CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Under the CMMC Assessment Process (CAP) v2.0 , the assessment results are not supposed to be delivered to the OSC as “initial” or unchecked findings. Instead, CAP v2.0 requires that the C3PAO conducts a formal quality assurance (QA) review of the certification assessment results prior to the Out-Brief Meeting with the OSC . This QA step is mandatory and is explicitly sequenced before results are conveyed to the OSC.

After the results are compiled and quality-reviewed, the Lead CCA convenes the Out-Brief Meeting specifically “to convey the results of the assessment to the OSC.” CAP v2.0 further requires the team to prepare and deliver an “Assessment Results Briefing” for the Out-Brief, and it lists the required contents (including final MET/NOT MET/NA determinations for each security requirement , POA & M status (if applicable), and the certificate determination).

Therefore, the best answer is D because CAP v2.0 makes clear that results must undergo C3PAO QA review before they are formally presented to the OSC during the Out-Brief.

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

Breaking Down the Scenario:

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

Analysis of the Given Options:

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

Official References Supporting the Correct Answer:

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Conclusion:

Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Who is Responsible for Marking CUI?

According toDoDI 5200.48 (Controlled Unclassified Information (CUI)), the responsibility for marking CUI falls on theauthorized holder of the information.

Step-by-Step Breakdown:

Definition of an Authorized Holder

PerDoDI 5200.48, Section 3.4, anauthorized holderis anyone who has beengranted accessto CUI and is responsible for handling, safeguarding, and marking it according toDoD CUI policy.

The authorized holder may be:

ADoD employee

Acontractorhandling CUI

Anyorganization or individual authorizedto access and manage CUI

DoD Guidance on CUI Marking Responsibilities

DoDI 5200.48, Section 4.2:

The individual creating or handling CUImust apply the appropriate markings as per the DoD CUI Registry guidelines.

DoDI 5200.48, Section 5.2:

Themarking responsibility is NOT limited to a specific positionlike an Information Disclosure Official or a high-level DoD office.

Instead, it is theresponsibility of the person or entity generating, handling, or disseminatingthe CUI.

Why the Other Answer Choices Are Incorrect:

(A) DoD OUSD (Office of the Under Secretary of Defense):

The OUSD plays apolicy-setting rolebut doesnot directly mark CUI.

(C) Information Disclosure Official:

This role is responsible forpublic release of information, but marking CUI is the duty of theauthorized holdermanaging the data.

(D) Presidential authorized Original Classification Authority (OCA):

OCAs classifynational security information (Confidential, Secret, Top Secret), not CUI, which isnot classified information.

Final Validation from DoDI 5200.48:

PerDoDI 5200.48, authorized holders are explicitly responsible for marking CUI, making this the correct answer.

In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.

Supporting Extracts from Official Content:

CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”

Why Option D is Correct:

Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.

Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.

===========

During a Readiness Review (Phase 1), the purpose is to validate whether an OSC is prepared to move forward with a formal assessment. The CAP specifies that the Lead Assessor must collect sufficient evidence for each practice to make a preliminary determination of readiness.

Supporting Extracts from Official Content:

CAP v2.0, Readiness Review (§2.14): “The Lead Assessor must collect a sufficient amount of evidence for each practice to determine the OSC’s readiness.”

Why Option A is Correct:

The requirement is for sufficient evidence; CAP does not mandate a set number of assessment objects or methods.

Options B, C, and D incorrectly suggest minimum counts or methods that are not part of the readiness review requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Readiness Review.

===========

The correct answer is C because the CMMC ecosystem treats conflicts of interest as both actual and perceived conflicts. The CMMC Code of Professional Conduct requires CMMC ecosystem members to avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest. It also requires compliance with conflict-of-interest prohibitions and restricts CMMC ecosystem members from participating in a Level 2 certification process where their prior role or relationship could compromise objectivity.

A conflict of interest exists when professional judgment, independence, or impartiality could be affected, or reasonably appear to be affected, by another interest, relationship, duty, or prior activity. In CMMC, this is especially important because assessment credibility depends on independence between consulting and certification assessment functions. For example, an assessor or C3PAO that previously helped design, implement, or remediate the OSC’s cybersecurity program may have an actual or perceived conflict when later assessing that same OSC. Option A is incorrect because lack of transparency may contribute to a conflict issue, but it is not the definition. Option B is too broad because not every legal violation is a conflict of interest. Option D describes a disclosure problem, not a conflict of interest. Therefore, the best answer is C , a perceived or actual conflict.

===========

Who Do DoD Contractors Report CUI Breaches To?

PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).

Key Reporting Requirements

✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.

✅Reports must be submitted via theDoD's Cyber Incident Reporting Portal.

✅Contractors mustpreserve forensic evidencefor potential investigation.

Why "DoD Cyber Crime Center" is Correct?

The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.

NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.

The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.

Breakdown of Answer Choices

Option

Description

Correct?

A. FBI

❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.

B. NARA

❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.

C. DoD Cyber Crime Center

✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.

D. Under Secretary of Defense for Intelligence and Security

❌Incorrect–This office doesnothandle cyber incident reports.

Official References from CMMC 2.0 and DFARS Documentation

DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.

DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.

Final Verification and Conclusion

The correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

Understanding the False Claims Act (FCA) and Whistleblower Protections

TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

Why the Other Answers Are Incorrect

A. NIST SP 800-53

❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171

❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct

❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

CMMC Official References

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

Thus,option C (False Claims Act) is the correct answeras per official legal guidance.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:

✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

Final Validation from CMMC Documentation:

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

Step 1: Understand the “CA” Domain – Security Assessment

TheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA & Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA & Ms.

