NIST SP 800-171 & CMMC 2.0 Security Domains
Recognizes dedicated security monitoring environments as part of an organization's cybersecurity posture.
Final Answer: ✔ A. SOCs (Security Operations Centers)
Which document BEST determines the existence of FCI and/or CUI in scoping an assessment with an OSC?
OSC SSP
OSC POA&M
OSC Evidence
OSC Contract with DoD
Understanding DFARS Clause 252.204-7012
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 is a mandatory cybersecurity clause required in all DoD contracts and solicitations that involve Controlled Unclassified Information (CUI).
Key Requirements of DFARS 252.204-7012
✅ Implements NIST SP 800-171 security controls for contractors handling CUI.
✅ Requires cyber incident reporting to the DoD Cyber Crime Center (DC3) within 72 hours.
✅ Mandates adequate security measures to protect DoD information systems.
✅ Applies to all DoD contracts, except for those exclusively acquiring COTS items.
Why "All DoD Solicitations and Contracts" is Correct?
Option A (Correct): DFARS 252.204-7012 must be included in all DoD contracts and solicitations when CUI is involved.
Option B (Incorrect): FAR Part 12 procedures apply to commercial item acquisitions, but DFARS 7012 applies regardless of procurement procedures.
Option C (Incorrect): Contracts solely for COTS (Commercial Off-the-Shelf) products are exempt from DFARS 7012.
Option D (Incorrect): COTS items sold without modifications are not required to include DFARS 7012.
Official References from DoD and DFARS Documentation
DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
NIST SP 800-171 – The required cybersecurity standard for contractors under DFARS 7012.
Final Verification and Conclusion
QUESTION NO: 128
A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will be utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?
A. Identify resources and schedule.
B. Select Assessment Team members.
C. Identify and manage assessment risks.
D. Select and develop the evidence collection approach.
Answer: A
A Certified Third-Party Assessor Organization (C3PAO) is responsible for conducting CMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop an Assessment Plan, which includes several key elements.
The part of the plan that captures:
✅ Names of interviewees
✅ Facilities to be utilized
✅ Estimated costs
✅ Assessment schedule
falls under the "Identify Resources and Schedule" section of the plan.
Step-by-Step Breakdown:
✅ 1. Identify Resources and Schedule
This section of the CMMC Assessment Plan outlines:
The personnel involved (e.g., interviewees, assessors).
The locations where the assessment will take place.
The timeline and scheduling details.
The estimated costs associated with the assessment.
This ensures that all necessary resources are allocated and that the assessment proceeds as planned.
✅ 2. Why the Other Answer Choices Are Incorrect:
(B) Select Assessment Team Members ❌
This section focuses on choosing the assessors who will conduct the evaluation, not listing interviewees and facilities.
(C) Identify and Manage Assessment Risks ❌
This part of the plan documents risks (e.g., scheduling conflicts, data access issues), but it does not outline names, facilities, or costs.
(D) Select and Develop the Evidence Collection Approach ❌
This step defines how evidence will be gathered (e.g., document reviews, interviews, system testing) but does not focus on logistics.
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide states that resource identification and scheduling are essential for organizing the assessment. Since this section captures interviewees, facilities, costs, and the schedule, the correct answer is:
✅ A. Identify resources and schedule.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
DoD
CISA
NIST
CMMC-AB
The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0.
This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Which NIST SP discusses protecting CUI in nonfederal systems and organizations?
NIST SP 800-37
NIST SP 800-53
NIST SP 800-88
NIST SP 800-171
Understanding the Role of NIST SP 800-171 in CMMC
NIST Special Publication (SP) 800-171 is the definitive standard for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It provides security requirements that organizations handling CUI must implement to protect sensitive government information.
This document is the foundation of CMMC 2.0 Level 2 compliance, which aligns directly with NIST SP 800-171 Rev. 2 requirements.
Breakdown of Answer Choices
NIST SP 800-37 – Risk Management Framework (RMF)
Relevance to CMMC: Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.
NIST SP 800-53 – Security and Privacy Controls for Federal Systems
Relevance to CMMC: Provides security controls for federal information systems, not specifically tailored to nonfederal organizations handling CUI.
