CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

Step 1: Understand the Assessor’s Role and Chain of Responsibility

During a CMMC assessment, the assessor ispart of the team organized by a C3PAO (Certified Third-Party Assessment Organization). If the assessor determines thatevidence is insufficient or inadequate, they arenot authorizedto act independently in terms of halting or postponing the assessment.

Source Reference: CMMC Assessment Process (CAP) v1.0 – Section 3.5.4 & 3.5.6

"If the Assessment Team identifies gaps in the sufficiency or adequacy of evidence, they must work with the Lead Assessor and C3PAO to determine the appropriate course of action."

✅Step 2: Why Contacting the C3PAO Is the Correct Action

The C3PAO is responsible for overseeing the assessment lifecycle.

If evidence isnot adequate, the assessor mustescalate within their organization(i.e., to the Lead Assessor or C3PAO point of contact) to:

Request clarifications from the OSC,

Determine if additional evidence can be requested,

Decide on continuing, pausing, or modifying the assessment schedule.

❌Why the Other Options Are Incorrect

A. Notify the CMMC-AB

✘Incorrect. The Cyber AB (formerly CMMC-AB) isnot involved in operational aspectsof assessments. They do not manage day-to-day assessment decisions.

B. Cancel the assessment

✘Incorrect. An assessorcannot unilaterally cancelan assessment. Only theC3PAO, in consultation with all parties, may take such action.

C. Postpone the assessment

✘Incorrect. Postponements are logistical decisions that must be managed through theC3PAO, not an individual assessor.

When an assessor determines that the evidence submitted by an OSC is inadequate or insufficient to meet a CMMC practice, thecorrect and required course of action is to consult with the C3PAO. The C3PAO will provide guidance or coordinate appropriate next steps.

Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).

Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.

Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.

Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.

Reference Documents:

CMMC Model v2.0 Overview (DoD, December 2021)

NIST SP 800-171 Rev. 2,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172,Enhanced Security Requirements for Protecting Controlled Unclassified Information

Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.

Key Elements of a Plan of Action (POA)

According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:

Completion Dates: Identifies target deadlines for resolving deficiencies.

Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.

Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.

What is Generally NOT Part of a POA?

Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broaderproject management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.

Supporting Reference

NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.

CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.

By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.

Understanding the "Examine" Assessment Method in CMMC 2.0

CMMC 2.0 usesthree assessment methodsto evaluate security compliance:

Examine– Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).

Interview– Speaking with personnel to verify knowledge and responsibilities.

Test– Performing technical validation to check system configurations.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)definesExamineas the method used toreview or analyze assessment objects, such as policies, procedures, configurations, and logs.

Why is the Correct Answer "Examine" (C)?

A. Test → Incorrect

"Test" involvesexecutinga function to validate its security (e.g., verifying access controls through a live system test).

B. Assess → Incorrect

"Assess" is a broad term; CMMC explicitly defines "Examine" as the method for reviewing documentation.

C. Examine → Correct

"Examine" is the official term forreviewing policies, procedures, configurations, or logs.

D. Interview → Incorrect

"Interview" involvesverbal discussions with personnel, not document analysis.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "Examine" asanalyzing assessment objects (e.g., policies, procedures, logs, documentation).

NIST SP 800-171A

Specifies "Examine" as a method toreview security controls and configurations.

According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).

While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.

Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.

Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.

Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.

Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.

C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.

What is Required in the CMMC Assessment Kickoff and Opening Briefing?

Before starting aCMMC assessment, theLead Assessormust present anopening briefingto ensure that theOrganization Seeking Certification (OSC)understands the assessment process.

Step-by-Step Breakdown:

✅1. Overview of the Assessment Process

The Lead Assessormust explain the CMMC assessment methodology, including:

Theassessment objectives and scope

How theassessment team will review security controls

What to expectduring interviews, testing, and document review

This ensurestransparency and alignmentbetween the assessors and the OSC.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Gathering Evidence❌

Evidence collection is part of the assessment butnot the primary topic of the opening briefing.

