Certified CMMC Professional (CCP) Exam Questions and Answers
Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:
Options:
official.
adequate.
compliant.
subjective.
Answer:
BExplanation:
CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access.
This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.
The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.
Why the Correct Answer is " B. Adequate " ?
TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.
Definition of " Adequate " Evidence in CMMC:
Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.
TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.
If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.
Why Not the Other Options?
A. Official– While the evidence may come from an official source, the CMMCdoes not require evidence to be " official " , only that it beadequateto confirm compliance.
C. Compliant– Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.
D. Subjective– CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.
Relevant CMMC 2.0 References:
CMMC 2.0 Scoping Guide (Nov 2021)– Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide– Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice.
FAR 52.204-21– The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.
Final Justification:
The CCP’s statement that the evidence " fully reflects the performance of the practice " aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.
An assessment is being completed at a client site that is not far from the Lead Assessor ' s home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
Options:
Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.
Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.
Log into the client VPN from the assessor ' s laptop and retrieve the documents from the secure cloud storage service.
Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.
Answer:
BExplanation:
Best Practices for Handling Sensitive Assessment Information
CMMC assessments involve handlingsensitive and potentially CUI-related documents. Assessors must follow strictsecurity policiesto avoid unauthorized access, data leaks, or non-compliance withCMMC 2.0 and NIST SP 800-171 requirements.
Why Logging into the Client VPN on the Client Laptop is the Best Approach:
Ensures Data Protection:The client laptop is likely configured to meet security controls required for handling assessment-related materials.
Prevents Data Spillage:Keeping all assessment-related activities within the client’s secured environment reduces the risk ofdata leakage or unauthorized storage.
Maintains Compliance with CMMC/NIST Guidelines:Using aproperly configured client laptop and secured connectionensures compliance withNIST SP 800-171 controls on secure remote access(Requirement3.13.12).
Clarification of Incorrect Options:
A. " Log into the secure cloud storage service to save copies of the documents on both the work and client laptops. "
Incorrect→Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized systemviolates data handling best practices.
C. " Log into the client VPN from the assessor ' s laptop and retrieve the documents from the secure cloud storage service. "
Incorrect→ Theassessor’s laptop may not be authorizedorsecuredto handle client data. CMMC guidelines emphasizeusing approved, secured systemsfor assessment-related information.
D. " Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick. "
Incorrect→
Transferring sensitive documents via USBintroduces security risks, including unauthorized data storage and potential malware contamination.
Home office workstationsare unlikely to be authorized for handling CMMC-sensitive data.
The director of cybersecurity is considering which company offices and data centers store FCI to ensure an accurate scope for their CMMC Level 1 Self-Assessment . Which asset type is the director considering?
Options:
ESP
People
Facilities
Technology
Answer:
CExplanation:
For CMMC Level 1 scoping , the DoD’s CMMC Scoping Guide – Level 1 (v2.13) instructs an organization performing a Level 1 self-assessment to consider what is in scope for protecting Federal Contract Information (FCI) . Specifically, it states that to appropriately scope a Level 1 self-assessment, the OSA should consider the people, technology, facilities, and external service providers (ESPs) within its environment that process, store, or transmit FCI .
In this scenario, the director is evaluating company offices and data centers where FCI is stored. These are physical locations and physical environments—exactly what the scoping guidance categorizes under Facilities . Facilities in a Level 1 context include physical sites and spaces that may house systems or media containing FCI (e.g., offices, server rooms, data centers), because those locations affect physical access controls, environmental protections, and overall safeguarding of where FCI is handled and stored.
This is distinct from Technology (devices/systems), People (personnel who handle FCI), and ESPs (external providers delivering IT/cyber services). Since the question is explicitly about which offices and data centers store FCI —a physical boundary and location question—the correct asset type is Facilities .
When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?
Options:
It is sufficient, and the audit finding can be rated as MET.
It is insufficient, and the audit finding can be rated NOT MET.
It is sufficient, and the Lead Assessor should seek more evidence.
It is insufficient, and the Lead Assessor should seek more evidence.
Answer:
AExplanation:
Understanding SI.L1-3.14.2: Provide Protection from Malicious Code
The CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:
Implement malicious code protection(e.g., antivirus, endpoint security software).
Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).
Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).
Assessment Criteria for a " MET " Rating:
To determine whether the practice isMET, the Lead Assessor must confirm that:
✔Antivirus or endpoint protection software is installedon all workstations and servers.
✔The solution is centrally managed, ensuring consistent policy enforcement.
✔Signature updates are current, meaning systems are protected against new threats.
✔Logs or reports demonstrate active monitoring and updates.
Why is the Correct Answer " A. It is sufficient, and the audit finding can be rated as MET " ?
The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:
✔All workstations and servers have antivirus installed→Meets installation requirement.
✔A centralized management console is in place→Ensures consistent enforcement.
✔Records show antivirus signatures are up to date→Confirms system protection is current.
Because the evidencemeets the requirement, the practice should berated as MET.
Why Are the Other Answers Incorrect?
B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect
The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.
C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect
Ifadequate evidence already exists,additional evidence is unnecessary.
D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect
The evidence providedmeets the control requirements, making itsufficient.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that a practice can be marked asMET if sufficient evidence is provided.
NIST SP 800-171 (Requirement 3.14.2)
Defines the standard formalicious code protection, which ismet by antivirus with active updates.
CMMC 2.0 Level 1 (Foundational) Requirements
Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.
Final Answer:
✔A. It is sufficient, and the audit finding can be rated as MET.
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Options:
Organizational operations, business assets, and employees
Organizational operations, business processes, and employees
Organizational operations, organizational assets, and individuals
Organizational operations, organizational processes, and individuals
Answer:
CExplanation:
TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.
TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:
" Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. "
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
✅Organizational operations(e.g., mission, business continuity, functions)
✅Organizational assets(e.g., data, IT systems, intellectual property)
✅Individuals(e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.
Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees
❌Incorrect. " Business assets " is not the correct terminology used in CMMC/NIST SP 800-171. Instead, " organizational assets " is the proper term.
B. Organizational operations, business processes, and employees
❌Incorrect. " Business processes " is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.
D. Organizational operations, organizational processes, and individuals
❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.
CMMC Official References
CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.
Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.
An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?
Options:
It handles CUI
It is a restricted IS
It is government property
It is operational technology
Answer:
BExplanation:
A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.
Supporting Extracts from Official Content:
CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”
Why Option B is Correct:
The Windows 95 system is an example of a restricted IS, so it can be scoped out.
Option A is incorrect — the asset is not handling CUI in this case.
Option C is incorrect — government property designation does not define scope.
Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.
===========
During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?
Options:
Adequacy
Sufficiency
Process mapping
Assessment scope
Answer:
BExplanation:
Understanding Evidence Sufficiency in CMMC Level 2 Assessments
During aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:
Examinations– Reviewing documents, configurations, and system records.
Interviews– Speaking with personnel to confirm implementation and understanding.
Testing– Observing security controls in action to validate effectiveness.
To determine whether evidence issufficient, the assessor ensures that it:
Directly supports the assessment objective.
Demonstrates that the practice is consistently implemented.
Can be independently verified.
Why Option B (Sufficiency) is Correct
Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.
Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.
Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.
Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.
Official CMMC Documentation References
CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)
CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation
Final Verification
Since theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.
Which resource contains authoritative data classifications of CUI?
Options:
NARA
CMMC-AB
DoD Contractors FAQ
OSC ' s privacy policies
Answer:
AExplanation:
The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.
The other options are delineated as follows:
CMMC-AB:The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.
DoD Contractors FAQ:While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.
OSC ' s privacy policies:An Organization Seeking Certification ' s internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.
Therefore, for authoritative information on CUI data classifications, the NARA ' s CUI Registry is the appropriate resource.
A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?
Options:
Gathering evidence
Review of the OSC ' s SSP
Overview of the assessment process
Examination of the artifacts for sufficiency
Answer:
CExplanation:
What is Required in the CMMC Assessment Kickoff and Opening Briefing?
Before starting aCMMC assessment, theLead Assessormust present anopening briefingto ensure that theOrganization Seeking Certification (OSC)understands the assessment process.
Step-by-Step Breakdown:
✅1. Overview of the Assessment Process
The Lead Assessormust explain the CMMC assessment methodology, including:
Theassessment objectives and scope
How theassessment team will review security controls
What to expectduring interviews, testing, and document review
This ensurestransparency and alignmentbetween the assessors and the OSC.
✅2. Why the Other Answer Choices Are Incorrect:
(A) Gathering Evidence❌
Evidence collection is part of the assessment butnot the primary topic of the opening briefing.
(B) Review of the OSC ' s SSP❌
While theSSP is a key document, reviewing it is part of the assessment,not the kickoff briefing.
(D) Examination of the artifacts for sufficiency❌
Artifact review happens laterin the assessment process,not during the kickoff.
Final Validation from CMMC Documentation:
TheCMMC Assessment Process Guidestates that theopening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.
Thus, the correct answer is:
✅C. Overview of the assessment process.
At which CMMC Level do the Security Assessment (CA) practices begin?
Options:
Level 1
Level 2
Level 3
Level 4
Answer:
BExplanation:
Step 1: Understand the “CA” Domain – Security Assessment
TheCA (Security Assessment)domain includes practices related to:
Planning security assessments,
Performing periodic reviews,
Managing plans of action and milestones (POA & Ms).
These practices derive fromNIST SP 800-171, specifically:
CA.2.157– Develop, document, and periodically update security plans,
CA.2.158– Periodically assess security controls,
CA.2.159– Develop and implement POA & Ms.
✅Step 2: Review CMMC Levels
Level 1 (Foundational):
Implements only the17 practicesfromFAR 52.204-21
Doesnot include the CA domain
Level 2 (Advanced):
Implements110 practicesfromNIST SP 800-171, including CA.2.157–159
First levelwhereSecurity Assessment (CA)practices are required
Level 3:
Not yet finalized but intended to include selected controls fromNIST SP 800-172
❌Why the Other Options Are Incorrect
A. Level 1
✘No CA domain practices are present at Level 1.
