CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

DFARS clause 252.204-7012 establishes the safeguarding of Covered Defense Information (CDI), which aligns with CUI categories. The clause specifies that the DoD is responsible for determining whether information is Controlled Unclassified Information (CUI) and marking it accordingly before sharing it with contractors. Contractors do not make determinations about what constitutes CUI; they are responsible for safeguarding information once it is received and marked as CUI.

Reference Documents:

DFARS 252.204-7012,Safeguarding Covered Defense Information and Cyber Incident Reporting

CMMC Model v2.0 Overview, December 2021

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:

The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

Understanding CMMC 2.0 Levels and Their Descriptions

TheCybersecurity Maturity Model Certification (CMMC) 2.0consists ofthree levels, each representing increasing cybersecurity maturity:

Level 1 – Foundational

Focuses onbasic cyber hygiene

Implements17 practicesaligned withFAR 52.204-21

Primarily protectsFederal Contract Information (FCI)

Level 2 – Advanced(Correct Answer)

Focuses onprotecting Controlled Unclassified Information (CUI)

Implements110 practicesaligned withNIST SP 800-171

Requirestriennial third-party assessments for critical programs

Level 3 – Expert

Focuses onadvanced cybersecurityagainstAPT (Advanced Persistent Threats)

ImplementsNIST SP 800-171 and additional NIST SP 800-172 controls

Requirestriennial government-led assessments

Why "B. Advanced" is Correct?

TheCMMC 2.0 framework explicitly describes Level 2 as "Advanced."

Italigns with NIST SP 800-171to ensure robustCUI protection.

Why Other Answers Are Incorrect?

A. Expert (Incorrect)– This describesLevel 3, not Level 2.

C. Optimizing (Incorrect)– Not a defined CMMC level description.

D. Continuously Improved (Incorrect)– CMMC does not use this terminology.

Conclusion

The correct answer isB. Advanced, which accurately describesCMMC Level 2.

This question aligns to the CMMC requirement to control information posted or processed on publicly accessible information systems , which appears in the CMMC Model Overview as AC.L1-3.1.22 (Control Public Information) and maps to FAR 52.204-21(b)(1)(iv) and NIST SP 800-171 Rev. 2 / r2 requirement 3.1.22 .

NIST explains that publicly accessible systems are typically those accessible to the public without identification or authentication , and that individuals authorized to post nonpublic information (including CUI/FCI and proprietary information) are designated . It also emphasizes controlling what gets posted and ensuring nonpublic information is not exposed.

The most direct technical way to “limit individuals who are authorized to post or process information” is to implement role-based administrative access (least privilege) to the website/CMS/admin console—granting publish/edit privileges only to approved roles (e.g., “Web Publisher,” “Content Approver”), and keeping all other users read-only or without access to posting functions. This directly enforces the requirement by using access control to restrict who can post/process content on the public system.

Options B and C are helpful procedural/administrative controls , but the question asks for technical means . Option A (cookies) does not control authorization to post; it’s not an access control mechanism. Therefore, D is best.

During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:

Adequacy– Does the evidence meet the intent of the security requirement?

Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?

These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.

Step-by-Step Breakdown:

✅1. Adequacy – Does the evidence fully meet the requirement?

Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.

Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.

✅2. Sufficiency – Is there enough evidence to support the claim?

Sufficiencymeans that there isenough supporting evidenceto prove compliance.

Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.

Why the Other Answer Choices Are Incorrect:

(B) Adequacy and Thoroughness❌

Thoroughnessis not a defined metric in CMMC evidence evaluation.

The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).

(C) Sufficiency and Thoroughness❌

Thoroughnessis not a recognized term in CMMC compliance validation.

Evidence must beadequate and sufficient, not just thorough.

(D) Sufficiency and Appropriateness❌

Appropriatenessis not a CMMC-defined criterion.

Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).

Final Validation from CMMC Documentation:

CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.

The core protection principle for OSC-provided assessment information (including PCI/CUI, assessment workpapers/notes, and the assessment results package ) is confidentiality / non-disclosure . The CMMC rules require assessors not to disclose OSC information outside the assessment participants, except as required by law. For example, CMMC assessor requirements include not sharing information about an OSC obtained during pre-assessment and assessment activities with anyone not involved in that specific assessment .

For retention, the authoritative requirement in the CMMC Program rule (32 CFR Part 170) is that assessment-related records are maintained for six (6) years , unless disposition is otherwise authorized by the CMMC PMO. This record set includes assessment materials and working papers generated during Level 2 certification assessments, and it also includes contractual agreements.

Important correction to the multiple-choice options: none of the answers list the official six-year retention period. The best available option is therefore B because it correctly captures the required confidentiality/non-disclosure principle—but the “ 3 years ” duration in the option does not match the official CMMC v2.0 retention requirement (which is 6 years ).

===========

Who Determines the Assessment Method for Each Practice?

In aCMMC Level 2 Assessment, theLead Assessorhas thefinal authorityin determining theassessment methodused to evaluate each practice.

Key Responsibilities of the Lead Assessor

✅Ensures theCMMC Assessment Process (CAP) Guideis followed.

✅Determines whether a practice is evaluated usinginterviews, demonstrations, or document reviews.

✅Directs theCertified CMMC Professionals (CCPs)and other assessors on themethodologyfor gathering evidence.

✅Works under aCertified Third-Party Assessment Organization (C3PAO)to ensure proper assessment execution.

Why "Lead Assessor" is Correct?

CCP (Option A) assists in the assessment but does not make final decisionson methods.

OSC (Option B) is the Organization Seeking Certification, and they do not control assessment methodology.

Site Manager (Option C) may coordinate logistics but has no authority over assessment decisions.

Breakdown of Answer Choices

Option

Description

Correct?

A. CCP

❌Incorrect–A CCPassistsbut doesnot determine assessment methods.

B. OSC

❌Incorrect–The OSC is beingassessedand does not decide assessment methods.