(B) Review of the OSC's SSP❌

While theSSP is a key document, reviewing it is part of the assessment,not the kickoff briefing.

(D) Examination of the artifacts for sufficiency❌

Artifact review happens laterin the assessment process,not during the kickoff.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates that theopening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.

Thus, the correct answer is:

✅C. Overview of the assessment process.

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:

✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

During a Readiness Review (Phase 1), the purpose is to validate whether an OSC is prepared to move forward with a formal assessment. The CAP specifies that the Lead Assessor must collect sufficient evidence for each practice to make a preliminary determination of readiness.

Supporting Extracts from Official Content:

CAP v2.0, Readiness Review (§2.14): “The Lead Assessor must collect a sufficient amount of evidence for each practice to determine the OSC’s readiness.”

Why Option A is Correct:

The requirement is for sufficient evidence; CAP does not mandate a set number of assessment objects or methods.

Options B, C, and D incorrectly suggest minimum counts or methods that are not part of the readiness review requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Readiness Review.

===========

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access.

This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.

The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.

Why the Correct Answer is "B. Adequate"?

TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.

Definition of "Adequate" Evidence in CMMC:

Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.

TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.

If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.

Why Not the Other Options?

A. Official– While the evidence may come from an official source, the CMMCdoes not require evidence to be "official", only that it beadequateto confirm compliance.

C. Compliant– Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.

D. Subjective– CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.

Relevant CMMC 2.0 References:

CMMC 2.0 Scoping Guide (Nov 2021)– Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.

CMMC Assessment Process (CAP) Guide– Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice.

FAR 52.204-21– The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.

Final Justification:

The CCP’s statement that the evidence"fully reflects the performance of the practice"aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.

Understanding the Official CUI Registry

TheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies'CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:

✅Acomprehensive listof CUI categories and subcategories.

✅Details onwho can handle, store, and share CUI.

✅Guidance onCUI marking and safeguarding requirements.

Why "Official CUI Registry" is Correct?

TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.

32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.

Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.

The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.

Breakdown of Answer Choices

Option

Description

Correct?

A. 32 CFR Section 2002

❌Incorrect–Defines CUI program rules butdoes not listcategories.

B. Official CUI Registry

✅Correct – The registry contains the full list of CUI categories.

C. Executive Order 13556

❌Incorrect–Established the CUI program butdoes not maintain a category list.

D. Official CMMC Registry

❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.

Official References from CMMC 2.0 and Federal Documentation

National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.

32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.

Final Verification and Conclusion

The correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies' CUI indices and categories.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

Understanding Evidence Sufficiency in CMMC Level 2 Assessments

During aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Why Option B (Sufficiency) is Correct

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Final Verification

Since theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

According to the CMMC Assessment Process (CAP), specifically within the Phase 4: Reporting Results requirements, a C3PAO must ensure that every assessment package undergoes a rigorous quality review before it is finalized and submitted to the Department of Defense (DoD).

The Role of the CQAP: The CMMC Quality Assurance Professional (CQAP) is a designated role within a C3PAO responsible for verifying that the assessment was conducted in accordance with the CAP and that the evidence collected (the "Artifacts") supports the findings (Met/Not Met).

Mandatory Inclusion: When generating the Final Recommended Assessment Results, the package is not considered complete or valid without the formal review documentation from the CQAP. This documentation serves as the "stamp of approval" that the internal Quality Management System (QMS) of the C3PAO has validated the assessment team's work.

Why other options are incorrect:

Option A: While the Assessment Plan is a required document during the planning phase, it is an input to the process, not a mandatory component of theFinal Resultsgeneration in the same way quality validation is.

Option B: Daily Checkpoints are administrative tools used during the "Conduct Assessment" phase to keep the OSC informed. While they are part of the assessment record, they are not a mandatory technical component of the final results package.

