When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?
It is sufficient, and the audit finding can be rated as MET.
It is insufficient, and the audit finding can be rated NOT MET.
It is sufficient, and the Lead Assessor should seek more evidence.
It is insufficient, and the Lead Assessor should seek more evidence.
Understanding SI.L1-3.14.2: Provide Protection from Malicious Code
The CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:
Implement malicious code protection(e.g., antivirus, endpoint security software).
Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).
Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).
Assessment Criteria for a " MET " Rating:
To determine whether the practice isMET, the Lead Assessor must confirm that:
✔Antivirus or endpoint protection software is installedon all workstations and servers.
✔The solution is centrally managed, ensuring consistent policy enforcement.
✔Signature updates are current, meaning systems are protected against new threats.
✔Logs or reports demonstrate active monitoring and updates.
Why is the Correct Answer " A. It is sufficient, and the audit finding can be rated as MET " ?
The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:
✔All workstations and servers have antivirus installed→Meets installation requirement.
✔A centralized management console is in place→Ensures consistent enforcement.
✔Records show antivirus signatures are up to date→Confirms system protection is current.
Because the evidencemeets the requirement, the practice should berated as MET.
Why Are the Other Answers Incorrect?
B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect
The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.
C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect
Ifadequate evidence already exists,additional evidence is unnecessary.
D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect
The evidence providedmeets the control requirements, making itsufficient.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that a practice can be marked asMET if sufficient evidence is provided.
NIST SP 800-171 (Requirement 3.14.2)
Defines the standard formalicious code protection, which ismet by antivirus with active updates.
CMMC 2.0 Level 1 (Foundational) Requirements
Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.
Final Answer:
✔A. It is sufficient, and the audit finding can be rated as MET.
What is the BEST document to find the objectives of the assessment of each practice?
CMMC Glossary
CMMC Appendices
CMMC Assessment Process
CMMC Assessment Guide Levels 1 and 2
1. Understanding the Role of Assessment Objectives in CMMC 2.0
Theassessment objectivesfor each CMMC practice define thespecific criteriathat an assessor uses to evaluate whether a practice is implemented correctly. These objectives break down each control into measurable components, ensuring a structured and consistent assessment process.
To determine where these objectives are best documented, we need to consider theofficial CMMC documentation sources.
2. Why Answer Choice " D " is Correct – CMMC Assessment Guide Levels 1 and 2
TheCMMC Assessment Guide (Levels 1 & 2)is theprimary documentthat provides:
✅The detailedassessment objectivesfor each practice
✅A breakdown of the expectedevidence and implementation details
✅Step-by-stepassessment criteriafor assessors to verify compliance
Each CMMC practice in the Assessment Guide is aligned with the correspondingNIST SP 800-171 or FAR 52.204-21 control, and the guide specifies:
How to assess compliancewith each practice
What evidenceis required for validation
What stepsan assessor should follow
???? Reference from Official CMMC Documentation:
CMMC Assessment Guide – Level 2 (Aligned with NIST SP 800-171)explicitly states:
" Each practice is assessed based on defined assessment objectives to determine if the practice is MET or NOT MET. "
CMMC Assessment Guide – Level 1 (Aligned with FAR 52.204-21)provides similar objectives tailored for foundational cybersecurity requirements.
Thus,CMMC Assessment Guide Levels 1 & 2 are the BEST sources for assessment objectives.
3. Why Other Answer Choices Are Incorrect
Option
Reason for Elimination
A. CMMC Glossary
❌The glossary only defines terminology used in CMMC but does not provide assessment objectives.
B. CMMC Appendices
❌The appendices contain supplementary details, but they do not comprehensively list assessment objectives for each practice.
C. CMMC Assessment Process (CAP)
❌While the CAP document describes the assessmentworkflow and methodology, it does not outline the specific objectives for each practice.
4. Conclusion
To locate thebest reference for assessment objectives, theCMMC Assessment Guide Levels 1 & 2are the most authoritative and detailed sources. They contain step-by-step assessment criteria, ensuring that practices are evaluated correctly.
✅Final Answer:
D. CMMC Assessment Guide Levels 1 and 2
Which domains are a part of a Level 1 Self-Assessment?
Access Control (AC), Risk Management < RM), and Media Protection (MP)
Risk Management (RM). Access Control (AC), and Physical Protection (PE)
Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)
Risk Management (RM). Media Protection (MP), and Identification and Authentication (IA)
CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).
UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.
Domains Covered in a Level 1 Self-Assessment
CMMC Level 1 practices fall underthree specific domains:
Access Control (AC)– Ensures that only authorized individuals can access FCI.
Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.
Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.
These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.
Official CMMC 2.0 Documentation References
CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).
CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).
Breakdown of Answer Choices
A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.
B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.
C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.
D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.
Conclusion
Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.
Reference Documents for Further Reading
CMMC 2.0 Model Overview – DoD Official Documentation
CMMC Assessment Guide, Level 1
NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)
As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?
Union
Accord
Alliance
Agreement
Understanding the Definition of an Agreement in the CMMC-AB Code of Professional Conduct
TheCMMC-AB Code of Professional Conductdefines anagreementasany contract between two legal entities. This includes:
✔Contracts between an OSC and a C3PAOfor CMMC assessments.
✔Service agreements between cybersecurity providers and defense contractors.
✔Any formal, legally binding arrangement related to CMMC compliance.
Why is the Correct Answer " D. Agreement " ?
A. Union → Incorrect
Auniontypically refers to anorganization representing workersand is not used to describe acontractual relationship.
B. Accord → Incorrect
While anaccordcan mean an agreement, it isnot the standard legal term for a binding contractin CMMC documentation.
C. Alliance → Incorrect
Analliancerefers to astrategic partnership, but does not necessarily imply alegally binding contract.
D. Agreement → Correct
TheCMMC-AB Code of Professional Conductdefines anagreementas anylegally binding contract between two entities.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Defines " Agreement " as alegally binding contract between two parties.
CMMC-AB Licensed Training and Assessment Provider Guidelines
Requires that all engagementsbe governed by a formal agreement (contract) between the parties.
DFARS and CMMC Certification Contracts
States thatOSC-C3PAO relationships must be formalized through a legal agreement.
When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?
At the time of award
Upon solicitation submission
Thirty days from the award date
Before the due date of submission
PerDFARS 252.204-7021, contractors must achieve the requiredCMMC certification levelbefore contract awardif the solicitation specifies it.
Key Requirements:
✔Contractorsmust be certified at the required CMMC levelprior to contract award.
✔Thecertification must be conducted by a C3PAO(for Level 2) orthrough self-assessment(for Level 1).
✔The certification must bevalid and registered in the Supplier Performance Risk System (SPRS)before award.
Why is the Correct Answer " At the Time of Award " (A)?
A. At the time of award → Correct
DFARS 252.204-7021requires CMMC certification before a contract can be awardedif the solicitation includes CMMC requirements.
B. Upon solicitation submission → Incorrect
Contractorsdo notneed to be CMMC-certified at thetime of bid submission, only by the time of award.
C. Thirty days from the award date → Incorrect
Contractorsmust already be certified before the award is granted. There isno grace period.
D. Before the due date of submission → Incorrect
While compliance planning is important,CMMC certification is only required before contract award, not before bid submission.
CMMC 2.0 References Supporting This Answer:
DFARS 252.204-7021 (CMMC Requirement Clause)
CMMC certification is required prior to contract awardif specified in the solicitation.
CMMC 2.0 Program Overview
States that certificationis not needed at bid submission but is required before award.
DoD Interim Rule & SPRS Guidance
Contractors must havea valid CMMC certification recorded in SPRSbefore award.
In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?
loT
Restricted IS
Test equipment
Operational technology
Understanding Specialized Assets in a CMMC Self-Assessment
DuringCMMC Level 1 Self-Assessments, organizations must classify theirassetsin theSystem Security Plan (SSP).
Specialized Asset Type: Operational Technology (OT)
Operational Technology (OT)includesmachine controllers, industrial control systems (ICS), and assembly machines.
Thesesystems control physical processesin manufacturing, energy, and industrial environments.