C. Site Manager

❌Incorrect–The Site Manager handles logistics butdoes not control assessment methods.

D. Lead Assessor

✅Correct – The Lead Assessor has the final say on the assessment method used.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Defines theLead Assessor’s rolein determining assessment methods.

Final Verification and Conclusion

The correct answer isD. Lead Assessor, as they havefinal decision-making authority over the assessment methodology.

The Cyber AB (formerly CMMC-AB) Code of Professional Conduct (CoPC) is a mandatory agreement that all CMMC ecosystem members—including Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs)—must adhere to. This code ensures the reliability and trustworthiness of the assessment process.

The fundamental principles that form the foundation of the CoPC include:

Responsibility: This refers to the obligation of the CMMC professional to act in the best interest of the CMMC program, the Department of Defense (DoD), and the public. It includes maintaining professional competence and performing duties with due care.

Confidentiality: Assessors and professionals are granted access to sensitive information, including Controlled Unclassified Information (CUI) and proprietary business data of the Organization Seeking Certification (OSC). They must ensure this information is protected from unauthorized disclosure.

Information Integrity: This principle requires that all data, findings, and reports generated during the assessment are accurate, complete, and have not been tampered with. It ensures that the "Met" or "Not Met" determinations are based on honest evidence.

Why other options are incorrect:

Options A and B (Objectivity): While "Objectivity" is a crucialbehavioralrequirement for an assessor (remaining unbiased), the specific high-level triad often emphasized in the CMMC Professional training and the formal CoPC documentation focuses on the Responsibility-Confidentiality-Integrity framework to align with standard professional ethics and information security pillars.

Options A and C (Classification): "Classification" is a process used for National Security Information (Classified info), whereas CMMC is primarily focused on unclassified information (CUI and FCI). Classification is not a core principle of the professional code of conduct.

Options A and C (Information Accuracy): While accuracy is vital, it is considered a subset of Information Integrity within the formal definitions provided in the CCP curriculum.

Reference Documents:

CMMC-AB (The Cyber AB) Code of Professional Conduct: The official ethical framework for all credentialed individuals.

CMMC Professional (CCP) Study Guide: Section on "Ethics and the Code of Professional Conduct."

CMMC Assessment Process (CAP): References the ethical standards required to maintain the integrity of the assessment ecosystem.

Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).

Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.

Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.

Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.

Reference Documents:

CMMC Model v2.0 Overview (DoD, December 2021)

NIST SP 800-171 Rev. 2,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172,Enhanced Security Requirements for Protecting Controlled Unclassified Information

Understanding Ethical Responsibility in the CMMC Ecosystem

Ethics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.

Key Ethical Responsibilities Include:

CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.

CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.

Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.

Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?

A. DoD and CMMC-AB → Incorrect

TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.

B. OSC and Sponsors → Incorrect

TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.

C. CMMC-AB and Members of the CMMC Ecosystem → Correct

Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.

D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect

Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.

CMMC 2.0 References Supporting this Answer:

CMMC-AB Code of Professional Conduct

Defines ethical responsibilities forassessors, consultants, and ecosystem members.

CMMC Ecosystem Governance Policies

Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.

CMMC Assessment Process (CAP) Document

Outlines ethical expectations forassessors and consultantsduring certification assessments.

In a CMMC Level 2 Assessment, an assessor must achieve a high level of confidence that a practice is both implemented and institutionalized. This is determined through the Examine, Interview, and Test (E-I-T) methods as outlined in NIST SP 800-171A and the CMMC Assessment Process (CAP).

Conflict of Evidence: The scenario presents a direct conflict between the three pillars of evidence. The Policy/Documentation (Examine) states the practice occurs monthly. The Logs/Artifacts (Examine/Test) show it occurs quarterly. The Interviews claim it happens monthly but is only recorded quarterly.

The "Not Met" Determination: Under the CAP, if the evidence collected does not consistently support the assessment objective, the practice cannot be marked as "Met." Specifically:

Adequacy and Sufficiency: The logs (the primary proof of performance) are insufficient to prove the monthly requirement stated in the documentation.

Inconsistency: Assessors look for "corroboration." When interviews contradict the physical artifacts (the logs), the objective evidence (the logs) carries significant weight. If a practice is required monthly but only recorded quarterly, the assessor cannot verify that it was actually performed during the missing months.

Why other options are incorrect:

Option B: The practice isnotbeing done as documented because the documentation says "monthly" and the logs only show "quarterly."

Option C: This is a common misconception. Not all three methods (E, I, and T) are required foreverysingle practice (the Assessment Guide specifies which are required), but allusedmethods must yield consistent "Met" results.

Option D: Interviews alone are almost never sufficient to pass a practice that requires technical or administrative artifacts (logs).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence) and Section 3.5 (Determine Findings).

CMMC Level 2 Assessment Guide: Introduction to Assessment Methods, emphasizing that findings must be supported by the "preponderance of evidence."

NIST SP 800-171A: Chapter 2, "Assessment Procedures," regarding the necessity of artifacts to prove implementation over time.

Last Step in Developing an Assessment Plan for an OSC

Developing anassessment planinvolves:

Defining the assessment scope(e.g., systems, networks, locations).

Planning test activities(e.g., interviews, evidence review, technical testing).

Verifying the OSC’s readiness(e.g., ensuring required documents are available).

Updating the assessment plan and schedule as needed.

Final Step: Obtaining and recording the OSC’s commitment to the assessment plan.

Why is obtaining commitment the last step?

✔Theassessment cannot proceed unless the OSC agrees to the finalized plan.

✔This ensuresOSC leadership understands the scope, timeline, and responsibilities.

✔TheC3PAO must document this commitmentto formalize the agreement.

Why is the Correct Answer "D. Obtain and record commitment to the assessment plan"?

A. Verify the readiness to conduct the assessment → Incorrect

Readiness verification happens earlierin the planning process, not as the last step.