Option C: The contract is a legal/business requirement handled during the "Plan and Prepare" phase; it is not included in the technical assessment results uploaded to the DoD.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 4.2 (Finalize Assessment Report) and Section 4.3 (C3PAO Quality Review).

C3PAO Authorization Requirements: Specifies the requirement for a Quality Assurance (QA) function to review all assessment outputs to ensure consistency and integrity across the ecosystem.

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Why the Correct Answer is "D"?

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

Why Not the Other Options?

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Final Justification:

Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

According to the CMMC Scoping Guidance, Level 1, the fundamental definition of an FCI Asset is any asset that performs at least one of three primary functions with Federal Contract Information (FCI). These functions are consistently defined across both Level 1 and Level 2 documentation as Processing, Storing, or Transmitting.

Process: In this scenario, the sales representative is "entering FCI data into various fields." The act of inputting, manipulating, or editing data within an application (the spreadsheet) is the definition of processing.

Store: Because the spreadsheet is on the laptop, the data resides on the laptop's hard drive or memory. This constitutes storing.

Transmit: While the prompt focuses on the data entry, a laptop is an endpoint designed to move data across a network (email, cloud uploads, or server saves). In the context of CMMC scoping, assets that handle protected information are categorized by their capability and role in the data lifecycle, which includes transmitting.

Why other options are incorrect:

Options B and D: These include the word "organize." While organizing data is a task a human performs, it is not a formal technical term used in the CMMC or NIST SP 800-171/FAR 52.204-21 definitions to categorize asset functions.

Option A: This option omits "store." Since the spreadsheet exists on the laptop, storage is a primary function being utilized.

Reference Documents:

CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0, which defines FCI Assets as assets that "process, store, or transmit FCI."

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): The regulatory source for Level 1, which applies to systems that "process, store, or transmit" federal contract information.

CMMC Assessment Guide, Level 1: Introduction and Scoping sections, reinforcing the triad of data handling functions.

Step 1: Responsibility for Subcontractor Compliance

The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.

This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

Step 1: Understanding CMMC Level 1 Self-Assessment Scope

CMMC Level 1applies toFederal Contract Information (FCI)systems.

Any system or device that is connected to an FCI-handling network is within the assessment scopebecause it canintroduce vulnerabilitiesinto the environment.

Step 2: Why the Thermostat is in Scope

TheWi-Fi-enabled thermostat is connected to the FCI network, meaning it haspotential accessto sensitive contract-related data.

PerCMMC Scoping Guidance, this type of device is classified as aRestricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but areconnected to networks that do.

Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.

Step 1: Understanding Who Specifies CMMC Levels

TheU.S. Department of Defense (DoD)determines the requiredCMMC Levelbased on thesensitivity of the information involved in a contract.

The required CMMC Level isspecified in Requests for Information (RFIs) and Requests for Proposals (RFPs).

Understanding the CMMC Level 2 Final Report Requirements

For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

Why "B. Documented rationale for each failed practice" is Correct?

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA&M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

Why Other Answers Are Incorrect?

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

Conclusion

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

In the CMMC 2.0 Model, the "Advanced Level" specifically refers to Level 2. The CMMC model is designed to be cumulative, meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework: To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain: The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices:

Level 1 (Foundational): Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced): Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced": The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect:

Option A: While it contains Level 1 practices, it also includes Level 2 practices.

Option B: Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D: The Advanced level does not reach the requirements of Level 3.

Reference Documents:

CMMC Model Overview (v2.0): Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule): Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide: Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========

CMMC Level 1 practices correspond directly to the basic safeguarding requirements for Federal Contract Information (FCI), which are codified in FAR clause 48 CFR 52.204-21. These 15 requirements form the foundation for Level 1 compliance.

Supporting Extracts from Official Content:

48 CFR 52.204-21: “Contractors shall apply the following 15 basic safeguarding requirements to protect Federal Contract Information (FCI).”

