Certified CMMC Professional (CCP) Exam Questions and Answers
An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?
Options:
Determine level recommendation
Archive all assessment artifacts
Determine final practice pass/fail results
Archive or dispose of any assessment artifacts
Answer:
D
Explanation:
In Phase 3 (Post-Assessment), the assessor’s responsibility is to archive or dispose of assessment artifacts according to the C3PAO’s policies and retention requirements. By this point, final findings and results have already been delivered, so the only remaining step is ensuring proper handling of assessment materials.
Supporting Extracts from Official Content:
CAP v2.0, Post-Assessment Activities (§3.17): “The assessor must archive or dispose of any assessment artifacts in accordance with the C3PAO’s retention and destruction policy.”
Why Option D is Correct:
Determining practice pass/fail results and level recommendations occurs earlier in Phases 2 and 3.
The final step left for the assessor is the proper archiving or destruction of artifacts.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 3: Post-Assessment (§3.17).
===========
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Options:
Organizational operations, business assets, and employees
Organizational operations, business processes, and employees
Organizational operations, organizational assets, and individuals
Organizational operations, organizational processes, and individuals
Answer:
C
Explanation:
The Risk Assessment (RA) domain aligns with NIST SP 800-171 control family 3.11 (Risk Assessment) and is designed to help organizations identify, assess, and manage cybersecurity risks that could impact their operations.
The RA.3.144 practice (which is a CMMC Level 2 requirement) explicitly states:
"Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
✅ Organizational operations (e.g., mission, business continuity, functions)
✅ Organizational assets (e.g., data, IT systems, intellectual property)
✅ Individuals (e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer is C. Organizational operations, organizational assets, and individuals.
Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees ❌ Incorrect. "Business assets" is not the correct terminology used in CMMC/NIST SP 800-171. Instead, "organizational assets" is the proper term.
B. Organizational operations, business processes, and employees ❌ Incorrect. "Business processes" is not a part of the formal risk assessment requirement. The correct scope includes organizational assets and individuals, not just processes.
D. Organizational operations, organizational processes, and individuals ❌ Incorrect. While processes are important, organizational assets must be considered in the assessment, not just processes.
CMMC Official References
CMMC 2.0 Model (Level 2 - RA.3.144) – Specifies that risk assessments must cover organizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1) – Reinforces the same risk assessment scope.
Thus, option C (Organizational operations, organizational assets, and individuals) is the correct answer based on official CMMC risk assessment requirements.
Which regulation allows for whistleblowers to sue on behalf of the federal government?
Options:
NIST SP 800-53
NIST SP 800-171
False Claims Act
Code of Professional Conduct
Answer:
C
Explanation:
Understanding the False Claims Act (FCA) and Whistleblower Protections
The False Claims Act (FCA) (31 U.S.C. §§ 3729–3733) is a U.S. federal law that allows whistleblowers (also known as "relators") to sue on behalf of the federal government if they believe a company is submitting fraudulent claims for government funds.
The FCA includes a "qui tam" provision, which:
✅ Allows private individuals to file lawsuits on behalf of the U.S. government.
✅ Provides financial rewards to whistleblowers if the lawsuit results in recovered funds.
✅ Protects whistleblowers from employer retaliation.
In the context of CMMC and cybersecurity compliance, the FCA has been used to hold companies accountable for misrepresenting their cybersecurity compliance when working with federal contracts.
For example:
If a company falsely claims compliance with CMMC, NIST SP 800-171, or DFARS 252.204-7012 but fails to meet security requirements, it could be liable under the FCA.
The Department of Justice (DOJ) has pursued cases under the Cyber-Fraud Initiative, using the FCA against defense contractors for cybersecurity noncompliance.
Thus, the correct answer is C. False Claims Act because it specifically allows whistleblowers to sue on behalf of the federal government.
Why the Other Answers Are Incorrect
A. NIST SP 800-53 ❌ Incorrect. NIST SP 800-53 provides security controls for federal agencies but does not contain whistleblower provisions.
B. NIST SP 800-171 ❌ Incorrect. NIST SP 800-171 outlines security requirements for protecting CUI, but it does not have legal mechanisms for whistleblower lawsuits.
D. Code of Professional Conduct ❌ Incorrect. The CMMC Code of Professional Conduct applies to C3PAOs and assessors but does not provide a legal basis for whistleblower lawsuits.
CMMC Official References
False Claims Act (31 U.S.C. §§ 3729–3733) – Establishes whistleblower protections and qui tam lawsuits.
DOJ Cyber-Fraud Initiative – Uses the FCA to enforce cybersecurity compliance in government contracts.
DFARS 252.204-7012 & CMMC – Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.
Thus, option C (False Claims Act) is the correct answer as per official legal guidance.
A Lead Assessor is preparing to conduct a Readiness Review during Phase 1 of the Assessment Process. How much evidence MUST be gathered for each practice?
Options:
A sufficient amount
At least 2 Assessment Objects
Evidence that is deemed adequate
Evidence to support at least 2 Assessment Methods
Answer:
A
Explanation:
During a Readiness Review (Phase 1), the purpose is to validate whether an OSC is prepared to move forward with a formal assessment. The CAP specifies that the Lead Assessor must collect sufficient evidence for each practice to make a preliminary determination of readiness.
Supporting Extracts from Official Content:
CAP v2.0, Readiness Review (§2.14): “The Lead Assessor must collect a sufficient amount of evidence for each practice to determine the OSC’s readiness.”
Why Option A is Correct:
The requirement is for sufficient evidence; CAP does not mandate a set number of assessment objects or methods.
Options B, C, and D incorrectly suggest minimum counts or methods that are not part of the readiness review requirements.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 1 Readiness Review.
===========
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?
Options:
All three types of evidence are documented for every control.
Examine and accept evidence from one of the three evidence types.
Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Answer:
D
Explanation:
This question pertains to the minimum evidence requirements needed by a CMMC Assessment Team to score a practice as MET during a Level 2 Assessment.
The CMMC Level 2 assessment must align with NIST SP 800-171 and follow the procedures outlined in the CMMC Assessment Process (CAP) Guide v1.0, particularly around evidence collection and scoring methodology.
✅ Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0
CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices
“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”
This means at least two types of the following evidence are required:
Examine (documentation/artifacts),
Interview (affirmation from personnel),
Test (demonstration of implementation).
✅ Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET
The CAP explicitly states:
“A practice can only be scored MET when a minimum of two types of evidence from the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”
The evidence types must come from two different categories, for example:
An artifact (Examine) + an interview affirmation (Interview),
A demonstration (Test) + an interview (Interview),
Etc.
This cross-validation ensures that the control is implemented, documented, and understood by personnel — a core principle in assessing effective cybersecurity implementation.
❌ Why the Other Options Are Incorrect
A. All three types of evidence are documented for every control ✘ Incorrect: While collecting all three types (E-I-T) strengthens the assessment, the minimum requirement is only two. Collecting all three is not required for a practice to be scored MET.
B. Examine and accept evidence from one of the three evidence types ✘ Incorrect: This fails to meet the minimum two-evidence-type requirement set by the CAP. Single-source evidence is not sufficient to score a practice as MET.
C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation ✘ Incorrect: Even if two artifacts are examined, this is still only one type of evidence (Examine). The CAP requires two types, not two instances of the same type.
✅ Why D is Correct
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
✔ This directly reflects the CAP’s requirement for collecting two different types of objective evidence to determine a practice is MET.
BLUF (Bottom Line Up Front): To score a CMMC Level 2 practice as MET, the Assessment Team must collect a minimum of two distinct types of evidence from the Examine, Interview, Test (E-I-T) categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.
What is objectivity as it applies to activities with the CMMC-AB?
Options:
Ensuring full disclosure
Reporting results of CMMC services completely
Avoiding the appearance of or actual, conflicts of interest
Demonstrating integrity in the use of materials as described in policy
Answer:
C
Explanation:
Understanding Objectivity in CMMC-AB Activities
Objectivity in CMMC-AB activities refers to the requirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interest while conducting assessments and providing CMMC-related services.
Key Aspects of Objectivity in CMMC Assessments:
✔ No conflicts of interest: Assessors must not assess organizations they have financial, professional, or personal ties to.
✔ Unbiased reporting: Findings must be based solely on evidence, with no external influence.
✔ Avoiding even the appearance of a conflict: If there is any perception of bias, it must be addressed.
A. Ensuring full disclosure → Incorrect
Full disclosure is important but does not define objectivity. Objectivity means remaining neutral and free from conflicts.
B. Reporting results of CMMC services completely → Incorrect
While accurate reporting is required, objectivity focuses on impartiality, not just completeness.
C. Avoiding the appearance of or actual, conflicts of interest → Correct
Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.
Avoiding conflicts of interest ensures that assessments are credible and trustworthy.
D. Demonstrating integrity in the use of materials as described in policy → Incorrect
Integrity is important, but objectivity is specifically about avoiding bias and conflicts of interest.
Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Requires assessors and C3PAOs to avoid conflicts of interest and maintain impartiality.
CMMC Assessment Process (CAP) Document
Emphasizes that assessments must be free from external influence and conflicts of interest.
ISO/IEC 17020 Requirements for Inspection Bodies
Defines objectivity as avoiding conflicts of interest in the assessment process.
A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?
Options:
IoT
Restricted IS
Test equipment
Government property
Answer:
B
Explanation:
Understanding Restricted Information Systems (IS) in CMMC Scoping
In CMMC 2.0, Specialized Assets refer to assets that do not fit traditional IT system categories but still play a role in processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories of Specialized Assets in the CMMC Scoping Guide include:
Internet of Things (IoT) Devices – Smart or network-connected devices.
Restricted Information Systems (Restricted IS) – Systems that are contractually required to be configured to government specifications.
Test Equipment – Devices used for specialized testing or measurement.
Government Property – Equipment owned by the U.S. Government but used by contractors.
The contractor-owned systems in question are configured based on government requirements and used to support a DoD contract.
Restricted IS assets are contractually required to meet government security requirements and handle DoD-related information.
These systems do not fall under general IT assets but instead require special handling, making them a Restricted IS per the CMMC Scoping Guide.
A. IoT (Incorrect)
IoT devices include smart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.
C. Test Equipment (Incorrect)
The contractor’s systems are used for handling FCI, not for testing or measurement.
D. Government Property (Incorrect)
The systems are contractor-owned, not owned by the U.S. Government, so they do not qualify as Government Property.
The correct answer is B. Restricted IS, as the systems are contractor-owned but must follow DoD security requirements.
Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?
Options:
DOD OUSD
Authorized holder
Information Disclosure Official
Presidentially authorized Original Classification Authority
Answer:
B
Explanation:
DoDI 5200.48 specifies that Authorized Holders of CUI are responsible for applying appropriate CUI markings. An authorized holder is an individual who has lawful government purpose access to the information. This ensures that responsibility for correctly marking information rests with those who create or handle the material, not only with original classification authorities (which apply to classified information, not CUI).
Reference Documents:
DoDI 5200.48, Controlled Unclassified Information (CUI)
A contractor stores security policies, system configuration files, and audit logs in a centralized file repository for later review. According to CMMC terminology, the file repository is being used to:
Options:
protect CUI.
transmit CUI.
store CUI.
generate CUI
Answer:
C
Which assessment method compares actual-specified conditions with expected behavior?
Options:
Test
Examine
Compile
Interview
Answer:
A
Explanation:
Understanding CMMC Assessment Methods
The Cybersecurity Maturity Model Certification (CMMC) 2.0 follows the NIST SP 800-171A assessment methodology, which includes three primary assessment methods:
Examine – Reviewing policies, procedures, system configurations, and documentation.
Interview – Engaging with personnel to validate their understanding and execution of security practices.
Test – Conducting actual technical or operational tests to determine whether security controls function as expected.
"Test" is the method that compares actual-specified conditions with expected behavior.
It involves executing procedures, configurations, or automated tools to see if the system behaves as required.
For example, if a policy states that multi-factor authentication (MFA) must be enforced, a test would involve attempting to log in without MFA to confirm whether access is blocked as expected.
The NIST SP 800-171A Guide (Assessment Procedures for CUI) defines testing as an assessment method that:
Actively verifies a security control is functioning
Simulates real-world attack scenarios
Checks compliance through system actions rather than documentation
B. Examine (Incorrect)
Examining only involves reviewing policies, procedures, or configurations but does not actively test system behavior.
C. Compile (Incorrect)
"Compile" is not an assessment method in CMMC 2.0 or NIST SP 800-171A.
D. Interview (Incorrect)
Interviews are used to gather insights from personnel, but they do not compare actual conditions with expected behavior.
The correct answer is A. Test because it actively verifies system performance against expected security conditions.
Two assessors cannot agree if a certain practice should be rated as MET or NOT MET. Who should they consult to determine the final interpretation?
Options:
C3PAO
CMMC-AB
Lead Assessor
Quality Assurance Assessor
Answer:
C
Explanation:
The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?
Options:
NIST SP 800-53
NIST SP 800-88
NIST SP 800-171
NIST SP 800-172
Answer:
C
Explanation:
CMMC 2.0 Level 2 is directly aligned with NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations." Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified in NIST SP 800-171, as mandated by DFARS 252.204-7012.
Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protect Controlled Unclassified Information (CUI) in nonfederal systems.
These controls are categorized under 14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments are entirely based on NIST SP 800-171 requirements.
Every practice assessed in a Level 2 certification maps directly to a requirement from NIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
The NIST SP 800-171A "Assessment Guide" provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 security requirements.
The CMMC 2.0 Level 2 model directly incorporates all 110 requirements from NIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")
This document applies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it is not the basis of CMMC Level 2 assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization")
This document focuses on secure data destruction and media sanitization techniques.
While data disposal is important, this standard does not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")
This document builds on NIST SP 800-171 and applies to systems needing advanced cybersecurity protections (e.g., targeting Advanced Persistent Threats).
It is not required for standard CMMC Level 2 assessments, which only mandate NIST SP 800-171 compliance.
Key References for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2 (NIST Official Site)
NIST SP 800-171A (Assessment Guide) (NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide (Cyber AB)
Conclusion:
Since CMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:
✅ C. NIST SP 800-171
Which statement BEST describes an assessor's evidence gathering activities?
Options:
Use interviews for assessing a Level 2 practice.
Test all practices or objectives for a Level 2 practice
Test certain assessment objectives to determine findings.
Use examinations, interviews, and tests to gather sufficient evidence.
Answer:
D
Explanation:
Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:
Examination – Reviewing documents, records, system configurations, and other artifacts.
Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.
Why Option D is Correct
The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.
CMMC 2.0 Level 2 (aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.
Solely relying on one method (like interviews in Option A) is insufficient.
Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.
Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.
CMMC 2.0 and Official Documentation References
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.
Final Verification
To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.
A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?
Options:
FCI Assets
Specialized Assets
Out-of-Scope Assets
Government-Issued Assets
Answer:
C
Explanation:
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.
Asset Categories as per CMMC 2.0:
FCI Assets – These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets – These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets – Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets – Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets – These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.
Why the Correct Answer is C. Out-of-Scope Assets?
The question specifies that the identified asset does not process, store, or transmit FCI.
According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls.
Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021) – Defines out-of-scope assets as those that are within an OSC’s environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide – Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide – Identifies the classification of assets in an OSC’s environment to determine compliance requirements.
Final Justification:
Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).
An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?
Options:
Analyzer
Inspector
Applicable staff
Demonstration staff
Answer:
C
Explanation:
In the context of a Cybersecurity Maturity Model Certification (CMMC) assessment, the roles and responsibilities of individuals involved are clearly delineated to ensure a structured and effective evaluation process. The term "applicable staff" refers to personnel within the Organization Seeking Certification (OSC) who possess specific knowledge or expertise pertinent to the assessment. These individuals are integral to the assessment process as they provide essential information, demonstrate the implementation of security practices, and facilitate the assessment team's understanding of the organization's cybersecurity posture.
In this scenario, the employee serving as the primary system administrator is responsible for managing and maintaining the organization's systems. Given their comprehensive understanding of the system configurations, security controls, and operational procedures, this individual is best categorized as "applicable staff." Their involvement is crucial during the assessment, as they can provide detailed insights, demonstrate compliance measures, and address technical inquiries from the assessment team.
The other options can be delineated as follows:
Analyzer: Typically refers to individuals who analyze data or security incidents, often as part of a security operations center. This role is not specifically defined within the CMMC assessment context.
Inspector: Generally denotes a person who examines or inspects systems and processes, possibly as part of an internal audit or compliance check. This term is not a standard designation within the CMMC assessment framework.
Demonstration staff: While this could imply personnel responsible for demonstrating systems or processes, it is not a recognized role within the CMMC assessment process.
Therefore, the primary system administrator, by virtue of their role and responsibilities, aligns with the "applicable staff" category, playing a pivotal role in facilitating a successful CMMC assessment.
Which resource contains authoritative data classifications of CUI?
Options:
NARA
CMMC-AB
DoD Contractors FAQ
OSC's privacy policies
Answer:
A
Explanation:
The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.
The other options are delineated as follows:
CMMC-AB: The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.
DoD Contractors FAQ: While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.
OSC's privacy policies: An Organization Seeking Certification's internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.
Therefore, for authoritative information on CUI data classifications, the NARA's CUI Registry is the appropriate resource.
An OSC needs to be assessed on RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. What is in scope for a Level 2 assessment of RA.L2-3.11.1?
Options:
IT systems
Enterprise systems
CUI Marking processes
Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted
Answer:
D
Explanation:
Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2
The CMMC Level 2 control RA.L2-3.11.1 aligns with NIST SP 800-171, Requirement 3.11.1, which mandates that organizations periodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.
What is Required for Compliance?
The organization must perform risk assessments on all assets and entities involved in handling CUI.
Risk assessments must evaluate potential threats, vulnerabilities, and impacts on CUI security.
The scope must include people, processes, physical locations, and IT systems to ensure comprehensive risk management.
Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":
CUI can be exposed to risk in multiple ways, not just IT systems but also human error, physical security gaps, and process weaknesses.
Risk assessments must evaluate all areas that could impact CUI security, including:
Personnel security risks (e.g., insider threats, phishing attacks).
Process vulnerabilities (e.g., mishandling of CUI, policy weaknesses).
Physical security risks (e.g., unauthorized access to servers, storage rooms).
IT systems (e.g., networks, servers, cloud environments processing CUI).
A. "IT systems" → Too narrow. Risk assessment must cover more than just IT systems, including people, physical assets, and processes affecting CUI.
B. "Enterprise systems" → Too broad. While enterprise systems might be assessed, the focus is specifically on areas handling CUI, not all enterprise operations.
C. "CUI Marking processes" → Incorrect focus. While marking CUI correctly is important, RA.L2-3.11.1 pertains to risk assessments, not data classification.
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
Options:
Test
Assess
Examine
Interview
Answer:
CExplanation:
Understanding the "Examine" Assessment Method in CMMC 2.0
CMMC 2.0 uses three assessment methods to evaluate security compliance:
Examine – Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).
Interview – Speaking with personnel to verify knowledge and responsibilities.
Test – Performing technical validation to check system configurations.
The CMMC Assessment Process (CAP) defines Examine as the method used to review or analyze assessment objects, such as policies, procedures, configurations, and logs.
Relevant CMMC 2.0 Reference:
A. Test → Incorrect
"Test" involves executing a function to validate its security (e.g., verifying access controls through a live system test).
B. Assess → Incorrect
"Assess" is a broad term; CMMC explicitly defines "Examine" as the method for reviewing documentation.
C. Examine → Correct
"Examine" is the official term for reviewing policies, procedures, configurations, or logs.
D. Interview → Incorrect
"Interview" involves verbal discussions with personnel, not document analysis.
Why is the Correct Answer "Examine" (C)?
CMMC Assessment Process (CAP) Document
Defines "Examine" as analyzing assessment objects (e.g., policies, procedures, logs, documentation).
NIST SP 800-171A
Specifies "Examine" as a method to review security controls and configurations.
CMMC 2.0 References Supporting this Answer:
An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?
Options:
It handles CUI
It is a restricted IS
It is government property
It is operational technology
Answer:
BExplanation:
A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.
Supporting Extracts from Official Content:
CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”
Why Option B is Correct:
The Windows 95 system is an example of a restricted IS, so it can be scoped out.
Option A is incorrect — the asset is not handling CUI in this case.
Option C is incorrect — government property designation does not define scope.
Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.
===========
Ethics is a shared responsibility between:
Options:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Answer:
CExplanation:
Understanding Ethical Responsibility in the CMMC Ecosystem
Ethics in the CMMC ecosystem is a shared responsibility between the CMMC Accreditation Body (CMMC-AB) and its members. The CMMC-AB Code of Professional Conduct outlines ethical obligations for assessors, consultants, and other ecosystem participants to ensure integrity, fairness, and professionalism.
CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result in disciplinary actions, revocation of certification, or legal consequences.
Key Ethical Responsibilities Include:
A. DoD and CMMC-AB → Incorrect
The DoD oversees CMMC implementation, but it is not responsible for the ethical conduct of CMMC assessments.
B. OSC and Sponsors → Incorrect
The Organization Seeking Certification (OSC) is responsible for compliance but does not oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as a joint responsibility of the CMMC-AB and its ecosystem members in official CMMC guidance.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are part of the CMMC ecosystem, but CMMC-AB is the governing body responsible for ethical oversight.
Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities for assessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics is jointly managed by CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations for assessors and consultants during certification assessments.
CMMC 2.0 References Supporting this Answer:
A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?
Options:
An updated Assessment Plan
Recorded and final updated Daily Checkpoint
Fully executed CMMC Assessment contract between the C3PAO and the OSC
Review documentation for the CMMC Quality Assurance Professional (CQAP)
Answer:
DExplanation:
A C3PAO (Certified Third-Party Assessment Organization) is responsible for conducting CMMC Level 2 assessments.
After completing the assessment, the C3PAO generates the Final Recommended Assessment Results, which include key documentation reviewed by the CMMC Quality Assurance Professional (CQAP) for quality control.
A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?
Options:
Performed in groups for more efficient use of resources
Recorded for inclusion in the Final Recommended Findings report
Confidential and non-attributable so interviewees can speak without fear of reprisal
Mapped to specific CMMC practices to clearly delineate which practice is being evaluated
Answer:
CExplanation:
Understanding the Role of a CCP in CMMC Assessments
A Certified CMMC Professional (CCP) is responsible for assisting Certified CMMC Assessors (CCA) in evaluating an Organization Seeking Certification (OSC) during a CMMC assessment. One key aspect of this process is conducting interviews with Subject Matter Experts (SMEs) to verify security practices.
Ensuring that interviewees can speak freely without fear of retaliation is critical to obtaining accurate and unbiased information about the implementation of security controls.
CMMC Assessment Process and the Role of Interviews
The CMMC Assessment Guide (Level 2) outlines that interviews are conducted to confirm that security practices are effectively implemented.
Interviewees must feel comfortable sharing candid responses without concern that their statements will lead to negative consequences within the organization.
Ensuring Confidentiality and Non-Attribution
DoD Assessment Methodology specifies that interviews should be conducted confidentially to protect the identity of interviewees.
The CMMC Code of Professional Conduct (CoPC) for assessors and professionals reinforces the requirement to maintain the confidentiality of assessment participants.
Non-attribution ensures that responses are used for evaluation purposes without linking statements to specific individuals.
Why the Other Answer Choices Are Incorrect:
(A) Performed in groups for more efficient use of resources:
Group interviews may prevent individuals from speaking openly.
Employees might be hesitant to contradict leadership or peers.
(B) Recorded for inclusion in the Final Recommended Findings report:
Interviews are not directly recorded or attributed in assessment reports.
Instead, findings are documented without identifying specific individuals.
(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:
While responses inform which practices are being assessed, the primary goal of an interview is to ensure accurate, unbiased information gathering.
Step-by-Step Breakdown:
Final Validation from CMMC Documentation: According to the CMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality is crucial to gathering accurate and unbiased responses. This makes confidentiality and non-attribution the correct answer.
Thus, the correct answer is:
C. Confidential and non-attributable so interviewees can speak without fear of reprisal.
In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?
Options:
Virtual LAN restrictions
Single administrative account
Documentation showing MFD configuration
Access lists only known to the IT administrator
Answer:
AExplanation:
Understanding Multi-Function Device (MFD) Security in CMMC
Multi-function devices (MFDs), such as scanners, printers, and copiers, process, store, and transmit FCI, making them a potential attack surface for unauthorized access.
The best technical control to limit MFD access to only authorized systems is Virtual LAN (VLAN) restrictions, which segment and isolate network traffic.
VLAN Restrictions Provide Network Segmentation
VLANs isolate the MFD from unauthorized systems, ensuring only approved devices can communicate with it.
Prevents unauthorized network access by limiting connections to specific IPs or subnets.
Meets CMMC 2.0 Network Security Controls
Aligns with CMMC System and Communications Protection (SC) Practices for network segmentation and access control.
Reduces the risk of unauthorized access to scanned and printed FCI.
B. Single administrative account → Incorrect
A single admin account does not restrict access between devices; it only controls who can configure the MFD.
C. Documentation showing MFD configuration → Incorrect
Documentation helps with compliance but does not actively restrict access.
D. Access lists only known to the IT administrator → Incorrect
Access lists should be system-enforced, not just "known" to the administrator.
CMMC Practice SC.3.192 (Network Segmentation) – Requires restricting access using network segmentation techniques such as VLANs.
NIST SP 800-171 (SC Family) – Supports isolation of sensitive devices using VLANs and other segmentation controls.
Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?
Why Not the Other Options?
Relevant CMMC 2.0 References:
Final Justification: Since Virtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer is A. Virtual LAN (VLAN) restrictions.
Which statement BEST describes the key references a Lead Assessor should refer to and use the:
Options:
DoD adequate security checklist for covered defense information.
CMMC Model Overview as it provides assessment methods and objects.
safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment.
published CMMC Assessment Guide practice descriptions for the desired certification level.
Answer:
DExplanation:
Key References for a Lead Assessor in a CMMC Assessment
A Lead Assessor conducting a CMMC assessment must rely on official CMMC guidance documents to evaluate whether an Organization Seeking Certification (OSC) meets the required cybersecurity practices.
The CMMC Assessment Guide provides detailed descriptions of each practice and process at the specific CMMC level being assessed.
It defines:
✔ The assessment objectives for each practice.
✔ The required evidence for compliance.
✔ The scoring criteria to determine if a practice is MET or NOT MET.
Most Relevant Reference: CMMC Assessment Guide
A. DoD adequate security checklist for covered defense information → Incorrect
The DoD adequate security checklist is related to DFARS 252.204-7012 compliance, but CMMC assessments follow the CMMC Assessment Guide.
B. CMMC Model Overview as it provides assessment methods and objects → Incorrect
The CMMC Model Overview provides high-level guidance, but does not contain specific assessment criteria.
C. Safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment → Incorrect
FAR 52.204-21 is relevant to CMMC Level 1 (FCI protection), but CMMC Level 2 follows NIST SP 800-171 and requires CMMC Assessment Guides for validation.
D. Published CMMC Assessment Guide practice descriptions for the desired certification level → Correct
The CMMC Assessment Guide is the official document used to determine if an OSC meets the required security practices for certification.
Why is the Correct Answer "D. Published CMMC Assessment Guide practice descriptions for the desired certification level"?
CMMC Assessment Process (CAP) Document
Specifies that Lead Assessors must use the CMMC Assessment Guide for official scoring.
CMMC Assessment Guide for Level 1 & Level 2
Provides detailed descriptions, assessment methods, and scoring criteria for each practice.
CMMC-AB Guidance for Certified Third-Party Assessment Organizations (C3PAOs)
Confirms that CMMC assessments must follow the Assessment Guide, not general DoD security policies.
CMMC 2.0 References Supporting This Answer:
Final Answer: ✔ D. Published CMMC Assessment Guide practice descriptions for the desired certification level.
SC.L2-3.13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?
Options:
Any existing telephone system is in scope even if it is not using VoIP technology.
An error has been made and the Lead Assessor should be contacted to correct the error.
VoIP technology is within scope, and it uses FIPS-validated encryption, so it does not need to be assessed.
VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.
Answer:
DExplanation:
The CMMC 2.0 Level 2 requirement SC.L2-3.13.14 comes from NIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations must control and monitor the use of VoIP (Voice over Internet Protocol) technologies if used within their system boundary.
If a system does not use VoIP technology, then this control is Not Applicable (N/A) because there is nothing to assess.
When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that control within its assessment boundary.
No assessment procedures are needed since there is no VoIP system to evaluate.
Option A (Existing telephone system in scope) is incorrect because traditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.
Option B (Error, contact the Lead Assessor) is incorrect because marking SC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.
Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed) is incorrect because even if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.
CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14
NIST SP 800-171, Security Requirement 3.13.14
CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices
Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies
Why Option D is Correct
Official CMMC Documentation References
Final Verification: If VoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.
When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:
Options:
federal systems that process, store, or transmit CUI.
nonfederal systems that process, store, or transmit CUI.
federal systems that process, store, or transmit CUI, or that provide protection for the system components.
nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
Answer:
DExplanation:
The CMMC 2.0 framework applies to nonfederal systems that process, store, or transmit CUI.
Scoping determines which system components must comply with CMMC practices.
If a system processes, stores, or transmits CUI, or provides security for those systems, it must be included in the assessment scope.
CMMC Applies to Contractors, Not Federal Systems
CMMC is designed for Department of Defense (DoD) contractors, not federal systems.
Federal systems are already governed by NIST SP 800-53 and other regulations.
Scope Includes Systems That Process CUI AND Those That Protect Them
Systems processing, storing, or transmitting CUI are in scope.
Systems that provide protection for CUI systems (e.g., firewalls, monitoring tools, security appliances) are also in scope.
A. Federal systems that process, store, or transmit CUI. → Incorrect
CMMC does not apply to federal systems.
B. Nonfederal systems that process, store, or transmit CUI. → Partially correct but incomplete
It excludes security systems that protect CUI assets, which are also in scope.
C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components. → Incorrect
CMMC only applies to nonfederal systems.
CMMC Scoping Guide (Nov 2021) – Confirms that CMMC applies to nonfederal systems processing CUI.
NIST SP 800-171 Rev. 2 – Specifies security requirements for nonfederal systems handling CUI.
DFARS 252.204-7012 – Requires DoD contractors to implement NIST SP 800-171 on nonfederal systems handling CUI.
Understanding Scoping in CMMC 2.0
Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?
Why Not the Other Options?
Relevant CMMC 2.0 References:
Final Justification: Since CMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer is D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
Options:
Adopted security
Adaptive security
Adequate security
Advanced security
Answer:
CExplanation:
Understanding the Concept of Security in CMMC 2.0
CMMC 2.0 aligns with federal cybersecurity standards, particularly FISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.
The question describes security measures that are proportionate to the risk of loss, misuse, unauthorized access, or modification of information. This matches the definition of "Adequate Security."
A. Adopted security → Incorrect
The term "adopted security" is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.
B. Adaptive security → Incorrect
Adaptive security refers to a dynamic cybersecurity model where security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security → Correct
The term "adequate security" is defined in NIST SP 800-171, DFARS 252.204-7012, and FISMA as the level of protection that is proportional to the consequences and likelihood of a security incident.
This aligns perfectly with the definition in the question.
D. Advanced security → Incorrect
Advanced security typically refers to highly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
FISMA (44 U.S.C. § 3552(b)(3))
Defines adequate security as "protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."
This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Mandates that contractors apply "adequate security" to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)
Requires that organizations apply adequate security measures in accordance with NIST SP 800-171 to meet compliance standards.
Analyzing the Given Options
Official References Supporting the Correct Answer
Conclusion: The term "adequate security" is the correct answer because it is explicitly defined in federal cybersecurity frameworks as protection proportional to risk and potential consequences. Thus, the verified answer is:
An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
Options:
Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.
Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.
Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.
Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.
Answer:
BExplanation:
Best Practices for Handling Sensitive Assessment Information
CMMC assessments involve handling sensitive and potentially CUI-related documents. Assessors must follow strict security policies to avoid unauthorized access, data leaks, or non-compliance with CMMC 2.0 and NIST SP 800-171 requirements.
Why Logging into the Client VPN on the Client Laptop is the Best Approach:
Ensures Data Protection: The client laptop is likely configured to meet security controls required for handling assessment-related materials.
Prevents Data Spillage: Keeping all assessment-related activities within the client’s secured environment reduces the risk of data leakage or unauthorized storage.
Maintains Compliance with CMMC/NIST Guidelines: Using a properly configured client laptop and secured connection ensures compliance with NIST SP 800-171 controls on secure remote access (Requirement 3.13.12).
A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."
Incorrect → Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized system violates data handling best practices.
C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."
Incorrect → The assessor’s laptop may not be authorized or secured to handle client data. CMMC guidelines emphasize using approved, secured systems for assessment-related information.
D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."
Incorrect →
Transferring sensitive documents via USB introduces security risks, including unauthorized data storage and potential malware contamination.
Home office workstations are unlikely to be authorized for handling CMMC-sensitive data.
Recording evidence as adequate is defined as the criteria needed to:
Options:
verify, based on an assessment and organizational scope.
verify, based on an assessment and organizational practice.
determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.
determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
Answer:
DExplanation:
Understanding "Adequate Evidence" in the CMMC Assessment Process
In a CMMC assessment, adequate evidence refers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:
Artifacts (e.g., security policies, system configurations, logs).
Interview responses (e.g., verbal confirmation from personnel about their responsibilities).
Demonstrations (e.g., showing how a security control is implemented in real time).
Testing (e.g., verifying technical security mechanisms such as multi-factor authentication).
The goal of evidence collection is to determine whether a CMMC practice is met—not just whether the organization operates within the assessment scope.
A. Verify, based on an assessment and organizational scope → Incorrect
The assessment scope defines what is evaluated, but adequacy of evidence is based on compliance with specific CMMC practices.
B. Verify, based on an assessment and organizational practice → Incorrect
CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.
C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect
The scope defines the assessment boundaries, but the assessment team's job is to confirm whether CMMC practices are satisfied.
D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct
The CMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.
Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?
CMMC Assessment Process (CAP) Document
Defines "adequate evidence" as proof that a CMMC practice has been correctly implemented.
CMMC 2.0 Assessment Criteria
Specifies that evidence must be evaluated against specific cybersecurity practices.
NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)
Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.
CMMC 2.0 References Supporting this Answer:
Final Answer: ✔ D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?
Options:
Final log report
Final CMMC report
Final and recorded OSC CMMC report
Final and recorded Daily Checkpoint log
Answer:
DExplanation:
Understanding the Final Review Process in a CMMC Assessment
During a CMMC Level 2 Assessment, the Assessment Team and the Organization Seeking Certification (OSC) hold daily checkpoint meetings to discuss progress, review evidence, and ensure transparency.
At the end of the assessment, a final review meeting is conducted, during which the Lead Assessor presents the results. The recorded Daily Checkpoint log serves as the official document summarizing:
The attendee list
Time, date, and location of the final review
Final MET or NOT MET ratings for all practices
Discussion points, resulting actions, and due dates for both the OSC and Assessment Team
The CMMC Assessment Process (CAP) Guide specifies that all assessment findings and discussions must be documented throughout the assessment in daily checkpoint logs.
The Final and Recorded Daily Checkpoint Log includes all necessary details, such as attendee lists, discussion topics, and action items.
This document is used to ensure all discussed topics and agreed-upon actions are properly tracked and recorded before submission.
A. Final log report (Incorrect)
There is no specific "Final Log Report" required in CMMC assessments.
B. Final CMMC report (Incorrect)
The Final CMMC Report documents the overall assessment results but does not serve as the official meeting log for the final review discussion.
C. Final and recorded OSC CMMC report (Incorrect)
This document does not include detailed discussion points from the daily checkpoint meetings.
The correct answer is D. Final and recorded Daily Checkpoint log, as this is the official document that captures the final meeting details, discussions, and action items.
Who is responsible for identifying and verifying Assessment Team Member qualifications?
Options:
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Answer:
CExplanation:
Understanding the Role of the Lead Assessor in CMMC Assessments
The Lead Assessor is responsible for managing the Assessment Team and ensuring that all team members meet the required qualifications as defined by the CMMC Accreditation Body (CMMC-AB) and the Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.
Lead Assessor’s Key Responsibilities (Per CAP Guide)
Verify team member qualifications to ensure compliance with CMMC-AB guidelines.
Assign appropriate assessment tasks based on team members’ expertise.
Ensure that the assessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessor Organization) → Incorrect
A C3PAO is responsible for organizing assessments and ensuring their execution, but it does not verify individual team member qualifications—that responsibility belongs to the Lead Assessor.
B. CMMC-AB (CMMC Accreditation Body) → Incorrect
The CMMC-AB establishes training and certification requirements, but it does not verify individual assessment team members—that responsibility is given to the Lead Assessor.
D. CMMC Marketplace → Incorrect
The CMMC Marketplace lists authorized C3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs) but does not verify assessment team qualifications.
CMMC Assessment Process (CAP) Guide – Defines the Lead Assessor’s responsibility for verifying assessment team qualifications.
CMMC-AB Certification Guide – Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Why the Correct Answer is "C. Lead Assessor"?
Relevant CMMC 2.0 References:
Final Justification: Since the Lead Assessor is responsible for verifying assessment team member qualifications, the correct answer is C. Lead Assessor.
What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"
Options:
Adequacy criteria
Objectivity criteria
Sufficiency criteria
Subjectivity criteria
Answer:
A
Explanation:
In the CMMC Assessment Process (CAP), the Assessment Team evaluates collected evidence against two separate criteria:
Adequacy criteria answer the question "Does the Assessment Team have the right evidence?" Evidence is adequate when it is the appropriate kind of evidence for the practice and assessment object being evaluated (for example, a current configuration export or a live demonstration, rather than a policy statement, when the practice requires a technical implementation).
Sufficiency criteria answer the question "Does the Assessment Team have enough evidence?" Evidence is sufficient when it covers the sampled organization, the model scope (Target CMMC Level), and the evidence collection approach.
Why Adequacy Matters in CMMC 2.0:
An OSC can supply a large volume of evidence that still does not show a practice is implemented; adequacy is the filter for whether each artifact, interview, or test actually demonstrates the assessment objective.
Evidence that is not adequate is recorded as a gap so the OSC can supply the right artifact before the Assessment Team makes a determination.
Official CMMC 2.0 References:
The CMMC Assessment Process (CAP) Guide defines adequacy and sufficiency as the two criteria for validating evidence.
The DoD CMMC Assessment Guides (aligned with NIST SP 800-171A) require that every determination be supported by evidence that is both adequate and sufficient.
Comparison with Other Criteria:
Sufficiency criteria → Concern the quantity and coverage of the evidence (is there enough?), not whether it is the right evidence.
Objectivity criteria → Not a CAP evidence criterion; assessors must remain objective, but that is a property of the assessor, not a measure applied to evidence.
Subjectivity criteria → Not applicable in CMMC, since determinations must be objective and based on factual evidence.
Conclusion: "Does the Assessment Team have the right evidence?" is the adequacy question, so the correct answer is A. Adequacy criteria.
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?
Options:
FCI Asset
CUI Asset
In-scope Asset
Specialized Asset
Answer:
D
Explanation:
Understanding Asset Categorization in CMMC 2.0
In CMMC 2.0, assets are categorized based on their function, connectivity, and whether they process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The CMMC 2.0 Scoping Guides define Specialized Assets as assets that may handle FCI or CUI but cannot be fully secured in the same way as general-purpose IT: Government Property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment.
A smart thermostat is an Internet of Things (IoT) device, which is one of the Specialized Asset categories defined in the Scoping Guides. Under the Level 1 Scoping Guide, Specialized Assets are out of scope for the Level 1 self-assessment, although the OSC should still note that the device shares a WiFi network with in-scope systems.
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which a smart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information; a thermostat does not process CUI, and CUI is not a Level 1 consideration.
C. In-scope Asset (Incorrect)
"In-scope Asset" is not a CMMC asset category; at Level 1 the in-scope assets are the FCI Assets, which a smart thermostat is not.
The correct answer is D. Specialized Asset, as a smart thermostat is an IoT device, which falls into the Specialized Asset category.
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
Options:
Host Unit
Branch Office
Coordinating Unit
Supporting Organization/Units
Answer:
A
Explanation:
Understanding High-Level Scoping in a CMMC Assessment
During High-Level Scoping, the Certified Third-Party Assessment Organization (C3PAO) and the OSC agree on the people, processes, and technology that are within scope for the CMMC Level assessment. The CAP uses the following terms for the organizational units involved:
Host Unit: the people, processes, and technology that will be applied to the contract and on whose behalf the CMMC Level assessment is requested. This is the entity that is being assessed.
Supporting Organization/Units: internal or external organizations or units that provide services or capabilities to the Host Unit (for example shared IT or security services) and are included in the assessment to the extent they affect in-scope practices.
A. Host Unit → Correct
The question describes the requesting unit itself, which is the CAP definition of the Host Unit.
B. Branch Office → Incorrect
A branch office may or may not be in scope; scoping is based on whether the unit handles CUI or FCI, not on its physical location, and "Branch Office" is not a CAP scoping term.
C. Coordinating Unit → Incorrect
No official CMMC term refers to a "Coordinating Unit."
D. Supporting Organization/Units → Incorrect
These units support the Host Unit; they are not the unit requesting the assessment.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Defines Host Unit and Supporting Organization/Units as part of the pre-assessment scoping activities and requires the C3PAO to document them.
CMMC Scoping Guides for Level 1 and Level 2 Assessments
Require the OSC and the assessment team to define the people, processes, and technology that fall within the scope of the assessment.
The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?
Options:
Expert
Advanced
Optimizing
Continuously Improved
Answer:
B
Explanation:
Understanding CMMC 2.0 Levels and Their Descriptions
The Cybersecurity Maturity Model Certification (CMMC) 2.0 consists of three levels, each representing increasing cybersecurity maturity:
Level 1 – Foundational
Focuses on basic cyber hygiene
Implements the 15 basic safeguarding requirements of FAR 52.204-21 (expressed as 17 practices in the CMMC 2.0 Level 1 Assessment Guide)
Protects Federal Contract Information (FCI) and is verified by annual self-assessment
Level 2 – Advanced (Correct Answer)
Focuses on protecting Controlled Unclassified Information (CUI)
Implements the 110 practices of NIST SP 800-171
Requires a triennial third-party (C3PAO) assessment for prioritized acquisitions, and a triennial self-assessment for others
Level 3 – Expert
Focuses on advanced cybersecurity against Advanced Persistent Threats (APTs)
Implements NIST SP 800-171 plus a subset of NIST SP 800-172 controls
Requires triennial government-led assessments
The CMMC 2.0 framework explicitly describes Level 2 as "Advanced."
It aligns with NIST SP 800-171 to ensure robust CUI protection.
A. Expert (Incorrect) – This describes Level 3, not Level 2.
C. Optimizing (Incorrect) – Not a defined CMMC level description.
D. Continuously Improved (Incorrect) – CMMC does not use this terminology.
The correct answer is B. Advanced, which accurately describes CMMC Level 2.
Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?
Options:
Cybersecurity
Data security
Network security
Information security
Answer:
A
Explanation:
The term that describes "the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation" is Cybersecurity. The wording is the CNSSI 4009 definition, which is the one carried in the NIST glossary and in DoD cybersecurity policy.
Step-by-Step Breakdown:
✅ 1. Cybersecurity Defined
Cybersecurity focuses on protecting networks, systems, and data from cyber threats.
It includes measures to ensure:
Availability (data and services are accessible when needed).
Integrity (data is accurate and unaltered).
Authentication (the identity of users and systems is verified).
Confidentiality (only authorized parties can access the information).
Non-repudiation (a party cannot later deny an action it took).
The definition in the question matches this list term for term, making it the best answer.
✅ 2. Why the Other Answer Choices Are Incorrect:
(B) Data Security ❌
Data security focuses specifically on protecting stored and transmitted data (e.g., encryption, access controls); the definition in the question also covers restoring systems and communication services, which is broader than data alone.
(C) Network Security ❌
Network security is a subset of cybersecurity that focuses on protecting network infrastructure (e.g., firewalls, intrusion detection systems).
The definition in the question includes more than networks, so cybersecurity is the better choice.
(D) Information Security ❌
Information security (InfoSec) is related but scoped differently: it protects information in any form, including paper records, and covers physical and organizational safeguards (policies, procedures) in addition to digital protections, whereas the definition in the question is specifically about computers and electronic communications systems.
Final Validation from CMMC Documentation:
The DoD and NIST definitions (CNSSI 4009, NIST CSRC glossary) match the question text, confirming that cybersecurity is the term that best fits.
What is DFARS clause 252.204-7012 required for?
Options:
All DoD solicitations and contracts
Solicitations and contracts that use FAR part 12 procedures
Procurements solely for the acquisition of commercial off-the-shelf
Commercial off-the-shelf sold in the marketplace without modifications
Answer:
A
Explanation:
DFARS 204.7304(c) prescribes the clause at 252.204-7012 for use in all solicitations and contracts, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, with a single exception: solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. Options B, C, and D each describe only a subset of contracts or the exception itself, so A is correct.
A test or demonstration is being performed for the Assessment Team during an assessment. Which environment MUST the OSC perform this test or demonstration?
Options:
Client
Production
Development
Demonstration
Answer:
B
Explanation:
Understanding the Assessment Environment Requirement
During a CMMC Level 2 assessment, assessors require objective evidence that security controls are implemented in the actual operating environment where Controlled Unclassified Information (CUI) is handled.
This means that tests or demonstrations must be conducted in the production environment, where the organization's real systems and security controls are in use.
Why Option B (Production) is Correct
Assessment teams need to validate security controls in the environment where they are applied, so that the evidence reflects real-world operating conditions rather than a configuration staged for the assessment.
Option A (Client) is incorrect because "Client" is not a defined assessment environment.
Option C (Development) is incorrect because a development environment does not accurately represent the production security posture.
Option D (Demonstration) is incorrect because demonstrations in a separate test environment do not provide valid evidence for CMMC assessments; actual security implementations must be verified in production.
Official CMMC Documentation References
CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)
NIST SP 800-171A assessment procedures (verification must occur on the actual system where CUI resides.)
Final Verification
Since CMMC assessments require security controls to be validated in the actual production environment, the correct answer is Option B: Production.
Which statement is NOT a measure to determine if collected evidence is sufficient?
Options:
Evidence covers the sampled organization
Evidence is not required if the practice is ISO certified
Evidence covers the model scope of the Assessment (Target CMMC Level)
Evidence corresponds to the sampled organization in the evidence collection approach
Answer:
B
Explanation:
The CMMC Assessment Process (CAP) requires that sufficient evidence must:
Cover the sampled organization,
Cover the defined model scope of the assessment (Target CMMC Level), and
Correspond to the evidence collection approach.
Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC's workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?
Options:
It is sufficient, and the audit finding can be rated as MET.
It is insufficient, and the audit finding can be rated NOT MET.
It is sufficient, and the Lead Assessor should seek more evidence.
It is insufficient, and the Lead Assessor should seek more evidence.
Answer:
A
Explanation:
Understanding SI.L1-3.14.2: Provide Protection from Malicious Code
The CMMC Level 1 practice SI.L1-3.14.2 is based on NIST SP 800-171 Requirement 3.14.2, which requires organizations to:
Implement malicious code protection (e.g., antivirus, endpoint security software).
Ensure coverage at all appropriate locations (e.g., workstations, servers, network entry points).
Keep protection mechanisms updated (e.g., regular signature updates, policy enforcement).
Assessment Criteria for a "MET" Rating:
To determine whether the practice is MET, the Lead Assessor must confirm that:
✔ Antivirus or endpoint protection software is installed on all workstations and servers.
✔ The solution is centrally managed, ensuring consistent policy enforcement.
✔ Signature updates are current, meaning systems are protected against known threats.
✔ Logs or reports from the console demonstrate that updates are actually reaching the devices.
Why is the Correct Answer "A. It is sufficient, and the audit finding can be rated as MET"?
The provided evidence confirms all necessary requirements for SI.L1-3.14.2:
✔ All workstations and servers have antivirus installed → meets the installation requirement.
✔ A centralized management console is in place → ensures consistent enforcement.
✔ Records show antivirus signatures are up to date → confirms protection is current.
Because the evidence meets the requirement across the in-scope assets, the practice should be rated as MET.
Why Are the Other Answers Incorrect?
B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect
The evidence provided meets all necessary requirements, so the practice should not be rated as NOT MET.
C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect
If adequate and sufficient evidence already exists, additional evidence is unnecessary; "sufficient" and "seek more evidence" contradict each other.
D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect
The evidence provided meets the control requirements, making it sufficient.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that a practice can be marked as MET when adequate and sufficient evidence is provided.
NIST SP 800-171 (Requirement 3.14.2)
Defines the standard for malicious code protection, which is met by antivirus with active updates.
CMMC 2.0 Level 1 Assessment Guide
Clarifies that basic cybersecurity measures like antivirus installation and updates meet compliance for SI.L1-3.14.2.
Final Answer: ✔ A. It is sufficient, and the audit finding can be rated as MET.
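The reconciliation an assessor actually performs on this kind of evidence, checking that every host in the in-scope inventory appears in the console export with an agent and a current signature set, as an added example (not from the CMMC Assessment Guide or any antivirus vendor's tooling). The inventory, the console export and its column names, the assessment timestamp and the one-day update policy are all constructed assumptions for the example; a real export would be taken from the OSC's console.

```python
"""Reconcile an OSC asset inventory against an antivirus console export.

Added example for the SI.L1-3.14.2 evidence question; it is not CMMC or
vendor code. The inventory, the console export and its column names, the
assessment time and the one-day update policy are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed in-scope inventory: what the OSC's SSP says is in scope.
INVENTORY_CSV = """hostname,role
ws-001,workstation
ws-002,workstation
ws-003,workstation
srv-file01,server
srv-db01,server
"""

# Constructed console export: what the antivirus console actually manages.
# Column names are an assumption; map them to the real export's headers.
AV_EXPORT_CSV = """hostname,agent_installed,signature_version,last_update_utc
ws-001,yes,2024.05.14.003,2024-05-14T06:10:00Z
ws-002,yes,2024.05.14.003,2024-05-14T06:12:00Z
ws-003,yes,2024.04.30.001,2024-04-30T22:01:00Z
srv-file01,yes,2024.05.14.003,2024-05-14T05:58:00Z
"""

# Assumed time the evidence was examined and the OSC's stated update cadence.
ASSESSMENT_TIME = datetime(2024, 5, 14, 12, 0, tzinfo=timezone.utc)
MAX_SIGNATURE_AGE = timedelta(days=1)


def load_rows(csv_text):
    """Parse a CSV string into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_csv, av_csv, now, max_age):
    """Classify every inventoried host as covered, stale, or missing an agent.

    "All devices have the most updated patterns" is verified by comparing
    each host's signature version to the newest version seen in the export
    and its last update time to the stated update cadence.
    """
    by_host = {row["hostname"]: row for row in load_rows(av_csv)}
    # The constructed version strings are fixed-width dotted dates, so the
    # lexicographic maximum is the newest release (an assumption of the format).
    latest = max(row["signature_version"] for row in by_host.values())
    findings = {"missing_agent": [], "stale_signature": [], "covered": []}
    for asset in load_rows(inventory_csv):
        host = asset["hostname"]
        row = by_host.get(host)
        if row is None or row["agent_installed"].strip().lower() != "yes":
            findings["missing_agent"].append(host)   # in scope, not protected
            continue
        updated = datetime.fromisoformat(row["last_update_utc"].replace("Z", "+00:00"))
        if row["signature_version"] != latest or now - updated > max_age:
            findings["stale_signature"].append(host)  # protected, but not current
        else:
            findings["covered"].append(host)
    return findings


def determination(findings):
    """Turn the reconciliation into the evidence decision the assessor records.

    The Lead Assessor still makes the rating; this only reports whether the
    records support "all devices ... most updated patterns" as claimed.
    """
    gaps = findings["missing_agent"] + findings["stale_signature"]
    if not gaps:
        return "MET"
    return "GAPS: " + ", ".join(sorted(gaps))


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, AV_EXPORT_CSV, ASSESSMENT_TIME, MAX_SIGNATURE_AGE)
    for key, hosts in result.items():
        print(f"{key}: {hosts}")
    print(determination(result))
```

With the constructed data the script reports srv-db01 as missing an agent and ws-003 as stale, which is the situation where the evidence does not support the OSC's claim and the Lead Assessor should seek more evidence (option D); the question's scenario, with every host present and current, yields MET.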
Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of the OSC's updated POA&M with any accompanying evidence or scheduled collections?
Options:
90 days
180 days
270 days
360 days
Answer:
B
Explanation:
In the CMMC 2.0 Assessment Process, after the Assessment Final Recommended Findings Brief, the Lead Assessor and Assessment Team Members must review the accuracy and validity of the Organization Seeking Certification (OSC)'s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collections within 180 days.
Relevant CMMC 2.0 Reference:
The CMMC Assessment Process (CAP) gives the OSC up to 180 days from the Final Recommended Findings Brief to close out the POA&M items that were allowed to remain open at the time of assessment.
During this time, the OSC updates its POA&M with additional evidence to demonstrate that the remaining practices are implemented; the Lead Assessor then reviews that evidence within the same window.
Why is the Correct Answer 180 Days (B)?
A. 90 days → Incorrect
The CAP does not impose a 90-day limit on POA&M updates; 180 days is the timeframe.
B. 180 days → Correct
Per the CAP, the Lead Assessor and Team must review the updated POA&M within 180 days.
C. 270 days → Incorrect
No official CMMC documentation mentions a 270-day review period.
D. 360 days → Incorrect
The process must be completed well before 360 days; a POA&M that is not closed out within 180 days means the Conditional result cannot be converted to a Final result.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines the 180-day window for the OSC to update its POA&M and submit evidence for review.
CMMC 2.0 Official Guidelines
Specify that organizations are given up to 180 days to remediate deficiencies before reassessment.
Which phase of the CMMC Assessment Process includes developing the assessment plan?
Options:
Phase 1
Phase 2
Phase 3
Phase 4
Answer:
A
Explanation:
Understanding the Phases of the CMMC Assessment Process
The CMMC Assessment Process (CAP) consists of multiple phases, with each phase focusing on a different aspect of the assessment. Developing the assessment plan occurs in Phase 1, the Pre-Assessment (Plan and Prepare) Phase.
Key Activities in Phase 1 – Pre-Assessment Phase
Engagement Agreement: The OSC (Organization Seeking Certification) and the Certified Third-Party Assessment Organization (C3PAO) formalize the assessment contract.
Developing the Assessment Plan: The Lead Assessor and the assessment team create an Assessment Plan, which outlines:
Scope of the assessment
CMMC Level requirements
Assessment methodology
Timeline and logistics
Initial Data Collection: Review of system documentation, policies, and relevant security controls.
Why is the Correct Answer "Phase 1" (A)?
A. Phase 1 → Correct
Phase 1 is where the assessment plan is developed.
It ensures clarity on scope, methodology, and logistics before the assessment begins.
B. Phase 2 → Incorrect
Phase 2 is the Assessment Conduct Phase, where assessors execute the plan by examining evidence and interviewing personnel.
C. Phase 3 → Incorrect
Phase 3 is the Post-Assessment Phase, which involves finalizing findings and submitting reports, not developing the plan.
D. Phase 4 → Incorrect
Phase 4 of the CAP is the POA&M close-out phase, used only when the OSC has open POA&M items to remediate after the findings are reported; it is not a planning phase.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines Phase 1 as the stage where the assessment plan is developed.
CMMC Accreditation Body (CMMC-AB) Guidelines
Specify that planning and pre-assessment activities occur in Phase 1.
CMMC 2.0 Certification Workflow
Outlines the assessment planning process as part of the initial engagement between the C3PAO and the OSC.
Which example represents a Specialized Asset?
Options:
SOCs
Hosted VPN services
Consultants who provide cybersecurity services
All property owned or leased by the government
Answer:
D
Explanation:
Understanding Specialized Assets in CMMC
The CMMC 2.0 Level 2 Scoping Guide defines Specialized Assets as assets that can process, store, or transmit CUI but are unable to be fully secured, and lists five categories:
✔ Government Property – All property owned or leased by the Government, including both government-furnished property and contractor-acquired property.
✔ Internet of Things (IoT) devices – Smart sensors, embedded systems.
✔ Operational Technology (OT) – Industrial control systems, SCADA systems.
✔ Restricted Information Systems – Systems configured to government requirements that cannot be changed (e.g., to support a specific contract).
✔ Test Equipment – Hardware and software used to test products or systems.
The three incorrect options are all examples the same Scoping Guide gives of Security Protection Assets: assets that provide security functions or capabilities to the OSC's assessment scope.
A. SOCs → Incorrect
A Security Operations Center is a Security Protection Asset (listed under facilities and people), not a Specialized Asset.
B. Hosted VPN services → Incorrect
Hosted VPN services are a Security Protection Asset (technology) in the Scoping Guide's examples.
C. Consultants who provide cybersecurity services → Incorrect
Consultants who provide cybersecurity services are a Security Protection Asset (people) in the Scoping Guide's examples.
D. All property owned or leased by the government → Correct
This is the Scoping Guide's definition of Government Property, one of the five Specialized Asset categories.
Practitioner caveat: under the CMMC 2.0 Level 2 Scoping Guide, Specialized Assets must be documented in the asset inventory, the SSP, and the network diagram and managed under the OSC's risk-based security policies, procedures, and practices, but they are not assessed against the practices; Security Protection Assets, by contrast, are assessed against the practices relevant to the capability they provide.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Scope, Level 2 (Scoping Guide)
Defines the five Specialized Asset categories, including Government Property, and lists SOCs, hosted VPN services, and cybersecurity consultants as Security Protection Assets.
CMMC 2.0 Assessment Process (CAP) Document
Requires the asset categories identified during scoping to be reflected in the assessment plan.
Final Answer: ✔ D. All property owned or leased by the government
Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?
Options:
Consult with the CEO of the company.
Consult the CMMC Assessment Guides and NIST SP 800-171.
Go with the network administrator's ideas with the least stringent controls.
Go with the network administrator's ideas with the most stringent controls.
Answer:
B
Explanation:
When preparing for CMMC compliance, organizations must ensure that their network configurations align with the required cybersecurity controls. If network administrators disagree on certain configurations, the most objective and accurate way to resolve the disagreement is by referencing official CMMC guidance and the NIST SP 800-171 requirements, which form the foundation of CMMC Level 2.
Step-by-Step Breakdown:
CMMC Assessment Guides as the Primary Reference
The CMMC Assessment Guides (Level 1 & Level 2) provide the assessment objectives for each practice and a discussion of how it is expected to be implemented.
They explain how each practice will be assessed during certification, so a configuration that satisfies the assessment objectives will pass regardless of which administrator proposed it.
NIST SP 800-171 as the Compliance Baseline
CMMC Level 2 is based directly on NIST SP 800-171, which defines the 110 security requirements for protecting Controlled Unclassified Information (CUI).
Network configurations must comply with the NIST-defined requirements, including:
Access Control (AC) – Enforcing least privilege.
Audit and Accountability (AU) – Logging and monitoring network activity.
System and Communications Protection (SC) – Secure network design, boundary protection, and encryption.
Why the Other Answer Choices Are Incorrect:
(A) Consult with the CEO of the company:
A CEO is not necessarily a cybersecurity expert and may not be familiar with CMMC technical requirements.
Technical compliance decisions should be based on the CMMC and NIST frameworks, not executive opinion.
(C) Go with the network administrator's ideas with the least stringent controls:
Choosing the less stringent configuration increases security risk and could leave a practice NOT MET.
(D) Go with the network administrator's ideas with the most stringent controls:
Stricter controls may introduce operational friction or unnecessary cost that the framework does not require, and "more stringent" does not guarantee that the assessment objectives are actually met.
The correct approach is to implement what CMMC and NIST SP 800-171 require, no more and no less.
Final Validation from CMMC Documentation:
The CMMC Assessment Guides and NIST SP 800-171 Rev. 2 are the official sources that provide the most reliable guidance on compliance.
CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.
Thus, the correct answer is:
B. Consult the CMMC Assessment Guides and NIST SP 800-171.
An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?
Options:
NARA
CMMC-AB
DoD Contractors FAQ page
DoD 239.7601 Definitions page
Answer:
A
Explanation:
What Does "CUI//SP-PRVCY//FED Only" Mean?
The email contains Controlled Unclassified Information (CUI) with a specific category and a dissemination control.
CUI//SP-PRVCY//FED Only breaks down as follows:
CUI → the control designator that marks the content as Controlled Unclassified Information.
SP-PRVCY → the Privacy category, with the "SP-" prefix indicating Specified CUI (CUI whose handling is prescribed by a specific law, regulation, or government-wide policy) rather than Basic CUI. Specified categories can carry handling requirements from the underlying authority in addition to the baseline NIST SP 800-171 safeguards, which is why the Registry entry must be checked.
FED Only → the limited dissemination control "Federal Employees Only": dissemination is restricted to federal employees and the information may not be forwarded to contractors or the public.
Who Maintains the Official CUI Registry?
The National Archives and Records Administration (NARA), through its Information Security Oversight Office (ISOO), is the Executive Agent for the CUI Program and maintains the official CUI Registry.
The CUI Registry provides the definitions, marking guidance, and categories for all CUI labels, including "SP-PRVCY" and limited dissemination controls like "FED Only."
Why NARA is the Correct Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI should refer to the NARA CUI Registry for official marking interpretations.
DoD contractors and other organizations must comply with NARA guidelines when handling, marking, and disseminating CUI.
B. CMMC-AB – The CMMC Accreditation Body manages certification assessments but does not define or interpret CUI markings.
C. DoD Contractors FAQ Page – The DoD may provide general contractor guidance, but CUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page – This refers to general DoD acquisition definitions, but CUI categories and markings fall under NARA's authority.
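A parser for the banner-marking layout explained above, as an added example (not NARA code). The category and dissemination-control tables are a small constructed subset of the CUI Registry and are not the Registry itself, so anything the parser reports as unknown is exactly what the OSC should look up on the NARA site; the layout it assumes is the designator, then categories, then limited dissemination controls, separated by double slashes, with single slashes between items of the same kind.

```python
"""Parse CUI banner markings such as "CUI//SP-PRVCY//FED Only".

Added example for the marking question above; it is not NARA code, and the
category and limited-dissemination-control tables are a constructed subset
of the CUI Registry, not the Registry itself.
Assumed layout: CUI[//category[/category...]][//LDC[/LDC...]], where a
category carrying the "SP-" prefix is Specified CUI.
"""

# Constructed subset of CUI Registry category markings (not exhaustive).
CATEGORIES = {
    "PRVCY": "Privacy",
    "CTI": "Controlled Technical Information",
    "PROPIN": "General Proprietary Business Information",
    "EXPT": "Export Controlled",
}

# Constructed subset of limited dissemination control (LDC) markings.
LDCS = {
    "NOFORN": "No foreign dissemination",
    "FED ONLY": "Federal employees only",
    "FEDCON": "Federal employees and contractors only",
    "NOCON": "No dissemination to contractors",
}


def parse_cui_banner(banner):
    """Split a banner marking into categories, LDCs, and unrecognised tokens.

    Returns a dict with:
      categories: list of (category, is_specified) in banner order
      ldcs:       recognised dissemination controls
      unknown:    tokens in neither table (look these up in the Registry)
      level:      "Specified" if any category carries SP-, else "Basic"
    Raises ValueError if the first segment is not the CUI designator.
    """
    segments = [s.strip() for s in banner.strip().upper().split("//")]
    if segments[0] != "CUI":
        raise ValueError("not a CUI banner marking: %r" % banner)
    result = {"categories": [], "ldcs": [], "unknown": [], "level": "Basic"}
    for segment in segments[1:]:
        for token in (t.strip() for t in segment.split("/")):
            if not token:
                continue
            specified = token.startswith("SP-")
            name = token[3:] if specified else token
            if name in CATEGORIES:
                result["categories"].append((name, specified))
                if specified:
                    result["level"] = "Specified"
            elif token in LDCS:
                result["ldcs"].append(token)
            else:
                result["unknown"].append(token)  # not in our subset; check the Registry
    return result


def describe(banner):
    """Expand a banner into the plain-language handling lines a recipient can act on."""
    parsed = parse_cui_banner(banner)
    lines = [f"{parsed['level']} CUI"]
    for name, specified in parsed["categories"]:
        kind = "Specified category" if specified else "Basic category"
        lines.append(f"{kind}: {CATEGORIES[name]} ({name})")
    for ldc in parsed["ldcs"]:
        lines.append(f"Dissemination: {LDCS[ldc]} ({ldc})")
    for token in parsed["unknown"]:
        lines.append(f"Unrecognised marking {token}: look it up in the NARA CUI Registry")
    return lines


if __name__ == "__main__":
    for line in describe("CUI//SP-PRVCY//FED Only"):
        print(line)
```

Because categories and LDCs are classified by table lookup rather than by position, a banner that carries only an LDC ("CUI//NOFORN") still parses, and a marking the OSC has never seen lands in the unknown list instead of being silently treated as harmless.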
The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?
Options:
FBI CUI Introduction to Marking
NARA CUI Introduction to Marking
C3PAO CUI Introduction to Marking
CMMC-AB CUI Introduction to Marking
Answer:
B
Explanation:
The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.
The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?
Options:
"The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."
"The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."
"The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."
"The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."
Answer:
B
Explanation:
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the CMMC Assessment Scope based on the CMMC Scoping Guidance published by DoD and the Cyber AB (Cyber Accreditation Body).
The OSC must determine which assets process, store, or transmit Controlled Unclassified Information (CUI), categorize every asset (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets), and document the result in the asset inventory, network diagram, and System Security Plan.
The C3PAO, through its Lead Assessor, validates that scope during the pre-assessment phase before the assessment is scheduled. A CCP advising the OSC can help prepare the scoping documentation but has no role in validating it, which is why options A, C, and D are wrong.
What is the primary intent of the verify evidence and record gaps activity?
Options:
Map test and demonstration responses to CMMC practices.
Conduct interviews to test process implementation knowledge.
Determine the one-to-one relationship between a practice and an assessment object.
Identify and describe differences between what the Assessment Team required and the evidence collected.
Answer:
D
Explanation:
Understanding the "Verify Evidence and Record Gaps" Activity in a CMMC Assessment
During a CMMC Level 2 Assessment, the Assessment Team follows a structured methodology to verify evidence and determine whether the Organization Seeking Certification (OSC) has met all required practices. One of the key activities in this process is "Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.
Step-by-Step Breakdown:
✅ 1. Primary Intent: Identifying Gaps Between Required and Collected Evidence
The Assessment Team compares the evidence provided by the OSC against what it determined it needed for each CMMC practice and assessment objective.
If evidence is missing, insufficient, or inconsistent, assessors document the gap and describe what is lacking.
This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.
✅ 2. How This Process Works in a CMMC Assessment
Assessors review collected documentation, system configurations, policies, and interview responses.
They verify that the evidence matches the expected implementation of a practice.
If gaps exist, they are recorded for discussion and, where the CAP allows it, for remediation before the assessment is completed.
✅ 3. Why the Other Answer Choices Are Incorrect:
(A) Map test and demonstration responses to CMMC practices. ❌
Incorrect: mapping evidence to CMMC practices is part of evidence collection, but the primary intent of "Verify Evidence and Record Gaps" is to identify deficiencies, not to map responses.
(B) Conduct interviews to test process implementation knowledge. ❌
Incorrect: interviews are a method used during evidence collection, not the focus of the verification and gap-recording step.
(C) Determine the one-to-one relationship between a practice and an assessment object. ❌
Incorrect: a practice usually has several assessment objectives and is supported by several pieces of evidence; the goal is a holistic validation of each practice, not a strict one-to-one mapping.
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide states that "Verify Evidence and Record Gaps" is the step where assessors compare expected evidence against what has been provided and document discrepancies. This ensures transparent assessment findings and remediation planning.
Thus, the correct answer is:
D. Identify and describe differences between what the Assessment Team required and the evidence collected.
What is the BEST description of the purpose of FAR clause 52 204-21?
Options:
It directs all covered contractors to install the cyber security systems listed in that clause.
It describes all of the safeguards that contractors must take to secure covered contractor IS.
It describes the minimum standard of care that contractors must take to secure covered contractor IS.
It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.
Answer:
C
Explanation:
Understanding FAR Clause 52.204-21
The Federal Acquisition Regulation (FAR) Clause 52.204-21 is titled "Basic Safeguarding of Covered Contractor Information Systems." This clause establishes minimum cybersecurity requirements for federal contractors that handle Federal Contract Information (FCI).
Key Purpose of FAR Clause 52.204-21
The primary objective of FAR 52.204-21 is to ensure that contractors apply basic cybersecurity protections to the information systems that process, store, or transmit FCI. These minimum safeguarding requirements serve as a baseline security standard for contractors doing business with the U.S. government.
Why "Minimum Standard of Care" is Correct?
FAR 52.204-21 does not require contractors to install specific cybersecurity tools (eliminating option A).
It outlines only the minimum safeguards, not all cybersecurity controls needed for complete security (eliminating option B).
CMMC certification is not mandated by this clause (eliminating option D).
Instead, it establishes a baseline "standard of care" that all covered contractors must follow to protect FCI (making option C correct).
Breakdown of Answer Choices
A. It directs all covered contractors to install the cybersecurity systems listed in that clause. ❌ Incorrect – The clause does not specify tools or require specific cybersecurity systems.
B. It describes all of the safeguards that contractors must take to secure covered contractor IS. ❌ Incorrect – It sets only minimum requirements, not all possible security measures.
C. It describes the minimum standard of care that contractors must take to secure covered contractor IS. ✅ Correct – The clause defines basic safeguards as a minimum security standard.
D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts. ❌ Incorrect – FAR 52.204-21 does not mandate CMMC certification; that requirement comes from DFARS 252.204-7021, and a contractor must meet the CMMC level each contract specifies, not the lowest level across its contracts.
Minimum Safeguarding Requirements Under FAR 52.204-21
The clause lists 15 basic safeguarding requirements, which CMMC 2.0 Level 1 adopts (the Level 1 Assessment Guide expresses them as 17 practices). Some examples include:
✅ Access Control – Limit access to authorized users.
✅ Identification & Authentication – Authenticate system users.
✅ Media Protection – Sanitize media before disposal.
✅ System & Communications Protection – Monitor and control network connections.
Official References from CMMC 2.0 and FAR Documentation
FAR 52.204-21 – Establishes the basic safeguarding requirements for FCI.
CMMC 2.0 Level 1 – Directly aligns with the FAR 52.204-21 requirements.
Final Verification and Conclusion
The correct answer is C. It describes the minimum standard of care that contractors must take to secure covered contractor IS. This aligns with FAR 52.204-21 requirements as a baseline security standard for FCI.
Which training is a CCI authorized to deliver through an approved CMMC LTP?
Options:
CMMC-AB approved training
DoD DFARS and CMMC-AB approved training
NARA CUI training and CMMC-AB approved training
DoD DFARS, NARA CUI, and CMMC-AB approved training
Answer:
A
Explanation:
A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.
Supporting Extracts from Official Content:
CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”
Why Option A is Correct:
CCIs teach only CMMC-AB approved training.
Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.
References (Official CMMC v2.0 Content):
CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.
===========
How are the Final Recommended Assessment Findings BEST presented?
Options:
Using the CMMC Findings Brief template
Using a C3PAO-provided template that is preferred by the OSC
Using a C3PAO-branded version of the CMMC Findings Brief template
Using the proprietary template created by the Lead Assessor after approval from the C3PAO
Answer:
A
Explanation:
In the Cybersecurity Maturity Model Certification (CMMC) assessment process, the presentation of the Final Recommended Assessment Findings is a critical step. According to the CMMC Assessment Process guidelines, the Lead Assessor is responsible for compiling and presenting these findings. The prescribed method for this presentation is the utilization of the standardized CMMC Findings Brief template.
Step-by-Step Explanation:
Responsibility of the Lead Assessor:
The Lead Assessor oversees the assessment process and is tasked with compiling the Final Recommended Assessment Findings.
Utilization of the CMMC Findings Brief Template:
To ensure consistency and adherence to CMMC standards, the Lead Assessor must use the official CMMC Findings Brief template when presenting the assessment findings.
Presentation of Findings:
The findings, documented in the CMMC Findings Brief template, are then presented to the Organization Seeking Certification (OSC). This presentation ensures that the OSC receives a clear and standardized report of the assessment outcomes.
Which standard of assessment do all C3PAO organizations execute an assessment methodology based on?
Options:
ISO 27001
NIST SP 800-53A
CMMC Assessment Process
Government Accountability Office Yellow Book
Answer:
C
Explanation:
Understanding the C3PAO Assessment Methodology
A Certified Third-Party Assessment Organization (C3PAO) is an entity authorized by the CMMC Accreditation Body (CMMC-AB) to conduct official CMMC Level 2 assessments for organizations seeking certification.
Key Requirement: CMMC Assessment Process (CAP)
C3PAOs must follow the CMMC Assessment Process (CAP), which outlines:
✅ The assessment methodology for evaluating compliance.
✅ Evidence collection procedures (interviews, artifacts, testing).
✅ Assessment scoring and reporting requirements.
✅ Guidance for assessors on executing standardized assessments.
Why "CMMC Assessment Process" is Correct?
ISO 27001 (Option A) is an international standard for information security management but is not the basis for CMMC assessments.
NIST SP 800-53A (Option B) provides security control assessments for federal systems, but CMMC assessments are based on NIST SP 800-171.
GAO Yellow Book (Option D) is a government auditing standard used for financial and performance audits, not cybersecurity assessments.
CMMC Assessment Process (CAP) (Option C) is the correct answer because it defines how C3PAOs conduct CMMC assessments.
Official References from CMMC 2.0 Documentation:
CMMC Assessment Process Guide (CAP) – Governs C3PAO assessment execution.
CMMC 2.0 Model Documentation – Requires C3PAOs to follow CAP procedures for assessments.
Final Verification and Conclusion:
The correct answer is C. CMMC Assessment Process, as it is the official methodology all C3PAOs must follow when conducting CMMC assessments.
How does the CMMC define a practice?
Options:
A business transaction
A condition arrived at by experience or exercise
A series of changes taking place in a defined manner
An activity or activities performed to meet defined CMMC objectives
Answer:
D
Explanation:
Understanding the Definition of a "Practice" in CMMC 2.0
In CMMC 2.0, the term "practice" refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.
Definition from CMMC Documentation:
According to the CMMC Model Overview, a practice is defined as:
"An activity or activities performed to meet defined CMMC objectives."
Step-by-Step Breakdown:
This means that practices are the actions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
How Practices Fit into CMMC 2.0:
CMMC 2.0 Level 1 consists of 17 practices, which align with FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
CMMC 2.0 Level 2 consists of 110 practices, aligned directly with NIST SP 800-171 Rev. 2.
Each practice has an objective that must be met to demonstrate compliance.
Official CMMC 2.0 References:
The CMMC 2.0 Model Documentation defines practices as "the fundamental cybersecurity activities necessary to achieve security objectives."
The CMMC Assessment Process (CAP) Guide outlines how assessors verify the implementation of these practices during an assessment.
The NIST SP 800-171A Guide provides assessment objectives for each practice to ensure they are implemented effectively.
Comparison with Other Answer Choices:
A. A business transaction → Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.
B. A condition arrived at by experience or exercise → Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.
C. A series of changes taking place in a defined manner → Incorrect. A practice is a set of security actions, not just a process of change.
Conclusion:
A CMMC practice refers to specific cybersecurity activities performed to meet defined CMMC objectives. This makes Option D the correct answer.
The Advanced Level in CMMC will contain Access Control (AC) practices from:
Options:
Level 1.
Level 3.
Levels 1 and 2.
Levels 1, 2, and 3.
Answer:
D
Explanation:
Understanding Access Control (AC) in CMMC Advanced (Level 3)
The CMMC Advanced Level (Level 3) is designed for organizations handling high-value Controlled Unclassified Information (CUI) and aligns with a subset of NIST SP 800-172 for advanced cybersecurity protections.
Access Control (AC) Practices in CMMC Level 3
✅ CMMC Level 1 includes basic AC practices from FAR 52.204-21 (e.g., restricting access to authorized users).
✅ CMMC Level 2 includes all Access Control (AC) practices from NIST SP 800-171 (e.g., managing privileged access).
✅ CMMC Level 3 expands on Levels 1 and 2, incorporating additional protections from NIST SP 800-172, such as enhanced monitoring and adversary deception techniques.
Why "Levels 1, 2, and 3" is Correct?
CMMC Level 3 builds upon all previous levels, including Access Control (AC) practices from Levels 1 and 2.
Options A, B, and C are incorrect because Level 3 includes all previous AC practices from Levels 1 and 2, plus additional ones.
Breakdown of Answer Choices:
A. Level 1
❌ Incorrect – Level 3 includes AC practices from Levels 1 and 2, not just Level 1.
B. Level 3
❌ Incorrect – Level 3 builds on Levels 1 and 2, not just Level 3 practices.
C. Levels 1 and 2
❌ Incorrect – Level 3 contains additional AC practices beyond Levels 1 and 2.
D. Levels 1, 2, and 3
✅ Correct – Level 3 contains all AC practices from Levels 1 and 2, plus additional ones.
Official References from CMMC 2.0 Documentation:
CMMC Model Framework – Outlines how Level 3 builds upon Level 1 and 2 practices.
NIST SP 800-172 – Defines advanced cybersecurity controls required in CMMC Level 3.
Final Verification and Conclusion:
The correct answer is D. Levels 1, 2, and 3, as CMMC Level 3 includes Access Control (AC) practices from all previous levels plus additional enhancements.
Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?
Options:
Access Control (AC)
Media Protection (MP)
Asset Management (AM)
Configuration Management (CM)
Answer:
D
Explanation:
Understanding the Role of Configuration Management (CM) in CMMC 2.0
The Configuration Management (CM) domain in CMMC 2.0 ensures that systems are securely configured and maintained to prevent unauthorized or unnecessary changes that could introduce vulnerabilities. One key requirement in CM is to restrict, disable, or prevent the use of nonessential programs to reduce security risks.
Relevant CMMC 2.0 Practice:
CM.L2-3.4.1 – Establish and enforce security configuration settings for information technology products employed in organizational systems.
This practice requires organizations to control system configurations, including the removal or restriction of nonessential programs, functions, ports, and services to reduce attack surfaces.
The goal is to minimize exposure to cyber threats by ensuring only necessary and approved software is running on the system.
Why is the Correct Answer CM (D)?
A. Access Control (AC) → Incorrect
Access Control (AC) focuses on managing user permissions and access to systems and data, not restricting programs.
B. Media Protection (MP) → Incorrect
Media Protection (MP) deals with protecting and controlling removable media (e.g., USBs, hard drives) rather than software or system configurations.
C. Asset Management (AM) → Incorrect
Asset Management (AM) is about identifying and tracking IT assets, not configuring or restricting software.
D. Configuration Management (CM) → Correct
CM explicitly covers securing system configurations by restricting nonessential programs, ports, services, and functions, making it the correct answer.
CMMC 2.0 References Supporting this Answer:
CMMC 2.0 Practice CM.L2-3.4.1 (Security Configuration Management)
Requires organizations to enforce security configuration settings and remove unnecessary programs to protect systems.
NIST SP 800-171 Requirement 3.4.1
Supports secure configuration settings and restricting unauthorized applications to prevent security risks.
CMMC 2.0 Level 2 Requirement
This practice is a Level 2 (Advanced) requirement, meaning organizations handling Controlled Unclassified Information (CUI) must comply with it.
When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?
Options:
At the time of award
Upon solicitation submission
Thirty days from the award date
Before the due date of submission
Answer:
A
Explanation:
Per DFARS 252.204-7021, contractors must achieve the required CMMC certification level before contract award if the solicitation specifies it.
Key Requirements:
✔ Contractors must be certified at the required CMMC level prior to contract award.
✔ The certification must be conducted by a C3PAO (for Level 2) or through self-assessment (for Level 1).
✔ The certification must be valid and registered in the Supplier Performance Risk System (SPRS) before award.
Why is the Correct Answer "At the Time of Award" (A)?
A. At the time of award → Correct
DFARS 252.204-7021 requires CMMC certification before a contract can be awarded if the solicitation includes CMMC requirements.
B. Upon solicitation submission → Incorrect
Contractors do not need to be CMMC-certified at the time of bid submission, only by the time of award.
C. Thirty days from the award date → Incorrect
Contractors must already be certified before the award is granted. There is no grace period.
D. Before the due date of submission → Incorrect
While compliance planning is important, CMMC certification is only required before contract award, not before bid submission.
CMMC 2.0 References Supporting This Answer:
DFARS 252.204-7021 (CMMC Requirement Clause)
CMMC certification is required prior to contract award if specified in the solicitation.
CMMC 2.0 Program Overview
States that certification is not needed at bid submission but is required before award.
DoD Interim Rule & SPRS Guidance
Contractors must have a valid CMMC certification recorded in SPRS before award.
Where can a listing of all federal agencies' CUI indices and categories be found?
Options:
32 CFR Section 2002
Official CUI Registry
Executive Order 13556
Official CMMC Registry
Answer:
B
Explanation:
Understanding the Official CUI Registry
The Controlled Unclassified Information (CUI) Registry is the authoritative source for all federal agencies' CUI categories and indices. It is maintained by the National Archives and Records Administration (NARA) and provides:
✅ A comprehensive list of CUI categories and subcategories.
✅ Details on who can handle, store, and share CUI.
✅ Guidance on CUI marking and safeguarding requirements.
Why "Official CUI Registry" is Correct?
The Official CUI Registry is the only federal resource that lists all CUI categories and agencies that use them.
32 CFR Section 2002 (Option A) defines CUI policies but does not provide a full listing of CUI categories.
Executive Order 13556 (Option C) established the CUI Program but does not maintain an active list of categories.
The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.
Breakdown of Answer Choices:
A. 32 CFR Section 2002
❌ Incorrect – Defines CUI program rules but does not list categories.
B. Official CUI Registry
✅ Correct – The registry contains the full list of CUI categories.
C. Executive Order 13556
❌ Incorrect – Established the CUI program but does not maintain a category list.
D. Official CMMC Registry
❌ Incorrect – No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.
Official References from CMMC 2.0 and Federal Documentation:
National Archives (NARA) CUI Registry – The authoritative source for all federal agency CUI categories.
32 CFR 2002 – Provides CUI policy guidance but refers agencies to the Official CUI Registry for classification.
Final Verification and Conclusion:
The correct answer is B. Official CUI Registry, as it is the only official source listing all federal agencies' CUI indices and categories.
Which method facilitates understanding by analyzing gathered artifacts as evidence?
Options:
Test
Examine
Behavior
Interview
Answer:
B
Explanation:
The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.
Supporting Extracts from Official Content:
CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”
Why Option B is Correct:
Examine = analyzing artifacts.
Interview = discussions with personnel.
Test = executing technical checks.
Behavior is not an assessment method.
References (Official CMMC v2.0 Content):
CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).
===========
For a CMMC Level 2 certification, which organization maintains a non-disclosure agreement with the OSC?
Options:
NIST
C3PAO
CMMC-AB
OUSD A&S
Answer:
B
Explanation:
The Certified Third-Party Assessment Organization (C3PAO) enters into a contractual relationship with the OSC. As part of that contract, the C3PAO maintains a non-disclosure agreement (NDA) to protect sensitive and proprietary information reviewed during the assessment.
Supporting Extracts from Official Content:
CAP v2.0, Roles and Responsibilities (§2.8): “The C3PAO maintains a non-disclosure agreement with the OSC to protect all sensitive information disclosed during the assessment.”
Why Option B is Correct:
Only the C3PAO contracts directly with the OSC and is bound to protect assessment data.
NIST, The Cyber AB (formerly CMMC-AB), and OUSD A&S do not enter NDAs directly with OSCs.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Section on OSC–C3PAO agreements.
===========
Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?
Options:
Availability
Confidentiality
Information Integrity
Respect for Intellectual Property
Answer:
B
Explanation:
The requirement to exercise due care in protecting information gathered during an assessment aligns with the principle of Confidentiality under the CMMC Code of Professional Conduct (CoPC). This ensures that sensitive assessment data, findings, and any Controlled Unclassified Information (CUI) remain protected even after the engagement concludes.
Step-by-Step Breakdown:
Definition of Confidentiality in CMMC Context:
Confidentiality refers to protecting sensitive information from unauthorized disclosure.
In the context of a CMMC assessment, it includes safeguarding assessment artifacts, findings, and other sensitive data collected during the evaluation process.
CMMC Code of Professional Conduct (CoPC) References:
The CMMC Code of Professional Conduct states that assessors and organizations must handle all collected information with discretion and ensure its protection post-engagement.
The clause on "Maintaining Confidentiality" specifies that assessors must:
Not disclose sensitive information to unauthorized parties.
Secure data in storage and transmission.
Retain and dispose of data securely in accordance with federal regulations.
Alignment with NIST 800-171 & CMMC Practices:
CMMC Level 2 incorporates NIST SP 800-171 controls, which include:
Requirement 3.1.3: “Control CUI at rest and in transit” to ensure unauthorized individuals do not gain access.
Requirement 3.1.4: “Separate the duties of individuals to reduce risk” ensures that assessment findings are only shared with authorized personnel.
These requirements align with the duty to exercise due care in protecting assessment-related information.
Why the Other Options Are Incorrect:
(A) Availability: This refers to ensuring data is accessible when needed but does not directly relate to protecting gathered information post-assessment.
(C) Information Integrity: This focuses on preventing unauthorized modifications rather than restricting disclosure.
(D) Respect for Intellectual Property: While related to ethical handling of proprietary data, it does not directly cover post-engagement confidentiality requirements.
Final Validation from CMMC Documentation:
The CMMC Code of Professional Conduct and NIST SP 800-171 control requirements confirm that Confidentiality is the correct answer, as it directly pertains to protecting information post-assessment.
Thus, the correct answer is B. Confidentiality.
While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?
Options:
Procedures for implementing access control lists
List of unauthorized users that identifies their identities and roles
User names associated with system accounts assigned to those individuals
Physical access policy that states, "All non-employees must wear a special visitor pass or be escorted."
Answer:
C
Explanation:
Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)
The CMMC 2.0 Level 1 practice IA.L1-3.5.1 aligns with NIST SP 800-171, Requirement 3.5.1, which mandates that organizations identify system users, processes acting on behalf of users, and devices to ensure proper access control.
To comply with this requirement, an Organization Seeking Certification (OSC) must maintain documentation that demonstrates:
A unique identifier (username) for each system user
Mapping of system accounts to specific individuals
Identification of devices and automated processes that access systems
C. User names associated with system accounts assigned to those individuals (Correct)
This documentation directly satisfies IA.L1-3.5.1 because it shows how system users are uniquely identified and linked to specific accounts within the environment.
A list of users and their assigned accounts confirms that the organization has a structured method of tracking access and authentication.
It allows auditors to verify that each user has a distinct identity and that access control mechanisms are properly applied.
A. Procedures for implementing access control lists (Incorrect)
While access control lists (ACLs) are relevant for authorization, they do not identify users or devices specifically, making them insufficient as primary evidence for IA.L1-3.5.1.
B. List of unauthorized users that identifies their identities and roles (Incorrect)
Identifying unauthorized users does not fulfill the requirement of tracking authorized users, devices, and processes.
D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)
This pertains to physical security, not system-based user identification and authentication.
The correct answer is C. User names associated with system accounts assigned to those individuals, as this directly satisfies the identification requirement of IA.L1-3.5.1.