NIST SP 800-88 – Guidelines for Media Sanitization
Relevance to CMMC: Covers secure data destruction and disposal, not overall CUI protection.
NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Relevance to CMMC: ✅ Correct Answer – Directly addresses CUI protection in contractor systems.
Key Requirements from NIST SP 800-171
The document outlines 110 security controls grouped into 14 families, including:
Access Control (AC) – Restrict access to authorized users.
Audit and Accountability (AU) – Maintain system logs and monitor activity.
Incident Response (IR) – Establish an incident response plan.
System and Communications Protection (SC) – Encrypt CUI in transit and at rest.
These controls serve as the baseline requirements for organizations seeking CMMC Level 2 certification to work with CUI.
Official Reference from CMMC 2.0 Documentation
CMMC 2.0 Level 2 aligns directly with NIST SP 800-171 Rev. 2.
DoD contractors that handle CUI must comply with all 110 controls from NIST SP 800-171.
Final Verification and Conclusion
The correct answer is D. NIST SP 800-171, as this document explicitly defines the cybersecurity requirements for protecting CUI in nonfederal systems and organizations.
Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:
official.
adequate.
compliant.
subjective.
CMMC Level 1 includes 17 practices derived from FAR 52.204-21. Among them, the Media Protection (MP) practice requires organizations to ensure that media containing FCI is sanitized or destroyed before disposal or release for reuse to prevent unauthorized access.
This requirement ensures that any storage devices, hard drives, USBs, or physical documents containing Federal Contract Information (FCI) are properly disposed of or sanitized to prevent data leakage.
The evidence collected for this practice should demonstrate that an organization has established and followed proper media sanitization or destruction procedures.
Why the Correct Answer is "B. Adequate"?
The CMMC Assessment Process (CAP) Guide outlines that for an assessment to be considered complete, all submitted evidence must meet the standard of adequacy before it is accepted by the Lead Assessor.
Definition of "Adequate" Evidence in CMMC:
Evidence is adequate when it fully demonstrates that a practice has been performed as required by CMMC guidelines.
The Lead Assessor evaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.
If the evidence accurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard of adequacy.
Why Not the Other Options?
A. Official – While the evidence may come from an official source, CMMC does not require evidence to be "official", only that it be adequate to confirm compliance.
C. Compliant – Compliance is the final result of an assessment, but before compliance is determined, the evidence must first be adequate for evaluation.
D. Subjective – CMMC evidence is objective, meaning it should be based on verifiable documents, policies, logs, and procedures, not opinions or interpretations.
Relevant CMMC 2.0 References:
CMMC 2.0 Scoping Guide (Nov 2021) – Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide – Defines adequate evidence as documentation that completely and clearly supports the implementation of a required security practice.
FAR 52.204-21 – The source of the Level 1 requirements, which includes sanitization and destruction of media containing FCI.
Final Justification:
The CCP's statement that the evidence "fully reflects the performance of the practice" aligns with the definition of adequate evidence under CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer is B. Adequate.
The evidence needed for each practice and/or process is weighed for:
adequacy and sufficiency.
adequacy and thoroughness.
sufficiency and thoroughness.
sufficiency and appropriateness.
During a CMMC assessment, organizations must provide evidence to demonstrate compliance with required practices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy – Does the evidence meet the intent of the security requirement?
Sufficiency – Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in the CMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:
✅ 1. Adequacy – Does the evidence fully meet the requirement?
Adequacy refers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforce Multi-Factor Authentication (MFA), an assessor would check system configurations, login policies, and user authentication logs to confirm that MFA is actually in use.
✅ 2. Sufficiency – Is there enough evidence to support the claim?
Sufficiency means that there is enough supporting evidence to prove compliance.
Example: If an organization provides only one screenshot of an MFA login screen, that alone may not be sufficient; additional logs, policies, and user records would help strengthen the case.
Why the Other Answer Choices Are Incorrect:
(B) Adequacy and Thoroughness ❌
Thoroughness is not a defined metric in CMMC evidence evaluation.