OT assets are distinct from traditional IT systemsbecause they haveunique security considerations(e.g., real-time control, legacy system constraints).
Why is the Correct Answer " D. Operational Technology " ?
A. IoT (Internet of Things) → Incorrect
IoT devicesinclude smart home systems, connected sensors, and networked appliances, butmachine controllers and assembly machines fall under OT, not IoT.
B. Restricted IS → Incorrect
Restricted Information Systems (IS) refer to classified or highly controlled systems, whichdoes not apply to standard industrial machines.
C. Test Equipment → Incorrect
Test equipment includes diagnostic tools or measurement devicesused forquality assurance, not industrial machine controllers.
D. Operational Technology → Correct
Machine controllers and assembly machinesare part ofindustrial automation and control systems, which are classified asOperational Technology (OT).
CMMC 2.0 References Supporting This Answer:
CMMC Scoping Guidance for Level 1 & Level 2 Assessments
DefinesOperational Technology (OT) as a category of Specialized Assetsthat requirespecific security considerations.
NIST SP 800-82 (Guide to Industrial Control Systems Security)
Identifiesmachine controllers and assembly machinesas part ofOperational Technology (OT).
CMMC 2.0 Asset Classification Guidelines
Specifies thatOT systems should be documented separately in an organization ' s SSP.
A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?
Performed in groups for more efficient use of resources
Recorded for inclusion in the Final Recommended Findings report
Confidential and non-attributable so interviewees can speak without fear of reprisal
Mapped to specific CMMC practices to clearly delineate which practice is being evaluated
Understanding the Role of a CCP in CMMC Assessments
ACertified CMMC Professional (CCP)is responsible for assistingCertified CMMC Assessors (CCA)in evaluating anOrganization Seeking Certification (OSC)during a CMMC assessment. One key aspect of this process isconducting interviewswith Subject Matter Experts (SMEs) to verify security practices.
Ensuring that interviewees canspeak freely without fear of retaliationiscriticalto obtainingaccurate and unbiased informationabout the implementation of security controls.
Step-by-Step Breakdown:
CMMC Assessment Process and the Role of Interviews
TheCMMC Assessment Guide (Level 2)outlines that interviews are conducted to confirm that security practices are effectively implemented.
Interviewees mustfeel comfortable sharing candid responseswithout concern that their statements will lead tonegative consequenceswithin the organization.
Ensuring Confidentiality and Non-Attribution
DoD Assessment Methodologyspecifies that interviews should be conductedconfidentiallytoprotect the identity of interviewees.
TheCMMC Code of Professional Conduct (CoPC)for assessors and professionals reinforces the requirement to maintain theconfidentialityof assessment participants.
Non-attributionensures that responses are used for evaluation purposeswithout linking statements to specific individuals.
Why the Other Answer Choices Are Incorrect:
(A) Performed in groups for more efficient use of resources:
Group interviews may prevent individuals from speaking openly.
Employees might be hesitant to contradict leadership or peers.
(B) Recorded for inclusion in the Final Recommended Findings report:
Interviews arenot directly recorded or attributedin assessment reports.
Instead, findings are documentedwithout identifying specific individuals.
(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:
While responsesinformwhich practices are being assessed, theprimary goalof an interview is to ensure accurate,unbiased information gathering.
Final Validation from CMMC Documentation:
According to theCMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality iscrucialto gatheringaccurateandunbiasedresponses. This makesconfidentiality and non-attributionthe correct answer.
Thus, the correct answer is:
C. Confidential and non-attributable so interviewees can speak without fear of reprisal.
The Lead Assessor is presenting the Final Findings Presentation to the OSC. During the presentation, the Assessment Sponsor and OSC staff inform the assessor that they do not agree with the assessment results. Who has the final authority for the assessment results?
C3PAO
CMMC-AB
Assessment Team
Assessment Sponsor
Who Has the Final Authority Over Assessment Results?
During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.
Key Responsibilities of a C3PAO
✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).
✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.
✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.
✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.
Why " C3PAO " is Correct?
The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.
TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.
TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.
TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.
Breakdown of Answer Choices
Option
Description
Correct?
A. C3PAO
✅Correct – C3PAOs finalize and submit assessment results.
B. CMMC-AB
❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.
C. Assessment Team
❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.
D. Assessment Sponsor
❌Incorrect–This is arepresentative of the OSC, not the assessment authority.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.
Final Verification and Conclusion
The correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.
In CMMC High-Level scoping, which definition BEST describes an HQ organization?
The entity that carries out the tasks under a contract
The unit to which a CMMC Level is applied for each contract
The teams, services, and technologies that provide support to a Host Unit
The entity legally responsible for the delivery of products or services under a contract
In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.
Supporting Extracts from Official Content:
CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”
Why Option D is Correct:
The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.
Option C refers to shared services, not the HQ.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, High-Level Scoping Definitions.
===========
Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?
FAR 52.204-21
22CFR 120-130
DFARS 252.204-7011
DFARS 252.204-7021
1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1
Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.
CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.
2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance
FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.
The15 basic safeguarding requirementsinclude:
Limiting information accessto authorized users.
Identifying and authenticating usersbefore allowing system access.
Protecting transmitted FCIfrom unauthorized disclosure.
Monitoring and controlling connectionsto external systems.
Applying boundary protectionand cybersecurity measures.
Sanitizing mediabefore disposal.
Updating security configurationsto reduce vulnerabilities.
Providing physical securityprotections.
Controlling physical accessto systems that process FCI.
Enforcing multi-factor authentication (MFA) where applicable.
Patching vulnerabilitiesin software and hardware.
Limiting the use of removable media.
Creating and retaining system audit logs.
Performing risk-based security assessments.
Developing an incident response plan.
These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.
3. Why the Other Options Are Incorrect
B. 22 CFR 120-130:
This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.
C. DFARS 252.204-7011:
This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.
D. DFARS 252.204-7021:
This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).
4. Official CMMC 2.0 Reference & Study Guide Alignment
TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.
TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.
TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.
Final Confirmation:
The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.
CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:
received and transferred.
stored, processed, and transmitted.
entered, edited, manipulated, printed, and viewed.
located on electronic media, on system component memory, and on paper.
TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).
Step-by-Step Breakdown:
✅1. CUI Assets Defined in CMMC
Stored:CUI is saved on hard drives, cloud storage, or databases.
Processed:CUI is actively used, modified, or analyzed by applications and users.
Transmitted:CUI is sent between systems via email, file transfers, or network communication.
✅2. Why the Other Answer Choices Are Incorrect:
(A) Received and transferred❌
Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.
(C) Entered, edited, manipulated, printed, and viewed❌
These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.
(D) Located on electronic media, on system component memory, and on paper❌
While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.
Final Validation from CMMC Documentation:
TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.
NIST SP 800-171also defines these three functions as key components of CUI protection.
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?
" The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope. "
" The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope. "
" The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope. "
" The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope. "
Step 1: Understanding CMMC Assessment Scope Determination
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.
The evidence needed for each practice and/or process is weight for:
adequacy and sufficiency.
adequacy and thoroughness.
sufficiency and thoroughness.
sufficiency and appropriateness.
During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy– Does the evidence meet the intent of the security requirement?
Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:
✅1. Adequacy – Does the evidence fully meet the requirement?
Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.
✅2. Sufficiency – Is there enough evidence to support the claim?
Sufficiencymeans that there isenough supporting evidenceto prove compliance.
Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.
Why the Other Answer Choices Are Incorrect:
(B) Adequacy and Thoroughness❌
Thoroughnessis not a defined metric in CMMC evidence evaluation.
The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).
(C) Sufficiency and Thoroughness❌
Thoroughnessis not a recognized term in CMMC compliance validation.
Evidence must beadequate and sufficient, not just thorough.
(D) Sufficiency and Appropriateness❌
Appropriatenessis not a CMMC-defined criterion.
Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).
Final Validation from CMMC Documentation:
CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.
A server is used to store FCI with a cloud provider long-term. What is the server considered?
