CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

nderstanding Objectivity in CMMC-AB Activities

Objectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.

Key Aspects of Objectivity in CMMC Assessments:

✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.

✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.

✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.

Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?

A. Ensuring full disclosure → Incorrect

Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.

B. Reporting results of CMMC services completely → Incorrect

Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.

C. Avoiding the appearance of or actual, conflicts of interest → Correct

Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.

Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.

D. Demonstrating integrity in the use of materials as described in policy → Incorrect

Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Code of Professional Conduct

Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.

CMMC Assessment Process (CAP) Document

Emphasizes that assessments must befree from external influence and conflicts of interest.

ISO/IEC 17020 Requirements for Inspection Bodies

Definesobjectivity as avoiding conflicts of interest in the assessment process.

The correct answer is C because the CMMC physical protection requirement focuses on protecting areas where in-scope information systems, equipment, and controlled environments are located. CMMC Level 2 requirement PE.L2-3.10.3, Escort Visitors , requires the organization to “escort visitors and monitor visitor activity.” The official CMMC Level 2 Assessment Guide states that the assessment objectives include determining whether visitors are escorted, visitor activity is monitored, physical access audit logs are maintained, and physical access devices are controlled and managed. The same guide explains that individuals with permanent physical access authorization credentials are not considered visitors, and that audit logs can be used to monitor visitor activity.

For CMMC purposes, the key issue is whether the visitor could physically access organizational systems, equipment, FCI, CUI, or the respective operating environment. A general corporate area that is outside the controlled environment may not require the same escort rule unless it provides access to in-scope assets. However, the controlled environment must be protected from unauthorized physical access. Therefore, visitors should be escorted in the controlled environment, where FCI/CUI systems or related assets may be present. Option A is incorrect because CMMC requires visitor escorting. Option B reverses the protection priority. Option D is overly broad for this question because it does not distinguish between a general corporate area and the controlled environment defined in the DAP.

===========

Understanding FAR Clause 52.204-21

TheFederal Acquisition Regulation (FAR) Clause 52.204-21is titled"Basic Safeguarding of Covered Contractor Information Systems."This clause establishesminimum cybersecurity requirementsforfederal contractorsthat handleFederal Contract Information (FCI).

Key Purpose of FAR Clause 52.204-21

Theprimary objectiveof FAR 52.204-21 is to ensure that contractors applybasic cybersecurity protectionsto theirinformation systemsthat process, store, or transmitFCI. Theseminimum safeguarding requirementsserve as abaseline security standardfor contractors doing business with theU.S. government.

Why "Minimum Standard of Care" is Correct?

FAR 52.204-21 doesnotrequire contractors to install specific cybersecurity tools (eliminating option A).

Itoutlines only the minimum safeguards, notallcybersecurity controls needed for complete security (eliminating option B).

CMMC certification isnotmandated by this clause alone (eliminating option D).

Instead, it establishesa baseline "standard of care"that all federal contractorsmust followto protectFCI(making option C correct).

Breakdown of Answer Choices

Option

Description

Correct?

A. It directs all covered contractors to install the cybersecurity systems listed in that clause.

❌Incorrect–The clause doesnotspecify tools or require specific cybersecurity systems.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS.

❌Incorrect–It only setsminimumrequirements, notall possiblesecurity measures.

C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.

✅Correct – The clause defines basic safeguards as a minimum security standard.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

❌Incorrect–FAR 52.204-21 doesnot mandateCMMC certification; that requirement comes from DFARS 252.204-7012 and 7021.

Minimum Safeguarding Requirements Under FAR 52.204-21

The clause defines15 basic security controls, which align withCMMC Level 1. Some examples include:

✅Access Control– Limit access to authorized users.

✅Identification & Authentication– Authenticate system users.

✅Media Protection– Sanitize media before disposal.

✅System & Communications Protection– Monitor and control network connections.

Official References from CMMC 2.0 and FAR Documentation

FAR 52.204-21– Establishes thebasic safeguarding requirementsfor FCI.

CMMC 2.0 Level 1– Directly aligns withFAR 52.204-21 controls.

Final Verification and Conclusion

The correct answer isC. It describes the minimum standard of care that contractors must take to secure covered contractor IS.This aligns withFAR 52.204-21 requirementsas abaseline security standard for FCI.

Background on Legacy Markings and CUI

Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.

Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.

When Must Legacy Markings Be Updated?

If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.

If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.

If a document is being shared externally (Answer C - Correct):

According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.

The document must be re-marked in compliance with the CUI Program before dissemination.

If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.

Conclusion

The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.

Step 1: Understand the “CA” Domain – Security Assessment

TheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA & Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA & Ms.

✅Step 2: Review CMMC Levels

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

❌Why the Other Options Are Incorrect

A. Level 1

✘No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4

✘These levels build on CA practices but do not represent thestarting point.