CMMC Model v2.0 Overview: “Level 1 corresponds to the 15 basic safeguarding requirements in FAR 52.204-21.”

Why Option C is Correct:

FAR 52.204-21 is the source for Level 1 practices.

NIST SP 800-171 applies to CUI and Level 2, not Level 1.

NIST SP 800-171b is the precursor to NIST SP 800-172 (used for Level 3).

DFARS 252.204-7012 covers CUI safeguarding and incident reporting, not Level 1 FCI requirements.

References (Official CMMC v2.0 Content):

FAR 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

CMMC Model v2.0, Level 1 Overview.

Interview Selection in CMMC Assessments

During aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:

✅Verify that personnel understand andperform security-related practices.

✅Ensure that individuals canexplain how they implement CMMC requirements.

✅Gain insight intoactual cybersecurity operationsrather than just documented policies.

The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.

Why "Providing Clarity and Understanding" Is Key

CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.

Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.

CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.

Thus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.

Why the Other Answers Are Incorrect

A. Have a security clearance.

❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.

B. Be a senior person in the company.

❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.

C. Demonstrate expertise on the CMMC requirements.

❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.

CMMC Official References

CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.

NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.

Thus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.

Understanding the Role of a CCP in CMMC Assessments

ACertified CMMC Professional (CCP)is responsible for assistingCertified CMMC Assessors (CCA)in evaluating anOrganization Seeking Certification (OSC)during a CMMC assessment. One key aspect of this process isconducting interviewswith Subject Matter Experts (SMEs) to verify security practices.

Ensuring that interviewees canspeak freely without fear of retaliationiscriticalto obtainingaccurate and unbiased informationabout the implementation of security controls.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide (Level 2)outlines that interviews are conducted to confirm that security practices are effectively implemented.

Interviewees mustfeel comfortable sharing candid responseswithout concern that their statements will lead tonegative consequenceswithin the organization.

Ensuring Confidentiality and Non-Attribution

DoD Assessment Methodologyspecifies that interviews should be conductedconfidentiallytoprotect the identity of interviewees.

TheCMMC Code of Professional Conduct (CoPC)for assessors and professionals reinforces the requirement to maintain theconfidentialityof assessment participants.

Non-attributionensures that responses are used for evaluation purposeswithout linking statements to specific individuals.

Why the Other Answer Choices Are Incorrect:

(A) Performed in groups for more efficient use of resources:

Group interviews may prevent individuals from speaking openly.

Employees might be hesitant to contradict leadership or peers.

(B) Recorded for inclusion in the Final Recommended Findings report:

Interviews arenot directly recorded or attributedin assessment reports.

Instead, findings are documentedwithout identifying specific individuals.

(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:

While responsesinformwhich practices are being assessed, theprimary goalof an interview is to ensure accurate,unbiased information gathering.

Final Validation from CMMC Documentation:

According to theCMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality iscrucialto gatheringaccurateandunbiasedresponses. This makesconfidentiality and non-attributionthe correct answer.

Thus, the correct answer is:

C. Confidential and non-attributable so interviewees can speak without fear of reprisal.

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)

TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

Why "C. User names associated with system accounts assigned to those individuals" is Correct?

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

Why Other Answers Are Incorrect?

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

Conclusion

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

Who Do DoD Contractors Report CUI Breaches To?

PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).

Key Reporting Requirements

✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.

✅Reports must be submitted via theDoD's Cyber Incident Reporting Portal.

✅Contractors mustpreserve forensic evidencefor potential investigation.

Why "DoD Cyber Crime Center" is Correct?

The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.

NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.

The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.

Breakdown of Answer Choices

Option

Description

Correct?

A. FBI

❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.

B. NARA

❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.

C. DoD Cyber Crime Center

✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.

D. Under Secretary of Defense for Intelligence and Security

❌Incorrect–This office doesnothandle cyber incident reports.

Official References from CMMC 2.0 and DFARS Documentation

DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.

DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.