In scope, because the cloud provider will be storing the FCI data
Out of scope, because the cloud provider stores the FCI data long-term
In scope, because the cloud provider is required to be CMMC Level 2 certified
Out of scope, because encryption is always used when the cloud provider stores the FCI data
Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.
Supporting Extracts from Official Content:
CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”
CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.
Why Option A is Correct:
The server stores FCI, making it automatically in scope.
Option B is incorrect because long-term storage does not make an asset out of scope.
Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.
Option D is incorrect because encryption does not remove scope requirements.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1.
CMMC Model v2.0, Scoping and Implementation guidance.
===========
The evidence needed for each practice and/or process is weighed for:
Adequacy and sufficiency
Adequacy and thoroughness
Sufficiency and thoroughness
Sufficiency and appropriateness
The CAP makes clear that evidence collected during the assessment is evaluated for both adequacy (does the evidence align with the requirement) and sufficiency (is there enough evidence to make a confident determination).
Supporting Extracts from Official Content:
CAP v2.0, Evidence Collection Guidance: “Evidence must be evaluated for adequacy… and for sufficiency, to ensure enough information is available to support the assessor’s determination.”
Why Option A is Correct:
Evidence is assessed based on two qualities only: adequacy and sufficiency.
“Thoroughness” and “appropriateness” are not official CAP terms for evidence evaluation.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Evidence Evaluation section.
===========
An organization ' s sales representative is tasked with entering FCI data into various fields within a spreadsheet on a company-issued laptop. This laptop is an FCI Asset being used to:
process and transmit FCI.
process and organize FCI.
store, process, and transmit FCI.
store, process, and organize FCI.
According to the CMMC Scoping Guidance, Level 1, the fundamental definition of an FCI Asset is any asset that performs at least one of three primary functions with Federal Contract Information (FCI). These functions are consistently defined across both Level 1 and Level 2 documentation as Processing, Storing, or Transmitting.
Process: In this scenario, the sales representative is " entering FCI data into various fields. " The act of inputting, manipulating, or editing data within an application (the spreadsheet) is the definition of processing.
Store: Because the spreadsheet is on the laptop, the data resides on the laptop ' s hard drive or memory. This constitutes storing.
Transmit: While the prompt focuses on the data entry, a laptop is an endpoint designed to move data across a network (email, cloud uploads, or server saves). In the context of CMMC scoping, assets that handle protected information are categorized by their capability and role in the data lifecycle, which includes transmitting.
Why other options are incorrect:
Options B and D: These include the word " organize. " While organizing data is a task a human performs, it is not a formal technical term used in the CMMC or NIST SP 800-171/FAR 52.204-21 definitions to categorize asset functions.
Option A: This option omits " store. " Since the spreadsheet exists on the laptop, storage is a primary function being utilized.
Reference Documents:
CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0, which defines FCI Assets as assets that " process, store, or transmit FCI. "
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): The regulatory source for Level 1, which applies to systems that " process, store, or transmit " federal contract information.
CMMC Assessment Guide, Level 1: Introduction and Scoping sections, reinforcing the triad of data handling functions.
How many cybersecurity levels does the CMMC Model structure contain?
2 Levels.
3 Levels.
5 Levels.
4 Levels.
The correct answer is B , 3 Levels. The official CMMC 2.0 Model Overview states that there are three levels within CMMC: Level 1, Level 2, and Level 3 . It explains that the model measures implementation of cybersecurity requirements at three levels, with each level containing a defined set of CMMC practices. Level 1 is focused on basic safeguarding of Federal Contract Information, Level 2 is focused on protection of Controlled Unclassified Information using requirements aligned to NIST SP 800-171, and Level 3 is intended for higher-risk programs requiring enhanced protection.
This is a major difference between CMMC 2.0 and the earlier CMMC 1.0 structure. CMMC 1.0 used five maturity levels, but CMMC 2.0 simplified the model to three cybersecurity levels. Therefore, option C , 5 Levels, reflects the older CMMC 1.0 structure and is not correct for CMMC 2.0. Option A , 2 Levels, is incorrect because it omits one of the three official levels. Option D , 4 Levels, is also incorrect because the official CMMC 2.0 model does not contain four levels. The bottom line is that CMMC 2.0 contains three cybersecurity levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert .
The practices in CMMC Level 2 consists of the security requirements specified in:
NISTSP 800-53.
NISTSP 800-171.
48 CFR 52.204-21.
DFARS 252.204-7012.
The Cybersecurity Maturity Model Certification (CMMC) Level 2 is designed to ensure that organizations can adequately protect Controlled Unclassified Information (CUI). To achieve this, CMMC Level 2 incorporates specific security requirements.
Step-by-Step Explanation:
Alignment with NIST SP 800-171:
CMMC Level 2 aligns directly with the security requirements outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This publication, titled " Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, " provides a comprehensive framework for safeguarding CUI.
Incorporation of Security Requirements:
The practices required for CMMC Level 2 certification encompass all 110 security requirements specified in NIST SP 800-171. These requirements are organized into 14 families, each addressing different aspects of cybersecurity, such as access control, incident response, and risk assessment.
Purpose of Alignment:
By integrating the NIST SP 800-171 requirements, CMMC Level 2 aims to standardize the implementation of cybersecurity practices across organizations handling CUI, ensuring a consistent and robust approach to protecting sensitive information.
SC.L2-3 13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC ' s assessment. How does this affect the assessment scope?
Any existing telephone system is in scope even if it is not using VoIP technology.
An error has been made and the Lead Assessor should be contacted to correct the error.
VoIP technology is within scope, and it uses FlPS-validated encryption, so it does not need to be assessed.
VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.
Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies
TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.
If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.
Why Option D is Correct
When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.
No assessment procedures are neededsince there is no VoIP system to evaluate.
Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.
Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.
Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.
Official CMMC Documentation References
CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14
NIST SP 800-171, Security Requirement 3.13.14
CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices
Final Verification
IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.
Ethics is a shared responsibility between:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Understanding Ethical Responsibility in the CMMC Ecosystem
Ethics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.
Key Ethical Responsibilities Include:
CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.
Why is the Correct Answer " CMMC-AB and Members of the CMMC Ecosystem " (C)?
A. DoD and CMMC-AB → Incorrect
TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.
B. OSC and Sponsors → Incorrect
TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.
CMMC 2.0 References Supporting this Answer:
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities forassessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations forassessors and consultantsduring certification assessments.
A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?
Identify resources and schedule.
Select Assessment Team members.
Identify and manage assessment risks.
Select and develop the evidence collection approach.
ACertified Third-Party Assessor Organization (C3PAO)is responsible for conductingCMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop anAssessment Plan, which includes several key elements.
The part of the plan that captures:
✅Names of interviewees
✅Facilities to be utilized
✅Estimated costs
✅Assessment schedule
falls under the " Identify Resources and Schedule " section of the plan.
Step-by-Step Breakdown:
✅1. Identify Resources and Schedule
This section of theCMMC Assessment Planoutlines:
Thepersonnelinvolved (e.g., interviewees, assessors).
Thelocationswhere the assessment will take place.
Thetimeline and scheduling details.
Theestimated costsassociated with the assessment.
This ensures that all necessaryresourcesare allocated and that the assessment proceeds as planned.
✅2. Why the Other Answer Choices Are Incorrect:
(B) Select Assessment Team Members❌
This section focuses onchoosing the assessorswho will conduct the evaluation, not listing interviewees and facilities.
(C) Identify and Manage Assessment Risks❌
This part of the plandocuments risks(e.g., scheduling conflicts, data access issues), but it doesnot outline names, facilities, or costs.
(D) Select and Develop the Evidence Collection Approach❌
This step defineshowevidence will be gathered (e.g., document reviews, interviews, system testing) but doesnot focus on logistics.
Final Validation from CMMC Documentation:
TheCMMC Assessment Process Guidestates thatresource identification and schedulingare essential for organizing the assessment. Since this sectioncaptures interviewees, facilities, costs, and the schedule, the correct answer is:
✅A. Identify resources and schedule.
How many domains does the CMMC Model consist of?