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.

Supporting Extracts from Official Content:

CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”

CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.

Why Option A is Correct:

The server stores FCI, making it automatically in scope.

Option B is incorrect because long-term storage does not make an asset out of scope.

Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.

Option D is incorrect because encryption does not remove scope requirements.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1.

CMMC Model v2.0, Scoping and Implementation guidance.

===========

The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.

The other options are delineated as follows:

CMMC-AB:The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.

DoD Contractors FAQ:While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.

OSC's privacy policies:An Organization Seeking Certification's internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.

Therefore, for authoritative information on CUI data classifications, the NARA's CUI Registry is the appropriate resource.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

Understanding Who Must Perform Tests in a CMMC Assessment

During aCMMC Level 2 Assessment, assessorsmust observe operational activities and security practicesto verify compliance. This process involves:

✔Testing security controls and proceduresas part of the assessment.

✔Observation of standard work practicesto ensure controls are properly implemented.

✔Using operational personnel (OSC employees) who regularly perform the taskto ensure realistic assessment conditions.

Who Performs Tests?

Operational personnel (OSC employees) must conduct the actual work while assessors observe.

Certified CMMC Professionals (CCPs) or Lead Assessorsoversee and document the testing process.

Why is the Correct Answer "A" (OSC personnel who normally perform that work as the CCP observes)?

A. OSC personnel who normally perform that work as the CCP observes → Correct

CMMC assessments require actual users (OSC personnel) to perform their regular duties while assessors observeto verify security practices.

B. Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s) → Incorrect

Military personnel are not responsible for testing contractor security controls.

Assessors observe and evaluate but do not perform testing themselves.

C. Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI → Incorrect

Military personnel do not perform the testing.

The contractor (OSC) is responsible for implementing and demonstrating security controls.

D. OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s) → Incorrect

Personnel unfamiliar with the job should not be used for testing.

Theassessment must reflect real-world conditions, so theactual employees who perform the work must demonstrate the process.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies thatassessments must observe real operational activities to determine compliance.

CMMC-AB Assessment Methodology

Requirestesting of security controls in a realistic operational environment, meaning actual OSC personnel must perform the tasks.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Specifies thatinterviews and observations should be conducted with personnel who regularly perform the work.

Step 1: Define Roles – CCP and CCA

CCP (Certified CMMC Professional):

Entry-level certification in the CMMC ecosystem.

Supports assessment activities under the supervision of a CCA.

May assist in consulting roles outside of formal assessments.

CCA (Certified CMMC Assessor):

Certified tolead assessmentsunder the CMMC model.

Requiredfor conductingLevel 2 formal assessments.

Can be part of a C3PAO assessment team or lead it.

Source: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition

“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”

✅Step 2: Citizenship Requirements

CAP v1.0 – Appendix B: Team Composition and Clearance Requirements

“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”

But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.

So:

TheCCA leadsthe team.

CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.

❌Why the Other Options Are Incorrect

A. The CCP leads the Level 2 Assessment Team…

✘Incorrect. CCPscannot leadLevel 2 assessments.

B. The CCA leads… includes 3 CCP with US Citizenship.

✘Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.

D. The CCP leads…

✘Again, CCPs donot have the authority to leadformal CMMC assessments.

Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1–3 Practices

NIST SP 800-171 Rev. 2, Control PE-3

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).

While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.

Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.

Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.

Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.

Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.

C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.

Federal Contract Information (FCI) is defined in FAR 52.204-21 as information provided by or generated for the government under contract but not intended for public release. Under CMMC 2.0, organizations handling FCI must implement FAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection in processing, storing, and transmitting FCI.

Analyzing the Given Options

The question involves an email system that is used to send FCI to a subcontractor. Let’s break down the possible answers:

A. Manage FCI → Incorrect

Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.

B. Process FCI → Incorrect

Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.

C. Transmit FCI → Correct

Transmission refers to the act of sending FCI from one entity to another. Since the contractor is sending FCI via email, this falls under transmitting the data.

Understanding the Role of the DoD CIO Office in CMMC

TheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

Why "B. DoD CIO Office" is Correct?

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

Why Other Answers Are Incorrect?

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

Conclusion

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

Understanding Access Control in CMMC

Access control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

Why the Other Answers Are Incorrect

B. Physical access control

❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)

❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)

❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

CMMC Official References

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

Who Should Be Interviewed During a CMMC Assessment?

During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:

✅Implementsthe practice (directly responsible for executing it).

✅Performsthe practice (carries out day-to-day security operations).

✅Supportsthe practice (provides necessary resources or oversight).

Why "Implements, Performs, or Supports That Practice" is Correct?

Theassessor needs direct insightsfrom individuals actively involved in the practice.

Funding (Option A)does not providetechnical or operationalinsight into practice execution.

Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.

Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.