✅Step 2: Review CMMC Levels

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

❌Why the Other Options Are Incorrect

A. Level 1

✘No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4

✘These levels build on CA practices but do not represent thestarting point.

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

Understanding Federal Contract Information (FCI) and Publicly Accessible Information

Federal Contract Information (FCI)isnon-public informationprovided by or generated for the U.S. governmentunder a contractthat isnot intended for public release.

Key Characteristics of FCI:

✔FCI includesdetails related togovernment contracts, project specifics, and performance data.

✔It must be protected under FAR 52.204-21, which requiresbasic safeguarding measuresto prevent unauthorized access.

✔Posting FCI on a public site is a security violationsince it ismeant to be restrictedfrom public disclosure.

Why is the Correct Answer "A. FCI (Federal Contract Information)"?

A. FCI → Correct

FCI must be protected from unauthorized access, and if it wasincorrectly published online, it should have been restricted.

B. Change of leadership in the organization → Incorrect

Leadership changes are typically public informationand do not require restriction unless they involve sensitive government-related security clearances.

C. Launching of their new business service line → Incorrect

Marketing and business announcementsare generallypublicly availableandnot restricted information.

D. Public releases identifying major deals signed with commercial entities → Incorrect

Commercial contracts and business deals are not considered FCIunless they involvegovernment contracts.

CMMC 2.0 References Supporting This Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

DefinesFCI as sensitive but unclassified informationthat must beprotected from public disclosure.

CMMC 2.0 Level 1 Requirements

Requires contractors toprotect FCI under basic cybersecurity standardsto prevent unauthorized exposure.

DoD Guidance on FCI Protection

States thatpublishing FCI on public websites violates federal cybersecurity requirements.

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.

Step-by-Step Breakdown:

✅1. What is an ESP?

External Service Providers (ESPs)arethird-party organizationsthat:

ProvideIT services, cloud hosting, and managed security solutions.

Process, store, or transmit FCI or CUIon behalf of a contractor.

Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.

If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.

✅2. Why the Other Answer Choices Are Incorrect:

(B) People❌

Incorrect:ESPs areorganizations, not individual people.

(C) Facilities❌

Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.

(D) Technology❌

Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just "Technology."

Final Validation from CMMC Documentation:

TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.

Thus, the correct answer is:

✅A. ESPs (External Service Providers).

Understanding the Assessment Environment Requirement

During aCMMC Level 2 assessment, assessors requireobjective evidencethat security controls are implementedin the actual operating environmentwhereControlled Unclassified Information (CUI)is handled.

This means thattests or demonstrations must be conducted in the production environment, where the organization’s real systems and security controls are in use.

Why Option B (Production) is Correct

Assessment teams need to validate security controls in the actual environment where they are applied, ensuring that security measures are in effect in thereal-world operating conditions.

Option A (Client)is incorrect because "Client" is not a defined assessment environment.

Option C (Development)is incorrect because testing in a development environmentdoes not accurately represent the production security posture.

Option D (Demonstration)is incorrect becausedemonstrations in a separate test environment do not provide valid evidence for CMMC assessments—actual security implementations must be verified in production.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)

NIST SP 800-171 Assessment Procedures(Verification must occur in the actual system where CUI resides.)

Final Verification

SinceCMMC assessments require security controls to be validated in the actual production environment, the correct answer isOption B: Production.

NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.

Supporting Extracts from Official Content:

NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”

Why Option A is Correct:

“Clear, Purge, Destroy” are the exact three categories named.

Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.

References (Official CMMC v2.0 Content and Source Documents):

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

===========

According to the CMMC Assessment Process (CAP) and the C3PAO Authorization Requirements, every assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) must undergo a formal Quality Management System (QMS) review before the results are finalized and uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the SPRS (Supplier Performance Risk System).

The Quality Review Requirement: The CAP explicitly states that the C3PAO is responsible for the accuracy and integrity of the assessment findings. Before the Assessment Team Lead can formally submit the package, a person or team within the C3PAO (who was ideally not part of the active assessment team to ensure objectivity) must conduct an internal review. This review ensures that the evidence collected supports the "Met" or "Not Met" determinations and that all CMMC methodology requirements were followed.

Why other options are incorrect:

Option A: While there may be administrative costs associated with maintaining C3PAO status, paying a specific "per-submission fee" is not a mandatory procedural stepwithin the assessment lifecyclethat governs the validity of the results.

Option C: The Cyber AB (CMMC-AB) provides the platform and oversight, but a "forthcoming notification" is not a formal requirement in the CAP; the act of submission itself serves as the notification.

Option D: While a final briefing is a "best practice" and usually occurs during the "Post-Assessment" phase, the internal quality review (Option B) is the regulatory mandate that must be completed to ensure the C3PAO's certification of the results is valid and defensible.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 4: Reporting Results," specifically the sub-section on C3PAO Quality Assurance Review.

C3PAO Quality Management System (QMS) Requirements: Outlines the necessity for internal validation of assessment packages to maintain accreditation.

Per the CMMC Scoping Guidance, External Service Providers (ESPs) must be included in scope if they process, store, or transmit CUI or FCI on behalf of the OSC. However, ESPs do not themselves receive a separate CMMC certification unless they undergo their own assessment or an enterprise-level certification is conducted. Their environment is assessed only as part of the OSC’s scope.

Reference Documents:

CMMC Scoping Guidance for Level 2

CMMC Model v2.0 Overview

Understanding Asset Categorization in CMMC 2.0

InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Why "D. Specialized Asset" is Correct?

TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.

Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.

Why Other Answers Are Incorrect?

A. FCI Asset (Incorrect)

FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.

B. CUI Asset (Incorrect)

CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.

C. In-scope Asset (Incorrect)

In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.

Conclusion

The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.

Under the CMMC Assessment Process (CAP) v2.0 , the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled “Identify and Manage Initial Conflicts of Interest (COI)” and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.

CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.

This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility , the CAP’s direct assignment of COI management to the C3PAO makes B the correct answer.

===========

What Happens in Phase 4 of the CMMC Assessment Process?

Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:

Review all assessment findings

Determine the Organization Seeking Certification’s (OSC) eligibility for certification

Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)

Key Responsibilities of the Lead Assessor in Phase 4:

Ensure that the OSC hasmet the required practices and processes.

Confirm that anydeficiencieshave been corrected or appropriately documented.

Recommendwhether the OSC is eligible for certificationbased on assessment results.

Since theLead Assessor must determine and recommend the OSC’s eligibilityto the C3PAO, the correct answer isB. Eligibility.

Why the Other Answers Are Incorrect

A. Ability

❌Incorrect. While assessing an OSC’s ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.

C. Capability

❌Incorrect. Capability refers to an organization'stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.

D. Suitability

❌Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.

CMMC Official References

CMMC Assessment Process (CAP) Document– Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.

CMMC 2.0 Model– Defines the assessment process, including certification decision-making.

Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.

Understanding the Final Review Process in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

Why "D. Final and recorded Daily Checkpoint log" is Correct?

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

Why Other Answers Are Incorrect?

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

Conclusion

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

The correct answer is C because the CMMC physical protection requirement focuses on protecting areas where in-scope information systems, equipment, and controlled environments are located. CMMC Level 2 requirement PE.L2-3.10.3, Escort Visitors , requires the organization to “escort visitors and monitor visitor activity.” The official CMMC Level 2 Assessment Guide states that the assessment objectives include determining whether visitors are escorted, visitor activity is monitored, physical access audit logs are maintained, and physical access devices are controlled and managed. The same guide explains that individuals with permanent physical access authorization credentials are not considered visitors, and that audit logs can be used to monitor visitor activity.

For CMMC purposes, the key issue is whether the visitor could physically access organizational systems, equipment, FCI, CUI, or the respective operating environment. A general corporate area that is outside the controlled environment may not require the same escort rule unless it provides access to in-scope assets. However, the controlled environment must be protected from unauthorized physical access. Therefore, visitors should be escorted in the controlled environment, where FCI/CUI systems or related assets may be present. Option A is incorrect because CMMC requires visitor escorting. Option B reverses the protection priority. Option D is overly broad for this question because it does not distinguish between a general corporate area and the controlled environment defined in the DAP.

===========

Understanding SI.L2-3.14.6: Monitor Communications for Attacks

The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Breakdown of Answer Choices

Option

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

Official References from CMMC 2.0 and NIST SP 800-171 Documentation

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Final Verification and Conclusion

The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

Understanding Training Requirements in CMMC

The requirement for ensuring thatpersonnel are trained to carry out their assigned information security-related duties and responsibilitiesfirst appears inCMMC Level 2as part ofNIST SP 800-171 control AT.L2-3.2.1.

Key Details on the Training Requirement:

✔AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

✔This control is derived fromNIST SP 800-171and applies toCMMC Level 2 (Advanced).

✔It ensures that employees handlingControlled Unclassified Information (CUI)understand theircybersecurity responsibilities.

Why is the Correct Answer "B. Level 2"?

A. Level 1 → Incorrect

CMMC Level 1 does not include this training requirement.Level 1 focuses on basic safeguarding ofFederal Contract Information (FCI)but doesnot require formal cybersecurity training.

B. Level 2 → Correct

The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns withNIST SP 800-171.

C. Level 3 → Incorrect

The training requirementalready exists in Level 2. Level 3 builds on Level 2 with additionalrisk management and advanced cybersecurity controls, but training is introduced at Level 2.

D. All levels → Incorrect

CMMC Level 1 does not include this requirement—it is first introduced in Level 2.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.2.1)

Defines themandatory training requirementfor personnel handling CUI.

CMMC Assessment Guide for Level 2

ListsAT.L2-3.2.1as a required practice under Level 2.

CMMC 2.0 Model Overview

Confirms thatCMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.

In CMMC v2.0, Level 1 is explicitly the level that “focuses on the protection of FCI ” and is composed of the basic safeguarding requirements aligned to FAR 52.204-21 . This directly establishes Level 1 as meeting the standard for protecting FCI.

However, the question asks which levels meet the standard of protecting FCI—not which level is primarily intended for FCI. The official CMMC Model Overview (Version 2.0) states that the CMMC levels and associated sets of practices are cumulative , meaning that to achieve a higher level, an organization must also demonstrate achievement of the preceding lower levels. Because Level 2 and Level 3 certifications require meeting lower-level requirements as part of achieving the higher certification, an organization certified at Level 2 or Level 3 necessarily satisfies the Level 1 requirements that protect FCI.

In addition, the later Model Overview v2.13 reiterates the structure of the model: Level 1 requirements correspond to FAR 52.204-21 safeguards (FCI), while Level 2 and Level 3 focus on CUI protection at increasing rigor. Taken together, the official documents support that Levels 1, 2, and 3 all meet the standard for protecting FCI, with Level 1 being the foundational baseline and Levels 2/3 building on it.