B. Perform certification assessment readiness review → Incorrect

Areadiness review is conducted before finalizing the plan, not at the very end.

C. Update the assessment plan and schedule as needed → Incorrect

Updating the plan happens before commitment is obtained; it is not the final step.

D. Obtain and record commitment to the assessment plan → Correct

This is the final step before conducting the assessment. The OSC must formally agree to the plan.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

States that theOSC must confirm agreement to the assessment plan before execution.

CMMC-AB Guidelines for C3PAOs

Specifies thatfinalizing the assessment plan requires documented commitment from the OSC.

CMMC Assessment Guide

Outlines thatassessments cannot begin without formal approval of the plan.

Final Answer:

✔D. Obtain and record commitment to the assessment plan.

The best match is Penetration test team because penetration testing is an authorized, structured security evaluation intended to find vulnerabilities in systems or networks and produce results that enable remediation/mitigation .

Authoritatively, NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) is a primary federal reference for technical security testing. It describes the purpose of technical testing as helping organizations plan and conduct tests , analyze findings , and develop mitigation strategies —which aligns directly with “vulnerability evaluations” and “providing mitigation techniques.” The DoD also points its Components to NIST SP 800-115 as guidance for penetration testing activities.

By contrast, a Red Team is typically framed as an “ethical adversary” that emulates attackers to test detection/response and overall readiness; it is often broader, scenario-driven, and focused on demonstrating what a capable adversary can accomplish rather than performing a scoped vulnerability evaluation with remediation-oriented outputs. A Blue Team is primarily defensive operations (monitoring, detection, response), not the group defined by conducting vulnerability evaluations for customers. “ White hat hackers ” is a general label for ethical hackers, but it is less specific than the established service construct of a penetration test team .

Because the question emphasizes operational network vulnerability evaluations plus mitigation techniques , the most precise and standard term is D: Penetration test team , supported by NIST’s testing-and-mitigation framing.

Understanding the Final Review Process in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

Why "D. Final and recorded Daily Checkpoint log" is Correct?

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

Why Other Answers Are Incorrect?

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

Conclusion

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.

Breakdown of CMMC Level 1 Practices

The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:

Access Control (AC)– 4 practices

AC.L1-3.1.1: Limit system access to authorized users

AC.L1-3.1.2: Limit user access to authorized transactions and functions

AC.L1-3.1.20: Verify and control connections to external systems

AC.L1-3.1.22: Control information posted or processed on publicly accessible systems

Identification and Authentication (IA)– 2 practices

IA.L1-3.5.1: Identify and authenticate system users

IA.L1-3.5.2: Use multifactor authentication for local and network access

Media Protection (MP)– 1 practice

MP.L1-3.8.3: Sanitize media before disposal or reuse

Physical Protection (PE)– 4 practices

PE.L1-3.10.1: Limit physical access to systems containing FCI

PE.L1-3.10.3: Escort visitors and monitor visitor activity

PE.L1-3.10.4: Maintain audit logs of physical access

PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)– 2 practices

SC.L1-3.13.1: Monitor and control communications at system boundaries

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components

System and Information Integrity (SI)– 4 practices

SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner

SI.L1-3.14.2: Provide protection from malicious code at designated locations

SI.L1-3.14.4: Update malicious code protection mechanisms periodically

SI.L1-3.14.5: Perform scans of system components and real-time file scans

Official Reference from CMMC 2.0 Documentation

The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.

???? CMMC 2.0 Level 1 Summary:

Focus:Basic safeguarding of FCI

Total Practices:17

Derived From:FAR 52.204-21

Assessment Type:Self-assessment (annual)

Final Verification and Conclusion

The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding the "Examine" Assessment Method in CMMC 2.0

CMMC 2.0 usesthree assessment methodsto evaluate security compliance:

Examine– Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).

Interview– Speaking with personnel to verify knowledge and responsibilities.

Test– Performing technical validation to check system configurations.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)definesExamineas the method used toreview or analyze assessment objects, such as policies, procedures, configurations, and logs.

Why is the Correct Answer "Examine" (C)?

A. Test → Incorrect

"Test" involvesexecutinga function to validate its security (e.g., verifying access controls through a live system test).

B. Assess → Incorrect

"Assess" is a broad term; CMMC explicitly defines "Examine" as the method for reviewing documentation.

C. Examine → Correct

"Examine" is the official term forreviewing policies, procedures, configurations, or logs.

D. Interview → Incorrect

"Interview" involvesverbal discussions with personnel, not document analysis.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "Examine" asanalyzing assessment objects (e.g., policies, procedures, logs, documentation).

NIST SP 800-171A

Specifies "Examine" as a method toreview security controls and configurations.

Step 1: Understanding the Role of the DoD in CMMC

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.

This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :

Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect :

Option A : While it contains Level 1 practices, it also includes Level 2 practices.

Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D : The Advanced level does not reach the requirements of Level 3.

Reference Documents :

CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========

Step 1: Define Roles – CCP and CCA

CCP (Certified CMMC Professional):

Entry-level certification in the CMMC ecosystem.

Supports assessment activities under the supervision of a CCA.

May assist in consulting roles outside of formal assessments.

CCA (Certified CMMC Assessor):

Certified tolead assessmentsunder the CMMC model.

Requiredfor conductingLevel 2 formal assessments.

Can be part of a C3PAO assessment team or lead it.

Source: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition

“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”

✅Step 2: Citizenship Requirements

CAP v1.0 – Appendix B: Team Composition and Clearance Requirements

“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”

But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.

So:

TheCCA leadsthe team.

CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.

❌Why the Other Options Are Incorrect

A. The CCP leads the Level 2 Assessment Team…

✘Incorrect. CCPscannot leadLevel 2 assessments.

B. The CCA leads… includes 3 CCP with US Citizenship.

✘Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.

D. The CCP leads…

✘Again, CCPs donot have the authority to leadformal CMMC assessments.

Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.

Scoping Requirements in CMMC Assessments

TheCMMC 2.0 Scoping GuideandCMMC Assessment Process (CAP) Documentclearly define what should be included in the scope of an assessment.

The assessment scope must cover:

All assets that process, store, or transmit FCI/CUI

Security Protection Assets (ESP)– these assets help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.

Thus, thecorrect scope includes both:

✅FCI/CUI Assets(Data storage, processing, or transmission assets)

✅Security Protection Assets (ESP)(Firewalls, security tools, etc.)

Why the Other Answers Are Incorrect

A. All assets documented in the business plan

❌Incorrect.Business plans may include assets unrelated to FCI/CUI, making this scopetoo broad. Only assets relevant to FCI/CUI should be assessed.

B. All assets regardless if they do or do not process, store, or transmit FCI/CUI

❌Incorrect. CMMC doesnotrequire organizations to include assets thathave no connection to FCI/CUI.

C. All entities, regardless of the line of business, associated with the organization

❌Incorrect.Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (like a non-federal commercial division) areout-of-scope.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answeras per official CMMC assessment scoping requirements.

Understanding CMMC Asset Scoping Requirements

Before conducting aCMMC Level 2 Assessment, anOrganization Seeking Certification (OSC)must define theassessment scopeby categorizing all assets. This ensures that only relevant systems are assessed againstCMMC practices, reducing unnecessary compliance burdens.

According to theCMMC Scoping Guide for Level 2, there are four asset categories:

CUI Assets– Assets that process, store, or transmitControlled Unclassified Information (CUI).

Security Protection Assets (SPA)– Assets that providesecurity functions(e.g., firewalls, intrusion detection systems, identity management systems).

Contractor Risk Managed Assets (CRMA)– Assets thatdo not directly store/process CUIbut interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).

Specialized Assets– Unique systems such asOperational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may requirelimitedCMMC assessment.

Which Asset Categories Are Always Assessed?

✅1. CUI Assets(ALWAYS ASSESSED)

These are theprimary focusof CMMC Level 2 since they handleCUI.

All110 NIST SP 800-171 controlsapply to these assets.

✅2. Security Protection Assets (SPA)(ALWAYS ASSESSED)

Security tools that protectCUI Assetsarealways includedin the assessment.

Examples includefirewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.

Why the Other Answer Choices Are Incorrect:

(A) CUI Assets and Specialized Assets❌

CUI Assets are assessed, butSpecialized Assets are only assessed in a limited manner, depending on their role inCUI security.

(C) Specialized Assets and Contractor Risk Managed Assets❌

Specialized Assets and CRMAsare typicallynot fully assessedagainst CMMC controls unless they directly impactCUI security.

(D) Security Protection Assets and Contractor Risk Managed Assets❌

SPAs are always assessed, butCRMAs are not necessarily assessedunless they directly impact CUI.

Final Validation from CMMC Documentation:

TheCMMC Scoping Guide (Level 2)clearly states thatCUI Assets and Security Protection Assetsarealways assessedagainst CMMC practices.

Thus, the correct answer is:

B. Security Protection Assets and CUI Assets.

The requirement to exercise due care in protecting information gathered during an assessment aligns with the principle ofConfidentialityunder theCMMC Code of Professional Conduct (CoPC). This ensures that sensitive assessment data, findings, and any Controlled Unclassified Information (CUI) remain protected even after the engagement concludes.

Step-by-Step Breakdown:

Definition of Confidentiality in CMMC Context:

Confidentiality refers to protecting sensitive information from unauthorized disclosure.

In the context of a CMMC assessment, it includes safeguarding assessment artifacts, findings, and other sensitive data collected during the evaluation process.

CMMC Code of Professional Conduct (CoPC) References:

TheCMMC Code of Professional Conductstates that assessors and organizations must handle all collected information with discretion andensure its protection post-engagement.

Clause on"Maintaining Confidentiality"specifies that assessors must:

Not disclose sensitive information to unauthorized parties.

Secure data in storage and transmission.

Retain and dispose of data securely in accordance with federal regulations.

Alignment with NIST 800-171 & CMMC Practices:

CMMC Level 2 incorporates NIST SP 800-171 controls, which include:

Requirement 3.1.3:“Control CUI at rest and in transit” to ensure unauthorized individuals do not gain access.

Requirement 3.1.4:“Separate the duties of individuals to reduce risk” ensures that assessment findings are only shared with authorized personnel.

These requirements align with the duty toexercise due carein protecting assessment-related information.

Why the Other Options Are Incorrect:

(A) Availability:This refers to ensuring data is accessible when needed but does not directly relate to protecting gathered information post-assessment.

(C) Information Integrity:This focuses on preventing unauthorized modifications rather than restricting disclosure.

(D) Respect for Intellectual Property:While related to ethical handling of proprietary data, it does not directly cover post-engagement confidentiality requirements.

Final Validation from CMMC Documentation:

TheCMMC Code of Professional ConductandNIST SP 800-171control requirements confirm thatConfidentialityis the correct answer, as it directly pertains to protecting information post-assessment.

Thus, the correct answer isB. Confidentiality.

UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.

Key Requirements from DFARS 252.204-7012 (c)(1):

CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.

The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.

The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.

Why is the Correct Answer "FedRAMP Moderate" (B)?

A. FedRAMP Low → Incorrect

FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.

B. FedRAMP Moderate → Correct

FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.

It provides a security baseline for protectingsensitive but unclassified government data.

C. FedRAMP High → Incorrect

FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.

D. FedRAMP Secure → Incorrect

There isno official FedRAMP Secure categoryin FedRAMP guidelines.

CMMC 2.0 References Supporting this Answer:

DFARS 252.204-7012(c)(1)

Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.

CMMC 2.0 Level 2 Requirements

CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.

FedRAMP Security Baselines

FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.