14 domains
43 domains
72 domains
110 domains
Step 1: Understanding CMMC Domains
TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.
Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.
The Advanced Level in CMMC will contain Access Control {AC) practices from:
Level 1.
Level 3.
Levels 1 and 2.
Levels 1,2, and 3.
In the CMMC 2.0 framework, the " Advanced " level is synonymous with CMMC Level 2 . The model is designed to be cumulative , meaning each higher level incorporates the requirements of the level(s) below it.
Cumulative Structure : For an organization to achieve a Level 2 Certification, it must demonstrate that it meets all 17 practices from Level 1 (Foundational) plus the additional 93 practices introduced at Level 2, totaling 110 practices (aligned with NIST SP 800-171 ).
Access Control (AC) Domain Breakdown :
Level 1 : Contains 4 AC practices (e.g., limiting system access to authorized users).
Level 2 : Contains 22 AC practices total. This includes the original 4 from Level 1 and 18 additional practices (e.g., controlling the use of privileged functions, limiting unsuccessful logon attempts).
Level 3 (Expert) : This level adds even more practices from NIST SP 800-172 . While Level 3 " contains " Level 2, the question asks specifically about what the Advanced Level (Level 2) contains. Therefore, it contains Level 1 and Level 2 practices.
Why other options are incorrect :
Option A : Level 2 is not just Level 1; it includes the additional NIST 800-171 requirements.
Option B : Level 3 practices are part of the " Expert " level, not the " Advanced " level.
Option D : The " Advanced " level (Level 2) does not include the " Expert " (Level 3) practices.
Reference Documents :
CMMC Model Overview (v2.0/v2.1) : Section 3.2, " Level 2: Advanced, " which explicitly states the level consists of the 110 practices from NIST SP 800-171, which includes the Level 1 requirements.
32 CFR Part 170 (CMMC Program Rule) : Defines the mapping of the 14 domains and the cumulative nature of the certification levels.
CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment.
A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?
The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.
More research on the company policy of creating, implementing, and enforcing policies is needed. If the company has a policy identifying the authority as with the position or person, then the policy is valid.
The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.
The authority to implement and enforce lies with the position, not the person. As long as that position ' s authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.
In the context of a CMMC Level 2 Assessment, assessors must evaluate the " Institutionalization " of practices, which includes the review of Policies. The validity of a policy document depends on the Organization Seeking Certification (OSC) ' s internal governance and administrative procedures.
Internal Governance (The " Why " ): CMMC does not dictate exactlyhowa company must authorize its policies (e.g., whether a signature must be refreshed immediately upon a personnel change). Instead, the assessor must verify if the document is considered " active " and " authoritative " by the OSC’s own standards.
The Role of the Assessor: As per the CMMC Assessment Process (CAP) and CCP training materials, an assessor cannot unilaterally declare a policy invalid simply because a signatory has left. The assessor must perform " more research " (typically through Interviews or examining Supplemental Documents) to determine the OSC ' s internal rules for policy management.
If the OSC ' s " Policy on Policies " states that a signature is tied to the individual, the document may be expired.
If the OSC ' s rules state that the authority is tied to the role/position (which is common in most corporate governance), the policy remains in effect until it is formally rescinded or updated.
Distinction from other options:
Option A is too restrictive; it assumes a universal rule that doesn ' t exist in the CMMC framework.
Option C is incorrect because a signatory (or formal approval)isoften what gives a policy its " authoritative " status in an audit; ignoring it would be a failure of the Examine method.
Option D is a common business assumption, but an assessor must verify this via the OSC ' s own procedures rather than assuming it is true for every company.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section on " Examine " methods and evaluating evidence integrity.
NIST SP 800-171A: Discussion on " Organizational Policies " as assessment objects and the requirement for policies to be " established and maintained. "
CMMC Level 2 Assessment Guide: Clarifies that policies must be " formally documented " and " representative of organizational requirements. "
According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?
The NARA CUI Executive Agent
The contractor who generated the information
The DoD agency for whom the contractor is performing the work
The military personnel assigned to the contractor for that purpose
DFARS clause 252.204-7012 establishes the safeguarding of Covered Defense Information (CDI), which aligns with CUI categories. The clause specifies that the DoD is responsible for determining whether information is Controlled Unclassified Information (CUI) and marking it accordingly before sharing it with contractors. Contractors do not make determinations about what constitutes CUI; they are responsible for safeguarding information once it is received and marked as CUI.
Reference Documents:
DFARS 252.204-7012,Safeguarding Covered Defense Information and Cyber Incident Reporting
CMMC Model v2.0 Overview, December 2021
A Lead Assessor is ensuring all actions have been completed to conclude a Level 2 Assessment. The final Assessment Results Package has been properly reviewed and is ready to be uploaded. What other materials is the Lead Assessor responsible for maintaining and protecting?
Any additional notes and information from the Assessment
A final assessment plan, and a Quality Control report from C3PAO
A final assessment plan, and a letter from the Lead Assessor explaining the process
A final assessment plan, a letter from the Lead Assessor explaining the results, and a Quality Control report from C3PAO
The Lead Assessor is responsible for protecting and maintaining all assessment records, notes, and information gathered during the assessment process. This includes working papers and supplemental documentation that may be needed for auditability or dispute resolution.
Supporting Extracts from Official Content:
CAP v2.0, Post-Assessment Responsibilities (§3.17): “The Lead Assessor must ensure that all assessment artifacts, notes, and information are archived or disposed of in accordance with C3PAO policy.”
Why Option A is Correct:
The CAP specifies that notes and information from the assessment must be preserved or disposed of according to policy.
Options B, C, and D list items not required in the CAP. The “letter” and “quality control report” are not part of the Lead Assessor’s required maintained materials.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 3 Post-Assessment (§3.17).
===========
Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?
Legal agreement
CMMC agreement
Assessment agreement
Non-disclosure agreement
The correct document is a Non-Disclosure Agreement (NDA) , because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0 , NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.
CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”
This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.
While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement) .
Who is responsible for identifying and verifying Assessment Team Member qualifications?
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Understanding the Role of the Lead Assessor in CMMC Assessments
TheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.
Why the Correct Answer is " C. Lead Assessor " ?
Lead Assessor’s Key Responsibilities (Per CAP Guide)
Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.
Assignappropriate assessment tasksbased on team members’ expertise.
Ensure that theassessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect
AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.
B. CMMC-AB (CMMC Accreditation Body)→Incorrect
TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.
D. CMMC Marketplace→Incorrect
TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.
Relevant CMMC 2.0 References:
CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.
CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Final Justification:
Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Organizational operations, business assets, and employees
Organizational operations, business processes, and employees
Organizational operations, organizational assets, and individuals
Organizational operations, organizational processes, and individuals
TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.
TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:
" Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. "
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
✅Organizational operations(e.g., mission, business continuity, functions)
✅Organizational assets(e.g., data, IT systems, intellectual property)
✅Individuals(e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.
Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees
❌Incorrect. " Business assets " is not the correct terminology used in CMMC/NIST SP 800-171. Instead, " organizational assets " is the proper term.
B. Organizational operations, business processes, and employees
❌Incorrect. " Business processes " is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.
D. Organizational operations, organizational processes, and individuals
❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.
CMMC Official References
CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.
Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.
Which term describes assessing the ability of a unit equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary?
Penetration test
Black hat testing
Red cell assessment
Adversarial assessment
The term Adversarial Assessment is formally defined in DoD cyber terminology. It describes testing that evaluates a unit or system’s ability to perform its mission while facing simulated cyber threat activity representative of a real-world adversary.
Supporting Extracts from Official Content:
DoD Cybersecurity Test and Evaluation Guidebook: “Adversarial Assessment: Test conducted to evaluate a unit’s ability to support its mission while withstanding cyber threat activity representative of an actual adversary.”
Why Option D is Correct:
A penetration test is narrower and focuses on identifying vulnerabilities.
Black hat testing is not an official DoD or CMMC term.
Red cell assessment refers more broadly to force-on-force exercises and is not the term used in CMMC/governing DoD definitions.