===========

According to the CMMC Scoping Guidance, Level 1, the categorization of assets is much simpler than at Level 2. At Level 1, there are only two primary categories for assets within the Organization Seeking Certification (OSC): In-Scope Assets (FCI Assets) and Out-of-Scope Assets.

FCI Asset Definition: An asset is considered "In-Scope" for Level 1 if it processes, stores, or transmits Federal Contract Information (FCI). Since the company is building specialized parts under a DoD contract and using in-house staff and equipment for testing, the information related to that contract (the specifications, schedules, and test results) constitutes FCI.

The Level 1 Universe:

Level 1 does not use the complex sub-categories found in Level 2 scoping, such as "Specialized Assets" (OT/IoT/Test Equipment) or "Contractor Risk Managed Assets." Those distinctions are specific to CMMC Level 2 Scoping.

In a Level 1 environment, any piece of equipment or software that handles the contract's information is simply termed an FCI Asset, which falls under the broader umbrella of In-Scope Assets.

Why other options are incorrect:

Option A (CUI Asset): Level 1 is focused exclusively on FCI. CUI (Controlled Unclassified Information) is the focus of Level 2 and Level 3.

Option C (Specialized Asset) and Option D (Contractor Risk Managed Asset): These are specific scoping categories defined in the CMMC Level 2 Scoping Guidance. In Level 1, these categories do not exist; an asset either handles FCI (In-Scope) or it does not (Out-of-Scope).

Reference Documents:

CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets and Out-of-Scope Assets.

32 CFR Part 170 (CMMC Program Rule): Establishes the simplified scoping requirements for Level 1 self-assessments.

CMMC Level 1 Assessment Guide: Clarifies that the scope includes all "information systems" (including test equipment) used by the contractor to process, store, or transmit FCI.

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-Assessment

CMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

Official CMMC 2.0 Documentation References

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

Breakdown of Answer Choices

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Conclusion

Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

Reference Documents for Further Reading

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

nderstanding Objectivity in CMMC-AB Activities

Objectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.

Key Aspects of Objectivity in CMMC Assessments:

✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.

✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.

✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.

Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?

A. Ensuring full disclosure → Incorrect

Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.

B. Reporting results of CMMC services completely → Incorrect

Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.

C. Avoiding the appearance of or actual, conflicts of interest → Correct

Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.

Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.

D. Demonstrating integrity in the use of materials as described in policy → Incorrect

Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Code of Professional Conduct

Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.

CMMC Assessment Process (CAP) Document

Emphasizes that assessments must befree from external influence and conflicts of interest.

ISO/IEC 17020 Requirements for Inspection Bodies

Definesobjectivity as avoiding conflicts of interest in the assessment process.

Understanding the Assessment Results Package Submission

After completing aCMMC Level 2 Assessment, theCertified Third-Party Assessment Organization (C3PAO)mustsubmit the final assessment results packageto theEnterprise Mission Assurance Support Service (eMASS)system.

Key Required Document: Final Report

TheFinal Reportis themandatory documentthatcontains all assessment details, findings, and scoring.

It serves as theofficial record of the assessmentanddetermines certification eligibility.

Why is the Correct Answer "Final Report" (A)?

A. Final Report → Correct

TheFinal Report is requiredin the submission package todocument assessment results officially.

It includes asummary of findings, scoring, and recommendations.

B. Certification rating → Incorrect

The C3PAO does not issue certification ratings—theDoDandCMMC-ABdetermine certification status after reviewing the Final Report.

C. Summary-level findings → Incorrect

While the Final Reportincludessummary findings, astandalone summary-level findings document is not a required upload.

D. All Daily Checkpoint logs → Incorrect

Checkpoint logsare part of the internal assessment process butare not required in the final eMASS submission.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies that theFinal Report must be submitted to eMASSafter a Level 2 assessment.

CMMC-AB Guidelines for C3PAOs

States that theFinal Report is the key document used to determine certification status.

DFARS 252.204-7021 (CMMC Requirements Clause)

Requires the assessment results to be documented in an official report and submitted via eMASS.

Final Answer:

✔A. Final Report

Understanding the Official CUI Registry

TheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies'CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:

✅Acomprehensive listof CUI categories and subcategories.

✅Details onwho can handle, store, and share CUI.

✅Guidance onCUI marking and safeguarding requirements.

Why "Official CUI Registry" is Correct?

TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.

32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.

Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.

The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.

Breakdown of Answer Choices

Option

Description

Correct?

A. 32 CFR Section 2002

❌Incorrect–Defines CUI program rules butdoes not listcategories.

B. Official CUI Registry

✅Correct – The registry contains the full list of CUI categories.

C. Executive Order 13556

❌Incorrect–Established the CUI program butdoes not maintain a category list.

D. Official CMMC Registry

❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.

Official References from CMMC 2.0 and Federal Documentation

National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.

32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.

Final Verification and Conclusion

The correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies' CUI indices and categories.

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.

Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the "anchor" for the assessment boundary.

Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.

Relationship to other units:

Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary "Host" of the CUI/FCI. They are in-scope because they provide "Security Protection" or "Administrative" functions to the Host Unit.

Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the "people, processes, and technology" being assessed under the CMMC CAP.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.

CMMC Level 2 Scoping Guidance: Provides the framework for identifying the "assets" (people, technology, facilities) that reside within the Host Unit boundary.

CCP Study Guide: Section on "Scoping the Assessment," which explains how to identify the Host Unit versus External Service Providers (ESPs).

Understanding the Role of the DoD CIO Office in CMMC

TheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

Why "B. DoD CIO Office" is Correct?

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

Why Other Answers Are Incorrect?