C. Level 3 / D. Level 4
✘These levels build on CA practices but do not represent thestarting point.
TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.
As part of CMMC 2.0, the change to Level 1 Self-Assessments supports " reduced assessment costs " allows all companies at Level 1 (Foundational) to:
Options:
to conduct self-assessments.
opt out of CMMC Assessments.
have assessment costs reimbursed by the DoD.
pay no more than $500.00 for their annual assessment.
Answer:
AExplanation:
Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)
As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):
DoD Statement (CMMC 2.0 Overview):
“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”
✅Step 2: Intent of “Reduced Assessment Costs”
The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.
Level 1 self-assessments are:
Conductedinternally by the OSC,
Affirmed annuallyby a senior company official,
Submitted via SPRS(Supplier Performance Risk System).
❌Why the Other Options Are Incorrect
B. Opt out of CMMC Assessments
✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.
C. Have assessment costs reimbursed by the DoD
✘No such reimbursement mechanism exists.
D. Pay no more than $500.00…
✘No such fixed cost is set or guaranteed in CMMC documentation.
UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.
Ethics is a shared responsibility between:
Options:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Answer:
CExplanation:
Understanding Ethical Responsibility in the CMMC Ecosystem
Ethics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.
Key Ethical Responsibilities Include:
CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.
Why is the Correct Answer " CMMC-AB and Members of the CMMC Ecosystem " (C)?
A. DoD and CMMC-AB → Incorrect
TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.
B. OSC and Sponsors → Incorrect
TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.
CMMC 2.0 References Supporting this Answer:
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities forassessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations forassessors and consultantsduring certification assessments.
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
Options:
When under the control of the DoD
When the document is considered secret
When a document is being shared outside of the organization
When a derivative document ' s original information is not CUI
Answer:
CExplanation:
Background on Legacy Markings and CUI
Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.
Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.
When Must Legacy Markings Be Updated?
If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.
If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.
If a document is being shared externally (Answer C - Correct):
According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.
The document must be re-marked in compliance with the CUI Program before dissemination.
If the original document does not contain CUI (Answer D - Incorrect): The original source document ' s status does not affect the requirement to re-mark a derivative document if it contains CUI.
Conclusion
The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
Options:
OSC and Sponsor
OSC and CMMC-AB
Lead Assessor and C3PAO
C3PAO and Assessment Official
Answer:
CExplanation:
Understanding the CMMC Level 2 Assessment Process
When anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.
Who Signs Off on the Assessment Plan?
According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:
Lead Assessor– The individual responsible for overseeing the execution of the assessment.
C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.
Why " C. Lead Assessor and C3PAO " is Correct?
TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.
TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.
Why Other Answers Are Incorrect?
A. OSC and Sponsor (Incorrect)
TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.
Asponsoris not part of the sign-off process in CMMC assessments.
B. OSC and CMMC-AB (Incorrect)
TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.
TheCMMC-ABdoes not sign off on individualAssessment Plans.
D. C3PAO and Assessment Official (Incorrect)
" Assessment Official " isnot a defined rolein the CMMC assessment process.
TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.
Conclusion
The correct answer isC. Lead Assessor and C3PAO.
TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.
The practices in CMMC Level 2 consists of the security requirements specified in:
Options:
NISTSP 800-53.
NISTSP 800-171.
48 CFR 52.204-21.
DFARS 252.204-7012.
Answer:
BExplanation:
The Cybersecurity Maturity Model Certification (CMMC) Level 2 is designed to ensure that organizations can adequately protect Controlled Unclassified Information (CUI). To achieve this, CMMC Level 2 incorporates specific security requirements.
Step-by-Step Explanation:
Alignment with NIST SP 800-171:
CMMC Level 2 aligns directly with the security requirements outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This publication, titled " Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, " provides a comprehensive framework for safeguarding CUI.
Incorporation of Security Requirements:
The practices required for CMMC Level 2 certification encompass all 110 security requirements specified in NIST SP 800-171. These requirements are organized into 14 families, each addressing different aspects of cybersecurity, such as access control, incident response, and risk assessment.
Purpose of Alignment:
By integrating the NIST SP 800-171 requirements, CMMC Level 2 aims to standardize the implementation of cybersecurity practices across organizations handling CUI, ensuring a consistent and robust approach to protecting sensitive information.
During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?
Options:
Ability
Eligibility
Capability
Suitability
Answer:
BExplanation:
What Happens in Phase 4 of the CMMC Assessment Process?
Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:
Review all assessment findings
Determine the Organization Seeking Certification’s (OSC) eligibility for certification
Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)
Key Responsibilities of the Lead Assessor in Phase 4:
Ensure that the OSC hasmet the required practices and processes.
Confirm that anydeficiencieshave been corrected or appropriately documented.
Recommendwhether the OSC is eligible for certificationbased on assessment results.
Since theLead Assessor must determine and recommend the OSC’s eligibilityto the C3PAO, the correct answer isB. Eligibility.
Why the Other Answers Are Incorrect
A. Ability
❌Incorrect. While assessing an OSC’s ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.
C. Capability
❌Incorrect. Capability refers to an organization ' stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.
D. Suitability
❌Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.
CMMC Official References
CMMC Assessment Process (CAP) Document– Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.
CMMC 2.0 Model– Defines the assessment process, including certification decision-making.
Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.
A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?
Options:
Identify resources and schedule.
Select Assessment Team members.
Identify and manage assessment risks.
Select and develop the evidence collection approach.
Answer:
AExplanation:
ACertified Third-Party Assessor Organization (C3PAO)is responsible for conductingCMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop anAssessment Plan, which includes several key elements.
The part of the plan that captures:
✅Names of interviewees
✅Facilities to be utilized
✅Estimated costs
✅Assessment schedule
falls under the " Identify Resources and Schedule " section of the plan.
Step-by-Step Breakdown:
✅1. Identify Resources and Schedule
This section of theCMMC Assessment Planoutlines:
Thepersonnelinvolved (e.g., interviewees, assessors).
Thelocationswhere the assessment will take place.
Thetimeline and scheduling details.
Theestimated costsassociated with the assessment.
This ensures that all necessaryresourcesare allocated and that the assessment proceeds as planned.
✅2. Why the Other Answer Choices Are Incorrect:
(B) Select Assessment Team Members❌
This section focuses onchoosing the assessorswho will conduct the evaluation, not listing interviewees and facilities.
(C) Identify and Manage Assessment Risks❌
This part of the plandocuments risks(e.g., scheduling conflicts, data access issues), but it doesnot outline names, facilities, or costs.
(D) Select and Develop the Evidence Collection Approach❌
This step defineshowevidence will be gathered (e.g., document reviews, interviews, system testing) but doesnot focus on logistics.
Final Validation from CMMC Documentation:
TheCMMC Assessment Process Guidestates thatresource identification and schedulingare essential for organizing the assessment. Since this sectioncaptures interviewees, facilities, costs, and the schedule, the correct answer is:
✅A. Identify resources and schedule.
Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?
Options:
DoD OUSD
DIB Collaborative Information Sharing Environment
Committee on National Security Systems Instructions
CMMC Assessors and Instructors Certification Organization
Answer:
DExplanation:
Understanding the Role of CAICO in the CMMC Ecosystem
TheCMMC Ecosystemconsists of multiple organizations that manage, implement, and oversee different aspects of theCybersecurity Maturity Model Certification (CMMC)program.
One of the key organizations is theCMMC Assessors and Instructors Certification Organization (CAICO), which is responsible for:
Training and certifying assessors and instructors.
Managing testing, authorization, and certificationfor CMMC professionals.
Ensuring assessors meet qualification and compliance standards.
Why Option D (CAICO) is Correct
TheCAICO is explicitly taskedwith thetraining, testing, authorization, and certification of candidate assessors and instructors.
Option A (DoD OUSD)is incorrect because theDoD Office of the Under Secretary of Defense(OUSD) provides policy oversight butdoes not handle certification of assessors.
Option B (DIB Collaborative Information Sharing Environment)is incorrect because theDIB CISfocuses on information sharing within the Defense Industrial Base, not assessor certification.
Option C (Committee on National Security Systems Instructions)is incorrect because CNSSI provides security standards butdoes not manage assessor training or certification.
Official CMMC Documentation References
CMMC Ecosystem Overview – Role of the CAICO
CMMC Assessment Process (CAP) Guide – Assessor Certification and Training
Final Verification
SinceCAICO is responsible for training, testing, and certifying CMMC assessors and instructors, the correct answer isOption D: CMMC Assessors and Instructors Certification Organization.
After completing a Level 2 Assessment, a C3PAO is preparing to upload the Assessment Results Package to Enterprise Mission Assurance Support Service. Which document MUST be included as part of the final assessment results package?
Options:
Final Report
Certification rating
Summary-level findings
All Daily Checkpoint logs
Answer:
AExplanation:
Understanding the Assessment Results Package Submission
After completing aCMMC Level 2 Assessment, theCertified Third-Party Assessment Organization (C3PAO)mustsubmit the final assessment results packageto theEnterprise Mission Assurance Support Service (eMASS)system.
Key Required Document: Final Report
TheFinal Reportis themandatory documentthatcontains all assessment details, findings, and scoring.
It serves as theofficial record of the assessmentanddetermines certification eligibility.
Why is the Correct Answer " Final Report " (A)?
A. Final Report → Correct
TheFinal Report is requiredin the submission package todocument assessment results officially.
It includes asummary of findings, scoring, and recommendations.
B. Certification rating → Incorrect
The C3PAO does not issue certification ratings—theDoDandCMMC-ABdetermine certification status after reviewing the Final Report.
C. Summary-level findings → Incorrect
While the Final Reportincludessummary findings, astandalone summary-level findings document is not a required upload.
D. All Daily Checkpoint logs → Incorrect
Checkpoint logsare part of the internal assessment process butare not required in the final eMASS submission.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that theFinal Report must be submitted to eMASSafter a Level 2 assessment.
CMMC-AB Guidelines for C3PAOs
States that theFinal Report is the key document used to determine certification status.