Understanding Access Control in CMMC

Access control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

Why the Other Answers Are Incorrect

B. Physical access control

❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)

❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)

❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

CMMC Official References

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, the assessment methodology is derived directly from NIST SP 800-171A. The framework defines three fundamental assessment methods used by a C3PAO (Certified Third-Party Assessment Organization) to determine if a practice is "Met." These are:

Examine: This involves reviewing, inspecting, or analyzing assessment objects. As per the CCP curriculum, these objects include documents (policies, procedures, plans), mechanisms (hardware, software, or firmware safeguards), or activities (logs, system configurations).

Interview: This involves holding discussions with personnel within the Organization Seeking Certification (OSC) to facilitate understanding or obtain evidence.

Test: This involves exercising assessment objects (mechanisms or activities) under specific conditions to compare actual behavior with expected behavior.

Detailed Breakdown of the Options:

Option A is correct because "documents, mechanisms, or activities" are the specific categories of assessment objects defined in the CMMC/NIST 171A methodology that are subjected to the Examine method.

Option B refers to specific technical components, which are types of mechanisms but do not represent the full scope of the assessment methods.

Option C lists specific examples of evidence, but is not the formal definition of the "Examine" method components.

Option D describes specific "Test" or "Interview" activities rather than the categorical objects of the "Examine" method.

Reference Documents:

CMMC Assessment Guide, Level 2: Section on "Assessment Methods" (derived from NIST SP 800-171A).

CMMC Assessment Process (CAP): Defines the evidence collection phase and the application of Examine, Interview, and Test (E-I-T).

NIST SP 800-171A: The source document defining the "Assessment Objects" as specifications (documents), mechanisms, and activities.

According to the CMMC Scoping Guidance, Level 2, assets are categorized into specific groups to determine how they are treated during an assessment. One of these categories is Specialized Assets.

The CMMC Scoping Guidance defines Specialized Assets as a specific group that includes:

Government Property: Any property owned or leased by the government and provided to the contractor (Government Furnished Equipment or GFE).

Internet of Things (IoT): Physical objects that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (e.g., Industrial Control Systems).

Restricted Information Systems: Systems that have specific configurations or constraints that prevent standard security controls from being applied (e.g., legacy systems).

Test Equipment: Specialized equipment used for testing, such as oscilloscopes or signal generators.

Why other options are incorrect:

Option A (SOCs): A Security Operations Center is typically considered a Security Protection Asset (SPA) because it provides security functions (monitoring/response) for the assessment scope.

Option B (Hosted VPN services): These are generally categorized as External Service Providers (ESPs) or part of the Security Protection Assets, depending on how they are managed and their role in protecting CUI.

Option C (Consultants): These are External Service Providers (ESP) (personnel/organizations), not specialized hardware/software assets.

Treatment of Specialized Assets: Under CMMC Level 2 scoping rules, Specialized Assets must be identified in the Asset Inventory and documented in the System Security Plan (SSP), but they are generally not managed against the CMMC practices unless they process, store, or transmit CUI in a way that falls outside their specialized function.

Reference Documents:

CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.1, "Specialized Assets" and Table 3.

32 CFR Part 170 (CMMC Program Rule): Definitions of asset categories and their associated assessment requirements.

The correct document is a Non-Disclosure Agreement (NDA) , because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0 , NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.

CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”

This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.

While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement) .

For SI.L2-3.14.7 (Identify Unauthorized Use) , the assessment objectives focus on two outcomes: (a) the organization has defined authorized use of the system, and (b) the organization identifies unauthorized use when it occurs. The strongest evidence is therefore evidence that the organization actively monitors systems and can detect and recognize activity outside the defined authorized-use baseline.

In the DoD CMMC Assessment Guide – Level 2 (v2.13) , the “Potential Assessment Methods and Objects” for SI.L2-3.14.7 emphasize artifacts that are directly tied to monitoring and detection—such as a continuous monitoring strategy , system and information integrity policy , procedures addressing system monitoring tools and techniques , and technical monitoring capabilities (e.g., tools/techniques like IDS/IPS , audit record monitoring , and network monitoring ).

These artifacts are exactly what demonstrate that unauthorized use is being identified in practice (alerts, logs, correlation, and review processes) and that authorized use is defined (policies/standards that establish what “authorized” looks like so “unauthorized” can be recognized).

By contrast, risk assessment/response and incident response may be related program elements, but they are not the primary evidence that the organization is continuously detecting unauthorized use. The assessment guide’s focus on monitoring artifacts makes System monitoring the best evidence.

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

Understanding SI.L2-3.14.6: Monitor Communications for Attacks

The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Breakdown of Answer Choices

Option

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

Official References from CMMC 2.0 and NIST SP 800-171 Documentation

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Final Verification and Conclusion

The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).

While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.

Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.

Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.

Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.

Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.

C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.

Understanding the Role of a Registered Provider Organization (RPO)

ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO

✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Why "Consulting Services" is the Correct Answer?

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Breakdown of Answer Choices

Option

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

Official References from CMMC 2.0 Documentation

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Final Verification and Conclusion

The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

What Happens in Phase 4 of the CMMC Assessment Process?

Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:

Review all assessment findings

Determine the Organization Seeking Certification’s (OSC) eligibility for certification

Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)

Key Responsibilities of the Lead Assessor in Phase 4:

Ensure that the OSC hasmet the required practices and processes.

Confirm that anydeficiencieshave been corrected or appropriately documented.

Recommendwhether the OSC is eligible for certificationbased on assessment results.

Since theLead Assessor must determine and recommend the OSC’s eligibilityto the C3PAO, the correct answer isB. Eligibility.

Why the Other Answers Are Incorrect

A. Ability

❌Incorrect. While assessing an OSC’s ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.

C. Capability

❌Incorrect. Capability refers to an organization'stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.

D. Suitability

❌Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.

CMMC Official References

CMMC Assessment Process (CAP) Document– Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.