Final Verification and Conclusion

The correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.

Understanding the CMMC Level 2 Assessment Process

When anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.

Who Signs Off on the Assessment Plan?

According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:

Lead Assessor– The individual responsible for overseeing the execution of the assessment.

C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.

Why "C. Lead Assessor and C3PAO" is Correct?

TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.

TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.

Why Other Answers Are Incorrect?

A. OSC and Sponsor (Incorrect)

TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.

Asponsoris not part of the sign-off process in CMMC assessments.

B. OSC and CMMC-AB (Incorrect)

TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.

TheCMMC-ABdoes not sign off on individualAssessment Plans.

D. C3PAO and Assessment Official (Incorrect)

"Assessment Official" isnot a defined rolein the CMMC assessment process.

TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.

Conclusion

The correct answer isC. Lead Assessor and C3PAO.

TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.

Background on Legacy Markings and CUI

Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.

Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.

When Must Legacy Markings Be Updated?

If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.

If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.

If a document is being shared externally (Answer C - Correct):

According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.

The document must be re-marked in compliance with the CUI Program before dissemination.

If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.

Conclusion

The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.

Understanding Configuration Management (CM) in CMMC Level 2

InCMMC Level 2, theConfiguration Management (CM) domainis critical for ensuring that systems aresecurely configured, maintained, and monitoredto prevent unauthorized changes. One key aspect of CM is managinguser-installed software, which can introducesecurity risksif not properly controlled.

The correct approach to managinguser-installed softwarealigns withCM.3.068fromNIST SP 800-171, which requires organizations to:

✅Establish and enforce configuration settingsto ensure security.

✅Monitor and control user-installed softwareto prevent unauthorized or insecure applications from running on organizational systems.

Why "Controlled and Monitored" is Correct?

The CCP (Certified CMMC Professional) conducting theinterviewshould focus on whether theuser-installed softwareiscontrolled and monitoredto align withCMMC Level 2 requirements. This means verifying:

Approval processesfor user-installed software.

Monitoring mechanisms(e.g., system logs, audits) to track software changes.

Policies that restrict unauthorized installationsto prevent security risks.

Breakdown of Answer Choices

Option

Description

Correct?

A. Controlled and monitored

✅Ensures compliance with CM.3.068, verifying that user-installed software ismanaged securely.

✅Correct

B. Removed from the system

Software isnot always removed—only unauthorized or risky software should be.

❌Incorrect

C. Scanned for malicious code

While scanning isimportant(covered in SI.3.218), it isnot the primary focusof Configuration Management.

❌Incorrect

D. Limited to mission-essential use only

While limiting software is useful,monitoring and controllingis the key security measure.

❌Incorrect

Official Reference from CMMC 2.0 Documentation

NIST SP 800-171, CM.3.068– "Control and monitor user-installed software."

CMMC 2.0 Level 2 Requirements– Directly aligned withNIST SP 800-171 security controls.

Final Verification and Conclusion

The correct answer isA. Controlled and monitored, as perCM.3.068inNIST SP 800-171andCMMC 2.0documentation.

Per the CMMC Assessment Process (CAP), the Assessment Team is responsible for determining the adequacy and sufficiency of evidence collected during the assessment. The team validates whether practices and components for each in-scope Host Unit, Supporting Organization, or enclave meet the target CMMC level. The OSC (Organization Seeking Certification) provides evidence, but only the Assessment Team makes the verification and scoring determination.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding Assessment Methods in CMMC 2.0

According to theCMMC Assessment Process (CAP) Guide, assessors usethree primary assessment methodsto determine compliance with security practices:

Examine– Reviewing documents, policies, configurations, and system records.

Interview– Speaking with personnel to gather insights into security processes.

Test– Performing technical validation of system functions and security controls.

Why Option C (Examine) is Correct

TheAssessment Team Memberis inspectingAssessment Objects(e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient forAC.L1-3.1.1 (Access Control – Authorized Users).