DFARS 252.204-7021 (CMMC Requirements Clause)
Requires the assessment results to be documented in an official report and submitted via eMASS.
Final Answer:
✔A. Final Report
A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?
Options:
The C3PAO submits the results to the CMMC-AB.
The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.
The C3PAO submits the results to Enterprise Mission Assurance Support Service.
The Lead Assessor submits the results to the CMMC-AB.
Answer:
CExplanation:
The correct answer is C . Under the official CMMC Assessment Process, the C3PAO is responsible for submitting CMMC Level 2 certification assessment results into CMMC eMASS , which is the Enterprise Mission Assurance Support Service environment used for CMMC assessment result submission. The CMMC Assessment Process Version 2.0 states that CMMC Level 2 certification assessment results are uploaded to CMMC eMASS by the C3PAO, and that the user workspace used for upload must exist within the scope of the C3PAO’s DIBCAC-assessed environment.
This means the OSC does not submit the final certification assessment package directly, and the Lead Assessor does not independently submit final results to the CMMC-AB. The Lead Assessor leads assessment execution, prepares findings, supports the out-brief, and works with the assessment team, but the formal assessment-result submission function belongs to the authorized C3PAO. The CMMC Quality Assurance Professional review occurs before final submission to help ensure assessment completeness, consistency, and quality. After that review, the C3PAO submits the assessment results into the official CMMC eMASS environment. Therefore, options A , B , and D are incorrect because they identify the wrong receiving entity or the wrong submitting party. Option C correctly identifies both the submitting organization and the official submission system.
===========
Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?
Options:
Level 1
Level 2
Level 3
Any level
Answer:
BExplanation:
1. Understanding CMMC 2.0 Levels and CUI Handling Requirements
UnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.
CMMC 2.0 Levels:
Level 1 (Foundational) – 17 Practices
Covers onlyFederal Contract Information (FCI)security.
Does NOT meet CUI handling requirements.
Level 2 (Advanced) – 110 Practices✅
REQUIRED for handling CUI.
Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.
Contractorsmust achieve Level 2for contracts requiring CUI protection.
Level 3 (Expert) – 110+ Practices
Required for contracts involvinghigh-value CUIandcritical national security information.
Includesadditionalprotections fromNIST SP 800-172.
2. Official CMMC 2.0 References Confirming Level 2 for CUI
TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.
DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.
TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.
3. Why the Other Options Are Incorrect
A. Level 1❌
Only covers FCI, not CUI.
Does notmeet DoD requirements for protectingCUI.
C. Level 3❌
While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.
Level 2 is the minimumneeded to handle CUI.
D. Any level❌
OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.
Level 1 doesnotmeet CUI security standards.
What is objectivity as it applies to activities with the CMMC-AB?
Options:
Ensuring full disclosure
Reporting results of CMMC services completely
Avoiding the appearance of or actual, conflicts of interest
Demonstrating integrity in the use of materials as described in policy
Answer:
CExplanation:
nderstanding Objectivity in CMMC-AB Activities
Objectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.
Key Aspects of Objectivity in CMMC Assessments:
✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.
✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.
✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.
Why is the Correct Answer " C. Avoiding the appearance of or actual, conflicts of interest " ?
A. Ensuring full disclosure → Incorrect
Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.
B. Reporting results of CMMC services completely → Incorrect
Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.
C. Avoiding the appearance of or actual, conflicts of interest → Correct
Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.
Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.
D. Demonstrating integrity in the use of materials as described in policy → Incorrect
Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.
CMMC Assessment Process (CAP) Document
Emphasizes that assessments must befree from external influence and conflicts of interest.
ISO/IEC 17020 Requirements for Inspection Bodies
Definesobjectivity as avoiding conflicts of interest in the assessment process.
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
Options:
Test
Assess
Examine
Interview
Answer:
CExplanation:
Understanding the " Examine " Assessment Method in CMMC 2.0
CMMC 2.0 usesthree assessment methodsto evaluate security compliance:
Examine– Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).
Interview– Speaking with personnel to verify knowledge and responsibilities.
Test– Performing technical validation to check system configurations.
Relevant CMMC 2.0 Reference:
TheCMMC Assessment Process (CAP)definesExamineas the method used toreview or analyze assessment objects, such as policies, procedures, configurations, and logs.
Why is the Correct Answer " Examine " (C)?
A. Test → Incorrect
" Test " involvesexecutinga function to validate its security (e.g., verifying access controls through a live system test).
B. Assess → Incorrect
" Assess " is a broad term; CMMC explicitly defines " Examine " as the method for reviewing documentation.
C. Examine → Correct
" Examine " is the official term forreviewing policies, procedures, configurations, or logs.
D. Interview → Incorrect
" Interview " involvesverbal discussions with personnel, not document analysis.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines " Examine " asanalyzing assessment objects (e.g., policies, procedures, logs, documentation).
NIST SP 800-171A
Specifies " Examine " as a method toreview security controls and configurations.
Which NIST SP defines the Assessment Procedure leveraged by the CMMC?
Options:
NIST SP 800-53
NISTSP800-53a
NIST SP 800-171
NISTSP800-171a
Answer:
DExplanation:
Which NIST SP Defines the Assessment Procedures for CMMC?
CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.
Step-by-Step Breakdown:
✅1. NIST SP 800-171A Defines Assessment Procedures
NIST SP 800-171Ais titled " Assessing Security Requirements for Controlled Unclassified Information (CUI) " .
It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.
CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.
✅2. Why the Other Answer Choices Are Incorrect:
(A) NIST SP 800-53❌
800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.
(B) NIST SP 800-53A❌
800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.
(C) NIST SP 800-171❌
800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.
Final Validation from CMMC Documentation:
TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.
Thus, the correct answer is:
In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?
Options:
All recorded digital documents
All digital and recorded paper documents
All digital documents and recorded media
All recorded information, regardless of form or characteristics
Answer:
DExplanation:
Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.
Reference Documents:
Title 44, U.S. Code, Chapter 33: Records Management
NARA Records Management Directive
While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?
Options:
Procedures for implementing access control lists
List of unauthorized users that identifies their identities and roles
User names associated with system accounts assigned to those individuals
Physical access policy that states. " All non-employees must wear a special visitor pass or be escorted. "
Answer:
CExplanation:
Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)
TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.
To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:
A unique identifier (username) for each system user
Mapping of system accounts to specific individuals
Identification of devices and automated processes that access systems
Why " C. User names associated with system accounts assigned to those individuals " is Correct?
This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.
Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.
It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.
Why Other Answers Are Incorrect?
A. Procedures for implementing access control lists (Incorrect)
While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.
B. List of unauthorized users that identifies their identities and roles (Incorrect)
Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.
D. Physical access policy stating " All non-employees must wear a special visitor pass or be escorted " (Incorrect)
This pertains tophysical security, not system-baseduser identification and authentication.
Conclusion
The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.
The IT manager is scoping the company ' s CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?
Options:
ESP
People
Facilities
Technology
Answer:
DExplanation:
Understanding Asset Types in CMMC 2.0
In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.
According to CMMC Scoping Guidance, there are five primary asset types:
Security Protection Assets (ESP - External Service Providers & Security Systems)
People (Personnel who interact with FCI/CUI)
Facilities (Physical locations housing FCI/CUI)
Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)
CUI Assets (For Level 2 assessments, assets specifically storing CUI)
Why " Technology " Is the Correct Answer
The IT manager is evaluating servers, laptops, databases, and applications—all of which are technology assets used to store, process, or transmit FCI.
According to CMMC Scoping Guidance, Technology assets include:
✅Endpoints (Laptops, Workstations, Mobile Devices)
✅Servers (On-premise or cloud-based)
✅Networking Devices (Routers, Firewalls, Switches)
✅Applications (Software, Cloud-based tools)
✅Databases (Storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).
Why the Other Answers Are Incorrect
A. ESP (Security Protection Assets)
❌Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.
B. People
❌Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software—which falls under Technology, not People.
C. Facilities
❌Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.
CMMC Official References
CMMC Level 1 Scoping Guide (CMMC-AB) – Defines asset categories, including Technology.
CMMC 2.0 Scoping Guidance for Assessors – Provides clarification on FCI assets.
Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.
Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?
Options:
CMMC Glossary
CMMC Appendices
CMMC Assessment Process
CMMC Assessment Guide Levels 1 and 2
Answer:
DExplanation:
Understanding the Best Source for CMMC Practice Descriptions
TheCMMC Assessment Guide (Levels 1 and 2)is theprimaryandmost authoritativedocument for detailed descriptions of each practice and process within the variousCMMC domains.
Step-by-Step Breakdown:
✅1. What is the CMMC Assessment Guide?
TheCMMC Assessment Guideprovides detailed explanations of:
EachCMMC practicewithin its respectivedomain.
Theassessment objectivesfor verifying implementation.
Examples ofevidence requiredto demonstrate compliance.
CMMC 2.0 includes two levels:
Level 1: 17 basic cybersecurity practices.
Level 2: 110 practices aligned withNIST SP 800-171.
TheAssessment Guidedefines howassessorsevaluate compliance.
✅2. Why the Other Answer Choices Are Incorrect:
(A) CMMC Glossary❌
TheGlossaryprovidesdefinitions of termsused in CMMC but does not describe specific practices in detail.
(B) CMMC Appendices❌
Appendicesinclude supplementary information likereferences and scoping guidance, but they do not provide full descriptions of practices.
(C) CMMC Assessment Process❌
TheAssessment Process Guideexplainshowassessments are conducted, but it doesnot describe each practicein detail.
Final Validation from CMMC Documentation:
TheCMMC Assessment Guide (Levels 1 and 2)is theofficialsource for descriptions of eachCMMC practice and process, making it thebest referencefor understanding compliance requirements.
What is the BEST document to find the objectives of the assessment of each practice?