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

Conclusion

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

Understanding the "Examine" Assessment Method in CMMC 2.0

CMMC 2.0 usesthree assessment methodsto evaluate security compliance:

Examine– Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).

Interview– Speaking with personnel to verify knowledge and responsibilities.

Test– Performing technical validation to check system configurations.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)definesExamineas the method used toreview or analyze assessment objects, such as policies, procedures, configurations, and logs.

Why is the Correct Answer "Examine" (C)?

A. Test → Incorrect

"Test" involvesexecutinga function to validate its security (e.g., verifying access controls through a live system test).

B. Assess → Incorrect

"Assess" is a broad term; CMMC explicitly defines "Examine" as the method for reviewing documentation.

C. Examine → Correct

"Examine" is the official term forreviewing policies, procedures, configurations, or logs.

D. Interview → Incorrect

"Interview" involvesverbal discussions with personnel, not document analysis.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "Examine" asanalyzing assessment objects (e.g., policies, procedures, logs, documentation).

NIST SP 800-171A

Specifies "Examine" as a method toreview security controls and configurations.

According to the CMMC Model and Assessment Guides, specifically the rules governing Plan of Action and Milestones (POA & M) and the remediation period, an Organization Seeking Certification (OSC) is allowed a limited opportunity to remediate certain "Not Met" practices to achieve a "Met" status without failing the assessment entirely.

Here is the breakdown based on CMMC Ecosystem protocols:

The 180-Day POA & M Rule: CMMC Level 2 allows for the use of POA & Ms for specific practices, provided they are not high-priority items (typically 5-point values in the scoring methodology). If an OSC has "Not Met" practices that are eligible for a POA & M, they have up to 180 days to remediate them.

The Remediation Period (Assessment Closeout): During the assessment process itself, there is a "remediation period" (often referred to within the 1-90 day window depending on the specific C3PAO methodology and the CMMC assessment process) where an OSC can fix minor issues identified by the assessor before the final report is submitted.

Eligibility Criteria: The question states there are 15 practices "Not Met." While this is a high number, the CMMC rule does not automatically disqualify an OSC based solely on thequantityof practices, but rather thetype(weight) of the practices and the resulting score. To be eligible for a conditional "Met" (via POA & M), the OSC must achieve a minimum score (often 80% of the total points) and none of the "Not Met" practices can be those designated as mandatory "Met" (no POA & M allowed) in the CMMC rule.

Why "C" is correct: Because we do not know the specific weights of the 15 "Not Met" practices or the total score, we cannot definitively say theywillbe remediated (A) or that they areineligible(B). However, under the CMMC assessment framework, the OSC may be eligible to enter a remediation phase or utilize a POA & M to bridge the gap, provided they meet the scoring threshold and the specific practices allow for it.

Reference Documents:

CMMC Assessment Process (CAP): Defines the phases of assessment including the "Remediation Period."

32 CFR Part 170 (CMMC Program Rule): Outlines the specific requirements for POA & Ms, the 180-day timeline, and the scoring parameters required to be eligible for a Conditional Certification.

For CMMC Level 1 scoping , the DoD’s CMMC Scoping Guide – Level 1 (v2.13) instructs an organization performing a Level 1 self-assessment to consider what is in scope for protecting Federal Contract Information (FCI) . Specifically, it states that to appropriately scope a Level 1 self-assessment, the OSA should consider the people, technology, facilities, and external service providers (ESPs) within its environment that process, store, or transmit FCI .

In this scenario, the director is evaluating company offices and data centers where FCI is stored. These are physical locations and physical environments—exactly what the scoping guidance categorizes under Facilities . Facilities in a Level 1 context include physical sites and spaces that may house systems or media containing FCI (e.g., offices, server rooms, data centers), because those locations affect physical access controls, environmental protections, and overall safeguarding of where FCI is handled and stored.

This is distinct from Technology (devices/systems), People (personnel who handle FCI), and ESPs (external providers delivering IT/cyber services). Since the question is explicitly about which offices and data centers store FCI —a physical boundary and location question—the correct asset type is Facilities .

Contractors that handle Covered Defense Information (CDI) are required to report cyber incidents to the Department of Defense within 72 hours of discovery.

Supporting Extracts from Official Content:

DFARS 252.204-7012(c)(1): “When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall conduct a review… and rapidly report the cyber incident to DoD within 72 hours of discovery.”

Why Option C is Correct:

The regulation explicitly specifies 72 hours.

Options A (24 hrs), B (48 hrs), and D (96 hrs) do not align with DFARS requirements.

References (Official CMMC v2.0 Content and Source Documents):

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

CMMC v2.0 Governance – Source Documents list includes DFARS 252.204-7012.

===========

The CAP makes clear that evidence collected during the assessment is evaluated for both adequacy (does the evidence align with the requirement) and sufficiency (is there enough evidence to make a confident determination).

Supporting Extracts from Official Content:

CAP v2.0, Evidence Collection Guidance: “Evidence must be evaluated for adequacy… and for sufficiency, to ensure enough information is available to support the assessor’s determination.”

Why Option A is Correct:

Evidence is assessed based on two qualities only: adequacy and sufficiency.

“Thoroughness” and “appropriateness” are not official CAP terms for evidence evaluation.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Evidence Evaluation section.

===========

In the CMMC 2.0 framework, the "Advanced" level is synonymous with CMMC Level 2 . The model is designed to be cumulative , meaning each higher level incorporates the requirements of the level(s) below it.

Cumulative Structure : For an organization to achieve a Level 2 Certification, it must demonstrate that it meets all 17 practices from Level 1 (Foundational) plus the additional 93 practices introduced at Level 2, totaling 110 practices (aligned with NIST SP 800-171 ).