Breakdown of Answer Choices

Option

Description

Correct?

A. Funds that practice.

❌Incorrect–Funding is important but doesnot mean direct involvement.

B. Audits that practice.

❌Incorrect–Auditors check compliance but donot implementpractices.

C. Supports, audits, and performs that practice.

❌Incorrect–Auditing isnot a requirementfor interviewees.

D. Implements, performs, or supports that practice.

✅Correct – The interviewee must have direct involvement in execution.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.

Final Verification and Conclusion

The correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.

CMMC Level 1 practices correspond directly to the basic safeguarding requirements for Federal Contract Information (FCI), which are codified in FAR clause 48 CFR 52.204-21. These 15 requirements form the foundation for Level 1 compliance.

Supporting Extracts from Official Content:

48 CFR 52.204-21: “Contractors shall apply the following 15 basic safeguarding requirements to protect Federal Contract Information (FCI).”

CMMC Model v2.0 Overview: “Level 1 corresponds to the 15 basic safeguarding requirements in FAR 52.204-21.”

Why Option C is Correct:

FAR 52.204-21 is the source for Level 1 practices.

NIST SP 800-171 applies to CUI and Level 2, not Level 1.

NIST SP 800-171b is the precursor to NIST SP 800-172 (used for Level 3).

DFARS 252.204-7012 covers CUI safeguarding and incident reporting, not Level 1 FCI requirements.

References (Official CMMC v2.0 Content):

FAR 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

CMMC Model v2.0, Level 1 Overview.

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

Anorganization seeking helpto address security gaps—such asphysical access control deficiencies—needs acertified professional who can provide implementation supportwithoutbeing involved in the actual CMMC assessment.

Role of a Registered Practitioner (RP)

A Registered Practitioner (RP)is a CMMC-certified individualwho provides consulting and implementation supportto organizations butdoes not perform assessments.

RPs work independently from C3PAOsand canassist in fixing gapsin security controlsbeforeorafteran assessment.

Since RPs are not assessors, they can provide direct remediation supportwithout any conflict of interest.

Why "B. RP of an Organization Not Part of the Assessment" is Correct?

The OSC needs assistance in implementing security controls(not assessment).

An RP is trained and authorized to provide remediation and advisory services.

Conflict of interest rules prevent the assessing C3PAO from providing implementation support.

Why Other Answers Are Incorrect?

A. CCA of the C3PAO performing the assessment (Incorrect)

ACertified CMMC Assessor (CCA)is responsible for conducting the assessmentonly.

TheC3PAO performing the assessment cannot also provide remediationdue to aconflict of interest.

C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)

The assessmentLead Technical Practitioner (LTP)cannot provide remediation support for an OSC they are assessing.

D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)

DoD Contract Officialsoversee contract compliance butdo not provide cybersecurity implementation support.

Conclusion

The correct answer isB. RP of an organization not part of the assessment, asonly independent RPs can assist with remediation and implementation support.

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-Assessment

CMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

Official CMMC 2.0 Documentation References

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

Breakdown of Answer Choices

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Conclusion

Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

Reference Documents for Further Reading

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

Who Verifies the Adequacy and Sufficiency of Evidence?

In the CMMC assessment process, it is theAssessment Teamthat is responsible for verifying whether thepractices and related componentshave been met for each in-scopeHost Unit, Supporting Organization/Unit, or enclave.

TheCMMC Assessment Teamis composed of certified assessors and led by aCertified CMMC Assessor (CCA). Their primary role is to:

Review evidenceprovided by theOrganization Seeking Certification (OSC).

Determine compliancewith required CMMC practices and processes.

Evaluate the sufficiencyof evidence to confirm that all required practices have been properly implemented.

Document and report findingsto the CMMC Accreditation Body (CMMC-AB).

Breakdown of Answer Choices

Option

Description

Correct?

A. OSC (Organization Seeking Certification)

The OSC provides documentation and evidence but doesnotverify its adequacy.

❌Incorrect

B. Assessment Team

✅Responsible for verifying the adequacy and sufficiency of evidence.

✅Correct

C. Authorizing Official

Typically refers to an official responsible for system accreditation underNIST RMF, not CMMC.

❌Incorrect

D. Assessment Official

Not a defined role in the CMMC framework.

❌Incorrect

Official Reference from CMMC 2.0 Documentation

TheCMMC Assessment Process Guide(CAP) outlines theAssessment Team'sresponsibility in verifying evidence.

TheCMMC Assessment Teamevaluates whether theorganization's cybersecurity practices meet CMMC requirements.

Final Verification and Conclusion

The correct answer isB. Assessment Team, as per CMMC 2.0 documentation and official assessment processes.

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.

Step-by-Step Explanation:

Assessment Planning & Conflict of Interest Consideration

Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.

A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.

CMMC Assessment Process and Phases

The CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:

Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.

Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.

Verify Readiness to Conduct Assessment (Correct Answer):

At this stage, theC3PAO or assessment team must review potential conflicts of interest.

TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.

Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.

Official CMMC Documentation & References

CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.

CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.

DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.

By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.

Who Has the Final Authority Over Assessment Results?

During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.

Key Responsibilities of a C3PAO

✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).

✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.

✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.

✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.

Why "C3PAO" is Correct?

The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.

TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.

TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.

TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.

Breakdown of Answer Choices

Option

Description

Correct?

A. C3PAO

✅Correct – C3PAOs finalize and submit assessment results.

B. CMMC-AB

❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.

C. Assessment Team

❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.

D. Assessment Sponsor

❌Incorrect–This is arepresentative of the OSC, not the assessment authority.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.

Final Verification and Conclusion

The correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Why the Correct Answer is "D"?

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

Why Not the Other Options?

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Final Justification:

Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

Understanding the Role of CAICO in the CMMC Ecosystem

TheCMMC Ecosystemconsists of multiple organizations that manage, implement, and oversee different aspects of theCybersecurity Maturity Model Certification (CMMC)program.

One of the key organizations is theCMMC Assessors and Instructors Certification Organization (CAICO), which is responsible for:

Training and certifying assessors and instructors.

Managing testing, authorization, and certificationfor CMMC professionals.

Ensuring assessors meet qualification and compliance standards.

Why Option D (CAICO) is Correct

TheCAICO is explicitly taskedwith thetraining, testing, authorization, and certification of candidate assessors and instructors.

Option A (DoD OUSD)is incorrect because theDoD Office of the Under Secretary of Defense(OUSD) provides policy oversight butdoes not handle certification of assessors.

Option B (DIB Collaborative Information Sharing Environment)is incorrect because theDIB CISfocuses on information sharing within the Defense Industrial Base, not assessor certification.

Option C (Committee on National Security Systems Instructions)is incorrect because CNSSI provides security standards butdoes not manage assessor training or certification.

Official CMMC Documentation References

CMMC Ecosystem Overview – Role of the CAICO

CMMC Assessment Process (CAP) Guide – Assessor Certification and Training

Final Verification

SinceCAICO is responsible for training, testing, and certifying CMMC assessors and instructors, the correct answer isOption D: CMMC Assessors and Instructors Certification Organization.

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

Why "A. Obtain Evidence" is Correct?

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

Why Other Answers Are Incorrect?

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

Conclusion

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

In a CMMC Level 2 Assessment, an assessor must achieve a high level of confidence that a practice is both implemented and institutionalized. This is determined through the Examine, Interview, and Test (E-I-T) methods as outlined in NIST SP 800-171A and the CMMC Assessment Process (CAP).

Conflict of Evidence: The scenario presents a direct conflict between the three pillars of evidence. The Policy/Documentation (Examine) states the practice occurs monthly. The Logs/Artifacts (Examine/Test) show it occurs quarterly. The Interviews claim it happens monthly but is only recorded quarterly.

The "Not Met" Determination: Under the CAP, if the evidence collected does not consistently support the assessment objective, the practice cannot be marked as "Met." Specifically:

Adequacy and Sufficiency: The logs (the primary proof of performance) are insufficient to prove the monthly requirement stated in the documentation.

Inconsistency: Assessors look for "corroboration." When interviews contradict the physical artifacts (the logs), the objective evidence (the logs) carries significant weight. If a practice is required monthly but only recorded quarterly, the assessor cannot verify that it was actually performed during the missing months.

Why other options are incorrect:

Option B: The practice isnotbeing done as documented because the documentation says "monthly" and the logs only show "quarterly."

Option C: This is a common misconception. Not all three methods (E, I, and T) are required foreverysingle practice (the Assessment Guide specifies which are required), but allusedmethods must yield consistent "Met" results.

Option D: Interviews alone are almost never sufficient to pass a practice that requires technical or administrative artifacts (logs).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence) and Section 3.5 (Determine Findings).

CMMC Level 2 Assessment Guide: Introduction to Assessment Methods, emphasizing that findings must be supported by the "preponderance of evidence."

NIST SP 800-171A: Chapter 2, "Assessment Procedures," regarding the necessity of artifacts to prove implementation over time.

When preparing forCMMC compliance, organizations must ensure that theirnetwork configurations align with required cybersecurity controls. Ifnetwork administratorsdisagree on certain configurations, the mostobjective and accurateway to resolve the disagreement is by referencingofficial CMMC guidanceandNIST SP 800-171 requirements, which form the foundation of CMMC Level 2.

Step-by-Step Breakdown:

CMMC Assessment Guides as the Primary Reference

TheCMMC Assessment Guides (Level 1 & Level 2)provide clearinterpretationsof security practices.

Theyexplain how each practice should be implemented and assessedduring certification.