Options:
CMMC Glossary
CMMC Appendices
CMMC Assessment Process
CMMC Assessment Guide Levels 1 and 2
Answer:
DExplanation:
1. Understanding the Role of Assessment Objectives in CMMC 2.0
Theassessment objectivesfor each CMMC practice define thespecific criteriathat an assessor uses to evaluate whether a practice is implemented correctly. These objectives break down each control into measurable components, ensuring a structured and consistent assessment process.
To determine where these objectives are best documented, we need to consider theofficial CMMC documentation sources.
2. Why Answer Choice " D " is Correct – CMMC Assessment Guide Levels 1 and 2
TheCMMC Assessment Guide (Levels 1 & 2)is theprimary documentthat provides:
✅The detailedassessment objectivesfor each practice
✅A breakdown of the expectedevidence and implementation details
✅Step-by-stepassessment criteriafor assessors to verify compliance
Each CMMC practice in the Assessment Guide is aligned with the correspondingNIST SP 800-171 or FAR 52.204-21 control, and the guide specifies:
How to assess compliancewith each practice
What evidenceis required for validation
What stepsan assessor should follow
???? Reference from Official CMMC Documentation:
CMMC Assessment Guide – Level 2 (Aligned with NIST SP 800-171)explicitly states:
" Each practice is assessed based on defined assessment objectives to determine if the practice is MET or NOT MET. "
CMMC Assessment Guide – Level 1 (Aligned with FAR 52.204-21)provides similar objectives tailored for foundational cybersecurity requirements.
Thus,CMMC Assessment Guide Levels 1 & 2 are the BEST sources for assessment objectives.
3. Why Other Answer Choices Are Incorrect
Option
Reason for Elimination
A. CMMC Glossary
❌The glossary only defines terminology used in CMMC but does not provide assessment objectives.
B. CMMC Appendices
❌The appendices contain supplementary details, but they do not comprehensively list assessment objectives for each practice.
C. CMMC Assessment Process (CAP)
❌While the CAP document describes the assessmentworkflow and methodology, it does not outline the specific objectives for each practice.
4. Conclusion
To locate thebest reference for assessment objectives, theCMMC Assessment Guide Levels 1 & 2are the most authoritative and detailed sources. They contain step-by-step assessment criteria, ensuring that practices are evaluated correctly.
✅Final Answer:
D. CMMC Assessment Guide Levels 1 and 2
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
Options:
Host Unit
Branch Office
Coordinating Unit
Supporting Organization/Units
Answer:
AExplanation:
According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.
Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the " anchor " for the assessment boundary.
Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.
Relationship to other units:
Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary " Host " of the CUI/FCI. They are in-scope because they provide " Security Protection " or " Administrative " functions to the Host Unit.
Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the " people, processes, and technology " being assessed under the CMMC CAP.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.
CMMC Level 2 Scoping Guidance: Provides the framework for identifying the " assets " (people, technology, facilities) that reside within the Host Unit boundary.
CCP Study Guide: Section on " Scoping the Assessment, " which explains how to identify the Host Unit versus External Service Providers (ESPs).
How many cybersecurity levels does the CMMC Model structure contain?
Options:
2 Levels.
3 Levels.
5 Levels.
4 Levels.
Answer:
BExplanation:
The correct answer is B , 3 Levels. The official CMMC 2.0 Model Overview states that there are three levels within CMMC: Level 1, Level 2, and Level 3 . It explains that the model measures implementation of cybersecurity requirements at three levels, with each level containing a defined set of CMMC practices. Level 1 is focused on basic safeguarding of Federal Contract Information, Level 2 is focused on protection of Controlled Unclassified Information using requirements aligned to NIST SP 800-171, and Level 3 is intended for higher-risk programs requiring enhanced protection.
This is a major difference between CMMC 2.0 and the earlier CMMC 1.0 structure. CMMC 1.0 used five maturity levels, but CMMC 2.0 simplified the model to three cybersecurity levels. Therefore, option C , 5 Levels, reflects the older CMMC 1.0 structure and is not correct for CMMC 2.0. Option A , 2 Levels, is incorrect because it omits one of the three official levels. Option D , 4 Levels, is also incorrect because the official CMMC 2.0 model does not contain four levels. The bottom line is that CMMC 2.0 contains three cybersecurity levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert .
The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?
Options:
MET
POA & M
NOT MET
NOT APPLICABLE
Answer:
AExplanation:
Understanding the CMMC Assessment Process (CAP) Phases
TheCMMC Assessment Process (CAP)consists ofthree primary phases:
Phase 1 - Planning(Pre-assessment activities)
Phase 2 - Conducting the Assessment(Evidence collection and analysis)
Phase 3 - Reporting and Finalizing Results
DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.
Scoring Practices in Phase 3
The CAP document specifies that a practice can bescored as METif:
✅The deficiency identified in Phase 2 has been fully corrected before final scoring.
✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.
✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.
Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.
Why the Other Answers Are Incorrect
B. POA & M (Plan of Action & Milestones)
❌Incorrect. APOA & M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.
C. NOT MET
❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.
D. NOT APPLICABLE
❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.
CMMC Official References
CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA & M.
Thus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.
Which statement is NOT a requirement for a Licensed Partner Publisher?
Options:
Must have at least two years of history in publishing
Must possess a Dun and Bradstreet number and background check
Must receive CMMC Level 3 certification
Must be approved by CMMC-AB or authorized organization
Answer:
CExplanation:
The correct answer is C because a Licensed Partner Publisher is an ecosystem participant that produces or distributes approved CMMC-related learning or publishing content; it is not the same thing as an Organization Seeking Assessment or a Defense Industrial Base contractor pursuing a CMMC Level 3 certification status. CMMC certification levels apply to organizations handling FCI or CUI in connection with DoD contract performance, not to every training, publishing, or ecosystem-support organization. The CMMC Assessment Process describes CMMC as the DoD initiative for assessing and certifying conformance by companies and organizations in the Defense Industrial Base, specifically to safeguard CUI and FCI processed, stored, or transmitted during DoD contract performance. A publisher may need business validation, authorization, background checks, and approval by the CMMC Accreditation Body or authorized program entity, but requiring CMMC Level 3 certification would be misaligned with the role. Level 3 is an advanced contractor cybersecurity status, not a publishing-partner qualification. Reference/topics: CMMC Ecosystem, Licensed Partner Publisher, Cyber AB ecosystem roles, CMMC certification applicability.
What is a PRIMARY activity that is performed while conducting an assessment?
Options:
Develop assessment plan.
Collect and examine evidence.
Verify readiness to conduct assessment.
Deliver recommended assessment results.
Answer:
BExplanation:
Step 1: Understand the Assessment Phases (CAP v1.0)
TheCMMC Assessment Process (CAP)outlines a structured lifecycle for assessments, including:
Plan and Prepare Phase– Develop the assessment plan (before the assessment starts).
Conduct Assessment Phase– Execute the actual assessment activities.
Report Results Phase– Finalize and deliver the assessment outcomes.
CAP v1.0 – Section 3.5 (Conduct Assessment):
“The assessment team collects, examines, and evaluates evidence to determine if practices are MET or NOT MET.”
✅Step 2: Why “Collect and Examine Evidence” Is the Primary Activity
During the“Conduct Assessment” phase, the main activity is to:
Collect evidence(documentation, interviews, testing),
Validate adequacy and sufficiency,
Score practicesas MET/NOT MET.
This is thecore responsibilityof assessorswhile conductingan assessment.
❌Why the Other Options Are Incorrect
A. Develop assessment plan
✘This occurs in thePlan and Preparephasebeforeconducting the assessment.
C. Verify readiness to conduct assessment
✘Readiness verification is part ofpre-assessment activities, not during the assessment itself.
D. Deliver recommended assessment results
✘This is done during theReport Resultsphase after the assessment has been conducted.
Theprimary activity performed during the actual executionof a CMMC assessment iscollecting and examining evidenceto determine compliance with practices.
During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?
Options:
The inventory list does not specify mobile devices.
The interviewee attested to encrypting all data at rest.
The inventory list does not include Bring Your Own Devices.
The DoD has accepted an alternative safeguarding measure for mobile devices.
Answer:
AExplanation:
In the context of a Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessment, specific practices must be evaluated to ensure compliance with established security requirements. One such practice is AC.L2-3.1.19, which mandates the encryption of Controlled Unclassified Information (CUI) on mobile devices and mobile computing platforms.
Step-by-Step Explanation:
Requirement Overview:
Practice AC.L2-3.1.19 requires organizations to " Encrypt CUI on mobile devices and mobile computing platforms. " This ensures that any CUI accessed, stored, or transmitted via mobile devices is protected through encryption, mitigating risks associated with data breaches or unauthorized access.
Assessment of Provided Evidence:
During the assessment, the Organization Seeking Certification (OSC) provided an inventory list encompassing servers, workstations, and network devices. Notably, this list lacks any mention of mobile devices or mobile computing platforms.
Implications of the Omission:
The absence of mobile devices in the inventory suggests that the OSC may not have accounted for all assets that process, store, or transmit CUI. Without a comprehensive inventory that includes mobile devices, it ' s challenging to verify whether the OSC has implemented the necessary encryption measures for CUI on these platforms.
Assessment Determination:
Given the incomplete inventory, the evidence is insufficient to make a definitive scoring determination for practice AC.L2-3.1.19. The OSC must provide a detailed inventory that encompasses all relevant devices, including mobile devices and computing platforms, to demonstrate compliance with the encryption requirements for CUI.
The evidence needed for each practice and/or process is weighed for:
Options:
Adequacy and sufficiency
Adequacy and thoroughness
Sufficiency and thoroughness
Sufficiency and appropriateness
Answer:
AExplanation:
The CAP makes clear that evidence collected during the assessment is evaluated for both adequacy (does the evidence align with the requirement) and sufficiency (is there enough evidence to make a confident determination).
Supporting Extracts from Official Content:
CAP v2.0, Evidence Collection Guidance: “Evidence must be evaluated for adequacy… and for sufficiency, to ensure enough information is available to support the assessor’s determination.”
Why Option A is Correct:
Evidence is assessed based on two qualities only: adequacy and sufficiency.
“Thoroughness” and “appropriateness” are not official CAP terms for evidence evaluation.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Evidence Evaluation section.