Access Control (AC) Domain Breakdown :

Level 1 : Contains 4 AC practices (e.g., limiting system access to authorized users).

Level 2 : Contains 22 AC practices total. This includes the original 4 from Level 1 and 18 additional practices (e.g., controlling the use of privileged functions, limiting unsuccessful logon attempts).

Level 3 (Expert) : This level adds even more practices from NIST SP 800-172 . While Level 3 "contains" Level 2, the question asks specifically about what the Advanced Level (Level 2) contains. Therefore, it contains Level 1 and Level 2 practices.

Why other options are incorrect :

Option A : Level 2 is not just Level 1; it includes the additional NIST 800-171 requirements.

Option B : Level 3 practices are part of the "Expert" level, not the "Advanced" level.

Option D : The "Advanced" level (Level 2) does not include the "Expert" (Level 3) practices.

Reference Documents :

CMMC Model Overview (v2.0/v2.1) : Section 3.2, "Level 2: Advanced," which explicitly states the level consists of the 110 practices from NIST SP 800-171, which includes the Level 1 requirements.

32 CFR Part 170 (CMMC Program Rule) : Defines the mapping of the 14 domains and the cumulative nature of the certification levels.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment.

In the context of a Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessment, specific practices must be evaluated to ensure compliance with established security requirements. One such practice is AC.L2-3.1.19, which mandates the encryption of Controlled Unclassified Information (CUI) on mobile devices and mobile computing platforms.

Step-by-Step Explanation:

Requirement Overview:

Practice AC.L2-3.1.19 requires organizations to "Encrypt CUI on mobile devices and mobile computing platforms." This ensures that any CUI accessed, stored, or transmitted via mobile devices is protected through encryption, mitigating risks associated with data breaches or unauthorized access.

Assessment of Provided Evidence:

During the assessment, the Organization Seeking Certification (OSC) provided an inventory list encompassing servers, workstations, and network devices. Notably, this list lacks any mention of mobile devices or mobile computing platforms.

Implications of the Omission:

The absence of mobile devices in the inventory suggests that the OSC may not have accounted for all assets that process, store, or transmit CUI. Without a comprehensive inventory that includes mobile devices, it's challenging to verify whether the OSC has implemented the necessary encryption measures for CUI on these platforms.

Assessment Determination:

Given the incomplete inventory, the evidence is insufficient to make a definitive scoring determination for practice AC.L2-3.1.19. The OSC must provide a detailed inventory that encompasses all relevant devices, including mobile devices and computing platforms, to demonstrate compliance with the encryption requirements for CUI.

Step 1: Understanding AC.L1-3.1.22

AC.L1-3.1.22states:"Control information posted or processed on publicly accessible systems."

This control requires organizations toensure that FCI (Federal Contract Information) is not publicly postedor made accessible in an uncontrolled manner.

FCI must beprotected from unauthorized disclosure, even if it is not classified or CUI.

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA & M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA & M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA & M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA & M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.

Step-by-Step Explanation:

Assessment Planning & Conflict of Interest Consideration

Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.

A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.

CMMC Assessment Process and Phases

The CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:

Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.

Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.

Verify Readiness to Conduct Assessment (Correct Answer):

At this stage, theC3PAO or assessment team must review potential conflicts of interest.

TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.

Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.

Official CMMC Documentation & References

CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.

CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.

DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.

By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

The correct answer is D because CMMC Level 1 is based on the basic safeguarding requirements in FAR Clause 52.204-21 , not on the full NIST SP 800-171 or DFARS 252.204-7012 requirements. The official CMMC Model Overview states that Level 1 focuses on protecting Federal Contract Information (FCI) and consists of security requirements that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 , commonly referred to as the FAR Clause. It also states that Level 2 is the level that incorporates the 110 security requirements from NIST SP 800-171 Rev. 2 for protection of Controlled Unclassified Information (CUI) .

FAR 52.204-21 applies to covered contractor information systems that process, store, or transmit Federal Contract Information. The clause requires contractors to apply basic safeguarding requirements and procedures, including limiting system access to authorized users, controlling external connections, protecting information on publicly accessible systems, identifying and authenticating users, and sanitizing or destroying media containing FCI before disposal or reuse.

Option A is incorrect because NIST SP 800-171 is associated with CMMC Level 2, not Level 1. Option B is incorrect because the cited DFARS clause number is not the CMMC Level 1 source. Option C is incorrect because DFARS 252.204-7012 is tied to safeguarding covered defense information and implementing NIST SP 800-171 for CUI, not the Level 1 basic safeguarding baseline.

Step 1: Define CUI (Controlled Unclassified Information)

CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s Role

NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry – https://www.archives.gov/cui

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

❌Why the Other Options Are Incorrect

B. NIST

✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)

✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)

✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

CMMC Level 1 practices correspond directly to the basic safeguarding requirements for Federal Contract Information (FCI), which are codified in FAR clause 48 CFR 52.204-21. These 15 requirements form the foundation for Level 1 compliance.

Supporting Extracts from Official Content:

48 CFR 52.204-21: “Contractors shall apply the following 15 basic safeguarding requirements to protect Federal Contract Information (FCI).”

CMMC Model v2.0 Overview: “Level 1 corresponds to the 15 basic safeguarding requirements in FAR 52.204-21.”

Why Option C is Correct:

FAR 52.204-21 is the source for Level 1 practices.

NIST SP 800-171 applies to CUI and Level 2, not Level 1.