NIST SP 800-171 as the Compliance Baseline

CMMC Level 2is based directly onNIST SP 800-171, which outlines the110 security controlsrequired for protectingControlled Unclassified Information (CUI).

Network configurations must complywith NIST-defined security requirements, including:

Access Control (AC) – Ensuring least privilege principles.

Audit and Accountability (AU) – Logging and monitoring network activity.

System and Communications Protection (SC) – Secure network design and encryption.

Why the Other Answer Choices Are Incorrect:

(A) Consult with the CEO of the company:

ACEO is not necessarily a cybersecurity expertand may not be familiar with CMMC technical requirements.

Technical compliance decisions should be based onCMMC and NISTframeworks, not executive opinions.

(C) Go with the network administrator's ideas with the least stringent controls:

Choosingless stringent controls increases security riskand could lead toCMMC non-compliance.

(D) Go with the network administrator's ideas with the most stringent controls:

While security is important,more stringent controlsmay introduceoperational inefficienciesorunnecessary coststhat are not required for compliance.

The correct approach is to implement what is required by CMMC and NIST SP 800-171, no more and no less.

Final Validation from CMMC Documentation:

TheCMMC Assessment GuidesandNIST SP 800-171 Rev. 2areofficial sourcesthat provide the most reliable guidance on compliance.

CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.

Thus, the correct answer is:

B. Consult the CMMC Assessment Guides and NIST SP 800-171.

Understanding the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?

DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer Choices

Option

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Final Verification and Conclusion

The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.

This question pertains to theminimum evidence requirementsneeded by a CMMCAssessment Teamto score a practice asMETduring aLevel 2 Assessment.

The CMMC Level 2 assessment must align withNIST SP 800-171and follow the procedures outlined in theCMMC Assessment Process (CAP) Guide v1.0, particularly aroundevidence collection and scoring methodology.

✅Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0

CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices

“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”

This meansat least two typesof the following evidence are required:

Examine(documentation/artifacts),

Interview(affirmation from personnel),

Test(demonstration of implementation).

✅Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET

The CAP explicitly states:

“A practice can only be scored MET when a minimum oftwo types of evidencefrom the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”

Theevidence types must come from two different categories, for example:

An artifact(Examine)+ an interview affirmation(Interview),

A demonstration(Test)+ an interview(Interview),

Etc.

This cross-validation ensures that the control isimplemented, documented, and understoodby personnel — a core principle in assessing effective cybersecurity implementation.

❌Why the Other Options Are Incorrect

A. All three types of evidence are documented for every control

✘Incorrect:While collecting all three types (E-I-T) strengthens the assessment, theminimum requirementis onlytwo. Collecting all three isnot requiredfor a practice to be scoredMET.

B. Examine and accept evidence from one of the three evidence types

✘Incorrect:This fails to meet theminimum two-evidence-type requirementset by the CAP. Single-source evidence is not sufficient to score a practice as MET.

C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation

✘Incorrect:Even if two artifacts are examined,this is still only one type of evidence(Examine). The CAP requires twotypes— not two instances of the same type.

✅Why D is Correct

D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

✔This directly reflects theCAP’s requirement for collecting two different types of objective evidenceto determine a practice is MET.

BLUF (Bottom Line Up Front):

To score a CMMC Level 2 practice asMET, the Assessment Team must collecta minimum of two distinct types of evidence— from theExamine, Interview, Test (E-I-T)categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.

Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.

Key Elements of a Plan of Action (POA)

According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:

Completion Dates: Identifies target deadlines for resolving deficiencies.

Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.

Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.

What is Generally NOT Part of a POA?

Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broaderproject management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.

Supporting Reference

NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.

CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.

By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.

The correct answer is C because the CMMC ecosystem treats conflicts of interest as both actual and perceived conflicts. The CMMC Code of Professional Conduct requires CMMC ecosystem members to avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest. It also requires compliance with conflict-of-interest prohibitions and restricts CMMC ecosystem members from participating in a Level 2 certification process where their prior role or relationship could compromise objectivity.

A conflict of interest exists when professional judgment, independence, or impartiality could be affected, or reasonably appear to be affected, by another interest, relationship, duty, or prior activity. In CMMC, this is especially important because assessment credibility depends on independence between consulting and certification assessment functions. For example, an assessor or C3PAO that previously helped design, implement, or remediate the OSC’s cybersecurity program may have an actual or perceived conflict when later assessing that same OSC. Option A is incorrect because lack of transparency may contribute to a conflict issue, but it is not the definition. Option B is too broad because not every legal violation is a conflict of interest. Option D describes a disclosure problem, not a conflict of interest. Therefore, the best answer is C , a perceived or actual conflict.