===========
An OSC receives an email with " CUI//SP-PRVCY//FED Only " in the body of the message Which organization ' s website should the OSC go to identify what this marking means?
Options:
NARA
CMMC-AB
DoD Contractors FAQ page
DoD 239.7601 Definitions page
Answer:
AExplanation:
Understanding CUI Markings and the Role of NARA
What Does " CUI//SP-PRVCY//FED Only " Mean?
The email containsControlled Unclassified Information (CUI)withspecific categories and dissemination controls.
CUI//SP-PRVCY//FED Onlybreaks down as follows:
CUI→ Controlled Unclassified Information designation.
SP-PRVCY→Specifiedcategory forPrivacy Information(SP stands for " Specified " ).
FED Only→ Restriction forFederal Government use only(not for contractors or the public).
Who Maintains the Official CUI Registry?
TheNational Archives and Records Administration (NARA) oversees the CUI Programand maintains the officialCUI
The CUI Registry providesdefinitions, marking guidance, and categoriesfor all CUI labels, including " SP-PRVCY " and dissemination controls like " FED Only. "
Why NARA is the Correct Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI shouldrefer to the NARA CUI Registryfor official marking interpretations.
DoD contractors and other organizationsmust comply with NARA guidelines when handling, marking, and disseminating CUI.
Clarification of Incorrect Options:
B. CMMC-AB– TheCMMC Accreditation Bodymanages certification assessments butdoes not define or interpret CUI markings.
C. DoD Contractors FAQ Page– The DoD may provide general contractor guidance, butCUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page– This refers to generalDoD acquisition definitions, butCUI categories and markings fall under NARA’s authority.
When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?
Options:
NISTSP 800-53
NISTSP 800-88
NISTSP 800-171
NISTSP 800-172
Answer:
CExplanation:
CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, " Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. " Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.
Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.
These controls are categorized under14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.
Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
TheNIST SP 800-171A " Assessment Guide " provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.
TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ( " Security and Privacy Controls for Federal Information Systems and Organizations " )
This documentapplies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.
B. NIST SP 800-88 ( " Guidelines for Media Sanitization " )
This documentfocuses on secure data destructionand media sanitization techniques.
While data disposal is important, this standarddoes not define security controls for protecting CUI.
D. NIST SP 800-172 ( " Enhanced Security Requirements for Protecting CUI " )
This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).
It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.
Key References for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2(NIST Official Site)
NIST SP 800-171A (Assessment Guide)(NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide(Cyber AB)
Conclusion:
SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:
✅C. NIST SP 800-171
An organization that manufactures night vision cameras is looking for help to address the gaps identified in physical access control systems. Which certified individual should they approach for implementation support?
Options:
CCA of the C3PAO performing the assessment
RP of an organization not part of the assessment
Practitioner of the organization performing the assessment LTP
DoD Contract Official of the organization performing the assessment
Answer:
BExplanation:
Anorganization seeking helpto address security gaps—such asphysical access control deficiencies—needs acertified professional who can provide implementation supportwithoutbeing involved in the actual CMMC assessment.
Role of a Registered Practitioner (RP)
A Registered Practitioner (RP)is a CMMC-certified individualwho provides consulting and implementation supportto organizations butdoes not perform assessments.
RPs work independently from C3PAOsand canassist in fixing gapsin security controlsbeforeorafteran assessment.
Since RPs are not assessors, they can provide direct remediation supportwithout any conflict of interest.
Why " B. RP of an Organization Not Part of the Assessment " is Correct?
The OSC needs assistance in implementing security controls(not assessment).
An RP is trained and authorized to provide remediation and advisory services.
Conflict of interest rules prevent the assessing C3PAO from providing implementation support.
Why Other Answers Are Incorrect?
A. CCA of the C3PAO performing the assessment (Incorrect)
ACertified CMMC Assessor (CCA)is responsible for conducting the assessmentonly.
TheC3PAO performing the assessment cannot also provide remediationdue to aconflict of interest.
C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)
The assessmentLead Technical Practitioner (LTP)cannot provide remediation support for an OSC they are assessing.
D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)
DoD Contract Officialsoversee contract compliance butdo not provide cybersecurity implementation support.
Conclusion
The correct answer isB. RP of an organization not part of the assessment, asonly independent RPs can assist with remediation and implementation support.
When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:
Options:
federal systems that process, store, or transmit CUI.
nonfederal systems that process, store, or transmit CUI.
federal systems that process, store, or transmit CUI. or that provide protection for the system components.
nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.
Answer:
DExplanation:
Understanding Scoping in CMMC 2.0
TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.
Scoping determineswhich system components must comply with CMMC practices.
If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.
Why the Correct Answer is " D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components " ?
CMMC Applies to Contractors, Not Federal Systems
CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.
Federal systems arealready governed by NIST SP 800-53and other regulations.
Scope Includes Systems That Process CUI AND Those That Protect Them
Systemsprocessing, storing, or transmitting CUIare in scope.
Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.
Why Not the Other Options?
A. Federal systems that process, store, or transmit CUI.→Incorrect
CMMCdoes not apply to federal systems.
B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete
Itexcludes security systemsthat protect CUI assets, whichare also in scope.
C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect
CMMConly applies to nonfederal systems.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.
NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.
DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.
Final Justification:
SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?
Options:
CUI Assets and Specialized Assets
Security Protection Assets and CUI Assets
Specialized Assets and Contractor Risk Managed Assets
Security Protection Assets and Contractor Risk Managed Assets
Answer:
BExplanation:
Understanding CMMC Asset Scoping Requirements
Before conducting aCMMC Level 2 Assessment, anOrganization Seeking Certification (OSC)must define theassessment scopeby categorizing all assets. This ensures that only relevant systems are assessed againstCMMC practices, reducing unnecessary compliance burdens.
According to theCMMC Scoping Guide for Level 2, there are four asset categories:
CUI Assets– Assets that process, store, or transmitControlled Unclassified Information (CUI).
Security Protection Assets (SPA)– Assets that providesecurity functions(e.g., firewalls, intrusion detection systems, identity management systems).
Contractor Risk Managed Assets (CRMA)– Assets thatdo not directly store/process CUIbut interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).
Specialized Assets– Unique systems such asOperational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may requirelimitedCMMC assessment.
Which Asset Categories Are Always Assessed?
✅1. CUI Assets(ALWAYS ASSESSED)
These are theprimary focusof CMMC Level 2 since they handleCUI.
All110 NIST SP 800-171 controlsapply to these assets.
✅2. Security Protection Assets (SPA)(ALWAYS ASSESSED)
Security tools that protectCUI Assetsarealways includedin the assessment.
Examples includefirewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.
Why the Other Answer Choices Are Incorrect:
(A) CUI Assets and Specialized Assets❌
CUI Assets are assessed, butSpecialized Assets are only assessed in a limited manner, depending on their role inCUI security.
(C) Specialized Assets and Contractor Risk Managed Assets❌
Specialized Assets and CRMAsare typicallynot fully assessedagainst CMMC controls unless they directly impactCUI security.
(D) Security Protection Assets and Contractor Risk Managed Assets❌
SPAs are always assessed, butCRMAs are not necessarily assessedunless they directly impact CUI.
Final Validation from CMMC Documentation:
TheCMMC Scoping Guide (Level 2)clearly states thatCUI Assets and Security Protection Assetsarealways assessedagainst CMMC practices.
Thus, the correct answer is:
B. Security Protection Assets and CUI Assets.
What service is the MOST comprehensive that the RPO provides?
Options:
Training services
Education services
Consulting services
Assessment services
Answer:
CExplanation:
Understanding the Role of a Registered Provider Organization (RPO)
ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.
Key Functions of an RPO
✅Consulting servicesto help companies prepare for CMMC assessments.
✅Guidance on security controlsrequired for compliance.
✅Assistance with documentation, policy development, and gap analysis.
✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).
Why " Consulting Services " is the Correct Answer?
Consulting servicesare thebroadest and most comprehensivefunction of an RPO.
RPOs do not conduct assessments(eliminating option D).
Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).
Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.
Breakdown of Answer Choices
Option
Description
Correct?
A. Training services
❌Incorrect–RPOs may provide training, but this isnot their primary function.
B. Education services
❌Incorrect–Similar to training, butnot the most comprehensive service.
C. Consulting services
✅Correct – The core function of an RPO is consulting, which includes various readiness services.
D. Assessment services
❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.
Official References from CMMC 2.0 Documentation
TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.
Final Verification and Conclusion
The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.
Which CMMC Levels focus on protecting CUI from exfiltration?
Options:
Levels 1 and 2
Levels 1 and 3
Levels 2 and 3
Levels 1, 2, and 3
Answer:
CExplanation:
Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).
Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.
Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.
Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.
Reference Documents:
CMMC Model v2.0 Overview (DoD, December 2021)
NIST SP 800-171 Rev. 2,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-172,Enhanced Security Requirements for Protecting Controlled Unclassified Information
A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC ' s Configuration Management (CM) domain. The CCP ' s first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP ' s interview focus on?
Options:
Controlled and monitored
Removed from the system
Scanned for malicious code
Limited to mission-essential use only
Answer:
AExplanation:
Understanding Configuration Management (CM) in CMMC Level 2
InCMMC Level 2, theConfiguration Management (CM) domainis critical for ensuring that systems aresecurely configured, maintained, and monitoredto prevent unauthorized changes. One key aspect of CM is managinguser-installed software, which can introducesecurity risksif not properly controlled.
The correct approach to managinguser-installed softwarealigns withCM.3.068fromNIST SP 800-171, which requires organizations to:
✅Establish and enforce configuration settingsto ensure security.
✅Monitor and control user-installed softwareto prevent unauthorized or insecure applications from running on organizational systems.
Why " Controlled and Monitored " is Correct?
The CCP (Certified CMMC Professional) conducting theinterviewshould focus on whether theuser-installed softwareiscontrolled and monitoredto align withCMMC Level 2 requirements. This means verifying:
Approval processesfor user-installed software.