NIST SP 800-171b is the precursor to NIST SP 800-172 (used for Level 3).

DFARS 252.204-7012 covers CUI safeguarding and incident reporting, not Level 1 FCI requirements.

References (Official CMMC v2.0 Content):

FAR 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

CMMC Model v2.0, Level 1 Overview.

Understanding RA.L2-3.11.2: Vulnerability Scanning

TheRA.L2-3.11.2practice requires organizations to:

✔Regularly scan for vulnerabilitiesin systems and applications.

✔Perform scans when new vulnerabilities are identified.

✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.

Why Is an Incident Monitoring Report Irrelevant?

Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.

Vulnerability scanning reportsshould include:

✔A list of vulnerabilities detected.

✔Remediation actions taken.

✔Scan frequency and schedule.

Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.

Why is the Correct Answer "A. Inadequate because it is irrelevant to the practice"?

A. Inadequate because it is irrelevant to the practice → Correct

Alack of reported security incidents does not confirm that vulnerability scanning was performed.

B. Adequate because it fits well for expected artifacts → Incorrect

Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.

C. Adequate because no security incidents were reported → Incorrect

The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.

D. Inadequate because the OSC's service provider should be interviewed → Incorrect

While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)

Defines the requirement toscan for vulnerabilities periodically and when new threats emerge.

CMMC Assessment Guide for Level 2

Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.

CMMC 2.0 Model Overview

Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

CMMC Level 2 requires full implementation of the 110 security requirements specified in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. These practices form the foundation for safeguarding CUI across defense contractor systems.

NIST SP 800-53 is a broader catalog of security controls for federal systems, not specific to CUI in the defense contractor environment.

48 CFR 52.204-21 establishes basic safeguarding requirements for Federal Contract Information (FCI) and corresponds to CMMC Level 1.

DFARS 252.204-7012 defines safeguarding and incident reporting obligations but does not enumerate the specific security practices required.

Thus, Level 2 practices are aligned to NIST SP 800-171.

Reference Documents:

CMMC Model v2.0 Overview, December 2021

NIST SP 800-171 Rev. 2

CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access.

This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.

The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.

Why the Correct Answer is "B. Adequate"?

TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.

Definition of "Adequate" Evidence in CMMC:

Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.

TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.

If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.

Why Not the Other Options?

A. Official– While the evidence may come from an official source, the CMMCdoes not require evidence to be "official", only that it beadequateto confirm compliance.

C. Compliant– Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.

D. Subjective– CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.

Relevant CMMC 2.0 References:

CMMC 2.0 Scoping Guide (Nov 2021)– Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.

CMMC Assessment Process (CAP) Guide– Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice.

FAR 52.204-21– The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.

Final Justification:

The CCP’s statement that the evidence"fully reflects the performance of the practice"aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.

According to the CMMC Assessment Process (CAP) v2.0, assessors are required to conduct Daily Checkpoint Meetings at the end of each day to summarize progress with the OSC (Organization Seeking Certification). The final Daily Checkpoint is where preliminary practice ratings are shared, before the quality assurance review and Out-Brief. The Out-Brief is reserved for the presentation of final results. Additionally, Department of Defense regulations (32 CFR §170.17(c)(2)) provide a 10-business-day re-evaluation window for requirements marked NOT MET before the final report is delivered, which necessitates that the OSC see preliminary ratings during the assessment process itself.

Supporting Extracts from Official Content:

CAP v2.0, §2.23: “The assessment team shall host a Daily Checkpoint Meeting with the OSC at the end of each assessment day to summarize progress.”

CAP v2.0, §3.7: “The C3PAO shall conduct the quality assurance review… prior to the conduct of the Out-Brief Meeting.”

CAP v2.0, §3.10: “The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC.”

32 CFR §170.17(c)(2): “A security requirement assessed as NOT MET may be re-evaluated… for 10 business days… if the CMMC Assessment Findings Report has not been delivered.”

Why Option A is Correct:

The CAP specifies that Daily Checkpoint Meetings are the formal, structured mechanism for assessors to communicate progress and preliminary findings to the OSC.

The final Daily Checkpoint provides the OSC with visibility into the preliminary practice ratings before they are finalized, ensuring transparency and alignment.

The Out-Brief is explicitly for conveying the final assessment results after the C3PAO has completed QA.

Federal regulation (32 CFR §170.17(c)(2)) requires the OSC to have access to preliminary results so they can provide additional evidence for re-evaluation before the report is locked, further confirming that this exchange must occur at the final Daily Checkpoint.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0: Sections 2.23 (Daily Checkpoints), 3.7–3.10 (QA and Out-Brief).

32 CFR §170.17(c)(2): Security Requirement Re-evaluation Window.

DoD CMMC Assessment Guide – Level 2 (v2.13): Guidance on MET/NOT MET determinations and findings.

The correct answer isA. CMMC Assessment Reporting Requirementsbecause this document specifically outlines thestructured processthat Certified Third-Party Assessment Organizations (C3PAOs) must follow when conducting and reporting CMMC assessments.

Step-by-Step Breakdown:

Understanding the CMMC Assessment Process

TheLead Assessorbriefs the team on theassessment requirementsand theevaluation criteriabefore the assessment begins.

Throughout the assessment,findings summaries, practice ratings, and level recommendationsare documented and reported.

These findings are internally reviewed by theC3PAObefore they are formally submitted forquality review and final rating approval.

Key Document Stipulating Reporting Requirements: CMMC Assessment Reporting Requirements

This documentspecifically details how assessments must be reportedwithin theCMMC ecosystem.