The focus is on whether the evidence meets the requirement (adequacy) and whether there is enough of it (sufficiency).
(C) Sufficiency and Thoroughness ❌
Thoroughness is not a recognized term in CMMC compliance validation.
Evidence must be adequate and sufficient, not just thorough.
(D) Sufficiency and Appropriateness ❌
Appropriateness is not a CMMC-defined criterion.
The correct terms used in CMMC assessments are Adequacy (Does it meet the requirement?) and Sufficiency (Is there enough proof?).
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide explicitly states that evidence must be evaluated based on adequacy and sufficiency to confirm compliance with security practices.
What are CUI protection responsibilities?
Shielding
Governing
Correcting
Safeguarding
Understanding CUI Protection Responsibilities
Controlled Unclassified Information (CUI) is sensitive but not classified information that requires protection under DoD Instruction 5200.48 and DFARS 252.204-7012.
The primary responsibility for handling CUI is safeguarding it against unauthorized access, disclosure, or modification.
The CUI Program (as per NARA and DoD) mandates safeguarding measures to protect CUI in both digital and physical forms.
CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUI through access controls, encryption, and monitoring.
DFARS 252.204-7012 requires DoD contractors to implement cybersecurity safeguards to protect CUI.
A. Shielding (Incorrect) – Shielding is not a cybersecurity term associated with CUI protection.
B. Governing (Incorrect) – Governing refers to policy-making, not direct protection.
C. Correcting (Incorrect) – Correcting implies remediation, but the primary responsibility is to safeguard CUI proactively.
The correct answer is D. Safeguarding, as CUI protection focuses on implementing cybersecurity safeguards.
Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?
Completion dates
Milestones to measure progress
Ownership of who is accountable for ensuring plan performance
Budget requirements to implement the plan's remediation actions
Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.
Key Elements of a Plan of Action (POA)
According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:
Completion Dates: Identifies target deadlines for resolving deficiencies.
Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.
Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.
What is Generally NOT Part of a POA?
Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broader project management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.
Supporting Reference
NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.
CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.
By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.
During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?
Ability
Eligibility
Capability
Suitability
What Happens in Phase 4 of the CMMC Assessment Process?
Phase 4 of the CMMC Assessment Process (CAP) is the Final Reporting and Decision Phase. During this phase, the Lead Assessor must:
Review all assessment findings
Determine the Organization Seeking Certification's (OSC) eligibility for certification
Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)
Key Responsibilities of the Lead Assessor in Phase 4:
Ensure that the OSC has met the required practices and processes.
Confirm that any deficiencies have been corrected or appropriately documented.
Recommend whether the OSC is eligible for certification based on assessment results.
Since the Lead Assessor must determine and recommend the OSC's eligibility to the C3PAO, the correct answer is B. Eligibility.
Why the Other Answers Are Incorrect
A. Ability ❌ Incorrect. While assessing an OSC's ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is about eligibility for certification.
C. Capability ❌ Incorrect. Capability refers to an organization's technical and operational readiness. The Lead Assessor is making a recommendation on eligibility, not just capability.
D. Suitability ❌ Incorrect. Suitability is not a defined term in the CMMC CAP process for final assessment recommendations. The correct term is eligibility.
CMMC Official References
CMMC Assessment Process (CAP) Document – Specifies that the Lead Assessor must determine and recommend the eligibility of the OSC in Phase 4.
CMMC 2.0 Model – Defines the assessment process, including certification decision-making.
Thus, option B (Eligibility) is the correct answer, as per official CMMC guidance.
Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?
DoD OUSD
DIB Collaborative Information Sharing Environment
Committee on National Security Systems Instructions
CMMC Assessors and Instructors Certification Organization
Understanding the Role of CAICO in the CMMC Ecosystem
The CMMC Ecosystem consists of multiple organizations that manage, implement, and oversee different aspects of the Cybersecurity Maturity Model Certification (CMMC) program.
One of the key organizations is the CMMC Assessors and Instructors Certification Organization (CAICO), which is responsible for:
Training and certifying assessors and instructors.
Managing testing, authorization, and certification for CMMC professionals.