Monitoring mechanisms(e.g., system logs, audits) to track software changes.
Policies that restrict unauthorized installationsto prevent security risks.
Breakdown of Answer Choices
Option
Description
Correct?
A. Controlled and monitored
✅Ensures compliance with CM.3.068, verifying that user-installed software ismanaged securely.
✅Correct
B. Removed from the system
Software isnot always removed—only unauthorized or risky software should be.
❌Incorrect
C. Scanned for malicious code
While scanning isimportant(covered in SI.3.218), it isnot the primary focusof Configuration Management.
❌Incorrect
D. Limited to mission-essential use only
While limiting software is useful,monitoring and controllingis the key security measure.
❌Incorrect
Official Reference from CMMC 2.0 Documentation
NIST SP 800-171, CM.3.068– " Control and monitor user-installed software. "
CMMC 2.0 Level 2 Requirements– Directly aligned withNIST SP 800-171 security controls.
Final Verification and Conclusion
The correct answer isA. Controlled and monitored, as perCM.3.068inNIST SP 800-171andCMMC 2.0documentation.
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
Options:
Notify the CMMC-AB.
Cancel the assessment.
Postpone the assessment.
Contact the C3PAO for guidance.
Answer:
CExplanation:
CAP v2.0 makes “assessment readiness” a formal gate in Phase 1 (Conduct the Pre-Assessment) . The purpose of Phase 1 is for the C3PAO to evaluate whether the OSC has adequately prepared for the assessment of its Level 2 security requirements. If evidence submitted ahead of the assessment is found to be insufficient such that the OSC is not prepared to proceed, CAP describes an Adverse Determination of Assessment Readiness : the Lead CCA should inform the Affirming Official and provide a written explanation for recommending the assessment be suspended —without giving remedial advice.
CAP then addresses what happens next: if the OSC decides to cancel or postpone the assessment, both parties should settle affairs per the agreement (including return of proprietary information), and they may discuss revisiting the assessment when the OSC is fully prepared. This maps directly to “Postpone the assessment” as the best answer.
The other options don’t match CAP’s prescribed handling. CAP does not require notifying the Cyber AB for routine evidence insufficiency (A). “Cancel” (B) is an OSC decision path, but CAP explicitly calls out postponement/suspension as the appropriate procedural response to lack of readiness. “Contact the C3PAO for guidance” (D) is unnecessary framing here because the assessor/Lead CCA is acting on behalf of the C3PAO under CAP’s Phase 1 readiness determination and suspension process.
===========
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
Options:
CDI
CTI
CUI
FCI
Answer:
DExplanation:
Understanding Federal Contract Information (FCI)
Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:
Is NOT intended for public release.
Is provided by or generated for the government under a contract.
Is necessary to develop or deliver a product or service to the government.
Excludes publicly available government information(such as information on public websites).
Excludes simple transactional information(e.g., necessary to process payments).
In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.
Why is the Correct Answer FCI (D)?
A. CDI (Controlled Defense Information)→ Incorrect
This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.
B. CTI (Cyber Threat Intelligence)→ Incorrect
This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.
C. CUI (Controlled Unclassified Information)→ Incorrect
CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.
D. FCI (Federal Contract Information)→Correct
The definition of FCI explicitly matches the description given in the question.
CMMC 2.0 References Supporting this Answer:
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
Defines FCI and the required safeguards.
Establishes17 cybersecurity practicesfor FCI protection.
CMMC 2.0 Framework
Level 1 (Foundational)is required for contractors handlingFCI.
Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.
NIST SP 800-171 and DFARS 252.204-7012
FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.
A Lead Assessor and an OSC ' s Assessment Official have agreed to have the Assessment results presented during the final Daily Checkpoint of the OSC ' s CMMC Level 2 Assessment. Which document MUST the Lead Assessor use to present assessment findings to the OSC?
Options:
CMMC POA & M Brief
CMMC Findings Brief
CMMC Assessment Tracker Tool
CMMC Recommended Findings template
Answer:
BExplanation:
According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.
Other options are incorrect because:
POA & M Brief is not part of the official CAP presentation.
CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.
Recommended Findings template is not a recognized deliverable in CAP.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
In the CMMC Model, how many practices are included in Level 1?
Options:
15 practices
17 practices
72 practices
110 practices
Answer:
BExplanation:
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.
Breakdown of CMMC Level 1 Practices
The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:
Access Control (AC)– 4 practices
AC.L1-3.1.1: Limit system access to authorized users
AC.L1-3.1.2: Limit user access to authorized transactions and functions
AC.L1-3.1.20: Verify and control connections to external systems
AC.L1-3.1.22: Control information posted or processed on publicly accessible systems
Identification and Authentication (IA)– 2 practices
IA.L1-3.5.1: Identify and authenticate system users
IA.L1-3.5.2: Use multifactor authentication for local and network access
Media Protection (MP)– 1 practice
MP.L1-3.8.3: Sanitize media before disposal or reuse
Physical Protection (PE)– 4 practices
PE.L1-3.10.1: Limit physical access to systems containing FCI
PE.L1-3.10.3: Escort visitors and monitor visitor activity
PE.L1-3.10.4: Maintain audit logs of physical access
PE.L1-3.10.5: Control and manage physical access devices
System and Communications Protection (SC)– 2 practices
SC.L1-3.13.1: Monitor and control communications at system boundaries
SC.L1-3.13.5: Implement subnetworks for publicly accessible system components
System and Information Integrity (SI)– 4 practices
SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner
SI.L1-3.14.2: Provide protection from malicious code at designated locations
SI.L1-3.14.4: Update malicious code protection mechanisms periodically
SI.L1-3.14.5: Perform scans of system components and real-time file scans
Official Reference from CMMC 2.0 Documentation
The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.
???? CMMC 2.0 Level 1 Summary:
Focus:Basic safeguarding of FCI
Total Practices:17
Derived From:FAR 52.204-21
Assessment Type:Self-assessment (annual)
Final Verification and Conclusion
The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.
The results package for a Level 2 Assessment is being submitted. What MUST a Final Report. CMMC Assessment Results include?
Options:
Affirmation for each practice or control
Documented rationale for each failed practice
Suggested improvements for each failed practice
Gaps or deltas due to any reciprocity model are recorded as met
Answer:
BExplanation:
Understanding the CMMC Level 2 Final Report Requirements
For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:
Assessment findings for each practice
Final ratings (MET or NOT MET) for each practice
A detailed rationale for each practice rated as NOT MET
Why " B. Documented rationale for each failed practice " is Correct?
The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.
This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA & M).
TheFinal Report serves as an official recordand must be submitted as part of theresults package.
Why Other Answers Are Incorrect?
A. Affirmation for each practice or control (Incorrect)
While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.
C. Suggested improvements for each failed practice (Incorrect)
Assessors do not provide recommendations for improvement—they only document findings and rationale.
Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.
D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)
If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as " MET. "
Conclusion
The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.
Which regulation allows for whistleblowers to sue on behalf of the federal government?
Options:
NISTSP 800-53
NISTSP 800-171
False Claims Act
Code of Professional Conduct
Answer:
CExplanation:
Understanding the False Claims Act (FCA) and Whistleblower Protections
TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as " relators " )to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.
The FCA includes a " qui tam " provision, which:
✅Allows private individuals to file lawsuits on behalf of the U.S. government.
✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.
✅Protects whistleblowers from employer retaliation.
In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.
For example:
If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.
TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.
Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.
Why the Other Answers Are Incorrect
A. NIST SP 800-53
❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.
B. NIST SP 800-171
❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.
D. Code of Professional Conduct
❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.
CMMC Official References
False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.
DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.
DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.
Thus,option C (False Claims Act) is the correct answeras per official legal guidance.
According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?
Options:
Least privilege
Essential concern
Least functionality
Separation of duties
Answer:
CExplanation:
Understanding the Principle of Least Functionality in the CM Domain
TheConfiguration Management (CM) domainin CMMC 2.0 focuses on maintaining the security and integrity of an organization’s systems through controlled configurations and restrictions on system capabilities.
The principle ofLeast Functionalityrefers to limiting a system’s features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.
Justification for the Correct Answer: Least Functionality (C)
CMMC Practice CM.L2-3.4.6 (Use Least Functionality)explicitly states:
" Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. "
Thegoalis to prevent unauthorized or unnecessary applications, services, and ports from running on the system.
Examples of Implementation:
Disabling unnecessary services, such as remote desktop access if not required.
Restricting software installation to approved applications.
Blocking unused network ports and protocols.
Why Other Options Are Incorrect
A. Least Privilege
This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.
It is relevant to CMMC PracticeAC.L2-3.1.5 (Least Privilege)but does not define system capabilities.
B. Essential Concern
There is no officially recognized cybersecurity principle called " Essential Concern " in CMMC, NIST, or related frameworks.
D. Separation of Duties
This principle (covered under CMMCAC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.
While important for security, it does not define essential system capabilities.
Official CMMC and NIST References
CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain
CM.L2-3.4.6 mandatesleast functionalityto enhance security by removing unnecessary features.
NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6
States: " Limit system functionality to only the essential capabilities required for organizational missions or business functions. "
NIST SP 800-53 – Control CM-7 (Least Functionality)
Provides detailed recommendations on configuring systems to operate with only necessary features.
Conclusion
Theprinciple of Least Functionality (C)is the basis for defining essential system capabilities in theConfiguration Management (CM) domainof CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?
Options:
FCI Asset
CUI Asset
In-scope Asset
Specialized Asset
Answer:
DExplanation:
Understanding Asset Categorization in CMMC 2.0
InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Why " D. Specialized Asset " is Correct?
TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.
Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.
Why Other Answers Are Incorrect?
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.
Conclusion
The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.
Which organization is the governmental authority responsible for identifying and marking CUI?
Options:
NARA
NIST
CMMC-AB
Department of Homeland Security
Answer:
AExplanation:
Step 1: Define CUI (Controlled Unclassified Information)
CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.
✅Step 2: Authority over CUI — NARA’s Role
NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.