This activity aligns directly with theExaminemethod, which involves reviewing artifacts such as:

Access control lists (ACLs)

System user authentication logs

Account management policies

Role-based access control settings

"Observe" (Option B)is incorrect because "observing" is not an official assessment method in CMMC.

"Test" (Option A)is incorrect because the assessment is not actively executing a function but ratherreviewingevidence.

"Interview" (Option D)is incorrect because no personnel are being questioned—only documentation is being reviewed.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods

CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)

Final Verification

Since the activity involves reviewing documents and records to verify access control measures, it falls under theExaminemethod, makingOption C the correct answer.

CMMC Level 2 Readiness and Certification Requirements

CMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171's 110 security controls.

Key Readiness Indicators for a Level 2 Assessment:

The OSC must have implemented all 110 security practices from NIST SP 800-171.

Documented and validated cybersecurity policies and procedures must exist.

The OSC must be prepared to provide objective evidence (artifacts) proving compliance.

Why the OSC in the Question is Not Ready:

They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.

They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).

Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).

Clarification of Incorrect Options:

A. "Ready because there is no need to certify this company until after they win a DoD contract."

Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.

B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."

Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.

D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."

Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.

When preparing forCMMC compliance, organizations must ensure that theirnetwork configurations align with required cybersecurity controls. Ifnetwork administratorsdisagree on certain configurations, the mostobjective and accurateway to resolve the disagreement is by referencingofficial CMMC guidanceandNIST SP 800-171 requirements, which form the foundation of CMMC Level 2.

Step-by-Step Breakdown:

CMMC Assessment Guides as the Primary Reference

TheCMMC Assessment Guides (Level 1 & Level 2)provide clearinterpretationsof security practices.

Theyexplain how each practice should be implemented and assessedduring certification.

NIST SP 800-171 as the Compliance Baseline

CMMC Level 2is based directly onNIST SP 800-171, which outlines the110 security controlsrequired for protectingControlled Unclassified Information (CUI).

Network configurations must complywith NIST-defined security requirements, including:

Access Control (AC) – Ensuring least privilege principles.

Audit and Accountability (AU) – Logging and monitoring network activity.

System and Communications Protection (SC) – Secure network design and encryption.

Why the Other Answer Choices Are Incorrect:

(A) Consult with the CEO of the company:

ACEO is not necessarily a cybersecurity expertand may not be familiar with CMMC technical requirements.

Technical compliance decisions should be based onCMMC and NISTframeworks, not executive opinions.

(C) Go with the network administrator's ideas with the least stringent controls:

Choosingless stringent controls increases security riskand could lead toCMMC non-compliance.

(D) Go with the network administrator's ideas with the most stringent controls:

While security is important,more stringent controlsmay introduceoperational inefficienciesorunnecessary coststhat are not required for compliance.

The correct approach is to implement what is required by CMMC and NIST SP 800-171, no more and no less.

Final Validation from CMMC Documentation:

TheCMMC Assessment GuidesandNIST SP 800-171 Rev. 2areofficial sourcesthat provide the most reliable guidance on compliance.

CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.

Thus, the correct answer is:

B. Consult the CMMC Assessment Guides and NIST SP 800-171.

Step 1: Understanding CMMC Domains

TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.

Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.

Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.

Supporting Extracts from Official Content:

CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”

CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.

Why Option A is Correct:

The server stores FCI, making it automatically in scope.

Option B is incorrect because long-term storage does not make an asset out of scope.

Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.

Option D is incorrect because encryption does not remove scope requirements.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1.

CMMC Model v2.0, Scoping and Implementation guidance.

===========

NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.

Supporting Extracts from Official Content:

NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”

Why Option A is Correct:

“Clear, Purge, Destroy” are the exact three categories named.

Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.

References (Official CMMC v2.0 Content and Source Documents):

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

===========

Understanding CMMC Assessment Procedures

ACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Why the Correct Answer is "C"?