CMMC 2.0 Model– Defines the assessment process, including certification decision-making.

Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.

Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.

Reference Documents:

Title 44, U.S. Code, Chapter 33: Records Management

NARA Records Management Directive

When preparing forCMMC compliance, organizations must ensure that theirnetwork configurations align with required cybersecurity controls. Ifnetwork administratorsdisagree on certain configurations, the mostobjective and accurateway to resolve the disagreement is by referencingofficial CMMC guidanceandNIST SP 800-171 requirements, which form the foundation of CMMC Level 2.

Step-by-Step Breakdown:

CMMC Assessment Guides as the Primary Reference

TheCMMC Assessment Guides (Level 1 & Level 2)provide clearinterpretationsof security practices.

Theyexplain how each practice should be implemented and assessedduring certification.

NIST SP 800-171 as the Compliance Baseline

CMMC Level 2is based directly onNIST SP 800-171, which outlines the110 security controlsrequired for protectingControlled Unclassified Information (CUI).

Network configurations must complywith NIST-defined security requirements, including:

Access Control (AC) – Ensuring least privilege principles.

Audit and Accountability (AU) – Logging and monitoring network activity.

System and Communications Protection (SC) – Secure network design and encryption.

Why the Other Answer Choices Are Incorrect:

(A) Consult with the CEO of the company:

ACEO is not necessarily a cybersecurity expertand may not be familiar with CMMC technical requirements.

Technical compliance decisions should be based onCMMC and NISTframeworks, not executive opinions.

(C) Go with the network administrator's ideas with the least stringent controls:

Choosingless stringent controls increases security riskand could lead toCMMC non-compliance.

(D) Go with the network administrator's ideas with the most stringent controls:

While security is important,more stringent controlsmay introduceoperational inefficienciesorunnecessary coststhat are not required for compliance.

The correct approach is to implement what is required by CMMC and NIST SP 800-171, no more and no less.

Final Validation from CMMC Documentation:

TheCMMC Assessment GuidesandNIST SP 800-171 Rev. 2areofficial sourcesthat provide the most reliable guidance on compliance.

CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.

Thus, the correct answer is:

B. Consult the CMMC Assessment Guides and NIST SP 800-171.

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-Assessment

CMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

Official CMMC 2.0 Documentation References

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

Breakdown of Answer Choices

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Conclusion

Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

Reference Documents for Further Reading

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

Understanding CUI Markings and the Role of NARA

What Does "CUI//SP-PRVCY//FED Only" Mean?

The email containsControlled Unclassified Information (CUI)withspecific categories and dissemination controls.

CUI//SP-PRVCY//FED Onlybreaks down as follows:

CUI→ Controlled Unclassified Information designation.

SP-PRVCY→Specifiedcategory forPrivacy Information(SP stands for "Specified").

FED Only→ Restriction forFederal Government use only(not for contractors or the public).

Who Maintains the Official CUI Registry?

TheNational Archives and Records Administration (NARA) oversees the CUI Programand maintains the officialCUI Registry(https://www.archives.gov/cui).

The CUI Registry providesdefinitions, marking guidance, and categoriesfor all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."

Why NARA is the Correct Answer:

NARA is the governing body responsible for defining and managing CUI markings.

Any organization handling CUI shouldrefer to the NARA CUI Registryfor official marking interpretations.

DoD contractors and other organizationsmust comply with NARA guidelines when handling, marking, and disseminating CUI.

Clarification of Incorrect Options:

B. CMMC-AB– TheCMMC Accreditation Bodymanages certification assessments butdoes not define or interpret CUI markings.

C. DoD Contractors FAQ Page– The DoD may provide general contractor guidance, butCUI markings are governed by NARA, not an FAQ page.

D. DoD 239.7601 Definitions Page– This refers to generalDoD acquisition definitions, butCUI categories and markings fall under NARA’s authority.

Under the CMMC Assessment Process (CAP) v2.0 , the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled “Identify and Manage Initial Conflicts of Interest (COI)” and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.

CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.

This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility , the CAP’s direct assignment of COI management to the C3PAO makes B the correct answer.

===========

What Does the Practice of Professionalism Require in the CMMC Code of Professional Conduct?

TheCMMC Code of Professional Conduct (CoPC)sets ethical and professional standards forCertified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs).Professionalismrequireshonesty and integrity in all CMMC-related activities.

Step-by-Step Breakdown:

✅1. Professionalism Requires Ethical Behavior

TheCoPC states that professionalismincludes:

Acting with integrityin all assessment-related activities.

Providing truthful and objective assessmentsof cybersecurity practices.

Avoiding deceptive or misleading claimsabout assessments or compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Do not copy materials without permission to do so❌

This falls underIntellectual Property (IP) protection, notProfessionalism.

(B) Do not make assertions about assessment outcomes❌

Assessorsmustprovide findings based on evidence. The rule is aboutnot making false or misleading claims, not about avoiding assertions altogether.

(D) Ensure the security of all information discovered or received❌

This falls underConfidentiality, notProfessionalism.

Final Validation from CMMC Documentation:

TheCMMC Code of Professional Conduct (CoPC)definesProfessionalism as requiring honesty and integrityin allCMMC-related activities.

Thus, the correct answer is:

✅C. Refrain from dishonesty in all dealings regarding CMMC.

Under the CMMC Assessment Process (CAP) v2.0 , the assessment results are not supposed to be delivered to the OSC as “initial” or unchecked findings. Instead, CAP v2.0 requires that the C3PAO conducts a formal quality assurance (QA) review of the certification assessment results prior to the Out-Brief Meeting with the OSC . This QA step is mandatory and is explicitly sequenced before results are conveyed to the OSC.

After the results are compiled and quality-reviewed, the Lead CCA convenes the Out-Brief Meeting specifically “to convey the results of the assessment to the OSC.” CAP v2.0 further requires the team to prepare and deliver an “Assessment Results Briefing” for the Out-Brief, and it lists the required contents (including final MET/NOT MET/NA determinations for each security requirement , POA & M status (if applicable), and the certificate determination).