Source:
32 CFR Part 2002 – Controlled Unclassified Information (CUI)
Executive Order 13556 – Controlled Unclassified Information
CUI Registry –
NARA:
Maintains theCUI Registry,
Issuesmarking and handling guidance,
DefinesCUI categoriesand their authority under law or regulation,
Trains and informs Federal agencies and contractors on CUI policy.
❌Why the Other Options Are Incorrect
B. NIST
✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.
C. CMMC-AB (now Cyber AB)
✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.
D. Department of Homeland Security (DHS)
✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.
NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.
Who is responsible for ensuring that subcontractors have a valid CMMC Certification?
Options:
CMMC-AB
OUSDA & S
DoD agency or client
Contractor organization
Answer:
DExplanation:
Step 1: Responsibility for Subcontractor Compliance
The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.
This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.
A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?
Options:
It is storing FCI.
It is testing FCI.
It is distributing FCI.
It is properly marked as FCI.
Answer:
AExplanation:
CMMC v2.0 scoping defines “in-scope” assets for Level 1 (FCI protection) based on whether the asset processes, stores, or transmits FCI . The DoD CMMC Assessment Scope – Level 1 (v2.13) states: “Assets in scope … are all assets that **process, store, or transmit Federal Contract Information (FCI).” It then defines these terms. Critically for this question, Store is defined as when “FCI is inactive or at rest on an asset (e.g., located on electronic media…).”
A flash drive is “electronic media.” If the program manager places contract-relevant FCI onto the flash drive, the flash drive is now an asset that stores FCI (FCI at rest). Under the scoping guidance, that alone is enough to classify it as an in-scope FCI asset for Level 1 purposes, meaning it falls within the Level 1 assessment scope and must be protected by applicable Level 1 requirements.
The other answer choices do not align to the scoping definitions. “Testing FCI” (B) is not one of the scope-determining criteria in the Level 1 scoping guide. “Distributing FCI” (C) is not the formal criterion either (the guide uses Transmit , not “distribute”). Finally, being “properly marked” (D) does not determine whether something is in scope; the decisive factor is whether the asset processes, stores, or transmits FCI.
As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?
Options:
Union
Accord
Alliance
Agreement
Answer:
DExplanation:
Understanding the Definition of an Agreement in the CMMC-AB Code of Professional Conduct
TheCMMC-AB Code of Professional Conductdefines anagreementasany contract between two legal entities. This includes:
✔Contracts between an OSC and a C3PAOfor CMMC assessments.
✔Service agreements between cybersecurity providers and defense contractors.
✔Any formal, legally binding arrangement related to CMMC compliance.
Why is the Correct Answer " D. Agreement " ?
A. Union → Incorrect
Auniontypically refers to anorganization representing workersand is not used to describe acontractual relationship.
B. Accord → Incorrect
While anaccordcan mean an agreement, it isnot the standard legal term for a binding contractin CMMC documentation.
C. Alliance → Incorrect
Analliancerefers to astrategic partnership, but does not necessarily imply alegally binding contract.
D. Agreement → Correct
TheCMMC-AB Code of Professional Conductdefines anagreementas anylegally binding contract between two entities.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Defines " Agreement " as alegally binding contract between two parties.
CMMC-AB Licensed Training and Assessment Provider Guidelines
Requires that all engagementsbe governed by a formal agreement (contract) between the parties.
DFARS and CMMC Certification Contracts
States thatOSC-C3PAO relationships must be formalized through a legal agreement.
For a scoping a CMMC Level 1 Self-Assessment, which asset types are assessed against CMMC practices?
Options:
Any IoT or Industrial Internet of Things devices
Any restricted IS
Any test equipment hardware
Any asset transmitting FCI
Answer:
DExplanation:
The correct answer is D because CMMC Level 1 scoping is driven by whether an asset processes, stores, or transmits Federal Contract Information (FCI). The Level 1 Scoping Guide states that in-scope assets for a Level 1 self-assessment are all assets that process, store, or transmit FCI, and that these assets are part of the CMMC Assessment Scope and assessed against all Level 1 requirements. The guide also defines transmitting as FCI being transferred from one asset to another through physical or digital transport methods. The other options are attractive but incorrect because IoT, Industrial Internet of Things, Restricted Information Systems, and test equipment are treated as Specialized Assets when they can process, store, or transmit FCI but cannot be fully secured. Specialized Assets are documented and managed but are not assessed against CMMC Level 1 requirements in the same way as ordinary in-scope FCI assets. Therefore, the best answer is the general rule: any non-specialized asset transmitting FCI is assessed against CMMC Level 1 practices. Reference/topics: CMMC Level 1 Scoping, FCI assets, Specialized Assets, process/store/transmit.
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?
Options:
CUI Asset
In-scope Asset
Specialized Asset
Contractor Risk Managed Asset
Answer:
BExplanation:
According to the CMMC Scoping Guidance, Level 1, the categorization of assets is much simpler than at Level 2. At Level 1, there are only two primary categories for assets within the Organization Seeking Certification (OSC): In-Scope Assets (FCI Assets) and Out-of-Scope Assets.
FCI Asset Definition: An asset is considered " In-Scope " for Level 1 if it processes, stores, or transmits Federal Contract Information (FCI). Since the company is building specialized parts under a DoD contract and using in-house staff and equipment for testing, the information related to that contract (the specifications, schedules, and test results) constitutes FCI.
The Level 1 Universe:
Level 1 does not use the complex sub-categories found in Level 2 scoping, such as " Specialized Assets " (OT/IoT/Test Equipment) or " Contractor Risk Managed Assets. " Those distinctions are specific to CMMC Level 2 Scoping.
In a Level 1 environment, any piece of equipment or software that handles the contract ' s information is simply termed an FCI Asset, which falls under the broader umbrella of In-Scope Assets.
Why other options are incorrect:
Option A (CUI Asset): Level 1 is focused exclusively on FCI. CUI (Controlled Unclassified Information) is the focus of Level 2 and Level 3.
Option C (Specialized Asset) and Option D (Contractor Risk Managed Asset): These are specific scoping categories defined in the CMMC Level 2 Scoping Guidance. In Level 1, these categories do not exist; an asset either handles FCI (In-Scope) or it does not (Out-of-Scope).
Reference Documents:
CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets and Out-of-Scope Assets.
32 CFR Part 170 (CMMC Program Rule): Establishes the simplified scoping requirements for Level 1 self-assessments.
CMMC Level 1 Assessment Guide: Clarifies that the scope includes all " information systems " (including test equipment) used by the contractor to process, store, or transmit FCI.
Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?
Options:
Phase 1: Plan and Prepare Assessment
Phase 2: Conduct Assessment
Phase 3: Report Recommended Assessment Results
Phase 4: Remediation of Outstanding Assessment Issues
Answer:
BExplanation:
Understanding the CMMC Assessment Process
TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.
Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.
Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.
Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.
Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.
Why " Phase 2: Conduct Assessment " is Correct?
DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:
✅Identifying required evidencefor compliance verification.
✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).
✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.
✅Interviewing key personneland observing cybersecurity implementations.
Since the question specifically mentions " identify, obtain inventory, and verify evidence, " this task directly falls underPhase 2: Conduct Assessment.
Breakdown of Answer Choices
Option
Description
Correct?
A. Phase 1: Plan and Prepare Assessment
❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.
B. Phase 2: Conduct Assessment
✅Correct – This phase involves gathering, verifying, and reviewing evidence.
C. Phase 3: Report Recommended Assessment Results
❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.
D. Phase 4: Remediation of Outstanding Assessment Issues
❌Incorrect–This phase focuses oncorrective actions, not evidence collection.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.
Final Verification and Conclusion
The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.
The Advanced Level in CMMC will contain Access Control {AC) practices from:
Options:
Level 1.
Level 3.
Levels 1 and 2.
Levels 1,2, and 3.
Answer:
CExplanation:
In the CMMC 2.0 framework, the " Advanced " level is synonymous with CMMC Level 2 . The model is designed to be cumulative , meaning each higher level incorporates the requirements of the level(s) below it.
Cumulative Structure : For an organization to achieve a Level 2 Certification, it must demonstrate that it meets all 17 practices from Level 1 (Foundational) plus the additional 93 practices introduced at Level 2, totaling 110 practices (aligned with NIST SP 800-171 ).
Access Control (AC) Domain Breakdown :
Level 1 : Contains 4 AC practices (e.g., limiting system access to authorized users).
Level 2 : Contains 22 AC practices total. This includes the original 4 from Level 1 and 18 additional practices (e.g., controlling the use of privileged functions, limiting unsuccessful logon attempts).
Level 3 (Expert) : This level adds even more practices from NIST SP 800-172 . While Level 3 " contains " Level 2, the question asks specifically about what the Advanced Level (Level 2) contains. Therefore, it contains Level 1 and Level 2 practices.
Why other options are incorrect :
Option A : Level 2 is not just Level 1; it includes the additional NIST 800-171 requirements.
Option B : Level 3 practices are part of the " Expert " level, not the " Advanced " level.
Option D : The " Advanced " level (Level 2) does not include the " Expert " (Level 3) practices.
Reference Documents :
CMMC Model Overview (v2.0/v2.1) : Section 3.2, " Level 2: Advanced, " which explicitly states the level consists of the 110 practices from NIST SP 800-171, which includes the Level 1 requirements.
32 CFR Part 170 (CMMC Program Rule) : Defines the mapping of the 14 domains and the cumulative nature of the certification levels.
CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment.
The practices in CMMC Level 2 consist of the security requirements specified in:
Options:
NIST SP 800-53
NIST SP 800-171
48 CFR 52.204-21
DFARS 252.204-7012
Answer:
BExplanation:
CMMC Level 2 requires full implementation of the 110 security requirements specified in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. These practices form the foundation for safeguarding CUI across defense contractor systems.
NIST SP 800-53 is a broader catalog of security controls for federal systems, not specific to CUI in the defense contractor environment.
48 CFR 52.204-21 establishes basic safeguarding requirements for Federal Contract Information (FCI) and corresponds to CMMC Level 1.