References (Official CMMC v2.0 Content and Source Documents):
DoD Cybersecurity Test and Evaluation Guidebook.
CMMC v2.0 Governance – Source Documents (incorporating DoD definitions).
What is DFARS clause 252.204-7012 required for?
All DoD solicitations and contracts
Solicitations and contracts that use FAR part 12 procedures
Procurements solely for the acquisition of commercial off-the-shelf
Commercial off-the-shelf sold in the marketplace without modifications
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
have a security clearance.
be a senior person in the company.
demonstrate expertise on the CMMC requirements.
provide clarity and understanding of their practice activities.
Interview Selection in CMMC Assessments
During aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:
✅Verify that personnel understand andperform security-related practices.
✅Ensure that individuals canexplain how they implement CMMC requirements.
✅Gain insight intoactual cybersecurity operationsrather than just documented policies.
The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.
Why " Providing Clarity and Understanding " Is Key
CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.
Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.
CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.
Thus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.
Why the Other Answers Are Incorrect
A. Have a security clearance.
❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.
B. Be a senior person in the company.
❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.
C. Demonstrate expertise on the CMMC requirements.
❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.
CMMC Official References
CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.
NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.
Thus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.
The results package for a Level 2 Assessment is being submitted. What MUST a Final Report. CMMC Assessment Results include?
Affirmation for each practice or control
Documented rationale for each failed practice
Suggested improvements for each failed practice
Gaps or deltas due to any reciprocity model are recorded as met
Understanding the CMMC Level 2 Final Report Requirements
For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:
Assessment findings for each practice
Final ratings (MET or NOT MET) for each practice
A detailed rationale for each practice rated as NOT MET
Why " B. Documented rationale for each failed practice " is Correct?
The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.
This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA & M).
TheFinal Report serves as an official recordand must be submitted as part of theresults package.
Why Other Answers Are Incorrect?
A. Affirmation for each practice or control (Incorrect)
While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.
C. Suggested improvements for each failed practice (Incorrect)
Assessors do not provide recommendations for improvement—they only document findings and rationale.
Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.
D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)
If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as " MET. "
Conclusion
The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.
How does the CMMC define a practice?
A business transaction
A condition arrived at by experience or exercise
A series of changes taking place in a defined manner
An activity or activities performed to meet defined CMMC objectives
Understanding the Definition of a " Practice " in CMMC 2.0
In CMMC 2.0, the term " practice " refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.
Step-by-Step Breakdown:
Definition from CMMC Documentation:
According to theCMMC Model Overview, apracticeis defined as:
" An activity or activities performed to meet defined CMMC objectives. "
This means that practices are theactions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
How Practices Fit into CMMC 2.0:
CMMC 2.0 Level 1 consists of17 practices, which align withFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
CMMC 2.0 Level 2 consists of110 practices, aligned directly withNIST SP 800-171 Rev. 2.
Each practice has anobjectivethat must be met to demonstrate compliance.
Official CMMC 2.0 References:
TheCMMC 2.0 Model Documentationdefines practices as " the fundamental cybersecurity activities necessary to achieve security objectives. "
TheCMMC Assessment Process (CAP) Guideoutlines how assessors verify the implementation of these practices during an assessment.
TheNIST SP 800-171A Guideprovidesassessment objectivesfor each practice to ensure they are implemented effectively.
Comparison with Other Answer Choices:
A. A business transaction→ Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.
B. A condition arrived at by experience or exercise→ Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.
C. A series of changes taking place in a defined manner→ Incorrect. A practice is a set of security actions, not just a process of change.
Conclusion:
ACMMC practicerefers to specificcybersecurity activities performed to meet defined CMMC objectives. This makesOption Dthe correct answer.
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Conduct a penetration test
Interview the intrusion detection system ' s supplier.
Upload known malicious code and observe the system response.
Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:
✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)
✅Log analysis and network monitoring
✅Incident response planningfor detected threats
As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.
Why " Review an artifact to check key references for the configuration of the IDS or IPS " is Correct?
TheCCA must collect sufficient objective evidenceto determine compliance.
Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.
Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.
Breakdown of Answer Choices
Option
Description
Correct?
A. Conduct a penetration test
❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor ' s responsibilities.
B. Interview the intrusion detection system ' s supplier.
❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.
C. Upload known malicious code and observe the system response.
❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official References from CMMC 2.0 and NIST SP 800-171 Documentation
NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.
Final Verification and Conclusion
The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.
Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?
Phase 1: Plan and Prepare Assessment
Phase 2: Conduct Assessment
Phase 3: Report Recommended Assessment Results
Phase 4: Remediation of Outstanding Assessment Issues
Understanding the CMMC Assessment Process
TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.
Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.
Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.
Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.
Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.
Why " Phase 2: Conduct Assessment " is Correct?
DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:
✅Identifying required evidencefor compliance verification.
✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).
✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.
✅Interviewing key personneland observing cybersecurity implementations.
Since the question specifically mentions " identify, obtain inventory, and verify evidence, " this task directly falls underPhase 2: Conduct Assessment.
Breakdown of Answer Choices
Option
Description
Correct?
A. Phase 1: Plan and Prepare Assessment
❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.
B. Phase 2: Conduct Assessment
✅Correct – This phase involves gathering, verifying, and reviewing evidence.
C. Phase 3: Report Recommended Assessment Results
❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.
D. Phase 4: Remediation of Outstanding Assessment Issues
❌Incorrect–This phase focuses oncorrective actions, not evidence collection.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.
Final Verification and Conclusion
The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.
What activities are conducted while developing an assessment plan?
The C3PAO decides the Assessment Team members and notifies the Lead Assessor.
The Lead Assessor and the OSC’s sponsor determine the assessment resources and schedule.
The C3PAO’s project manager is responsible for handling potential conflicts of interest.
The evidence collection approach can be finalized when the Lead Assessor conducts an onsite assessment.
In the CAP v2.0 “preliminary proceedings,” the assessment is “framed” before Phase 1/Phase 2 execution. CAP states the C3PAO works with the OSC’s leadership point(s) of contact (the Affirming Official and/or OSC POC ) “to determine the purview and planning details of the assessment,” explicitly including schedule , personnel , logistics , relevant contractual requirements, and the prospective CMMC Assessment Scope .
Although the question uses the term “OSC sponsor,” the CAP’s official role language is Affirming Official / OSC POC , and the Lead CCA (Lead Assessor) is the assessor counterpart. CAP further explains that the In-Brief Meeting establishes a common understanding of objectives, roles/responsibilities, and the schedule , and the Lead CCA must (at minimum) review the schedule and confirm assessment scope with the OSC.
Option A is incomplete because team assignment is a C3PAO responsibility, but CAP’s “plan” emphasis here is broader framing: availability of personnel/evidence, documentation readiness, timing, and logistics. Option C is incorrect because CAP states C3PAOs are ultimately responsible for managing conflicts of interest and this responsibility cannot be delegated to the assessment team or the OSC. Option D is incorrect because CAP requires evaluation methods and evidence planning activities to be established during Phase 1 planning, not deferred until onsite work.
===========
What technical means can an OSC have in place to limit individuals who are authorized to post or process information on publicly accessible systems?
Enable cookies to track who has accessed certain websites.
Ensure procedural documentation is in place on how to access website consoles.
Ensure marketing team trainings are required so that any changes to the website go through proper review.
Enable administrative access roles to those that need them so that only those people can post items to the website.
This question aligns to the CMMC requirement to control information posted or processed on publicly accessible information systems , which appears in the CMMC Model Overview as AC.L1-3.1.22 (Control Public Information) and maps to FAR 52.204-21(b)(1)(iv) and NIST SP 800-171 Rev. 2 / r2 requirement 3.1.22 .
NIST explains that publicly accessible systems are typically those accessible to the public without identification or authentication , and that individuals authorized to post nonpublic information (including CUI/FCI and proprietary information) are designated . It also emphasizes controlling what gets posted and ensuring nonpublic information is not exposed.