===========

Understanding the False Claims Act (FCA) and Whistleblower Protections

TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

Why the Other Answers Are Incorrect

A. NIST SP 800-53

❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171

❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct

❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

CMMC Official References

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

Thus,option C (False Claims Act) is the correct answeras per official legal guidance.

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

In this scenario, the primary concern is the protection of Controlled Unclassified Information (CUI) in an environment that lacks sufficient physical security controls (specifically, a lack of a locked cabinet or drawer). According to the CMMC Assessment Process (CAP) and NIST SP 800-171 (specifically the Physical Protection (PE) family), CUI must be protected from unauthorized access at all times.

Responsibility of the Assessor: CMMC Professionals (CCPs and CCAs) are bound by the CMMC Code of Professional Conduct and the C3PAO's internal security protocols to ensure that any CUI provided by the Organization Seeking Certification (OSC) is handled securely.

Physical Protection (PE.L2-3.10.1 and PE.L2-3.10.2): These practices require that an organization limit physical access to systems and equipment to authorized users and protect the physical facility. If the provided "hoteling space" does not offer a locked container (like a cabinet) to secure the CUI overnight, leaving it in an unlocked drawer (Option C) or on the desk (Option B) would be a violation of CUI handling requirements and a security risk.

Why Option A is the best "Next" step: In the absence of on-site secure storage, the assessor must maintain positive control of the CUI. Taking the document to a secure location (such as the assessor's hotel room or person) where they can ensure it remains under their control is the only viable way to prevent unauthorized access by janitorial staff or other unauthorized personnel at the client site overnight.

Why other options are incorrect:

Option B and C: Both fail to protect the CUI from unauthorized access in a non-secure, shared environment.

Option D: Taking a picture of CUI on a personal phone is a major security violation (spillage), as personal devices are generally not authorized to store or process CUI.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section regarding "Assessor Responsibilities for CUI and Proprietary Information."

NIST SP 800-171 Rev 2: Physical Protection (PE) family (3.10.1, 3.10.2).

DoD Instruction 5200.48: "Controlled Unclassified Information (CUI)," which specifies that CUI must be protected by at least one physical barrier when not in the direct control of an authorized individual.

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

The correct answer is B , 3 Levels. The official CMMC 2.0 Model Overview states that there are three levels within CMMC: Level 1, Level 2, and Level 3 . It explains that the model measures implementation of cybersecurity requirements at three levels, with each level containing a defined set of CMMC practices. Level 1 is focused on basic safeguarding of Federal Contract Information, Level 2 is focused on protection of Controlled Unclassified Information using requirements aligned to NIST SP 800-171, and Level 3 is intended for higher-risk programs requiring enhanced protection.

This is a major difference between CMMC 2.0 and the earlier CMMC 1.0 structure. CMMC 1.0 used five maturity levels, but CMMC 2.0 simplified the model to three cybersecurity levels. Therefore, option C , 5 Levels, reflects the older CMMC 1.0 structure and is not correct for CMMC 2.0. Option A , 2 Levels, is incorrect because it omits one of the three official levels. Option D , 4 Levels, is also incorrect because the official CMMC 2.0 model does not contain four levels. The bottom line is that CMMC 2.0 contains three cybersecurity levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert .

DFARS clause 252.204-7012 establishes the safeguarding of Covered Defense Information (CDI), which aligns with CUI categories. The clause specifies that the DoD is responsible for determining whether information is Controlled Unclassified Information (CUI) and marking it accordingly before sharing it with contractors. Contractors do not make determinations about what constitutes CUI; they are responsible for safeguarding information once it is received and marked as CUI.

Reference Documents:

DFARS 252.204-7012,Safeguarding Covered Defense Information and Cyber Incident Reporting

CMMC Model v2.0 Overview, December 2021

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.

Role of the Lead Assessor in Remediation Reviews:

Validation of Remediation Efforts:

Objective: Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.

Process: The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.

Delta Assessment Remediation Package Submission:

Definition: A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.

Responsibility: After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:

Detailed documentation of the deficiencies identified in the initial assessment.

Evidence of the corrective actions taken by the OSC.

Findings from the reassessment of the remediated practices.

Internal Quality Review: This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.

Rationale for Selecting Answer C:

Alignment with CMMC Assessment Process: The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.

Clarification of Incorrect Options:

Option A: "Help OSC to complete planned remediation activities."

The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.

Option B: "Plan two consecutive remediation reviews for an OSC."

The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.

Option D: "Validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment."

While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.

Per the CMMC Scoping Guidance, External Service Providers (ESPs) must be included in scope if they process, store, or transmit CUI or FCI on behalf of the OSC. However, ESPs do not themselves receive a separate CMMC certification unless they undergo their own assessment or an enterprise-level certification is conducted. Their environment is assessed only as part of the OSC’s scope.