Therefore, the best answer is D because CAP v2.0 makes clear that results must undergo C3PAO QA review before they are formally presented to the OSC during the Out-Brief.

The term Adversarial Assessment is formally defined in DoD cyber terminology. It describes testing that evaluates a unit or system’s ability to perform its mission while facing simulated cyber threat activity representative of a real-world adversary.

Supporting Extracts from Official Content:

DoD Cybersecurity Test and Evaluation Guidebook: “Adversarial Assessment: Test conducted to evaluate a unit’s ability to support its mission while withstanding cyber threat activity representative of an actual adversary.”

Why Option D is Correct:

A penetration test is narrower and focuses on identifying vulnerabilities.

Black hat testing is not an official DoD or CMMC term.

Red cell assessment refers more broadly to force-on-force exercises and is not the term used in CMMC/governing DoD definitions.

References (Official CMMC v2.0 Content and Source Documents):

DoD Cybersecurity Test and Evaluation Guidebook.

CMMC v2.0 Governance – Source Documents (incorporating DoD definitions).

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)

TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

Why "C. User names associated with system accounts assigned to those individuals" is Correct?

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

Why Other Answers Are Incorrect?

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

Conclusion

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.

Supporting Extracts from Official Content:

CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”

Why Option A is Correct:

These three principles are the official guiding values documented in the Code of Professional Conduct.

Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.

References (Official CMMC v2.0 Content):

CMMC Code of Professional Conduct.

===========

DoDI 5200.48 specifies that Authorized Holders of CUI are responsible for applying appropriate CUI markings. An authorized holder is an individual who has lawful government purpose access to the information. This ensures that responsibility for correctly marking information rests with those who create or handle the material, not only with original classification authorities (which apply to classified information, not CUI).

Reference Documents:

DoDI 5200.48,Controlled Unclassified Information (CUI)

TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.

TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:

"Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."

This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:

✅Organizational operations(e.g., mission, business continuity, functions)

✅Organizational assets(e.g., data, IT systems, intellectual property)

✅Individuals(e.g., employees, contractors, customers affected by security risks)

Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect

A. Organizational operations, business assets, and employees

❌Incorrect."Business assets"is not the correct terminology used in CMMC/NIST SP 800-171. Instead,"organizational assets"is the proper term.

B. Organizational operations, business processes, and employees

❌Incorrect."Business processes"is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.

D. Organizational operations, organizational processes, and individuals

❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.

CMMC Official References

CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.

NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.

Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.

According to the CMMC Model and Assessment Guides, specifically the rules governing Plan of Action and Milestones (POA & M) and the remediation period, an Organization Seeking Certification (OSC) is allowed a limited opportunity to remediate certain "Not Met" practices to achieve a "Met" status without failing the assessment entirely.

Here is the breakdown based on CMMC Ecosystem protocols:

The 180-Day POA & M Rule: CMMC Level 2 allows for the use of POA & Ms for specific practices, provided they are not high-priority items (typically 5-point values in the scoring methodology). If an OSC has "Not Met" practices that are eligible for a POA & M, they have up to 180 days to remediate them.

The Remediation Period (Assessment Closeout): During the assessment process itself, there is a "remediation period" (often referred to within the 1-90 day window depending on the specific C3PAO methodology and the CMMC assessment process) where an OSC can fix minor issues identified by the assessor before the final report is submitted.

Eligibility Criteria: The question states there are 15 practices "Not Met." While this is a high number, the CMMC rule does not automatically disqualify an OSC based solely on thequantityof practices, but rather thetype(weight) of the practices and the resulting score. To be eligible for a conditional "Met" (via POA & M), the OSC must achieve a minimum score (often 80% of the total points) and none of the "Not Met" practices can be those designated as mandatory "Met" (no POA & M allowed) in the CMMC rule.

Why "C" is correct: Because we do not know the specific weights of the 15 "Not Met" practices or the total score, we cannot definitively say theywillbe remediated (A) or that they areineligible(B). However, under the CMMC assessment framework, the OSC may be eligible to enter a remediation phase or utilize a POA & M to bridge the gap, provided they meet the scoring threshold and the specific practices allow for it.

Reference Documents:

CMMC Assessment Process (CAP): Defines the phases of assessment including the "Remediation Period."

32 CFR Part 170 (CMMC Program Rule): Outlines the specific requirements for POA & Ms, the 180-day timeline, and the scoring parameters required to be eligible for a Conditional Certification.

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

Understanding the Role of an FCI Asset in CMMC

Adedicated local printer used to print Federal Contract Information (FCI)is considered anFCI Asset. UnderCMMC Level 1, FCI assets are required to meetbasic cybersecurity controlsto ensure that FCI is properlyprotected from unauthorized access.

Step-by-Step Breakdown:

✅1. Why "Process" is the Best Answer

The printerreceives digital FCI, converts it into a physical format (paper), and outputs the document.

This aligns with thedefinition of "processing" in CMMC, which includes:

Transforming or modifying data

Generating output (e.g., printed documents)

Using systems to interpret or manipulate information

✅2. Why the Other Answer Choices Are Incorrect:

(A) Encrypt❌

Aprinter does not encryptFCI—it simply prints it. Encryption applies todigital storage and transmission, not printing.

(B) Manage❌

Managing FCI typically refers togovernance, access control, and oversight, which is not the function of a printer.

(D) Distribute❌

While a printed documentcould be distributed, theprinter itself is not responsible for distributing FCI—it only processes the data for output.

Final Validation from CMMC Documentation:

CMMC Assessment Guide (Level 1)confirms thatprocessing FCI includes using systems that convert or transform information, such as printers.

NIST SP 800-171definesprocessingas an action thatchanges or manipulates information, which applies to printing.