The most direct technical way to “limit individuals who are authorized to post or process information” is to implement role-based administrative access (least privilege) to the website/CMS/admin console—granting publish/edit privileges only to approved roles (e.g., “Web Publisher,” “Content Approver”), and keeping all other users read-only or without access to posting functions. This directly enforces the requirement by using access control to restrict who can post/process content on the public system.
Options B and C are helpful procedural/administrative controls , but the question asks for technical means . Option A (cookies) does not control authorization to post; it’s not an access control mechanism. Therefore, D is best.
Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:
The contract value plus a penalty as stated in the Cyber Claims Act
The contract value plus a penalty as stated in the False Claims Act
Three times the contract value plus a penalty as stated in the Cyber Claims Act
Three times the contract value plus a penalty as stated in the False Claims Act
The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.
Supporting Extracts from Official Content:
False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”
DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.
Why Option D is Correct:
The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).
The FCA specifies treble damages plus penalties, which exactly matches Option D.
References (Official CMMC v2.0 Governance and Source Documents):
False Claims Act (31 U.S.C. §§ 3729–3733).
DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.
===========
A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company ' s CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?
FCI Assets
Specialized Assets
Out-of-Scope Assets
Operational Technology Assets
Understanding CMMC Asset Categorization
TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).
In this scenario:
Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.
Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per theCMMC Scoping Guide, assets that:
✅Do not store, process, or transmit FCI/CUI
✅Do not directly impact the security of in-scope assets
✅Are completely segregated from the FCI/CUI environment
are classified asOut-of-Scope Assets.
Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.
Why the Other Answers Are Incorrect
A. FCI Assets
❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.
B. Specialized Assets
❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.
D. Operational Technology Assets
❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.
CMMC Official References
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.
Within what amount of time MUST convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not connected with activities that relate to carrying out a Lead Assessor role, be reported to the CMMC Accreditation Body?
90 days.
30 days.
3 days.
7 days.
The correct answer is B , 30 days. The official CMMC Program rule at 32 CFR Part 170 , Subpart C, requires CMMC ecosystem members to report certain criminal matters to the Accreditation Body within 30 days . The rule specifically includes convictions, guilty pleas, and no contest pleas involving crimes such as fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or similar offenses in civil or criminal legal proceedings. This requirement applies whether or not the offense is directly connected to the individual’s CMMC ecosystem role.
This requirement is important because CMMC ecosystem roles, including Lead Assessors, depend on trustworthiness, professional integrity, impartiality, and reliability. A Lead Assessor participates in activities that may affect whether an OSC receives a CMMC certification, so criminal conduct involving dishonesty or misuse of funds is highly relevant to the integrity of the ecosystem. Option A , 90 days, is incorrect because the reporting window is shorter. Option C , 3 days, and option D , 7 days, are also incorrect because they do not match the official 30-day reporting requirement. Although older training materials may use the term “CMMC-AB,” the current terminology commonly refers to the Accreditation Body or The Cyber AB. The required reporting period remains 30 days .
===========
The practices in CMMC Level 2 consist of the security requirements specified in:
NIST SP 800-53
NIST SP 800-171
48 CFR 52.204-21
DFARS 252.204-7012
CMMC Level 2 requires full implementation of the 110 security requirements specified in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. These practices form the foundation for safeguarding CUI across defense contractor systems.
NIST SP 800-53 is a broader catalog of security controls for federal systems, not specific to CUI in the defense contractor environment.
48 CFR 52.204-21 establishes basic safeguarding requirements for Federal Contract Information (FCI) and corresponds to CMMC Level 1.
DFARS 252.204-7012 defines safeguarding and incident reporting obligations but does not enumerate the specific security practices required.
Thus, Level 2 practices are aligned to NIST SP 800-171.
Reference Documents:
CMMC Model v2.0 Overview, December 2021
NIST SP 800-171 Rev. 2
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
CDI
CTI
CUI
FCI
Understanding Federal Contract Information (FCI)
Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:
Is NOT intended for public release.
Is provided by or generated for the government under a contract.
Is necessary to develop or deliver a product or service to the government.
Excludes publicly available government information(such as information on public websites).
Excludes simple transactional information(e.g., necessary to process payments).
In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.
Why is the Correct Answer FCI (D)?
A. CDI (Controlled Defense Information)→ Incorrect
This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.
B. CTI (Cyber Threat Intelligence)→ Incorrect
This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.
C. CUI (Controlled Unclassified Information)→ Incorrect
CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.
D. FCI (Federal Contract Information)→Correct
The definition of FCI explicitly matches the description given in the question.
CMMC 2.0 References Supporting this Answer:
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
Defines FCI and the required safeguards.
Establishes17 cybersecurity practicesfor FCI protection.
CMMC 2.0 Framework
Level 1 (Foundational)is required for contractors handlingFCI.
Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.
NIST SP 800-171 and DFARS 252.204-7012
FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
DoD
CISA
NIST
CMMC-AB
Step 1: Understanding the Role of the DoD in CMMC
TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.
This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?
The C3PAO submits the results to the CMMC-AB.
The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.
The C3PAO submits the results to Enterprise Mission Assurance Support Service.
The Lead Assessor submits the results to the CMMC-AB.
The correct answer is C . Under the official CMMC Assessment Process, the C3PAO is responsible for submitting CMMC Level 2 certification assessment results into CMMC eMASS , which is the Enterprise Mission Assurance Support Service environment used for CMMC assessment result submission. The CMMC Assessment Process Version 2.0 states that CMMC Level 2 certification assessment results are uploaded to CMMC eMASS by the C3PAO, and that the user workspace used for upload must exist within the scope of the C3PAO’s DIBCAC-assessed environment.
This means the OSC does not submit the final certification assessment package directly, and the Lead Assessor does not independently submit final results to the CMMC-AB. The Lead Assessor leads assessment execution, prepares findings, supports the out-brief, and works with the assessment team, but the formal assessment-result submission function belongs to the authorized C3PAO. The CMMC Quality Assurance Professional review occurs before final submission to help ensure assessment completeness, consistency, and quality. After that review, the C3PAO submits the assessment results into the official CMMC eMASS environment. Therefore, options A , B , and D are incorrect because they identify the wrong receiving entity or the wrong submitting party. Option C correctly identifies both the submitting organization and the official submission system.
===========
What is the MOST common purpose of assessment procedures?
Obtain evidence.
Define level of effort.
Determine information flow.
Determine value of hardware and software.
Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.
Why " A. Obtain Evidence " is Correct?
CMMC Assessments Require Evidence Collection
TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:
Examine– Reviewing documentation, policies, and system configurations.
Interview– Speaking with personnel to confirm understanding and execution.
Test– Validating controls through operational or technical tests.
All these methods involve obtaining evidenceto support whether a security requirement has been met.
Alignment with NIST SP 800-171A
CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.
Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.
Why Other Answers Are Incorrect?
B. Define level of effort (Incorrect)
Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.
C. Determine information flow (Incorrect)
While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.
D. Determine value of hardware and software (Incorrect)
Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.
Conclusion
The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.
Which statement BEST describes the requirements for a C3PA0?
An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements.
An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements.
AC3PAO must be accredited by DoD before being able to conduct assessments.
A C3PAO must be authorized by CMMC-AB before being able to conduct assessments.
Understanding C3PAO Requirements
ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).
Key Requirements for a C3PAO to Conduct Assessments:
✔Must be authorized by CMMC-AB before conducting assessments.
✔Must meet CMMC-AB and DoD cybersecurity and process requirements.
✔Must comply with ISO/IEC 17020 standards for inspection bodies.
✔Must undergo a rigorous vetting process, including cybersecurity verification.
Why is the Correct Answer " D " (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?
A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect
C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.
While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.
B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect
C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.
Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.
C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect
The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.
D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct
CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines
States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.
CMMC 2.0 Assessment Process (CAP) Document
Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.
ISO/IEC 17020 Compliance for C3PAOs
Defines theinspection body requirements for C3PAOs, which must be met for accreditation.
Which domain references the requirements needed to handle physical or digital assets containing CUI?
Media Protection (MP)
Physical Protection (PE)
System and Information Integrity (SI)
System and Communications Protection (SC)
Understanding the Media Protection (MP) Domain
TheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).