It describes the structured process for assessment submission, internalC3PAO reviews, andquality checks by the CMMC-ABbefore an organization can receive a final certification decision.

It ensures thatresults are consistent, transparent, and aligned with DoD cybersecurity compliance expectations.

Why Other Options Are Incorrect:

B. DFARS 52.204-21 Assessment Reporting Requirements

This clause only specifiesbasic safeguardingof Federal Contract Information (FCI) but doesnotdictate the reporting process for CMMC assessments.

C. NIST SP 800-171 Revision 2 Assessment Reporting Requirements

WhileNIST SP 800-171 Rev. 2outlines security controls, it doesnotdefine how CMMC assessments must be conducted and reported.

D. DFARS Clause 252.204-7012 Assessment Reporting Requirements

This DFARS clause focuses onincident reportingandcyber incident response requirementsbut does not detail theCMMC assessment reporting process.

Official Reference:

CMMC Assessment Reporting Requirements, issued byThe Cyber ABandDoD, governs how C3PAOs must report assessment results.

CMMC Assessment Process (CAP)also outlines reporting workflows for certification.

Thus, theCMMC Assessment Reporting Requirementsdocument is the authoritative source that dictates the reporting procedures for CMMC assessments.

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

Understanding the Phases of the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Key Activities in Phase 1 – Pre-Assessment Phase

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Why is the Correct Answer "Phase 1" (A)?

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

Understanding the CMMC Assessment Process (CAP) Phases

TheCMMC Assessment Process (CAP)consists ofthree primary phases:

Phase 1 - Planning(Pre-assessment activities)

Phase 2 - Conducting the Assessment(Evidence collection and analysis)

Phase 3 - Reporting and Finalizing Results

DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.

Scoring Practices in Phase 3

The CAP document specifies that a practice can bescored as METif:

✅The deficiency identified in Phase 2 has been fully corrected before final scoring.

✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.

✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.

Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.

Why the Other Answers Are Incorrect

B. POA & M (Plan of Action & Milestones)

❌Incorrect. APOA & M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.

C. NOT MET

❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.

D. NOT APPLICABLE

❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.

CMMC Official References

CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA & M.

Thus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:

The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

In the context of a Cybersecurity Maturity Model Certification (CMMC) assessment, the roles and responsibilities of individuals involved are clearly delineated to ensure a structured and effective evaluation process. The term "applicable staff" refers to personnel within the Organization Seeking Certification (OSC) who possess specific knowledge or expertise pertinent to the assessment. These individuals are integral to the assessment process as they provide essential information, demonstrate the implementation of security practices, and facilitate the assessment team's understanding of the organization's cybersecurity posture.

In this scenario, the employee serving as the primary system administrator is responsible for managing and maintaining the organization's systems. Given their comprehensive understanding of the system configurations, security controls, and operational procedures, this individual is best categorized as "applicable staff." Their involvement is crucial during the assessment, as they can provide detailed insights, demonstrate compliance measures, and address technical inquiries from the assessment team.

The other options can be delineated as follows:

Analyzer:Typically refers to individuals who analyze data or security incidents, often as part of a security operations center. This role is not specifically defined within the CMMC assessment context.

Inspector:Generally denotes a person who examines or inspects systems and processes, possibly as part of an internal audit or compliance check. This term is not a standard designation within the CMMC assessment framework.

Demonstration staff:While this could imply personnel responsible for demonstrating systems or processes, it is not a recognized role within the CMMC assessment process.

Therefore, the primary system administrator, by virtue of their role and responsibilities, aligns with the "applicable staff" category, playing a pivotal role in facilitating a successful CMMC assessment.

Understanding C3PAO Requirements

ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:

✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.

Understanding Federal Contract Information (FCI)

Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:

Is NOT intended for public release.

Is provided by or generated for the government under a contract.

Is necessary to develop or deliver a product or service to the government.

Excludes publicly available government information(such as information on public websites).

Excludes simple transactional information(e.g., necessary to process payments).

In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.

Why is the Correct Answer FCI (D)?

A. CDI (Controlled Defense Information)→ Incorrect

This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.

B. CTI (Cyber Threat Intelligence)→ Incorrect

This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.

C. CUI (Controlled Unclassified Information)→ Incorrect

CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.

D. FCI (Federal Contract Information)→Correct

The definition of FCI explicitly matches the description given in the question.

CMMC 2.0 References Supporting this Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Defines FCI and the required safeguards.

Establishes17 cybersecurity practicesfor FCI protection.

CMMC 2.0 Framework

Level 1 (Foundational)is required for contractors handlingFCI.

Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.

NIST SP 800-171 and DFARS 252.204-7012

FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.

Who Should Be Interviewed During a CMMC Assessment?

During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:

✅Implementsthe practice (directly responsible for executing it).

✅Performsthe practice (carries out day-to-day security operations).

✅Supportsthe practice (provides necessary resources or oversight).

Why "Implements, Performs, or Supports That Practice" is Correct?

Theassessor needs direct insightsfrom individuals actively involved in the practice.

Funding (Option A)does not providetechnical or operationalinsight into practice execution.

Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.

Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.

Breakdown of Answer Choices

Option

Description

Correct?

A. Funds that practice.

❌Incorrect–Funding is important but doesnot mean direct involvement.

B. Audits that practice.

❌Incorrect–Auditors check compliance but donot implementpractices.

C. Supports, audits, and performs that practice.

❌Incorrect–Auditing isnot a requirementfor interviewees.

D. Implements, performs, or supports that practice.

✅Correct – The interviewee must have direct involvement in execution.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.

Final Verification and Conclusion

The correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.