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

Why Not the Other Options?

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Final Justification:

Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding the Role of the DoD CIO Office in CMMC

TheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

Why "B. DoD CIO Office" is Correct?

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

Why Other Answers Are Incorrect?

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

Conclusion

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.

Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the "anchor" for the assessment boundary.

Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.

Relationship to other units:

Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary "Host" of the CUI/FCI. They are in-scope because they provide "Security Protection" or "Administrative" functions to the Host Unit.

Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the "people, processes, and technology" being assessed under the CMMC CAP.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.

CMMC Level 2 Scoping Guidance: Provides the framework for identifying the "assets" (people, technology, facilities) that reside within the Host Unit boundary.

CCP Study Guide: Section on "Scoping the Assessment," which explains how to identify the Host Unit versus External Service Providers (ESPs).

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

Why "A. Obtain Evidence" is Correct?

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

Why Other Answers Are Incorrect?

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

Conclusion

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.

Step-by-Step Explanation:

Assessment Planning & Conflict of Interest Consideration

Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.

A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.

CMMC Assessment Process and Phases

The CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:

Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.

Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.

Verify Readiness to Conduct Assessment (Correct Answer):

At this stage, theC3PAO or assessment team must review potential conflicts of interest.

TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.

Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.

Official CMMC Documentation & References

CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.

CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.

DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.

By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:

The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

Step 1: Understand the “CA” Domain – Security Assessment

TheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA&Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA&Ms.

✅Step 2: Review CMMC Levels

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

❌Why the Other Options Are Incorrect

A. Level 1

✘No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4

✘These levels build on CA practices but do not represent thestarting point.

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

Which NIST SP Defines the Assessment Procedures for CMMC?

CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:

✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Thus, the correct answer is:

Last Step in Developing an Assessment Plan for an OSC

Developing anassessment planinvolves:

Defining the assessment scope(e.g., systems, networks, locations).

Planning test activities(e.g., interviews, evidence review, technical testing).

Verifying the OSC’s readiness(e.g., ensuring required documents are available).

Updating the assessment plan and schedule as needed.

Final Step: Obtaining and recording the OSC’s commitment to the assessment plan.

Why is obtaining commitment the last step?

✔Theassessment cannot proceed unless the OSC agrees to the finalized plan.

✔This ensuresOSC leadership understands the scope, timeline, and responsibilities.

✔TheC3PAO must document this commitmentto formalize the agreement.

Why is the Correct Answer "D. Obtain and record commitment to the assessment plan"?

A. Verify the readiness to conduct the assessment → Incorrect

Readiness verification happens earlierin the planning process, not as the last step.

B. Perform certification assessment readiness review → Incorrect

Areadiness review is conducted before finalizing the plan, not at the very end.

C. Update the assessment plan and schedule as needed → Incorrect

Updating the plan happens before commitment is obtained; it is not the final step.

D. Obtain and record commitment to the assessment plan → Correct

This is the final step before conducting the assessment. The OSC must formally agree to the plan.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

States that theOSC must confirm agreement to the assessment plan before execution.

CMMC-AB Guidelines for C3PAOs

Specifies thatfinalizing the assessment plan requires documented commitment from the OSC.

CMMC Assessment Guide

Outlines thatassessments cannot begin without formal approval of the plan.

Final Answer:

✔D. Obtain and record commitment to the assessment plan.

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.

Supporting Extracts from Official Content:

CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”

Why Option B is Correct:

Examine = analyzing artifacts.

Interview = discussions with personnel.

Test = executing technical checks.

Behavior is not an assessment method.

References (Official CMMC v2.0 Content):

CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).

===========

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA&M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA&M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA&M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

The CAP specifies that the C3PAO is responsible for assigning the Lead Assessor to an OSC’s assessment. While the OSC contracts with the C3PAO, the authority to appoint the Lead Assessor resides solely with the C3PAO.