This domain includes controls for:
Protecting digital and physical mediathat store CUI.
Sanitizing and destroying mediabefore disposal or reuse.
Restricting access to CUI mediato authorized personnel only.
Why the Correct Answer is " A. Media Protection (MP) " ?
TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.
CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.
Why Not the Other Options?
B. Physical Protection (PE)→Incorrect
PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.
C. System and Information Integrity (SI)→Incorrect
SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.
D. System and Communications Protection (SC)→Incorrect
SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.
Relevant CMMC 2.0 References:
CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.
NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.
CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.
Final Justification:
SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
Host Unit
Branch Office
Coordinating Unit
Supporting Organization/Units
According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.
Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the " anchor " for the assessment boundary.
Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.
Relationship to other units:
Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary " Host " of the CUI/FCI. They are in-scope because they provide " Security Protection " or " Administrative " functions to the Host Unit.
Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the " people, processes, and technology " being assessed under the CMMC CAP.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.
CMMC Level 2 Scoping Guidance: Provides the framework for identifying the " assets " (people, technology, facilities) that reside within the Host Unit boundary.
CCP Study Guide: Section on " Scoping the Assessment, " which explains how to identify the Host Unit versus External Service Providers (ESPs).
For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?
C3PAO and OSC
OSC and CMMC-AB
CMMC-AB and C3PAO
Lead Assessor and Assessment Team Members
In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.
Supporting Extracts from Official Content:
CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”
Why Option D is Correct:
Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.
Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.
===========
An OSC needs to be assessed on RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. What is in scope for a Level 2 assessment of RA.L2-3.11.1?
IT systems
Enterprise systems
CUI Marking processes
Processes, people, physical entities, and IT systems in which CUI processed, stored, or transmitted
Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2
TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.
What is Required for Compliance?
The organization must performrisk assessments on all assets and entities involved in handling CUI.
Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.
The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.
Why the Correct Answer is " Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted " :
CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.
Risk assessmentsmust evaluate all areas that could impact CUI security, including:
Personnel security risks(e.g., insider threats, phishing attacks).
Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).
Physical security risks(e.g., unauthorized access to servers, storage rooms).
IT systems(e.g., networks, servers, cloud environments processing CUI).
Clarification of Incorrect Options:
A. " IT systems " →Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.
B. " Enterprise systems " →Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.
C. " CUI Marking processes " →Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.
Recording evidence as adequate is defined as the criteria needed to:
verify, based on an assessment and organizational scope.
verify, based on an assessment and organizational practice.
determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.
determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
Understanding " Adequate Evidence " in the CMMC Assessment Process
In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:
Artifacts(e.g., security policies, system configurations, logs).
Interview responses(e.g., verbal confirmation from personnel about their responsibilities).
Demonstrations(e.g., showing how a security control is implemented in real time).
Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).
Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.
Why is the Correct Answer " Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice " (D)?
A. Verify, based on an assessment and organizational scope → Incorrect
Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.
B. Verify, based on an assessment and organizational practice → Incorrect
CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.
C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect
Thescopedefines the assessment boundaries, but theassessment team ' s job is to confirm whether CMMC practices are satisfied.
D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct
TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines " adequate evidence " asproof that a CMMC practice has been correctly implemented.
CMMC 2.0 Assessment Criteria
Specifies that evidence must beevaluated against specific cybersecurity practices.
NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)
Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.
Final Answer:
✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
While conducting a CMMC Level 2 Assessment, the Lead Assessor determines that the OSC has badge readers, pin code pads, and keys for various access points as well as documentation to demonstrate meeting the practice. Which CMMC practice has the OSC MET?
PE.L1-3.10.5: Control and manage physical access devices
MP.L2-3.8.5: Mark media with necessary CUI markings and distribution limitations
SI.L2-3.14.3: Monitor system security alerts and advisories and take action in response
PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.
The other options address unrelated requirements:
MP.L2-3.8.5 addresses marking CUI media,
SI.L2-3.14.3 addresses monitoring security alerts,
PS.L2-3.9.2 addresses protections during personnel changes.
Reference Documents:
CMMC Model v2.0, Level 1–3 Practices
NIST SP 800-171 Rev. 2, Control PE-3
A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC ' s Configuration Management (CM) domain. The CCP ' s first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP ' s interview focus on?
Controlled and monitored
Removed from the system
Scanned for malicious code
Limited to mission-essential use only
Understanding Configuration Management (CM) in CMMC Level 2
InCMMC Level 2, theConfiguration Management (CM) domainis critical for ensuring that systems aresecurely configured, maintained, and monitoredto prevent unauthorized changes. One key aspect of CM is managinguser-installed software, which can introducesecurity risksif not properly controlled.
The correct approach to managinguser-installed softwarealigns withCM.3.068fromNIST SP 800-171, which requires organizations to:
✅Establish and enforce configuration settingsto ensure security.
✅Monitor and control user-installed softwareto prevent unauthorized or insecure applications from running on organizational systems.
Why " Controlled and Monitored " is Correct?
The CCP (Certified CMMC Professional) conducting theinterviewshould focus on whether theuser-installed softwareiscontrolled and monitoredto align withCMMC Level 2 requirements. This means verifying:
Approval processesfor user-installed software.
Monitoring mechanisms(e.g., system logs, audits) to track software changes.
Policies that restrict unauthorized installationsto prevent security risks.
Breakdown of Answer Choices
Option
Description
Correct?
A. Controlled and monitored
✅Ensures compliance with CM.3.068, verifying that user-installed software ismanaged securely.
✅Correct
B. Removed from the system
Software isnot always removed—only unauthorized or risky software should be.
❌Incorrect
C. Scanned for malicious code
While scanning isimportant(covered in SI.3.218), it isnot the primary focusof Configuration Management.
❌Incorrect
D. Limited to mission-essential use only
While limiting software is useful,monitoring and controllingis the key security measure.
❌Incorrect
Official Reference from CMMC 2.0 Documentation
NIST SP 800-171, CM.3.068– " Control and monitor user-installed software. "
CMMC 2.0 Level 2 Requirements– Directly aligned withNIST SP 800-171 security controls.
Final Verification and Conclusion
The correct answer isA. Controlled and monitored, as perCM.3.068inNIST SP 800-171andCMMC 2.0documentation.
A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?
It is storing FCI.
It is testing FCI.
It is distributing FCI.
It is properly marked as FCI.
CMMC v2.0 scoping defines “in-scope” assets for Level 1 (FCI protection) based on whether the asset processes, stores, or transmits FCI . The DoD CMMC Assessment Scope – Level 1 (v2.13) states: “Assets in scope … are all assets that **process, store, or transmit Federal Contract Information (FCI).” It then defines these terms. Critically for this question, Store is defined as when “FCI is inactive or at rest on an asset (e.g., located on electronic media…).”
A flash drive is “electronic media.” If the program manager places contract-relevant FCI onto the flash drive, the flash drive is now an asset that stores FCI (FCI at rest). Under the scoping guidance, that alone is enough to classify it as an in-scope FCI asset for Level 1 purposes, meaning it falls within the Level 1 assessment scope and must be protected by applicable Level 1 requirements.
The other answer choices do not align to the scoping definitions. “Testing FCI” (B) is not one of the scope-determining criteria in the Level 1 scoping guide. “Distributing FCI” (C) is not the formal criterion either (the guide uses Transmit , not “distribute”). Finally, being “properly marked” (D) does not determine whether something is in scope; the decisive factor is whether the asset processes, stores, or transmits FCI.
A Lead Assessor and an OSC ' s Assessment Official have agreed to have the Assessment results presented during the final Daily Checkpoint of the OSC ' s CMMC Level 2 Assessment. Which document MUST the Lead Assessor use to present assessment findings to the OSC?
CMMC POA & M Brief
CMMC Findings Brief
CMMC Assessment Tracker Tool
CMMC Recommended Findings template
According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.
Other options are incorrect because:
POA & M Brief is not part of the official CAP presentation.
CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.
Recommended Findings template is not a recognized deliverable in CAP.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit. Supporting Organization/Unit, or enclave has been met?