Ensuring assessors meet qualification and compliance standards.
Why Option D (CAICO) is Correct
The CAICO is explicitly tasked with the training, testing, authorization, and certification of candidate assessors and instructors.
Option A (DoD OUSD) is incorrect because the DoD Office of the Under Secretary of Defense (OUSD) provides policy oversight but does not handle certification of assessors.
Option B (DIB Collaborative Information Sharing Environment) is incorrect because the DIB Collaborative Information Sharing Environment focuses on information sharing within the Defense Industrial Base, not assessor certification.
Option C (Committee on National Security Systems Instructions) is incorrect because CNSSI provides security standards but does not manage assessor training or certification.
Official CMMC Documentation References
CMMC Ecosystem Overview – Role of the CAICO
CMMC Assessment Process (CAP) Guide – Assessor Certification and Training
Final Verification
Since the CAICO is responsible for training, testing, and certifying CMMC assessors and instructors, the correct answer is Option D: CMMC Assessors and Instructors Certification Organization.
During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?
Final log report
Final CMMC report
Final and recorded OSC CMMC report
Final and recorded Daily Checkpoint log
Understanding the Final Review Process in a CMMC Assessment
During a CMMC Level 2 Assessment, the Assessment Team and the Organization Seeking Certification (OSC) hold daily checkpoint meetings to discuss progress, review evidence, and ensure transparency.
At the end of the assessment, a final review meeting is conducted, during which the Lead Assessor presents the results. The recorded Daily Checkpoint log serves as the official document summarizing:
The attendee list
Time, date, and location of the final review
Final MET or NOT MET ratings for all practices
Discussion points, resulting actions, and due dates for both the OSC and Assessment Team
The CMMC Assessment Process (CAP) Guide specifies that all assessment findings and discussions must be documented throughout the assessment in daily checkpoint logs.
The Final and Recorded Daily Checkpoint Log includes all necessary details, such as attendee lists, discussion topics, and action items.
This document is used to ensure all discussed topics and agreed-upon actions are properly tracked and recorded before submission.
A. Final log report (Incorrect)
There is no specific "Final Log Report" required in CMMC assessments.
B. Final CMMC report (Incorrect)
The Final CMMC Report documents the overall assessment results but does not serve as the official meeting log for the final review discussion.
C. Final and recorded OSC CMMC report (Incorrect)
This document does not include detailed discussion points from the daily checkpoint meetings.
The correct answer is D. Final and recorded Daily Checkpoint log, as this is the official document that captures the final meeting details, discussions, and action items.
During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:
funds that practice.
audits that practice.
supports, audits, and performs that practice.
implements, performs, or supports that practice.
Who Should Be Interviewed During a CMMC Assessment?
During assessment planning, the Organization Seeking Certification (OSC) may suggest personnel for interviews. However, the person interviewed must be someone who:
✅ Implements the practice (directly responsible for executing it).
✅ Performs the practice (carries out day-to-day security operations).
✅ Supports the practice (provides necessary resources or oversight).
Why "Implements, Performs, or Supports That Practice" is Correct?
The assessor needs direct insights from individuals actively involved in the practice.
Funding (Option A) does not provide technical or operational insight into practice execution.
Auditing (Option B) focuses on compliance checks, but auditors do not implement the practice.
Supporting, auditing, and performing (Option C) includes auditors, who are not necessarily the right interviewees.
Breakdown of Answer Choices
Option | Description | Correct?
A. Funds that practice. | Funding is important but does not mean direct involvement. | ❌ Incorrect
B. Audits that practice. | Auditors check compliance but do not implement practices. | ❌ Incorrect
C. Supports, audits, and performs that practice. | Auditing is not a requirement for interviewees. | ❌ Incorrect
D. Implements, performs, or supports that practice. | The interviewee must have direct involvement in execution. | ✅ Correct
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) – Requires that interviewees be directly responsible for implementing, performing, or supporting the practice.
Final Verification and Conclusion
The correct answer is D. Implements, performs, or supports that practice, as the interviewee must actively contribute to the execution of the practice.
TESTED 16 Jun 2025