Supporting Extracts from Official Content:

CAP v2.0, Assessment Team Composition (§2.10): “The C3PAO shall designate a qualified Lead Assessor to lead the assessment.”

Why Option B is Correct:

Only the C3PAO has the authority to select and assign the Lead Assessor.

The OSC may influence scheduling and planning but cannot appoint assessors.

Options A, C, and D are inconsistent with CAP requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Assessment Team Roles and Responsibilities (§2.10).

ACertified Third-Party Assessor Organization (C3PAO)is responsible for conductingCMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop anAssessment Plan, which includes several key elements.

The part of the plan that captures:

✅Names of interviewees

✅Facilities to be utilized

✅Estimated costs

✅Assessment schedule

falls under the"Identify Resources and Schedule"section of the plan.

Step-by-Step Breakdown:

✅1. Identify Resources and Schedule

This section of theCMMC Assessment Planoutlines:

Thepersonnelinvolved (e.g., interviewees, assessors).

Thelocationswhere the assessment will take place.

Thetimeline and scheduling details.

Theestimated costsassociated with the assessment.

This ensures that all necessaryresourcesare allocated and that the assessment proceeds as planned.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Select Assessment Team Members❌

This section focuses onchoosing the assessorswho will conduct the evaluation, not listing interviewees and facilities.

(C) Identify and Manage Assessment Risks❌

This part of the plandocuments risks(e.g., scheduling conflicts, data access issues), but it doesnot outline names, facilities, or costs.

(D) Select and Develop the Evidence Collection Approach❌

This step defineshowevidence will be gathered (e.g., document reviews, interviews, system testing) but doesnot focus on logistics.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates thatresource identification and schedulingare essential for organizing the assessment. Since this sectioncaptures interviewees, facilities, costs, and the schedule, the correct answer is:

✅A. Identify resources and schedule.

Understanding IA.L2-3.5.3: Multifactor Authentication (MFA) Requirement

TheIA.L2-3.5.3practice, derived fromNIST SP 800-171 (Requirement 3.5.3), requires thatmultifactor authentication (MFA) be implemented for both privileged and standard userswhen accessing:

✔Organizational endpoints(e.g., laptops, desktops, mobile devices).

✔Network resources(e.g., VPNs, internal systems).

✔Cloud services containing Controlled Unclassified Information (CUI).

Key Requirement for a "MET" Rating

For IA.L2-3.5.3 to beMet, the organization must:

Require MFA for all privileged users(e.g., system administrators).

Require MFA for standard users accessing endpoints and network resources.

Implement MFA across all relevant systems.

Sincestandard users do not require MFA in the OSC’s current implementation, the practiceis not fully implementedand must be ratedNOT MET.

Why is the Correct Answer "D" (Practice is NOT MET since the objective was not implemented)?

A. The process is running correctly → Incorrect

MFA isonly applied to privileged users, but it isalso required for standard users. The process isnot fully implemented.

B. It is out of scope as this is a new acquisition → Incorrect

New acquisitionsmust still meet MFA requirementsif they handle CUI or network access.

C. The new acquisition is considered Specialized Assets → Incorrect

Specialized assets (e.g., IoT, legacy systems) may have alternative security controls, but standard users and endpointsmust still comply with MFA.

D. Practice is NOT MET since the objective was not implemented → Correct

MFA must be enabled for both privileged and standard usersaccessing endpoints and network resources. Since standard users are excluded, the practice isNOT MET.

CMMC 2.0 References Supporting This Answer:

CMMC 2.0 Level 2 (Advanced) Requirements

Specifies thatMFA must be applied to all users accessing CUI and network resources.

NIST SP 800-171 (Requirement 3.5.3 – MFA Implementation)

Requires MFA forall user types, including privileged and standard users.

CMMC Assessment Process (CAP) Document

States that a practicemust be fully implemented to be considered MET. Partial implementation meansNOT MET.

Understanding the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?

DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer Choices

Option

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Final Verification and Conclusion

The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.