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Step 1: Understand the Assessment Phases (CAP v1.0)

TheCMMC Assessment Process (CAP)outlines a structured lifecycle for assessments, including:

Plan and Prepare Phase– Develop the assessment plan (before the assessment starts).

Conduct Assessment Phase– Execute the actual assessment activities.

Report Results Phase– Finalize and deliver the assessment outcomes.

CAP v1.0 – Section 3.5 (Conduct Assessment):

“The assessment team collects, examines, and evaluates evidence to determine if practices are MET or NOT MET.”

✅Step 2: Why “Collect and Examine Evidence” Is the Primary Activity

During the“Conduct Assessment” phase, the main activity is to:

Collect evidence(documentation, interviews, testing),

Validate adequacy and sufficiency,

Score practicesas MET/NOT MET.

This is thecore responsibilityof assessorswhile conductingan assessment.

❌Why the Other Options Are Incorrect

A. Develop assessment plan

✘This occurs in thePlan and Preparephasebeforeconducting the assessment.

C. Verify readiness to conduct assessment

✘Readiness verification is part ofpre-assessment activities, not during the assessment itself.

D. Deliver recommended assessment results

✘This is done during theReport Resultsphase after the assessment has been conducted.

Theprimary activity performed during the actual executionof a CMMC assessment iscollecting and examining evidenceto determine compliance with practices.

Understanding Training Requirements in CMMC

The requirement for ensuring thatpersonnel are trained to carry out their assigned information security-related duties and responsibilitiesfirst appears inCMMC Level 2as part ofNIST SP 800-171 control AT.L2-3.2.1.

Key Details on the Training Requirement:

✔AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."

✔This control is derived fromNIST SP 800-171and applies toCMMC Level 2 (Advanced).

✔It ensures that employees handlingControlled Unclassified Information (CUI)understand theircybersecurity responsibilities.

Why is the Correct Answer "B. Level 2"?

A. Level 1 → Incorrect

CMMC Level 1 does not include this training requirement.Level 1 focuses on basic safeguarding ofFederal Contract Information (FCI)but doesnot require formal cybersecurity training.

B. Level 2 → Correct

The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns withNIST SP 800-171.

C. Level 3 → Incorrect

The training requirementalready exists in Level 2. Level 3 builds on Level 2 with additionalrisk management and advanced cybersecurity controls, but training is introduced at Level 2.

D. All levels → Incorrect

CMMC Level 1 does not include this requirement—it is first introduced in Level 2.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.2.1)

Defines themandatory training requirementfor personnel handling CUI.

CMMC Assessment Guide for Level 2

ListsAT.L2-3.2.1as a required practice under Level 2.

CMMC 2.0 Model Overview

Confirms thatCMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.

Understanding CMMC Asset Categorization

TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope Assets

As per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

Why the Other Answers Are Incorrect

A. FCI Assets

❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets

❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets

❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

Understanding the Concept of Security in CMMC 2.0

CMMC 2.0 aligns with federal cybersecurity standards, particularlyFISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.

The question describes security measures that are proportionate to therisk of loss, misuse, unauthorized access, or modificationof information. This matches the definition of"Adequate Security."

Analyzing the Given Options

A. Adopted security→ Incorrect

The term"adopted security"is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.

B. Adaptive security→ Incorrect

Adaptive securityrefers to adynamic cybersecurity modelwhere security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.

C. Adequate security→Correct

The term"adequate security"is defined inNIST SP 800-171, DFARS 252.204-7012, and FISMAas the level of protection that isproportional to the consequences and likelihood of a security incident.

This aligns perfectly with the definition in the question.

D. Advanced security→ Incorrect

Advanced securitytypically refers tohighly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.

Official References Supporting the Correct Answer

FISMA (44 U.S.C. § 3552(b)(3))

Definesadequate securityas"protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."

This directly matches the question's wording.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)

Mandates that contractors apply"adequate security"to protect Controlled Unclassified Information (CUI).

NIST SP 800-171 Rev. 2, Requirement 3.1.1

States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."

CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)

Requires that organizationsapply adequate security measures in accordance with NIST SP 800-171to meet compliance standards.

Conclusion

The term"adequate security"is the correct answer because it is explicitly defined in federal cybersecurity frameworks asprotection proportional to risk and potential consequences. Thus, the verified answer is:

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

Understanding Scoping in CMMC Level 1 Self-Assessments

Federal Contract Information (FCI)is any informationnot intended for public releasethat is provided or generated under aU.S. Government contracttodevelop or deliver a product or service.

Enhanced Security Personnel (ESP)refers to employees, contractors, or third parties whohave access to FCIwithin anOrganization Seeking Certification (OSC).

UnderCMMC 2.0 Scoping Guidance, anypersonnel, system, or asset with access to FCI is considered in scopefor a CMMC Level 1 assessment.

Why Option A (In scope) is Correct

Since theESP employee has access to FCI, theymustbe included in the assessment scope.

Option B (Out of scope)is incorrect because anyone with access to FCI is automatically considered part of theCMMC Level 1 boundary.

Option C (OSC point of contact)is incorrect because thepoint of contactis typically an administrative or compliance representative, not necessarily someone with FCI access.

Option D (Assessment Team Member)is incorrect because anESP employee is not part of the assessment team but rather a subject of the assessment.

Official CMMC Documentation References

CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI

CMMC Assessment Process (CAP) Guide – Roles and Responsibilities

Federal Acquisition Regulation (FAR) 52.204-21(Basic Safeguarding of FCI)

Final Verification

Since theESP employee has access to FCI, they are consideredin scopefor the CMMC Level 1 self-assessment, makingOption A the correct answer.

Understanding NIST SP 800-88 Rev. 1 and Media Sanitization

TheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Three Categories of Data Disposal in NIST SP 800-88 Rev. 1

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

Why "A. Clear, Purge, Destroy" is Correct?

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

Conclusion

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.