DFARS 252.204-7012 defines safeguarding and incident reporting obligations but does not enumerate the specific security practices required.
Thus, Level 2 practices are aligned to NIST SP 800-171.
Reference Documents:
CMMC Model v2.0 Overview, December 2021
NIST SP 800-171 Rev. 2
When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:
Options:
is normative for an OSC to follow.
contains examples that an OSC must implement.
is mandatory and aligns with FAR Clause 52.204-21.
provides additional information to facilitate the assessment of the practice.
Answer:
DExplanation:
Understanding the Role of " Discussion " and " Further Discussion " Sections in CMMC Assessments
When assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.
Eachpracticein the CMMC model includes:
The Practice Statement– The official requirement the OSC must meet.
Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.
Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.
These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.
Why " Provides Additional Information to Facilitate the Assessment " is Correct?
TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.
Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.
Theassessor uses these sectionsto verify whether theOSC ' s implementation meets the intent of the requirement.
Breakdown of Answer Choices
Option
Description
Correct?
A. Is normative for an OSC to follow.
❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.
B. Contains examples that an OSC must implement.
❌Incorrect–Examples aresuggestions, notmandatory implementations.
C. Is mandatory and aligns with FAR Clause 52.204-21.
❌Incorrect–The " Discussion " sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.
D. Provides additional information to facilitate the assessment of the practice.
✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.
Official References from CMMC 2.0 Documentation
TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.
These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.
Final Verification and Conclusion
The correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
Options:
DoD
CISA
NIST
CMMC-AB
Answer:
AExplanation:
Step 1: Understanding the Role of the DoD in CMMC
TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.
This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?
Options:
Cybersecurity
Data security
Network security
Information security
Answer:
AExplanation:
The term that describes " the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation " isCybersecurity.
Step-by-Step Breakdown:
✅1. Cybersecurity Defined
Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.
It includes measures to ensure:
Availability(data is accessible when needed).
Integrity(data is accurate and unaltered).
Authentication(verifying users ' identities).
Confidentiality(ensuring only authorized access).
Non-repudiation(preventing denial of actions).
The definition in the questionaligns directly with cybersecurity principles, making it the best answer.
✅2. Why the Other Answer Choices Are Incorrect:
(B) Data Security❌
Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.
(C) Network Security❌
Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).
The definition in the question includesmore than just networks, so cybersecurity is the better choice.
(D) Information Security❌
Information security (InfoSec)is related but broader than cybersecurity.
InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.
Final Validation from CMMC Documentation:
CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.
DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.
The Assessment Team has completed the assessment and determined the preliminary practice ratings. The preliminary practice ratings must be shared with the OSC prior to being finalized for submission. Based on this information, the assessor should present the preliminary practice ratings:
Options:
During the final Daily Checkpoint
After discussing with the CMMC-AB
Via email after the final Daily Checkpoint
Over the phone after the final Daily Checkpoint
Answer:
AExplanation:
According to the CMMC Assessment Process (CAP) v2.0, assessors are required to conduct Daily Checkpoint Meetings at the end of each day to summarize progress with the OSC (Organization Seeking Certification). The final Daily Checkpoint is where preliminary practice ratings are shared, before the quality assurance review and Out-Brief. The Out-Brief is reserved for the presentation of final results. Additionally, Department of Defense regulations (32 CFR §170.17(c)(2)) provide a 10-business-day re-evaluation window for requirements marked NOT MET before the final report is delivered, which necessitates that the OSC see preliminary ratings during the assessment process itself.
Supporting Extracts from Official Content:
CAP v2.0, §2.23: “The assessment team shall host a Daily Checkpoint Meeting with the OSC at the end of each assessment day to summarize progress.”
CAP v2.0, §3.7: “The C3PAO shall conduct the quality assurance review… prior to the conduct of the Out-Brief Meeting.”
CAP v2.0, §3.10: “The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC.”
32 CFR §170.17(c)(2): “A security requirement assessed as NOT MET may be re-evaluated… for 10 business days… if the CMMC Assessment Findings Report has not been delivered.”
Why Option A is Correct:
The CAP specifies that Daily Checkpoint Meetings are the formal, structured mechanism for assessors to communicate progress and preliminary findings to the OSC.
The final Daily Checkpoint provides the OSC with visibility into the preliminary practice ratings before they are finalized, ensuring transparency and alignment.
The Out-Brief is explicitly for conveying the final assessment results after the C3PAO has completed QA.
Federal regulation (32 CFR §170.17(c)(2)) requires the OSC to have access to preliminary results so they can provide additional evidence for re-evaluation before the report is locked, further confirming that this exchange must occur at the final Daily Checkpoint.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0: Sections 2.23 (Daily Checkpoints), 3.7–3.10 (QA and Out-Brief).
32 CFR §170.17(c)(2): Security Requirement Re-evaluation Window.
DoD CMMC Assessment Guide – Level 2 (v2.13): Guidance on MET/NOT MET determinations and findings.
Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:
Options:
The contract value plus a penalty as stated in the Cyber Claims Act
The contract value plus a penalty as stated in the False Claims Act
Three times the contract value plus a penalty as stated in the Cyber Claims Act
Three times the contract value plus a penalty as stated in the False Claims Act
Answer:
DExplanation:
The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.
Supporting Extracts from Official Content:
False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”
DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.
Why Option D is Correct:
The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).
The FCA specifies treble damages plus penalties, which exactly matches Option D.
References (Official CMMC v2.0 Governance and Source Documents):
False Claims Act (31 U.S.C. §§ 3729–3733).
DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.
===========
A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?
Options:
An updated Assessment Plan
Recorded and final updated Daily Checkpoint
Fully executed CMMC Assessment contract between the C3PAO and the OSC
Review documentation for the CMMC Quality Assurance Professional (CQAP)
Answer:
DExplanation:
According to the CMMC Assessment Process (CAP), specifically within the Phase 4: Reporting Results requirements, a C3PAO must ensure that every assessment package undergoes a rigorous quality review before it is finalized and submitted to the Department of Defense (DoD).
The Role of the CQAP: The CMMC Quality Assurance Professional (CQAP) is a designated role within a C3PAO responsible for verifying that the assessment was conducted in accordance with the CAP and that the evidence collected (the " Artifacts " ) supports the findings (Met/Not Met).
Mandatory Inclusion: When generating the Final Recommended Assessment Results, the package is not considered complete or valid without the formal review documentation from the CQAP. This documentation serves as the " stamp of approval " that the internal Quality Management System (QMS) of the C3PAO has validated the assessment team ' s work.
Why other options are incorrect:
Option A: While the Assessment Plan is a required document during the planning phase, it is an input to the process, not a mandatory component of theFinal Resultsgeneration in the same way quality validation is.
Option B: Daily Checkpoints are administrative tools used during the " Conduct Assessment " phase to keep the OSC informed. While they are part of the assessment record, they are not a mandatory technical component of the final results package.
Option C: The contract is a legal/business requirement handled during the " Plan and Prepare " phase; it is not included in the technical assessment results uploaded to the DoD.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section 4.2 (Finalize Assessment Report) and Section 4.3 (C3PAO Quality Review).
C3PAO Authorization Requirements: Specifies the requirement for a Quality Assurance (QA) function to review all assessment outputs to ensure consistency and integrity across the ecosystem.
During a POA & M closeout assessment , the Lead Assessor and team members verified all evidence provided by the OSC and passed those that satisfied the requirements. Who MUST verify that every failed practice from the initial original assessment has been adequately addressed?
Options:
OSC
CCA
OSC sponsor
Lead Assessor
Answer:
DExplanation:
In CMMC v2.0, the closeout activity for remediating previously unmet requirements is handled through the POA & M closeout process described in the CMMC Assessment Process (CAP) v2.0 . CAP v2.0 makes clear that the C3PAO must follow DoD’s POA & M closeout procedures and that the Assessment Team performs the closeout work, with the assessment results then undergoing a required quality assurance (QA) review .
Operationally, the person who must ensure that each previously failed requirement is adequately addressed during the closeout assessment is the Lead Assessor (Lead CCA) , because the Lead CCA is the individual designated to oversee and manage the Assessment Team on behalf of the C3PAO for the conduct of the certification assessment. In other words, while team members may test controls and collect evidence, the Lead CCA is accountable for directing the assessment effort and ensuring that remediation evidence supports updated determinations.
CAP v2.0 also states that a QA individual performs a quality assurance review of the POA & M closeout “upon completion by the Assessment Team,” including checks on the accuracy and completeness of evaluation of POA & M security requirements before upload to eMASS. This reinforces that verification occurs through the assessment team’s work, led by the Lead Assessor , and then independently quality-checked by QA.
===========
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?
Options:
" The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope. "
" The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope. "
" The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope. "
" The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope. "
Answer:
BExplanation:
Step 1: Understanding CMMC Assessment Scope Determination
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.
How are the Final Recommended Assessment Findings BEST presented?
Options:
Using the CMMC Findings Brief template
Using a C3PAO-provided template that is preferred by the OSC
Using a C3PAO-branded version of the CMMC Findings Brief template
Using the proprietary template created by the Lead Assessor after approval from the C3PAO
Answer:
AExplanation:
In the Cybersecurity Maturity Model Certification (CMMC) assessment process, the presentation of the Final Recommended Assessment Findings is a critical step. According to the CMMC Assessment Process guidelines, the Lead Assessor is responsible for compiling and presenting these findings. The prescribed method for this presentation is the utilization of the standardized CMMC Findings Brief template.
Step-by-Step Explanation:
Responsibility of the Lead Assessor:
The Lead Assessor oversees the assessment process and is tasked with compiling the Final Recommended Assessment Findings.
Utilization of the CMMC Findings Brief Template:
To ensure consistency and adherence to CMMC standards, the Lead Assessor must use the official CMMC Findings Brief template when presenting the assessment findings.
Presentation of Findings:
The findings, documented in the CMMC Findings Brief template, are then presented to the Organization Seeking Certification (OSC). This presentation ensures that the OSC receives a clear and standardized report of the assessment outcomes.