Reference Documents:

CMMC Scoping Guidance for Level 2

CMMC Model v2.0 Overview

The correct answer is A because CMMC 2.0 Level 2 requirement RA.L2-3.11.2, Vulnerability Scan , requires organizations to “scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.” The official CMMC Model Overview maps this requirement directly to NIST SP 800-171 Rev. 2, 3.11.2 . The official CMMC Level 2 Assessment Guide further breaks this into assessment objectives: the organization must define the frequency for vulnerability scanning, perform scans on organizational systems and applications at that defined frequency, and perform scans when new vulnerabilities are identified.

Therefore, the OSC must maintain evidence such as vulnerability scan schedules, scan reports, tool outputs, procedures, policies, or tickets showing that scans occur at the organization’s defined frequency and when new vulnerabilities are identified. Option B is incorrect because an RPO may advise or assist, but the scan frequency is not “defined by an accredited RPO” in the CMMC requirement. Option C is incorrect because vulnerability scanning is not limited to penetration testing events. Option D is incorrect because purely ad hoc scanning or scanning only when directed by a security manager does not satisfy the requirement to define and follow a frequency.

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

Understanding the Role of a Registered Provider Organization (RPO)

ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO

✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Why "Consulting Services" is the Correct Answer?

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Breakdown of Answer Choices

Option

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

Official References from CMMC 2.0 Documentation

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Final Verification and Conclusion

The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2

TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.

What is Required for Compliance?

The organization must performrisk assessments on all assets and entities involved in handling CUI.

Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.

The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.

Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":

CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.

Risk assessmentsmust evaluate all areas that could impact CUI security, including:

Personnel security risks(e.g., insider threats, phishing attacks).

Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).

Physical security risks(e.g., unauthorized access to servers, storage rooms).

IT systems(e.g., networks, servers, cloud environments processing CUI).

Clarification of Incorrect Options:

A. "IT systems"→Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.

B. "Enterprise systems"→Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.

C. "CUI Marking processes"→Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.

Which NIST SP Defines the Assessment Procedures for CMMC?

CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:

✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Thus, the correct answer is:

According to the CMMC Assessment Process (CAP) and the C3PAO Authorization Requirements, every assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) must undergo a formal Quality Management System (QMS) review before the results are finalized and uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the SPRS (Supplier Performance Risk System).

The Quality Review Requirement: The CAP explicitly states that the C3PAO is responsible for the accuracy and integrity of the assessment findings. Before the Assessment Team Lead can formally submit the package, a person or team within the C3PAO (who was ideally not part of the active assessment team to ensure objectivity) must conduct an internal review. This review ensures that the evidence collected supports the "Met" or "Not Met" determinations and that all CMMC methodology requirements were followed.

Why other options are incorrect:

Option A: While there may be administrative costs associated with maintaining C3PAO status, paying a specific "per-submission fee" is not a mandatory procedural stepwithin the assessment lifecyclethat governs the validity of the results.

Option C: The Cyber AB (CMMC-AB) provides the platform and oversight, but a "forthcoming notification" is not a formal requirement in the CAP; the act of submission itself serves as the notification.

Option D: While a final briefing is a "best practice" and usually occurs during the "Post-Assessment" phase, the internal quality review (Option B) is the regulatory mandate that must be completed to ensure the C3PAO's certification of the results is valid and defensible.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 4: Reporting Results," specifically the sub-section on C3PAO Quality Assurance Review.

C3PAO Quality Management System (QMS) Requirements: Outlines the necessity for internal validation of assessment packages to maintain accreditation.

The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.

Supporting Extracts from Official Content:

CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”

Why Option A is Correct:

These three principles are the official guiding values documented in the Code of Professional Conduct.

Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.

References (Official CMMC v2.0 Content):

CMMC Code of Professional Conduct.

===========

Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A & S directly manages subcontractor certification.

Supporting Extracts from Official Content:

DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”

Why Option D is Correct:

Compliance responsibility flows through the contractor supply chain.

CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.

OUSD A & S sets policy, not enforcement at contract level.

DoD agencies only require compliance at award/contract oversight level.

References (Official CMMC v2.0 Content):

DFARS 252.204-7021.

CMMC Model v2.0 governance guidance.

===========

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

Step 1: Understanding CMMC Assessment Scope Determination

In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.

The Cybersecurity Maturity Model Certification (CMMC) Level 2 is designed to ensure that organizations can adequately protect Controlled Unclassified Information (CUI). To achieve this, CMMC Level 2 incorporates specific security requirements.

Step-by-Step Explanation:

Alignment with NIST SP 800-171:

CMMC Level 2 aligns directly with the security requirements outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This publication, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," provides a comprehensive framework for safeguarding CUI.

Incorporation of Security Requirements:

The practices required for CMMC Level 2 certification encompass all 110 security requirements specified in NIST SP 800-171. These requirements are organized into 14 families, each addressing different aspects of cybersecurity, such as access control, incident response, and risk assessment.

Purpose of Alignment:

By integrating the NIST SP 800-171 requirements, CMMC Level 2 aims to standardize the implementation of cybersecurity practices across organizations handling CUI, ensuring a consistent and robust approach to protecting sensitive information.

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

Understanding the Assessment Environment Requirement

During aCMMC Level 2 assessment, assessors requireobjective evidencethat security controls are implementedin the actual operating environmentwhereControlled Unclassified Information (CUI)is handled.

This means thattests or demonstrations must be conducted in the production environment, where the organization’s real systems and security controls are in use.

Why Option B (Production) is Correct

Assessment teams need to validate security controls in the actual environment where they are applied, ensuring that security measures are in effect in thereal-world operating conditions.

Option A (Client)is incorrect because "Client" is not a defined assessment environment.

Option C (Development)is incorrect because testing in a development environmentdoes not accurately represent the production security posture.

Option D (Demonstration)is incorrect becausedemonstrations in a separate test environment do not provide valid evidence for CMMC assessments—actual security implementations must be verified in production.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)

NIST SP 800-171 Assessment Procedures(Verification must occur in the actual system where CUI resides.)

Final Verification

SinceCMMC assessments require security controls to be validated in the actual production environment, the correct answer isOption B: Production.

Understanding CMMC Assessment Procedures

ACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Why the Correct Answer is "C"?

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

Why Not the Other Options?

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Final Justification:

Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

Understanding Federal Contract Information (FCI) and Publicly Accessible Information

Federal Contract Information (FCI)isnon-public informationprovided by or generated for the U.S. governmentunder a contractthat isnot intended for public release.

Key Characteristics of FCI:

✔FCI includesdetails related togovernment contracts, project specifics, and performance data.

✔It must be protected under FAR 52.204-21, which requiresbasic safeguarding measuresto prevent unauthorized access.

✔Posting FCI on a public site is a security violationsince it ismeant to be restrictedfrom public disclosure.

Why is the Correct Answer "A. FCI (Federal Contract Information)"?

A. FCI → Correct

FCI must be protected from unauthorized access, and if it wasincorrectly published online, it should have been restricted.

B. Change of leadership in the organization → Incorrect

Leadership changes are typically public informationand do not require restriction unless they involve sensitive government-related security clearances.

C. Launching of their new business service line → Incorrect

Marketing and business announcementsare generallypublicly availableandnot restricted information.

D. Public releases identifying major deals signed with commercial entities → Incorrect

Commercial contracts and business deals are not considered FCIunless they involvegovernment contracts.

CMMC 2.0 References Supporting This Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

DefinesFCI as sensitive but unclassified informationthat must beprotected from public disclosure.

CMMC 2.0 Level 1 Requirements

Requires contractors toprotect FCI under basic cybersecurity standardsto prevent unauthorized exposure.

DoD Guidance on FCI Protection

States thatpublishing FCI on public websites violates federal cybersecurity requirements.

TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.

TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:

"Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."

This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:

✅Organizational operations(e.g., mission, business continuity, functions)

✅Organizational assets(e.g., data, IT systems, intellectual property)

✅Individuals(e.g., employees, contractors, customers affected by security risks)

Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect

A. Organizational operations, business assets, and employees

❌Incorrect."Business assets"is not the correct terminology used in CMMC/NIST SP 800-171. Instead,"organizational assets"is the proper term.

B. Organizational operations, business processes, and employees

❌Incorrect."Business processes"is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.

D. Organizational operations, organizational processes, and individuals

❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.

CMMC Official References

CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.

NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.

Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.

Understanding the Role of NIST SP 800-171 in CMMC

NIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer Choices

NIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171

The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

Official Reference from CMMC 2.0 Documentation

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Final Verification and Conclusion

The correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

Step 1: Define CUI (Controlled Unclassified Information)

CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s Role

NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry – https://www.archives.gov/cui

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

❌Why the Other Options Are Incorrect

B. NIST

✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)

✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)

✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.

Supporting Extracts from Official Content:

CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”

Why Option D is Correct:

Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.

Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.

===========

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding Ethical Responsibility in the CMMC Ecosystem

Ethics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.

Key Ethical Responsibilities Include:

CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.

CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.

Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.

Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?

A. DoD and CMMC-AB → Incorrect

TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.

B. OSC and Sponsors → Incorrect

TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.

C. CMMC-AB and Members of the CMMC Ecosystem → Correct

Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.

D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect

Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.

CMMC 2.0 References Supporting this Answer:

CMMC-AB Code of Professional Conduct

Defines ethical responsibilities forassessors, consultants, and ecosystem members.

CMMC Ecosystem Governance Policies

Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.

CMMC Assessment Process (CAP) Document

Outlines ethical expectations forassessors and consultantsduring certification assessments.