OSC
Assessment Team
Authorizing official
Assessment official
Who Verifies the Adequacy and Sufficiency of Evidence?
In the CMMC assessment process, it is theAssessment Teamthat is responsible for verifying whether thepractices and related componentshave been met for each in-scopeHost Unit, Supporting Organization/Unit, or enclave.
TheCMMC Assessment Teamis composed of certified assessors and led by aCertified CMMC Assessor (CCA). Their primary role is to:
Review evidenceprovided by theOrganization Seeking Certification (OSC).
Determine compliancewith required CMMC practices and processes.
Evaluate the sufficiencyof evidence to confirm that all required practices have been properly implemented.
Document and report findingsto the CMMC Accreditation Body (CMMC-AB).
Breakdown of Answer Choices
Option
Description
Correct?
A. OSC (Organization Seeking Certification)
The OSC provides documentation and evidence but doesnotverify its adequacy.
❌Incorrect
B. Assessment Team
✅Responsible for verifying the adequacy and sufficiency of evidence.
✅Correct
C. Authorizing Official
Typically refers to an official responsible for system accreditation underNIST RMF, not CMMC.
❌Incorrect
D. Assessment Official
Not a defined role in the CMMC framework.
❌Incorrect
Official Reference from CMMC 2.0 Documentation
TheCMMC Assessment Process Guide(CAP) outlines theAssessment Team ' sresponsibility in verifying evidence.
TheCMMC Assessment Teamevaluates whether theorganization ' s cybersecurity practices meet CMMC requirements.
Final Verification and Conclusion
The correct answer isB. Assessment Team, as per CMMC 2.0 documentation and official assessment processes.
A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor ' s business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?
loT
Restricted IS
Test equipment
Government property
Understanding Restricted Information Systems (IS) in CMMC Scoping
InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:
Internet of Things (IoT) Devices– Smart or network-connected devices.
Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.
Test Equipment– Devices used for specialized testing or measurement.
Government Property– Equipment owned by theU.S. Governmentbut used by contractors.
Why " B. Restricted IS " is Correct?
The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.
Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.
These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.
Why Other Answers Are Incorrect?
A. IoT (Incorrect)
IoT devices includesmart devices, sensors, and embedded systems, but the contractor ' s business systems are not classified as IoT.
C. Test Equipment (Incorrect)
The contractor’s systems areused for handling FCI, not for testing or measurement.
D. Government Property (Incorrect)
The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.
Conclusion
The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.
What is objectivity as it applies to activities with the CMMC-AB?
Ensuring full disclosure
Reporting results of CMMC services completely
Avoiding the appearance of or actual, conflicts of interest
Demonstrating integrity in the use of materials as described in policy
nderstanding Objectivity in CMMC-AB Activities
Objectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.
Key Aspects of Objectivity in CMMC Assessments:
✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.
✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.
✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.
Why is the Correct Answer " C. Avoiding the appearance of or actual, conflicts of interest " ?
A. Ensuring full disclosure → Incorrect
Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.
B. Reporting results of CMMC services completely → Incorrect
Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.
C. Avoiding the appearance of or actual, conflicts of interest → Correct
Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.
Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.
D. Demonstrating integrity in the use of materials as described in policy → Incorrect
Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.
CMMC Assessment Process (CAP) Document
Emphasizes that assessments must befree from external influence and conflicts of interest.
ISO/IEC 17020 Requirements for Inspection Bodies
Definesobjectivity as avoiding conflicts of interest in the assessment process.
Which method facilitates understanding by analyzing gathered artifacts as evidence?
Test
Examine
Behavior
Interview
The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.
Supporting Extracts from Official Content:
CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”
Why Option B is Correct:
Examine = analyzing artifacts.
Interview = discussions with personnel.
Test = executing technical checks.
Behavior is not an assessment method.
References (Official CMMC v2.0 Content):
CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).
===========
In the CMMC Model, how many practices are included in Level 2?
17 practices
72 practices
110 practices
180 practices
How Many Practices Are Included in CMMC Level 2?
CMMC Level 2is designed to alignfullywithNIST SP 800-171, which consists of110 security controls (practices).
This meansall 110 practicesfrom NIST SP 800-171 are required for aCMMC Level 2 certification.
Breakdown of Practices in CMMC 2.0
CMMC Level
Number of Practices
Level 1
17 practices(Basic Cyber Hygiene)
Level 2
110 practices(Aligned with NIST SP 800-171)
Level 3
Not yet finalized but expected to exceed 110
Since CMMC Level 2 mandatesall 110 NIST SP 800-171 practices, the correct answer isC. 110 practices.
Why the Other Answers Are Incorrect
A. 17 practices
❌Incorrect.17 practicesapply only toCMMC Level 1, not Level 2.
B. 72 practices
❌Incorrect. There is no CMMC level with72 practices.
D. 180 practices
❌Incorrect. CMMC Level 2only requires 110 practices, not 180.
CMMC Official References
CMMC 2.0 Model– Confirms thatLevel 2 includes 110 practicesaligned withNIST SP 800-171.
NIST SP 800-171 Rev. 2– Outlines the110 security controlsrequired for handlingControlled Unclassified Information (CUI).
Thus,option C (110 practices) is the correct answer, as per official CMMC guidance.
In the CMMC Model, how many practices are included in Level 1?
15 practices
17 practices
72 practices
110 practices
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.
Breakdown of CMMC Level 1 Practices
The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:
Access Control (AC)– 4 practices
AC.L1-3.1.1: Limit system access to authorized users
AC.L1-3.1.2: Limit user access to authorized transactions and functions
AC.L1-3.1.20: Verify and control connections to external systems
AC.L1-3.1.22: Control information posted or processed on publicly accessible systems
Identification and Authentication (IA)– 2 practices
IA.L1-3.5.1: Identify and authenticate system users
IA.L1-3.5.2: Use multifactor authentication for local and network access
Media Protection (MP)– 1 practice
MP.L1-3.8.3: Sanitize media before disposal or reuse
Physical Protection (PE)– 4 practices
PE.L1-3.10.1: Limit physical access to systems containing FCI
PE.L1-3.10.3: Escort visitors and monitor visitor activity
PE.L1-3.10.4: Maintain audit logs of physical access
PE.L1-3.10.5: Control and manage physical access devices
System and Communications Protection (SC)– 2 practices
SC.L1-3.13.1: Monitor and control communications at system boundaries
SC.L1-3.13.5: Implement subnetworks for publicly accessible system components
System and Information Integrity (SI)– 4 practices
SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner
SI.L1-3.14.2: Provide protection from malicious code at designated locations
SI.L1-3.14.4: Update malicious code protection mechanisms periodically
SI.L1-3.14.5: Perform scans of system components and real-time file scans
Official Reference from CMMC 2.0 Documentation
The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.
???? CMMC 2.0 Level 1 Summary:
Focus:Basic safeguarding of FCI
Total Practices:17
Derived From:FAR 52.204-21
Assessment Type:Self-assessment (annual)
Final Verification and Conclusion
The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.
Which statement is NOT a requirement for a Licensed Partner Publisher?
Must have at least two years of history in publishing
Must possess a Dun and Bradstreet number and background check
Must receive CMMC Level 3 certification
Must be approved by CMMC-AB or authorized organization
The correct answer is C because a Licensed Partner Publisher is an ecosystem participant that produces or distributes approved CMMC-related learning or publishing content; it is not the same thing as an Organization Seeking Assessment or a Defense Industrial Base contractor pursuing a CMMC Level 3 certification status. CMMC certification levels apply to organizations handling FCI or CUI in connection with DoD contract performance, not to every training, publishing, or ecosystem-support organization. The CMMC Assessment Process describes CMMC as the DoD initiative for assessing and certifying conformance by companies and organizations in the Defense Industrial Base, specifically to safeguard CUI and FCI processed, stored, or transmitted during DoD contract performance. A publisher may need business validation, authorization, background checks, and approval by the CMMC Accreditation Body or authorized program entity, but requiring CMMC Level 3 certification would be misaligned with the role. Level 3 is an advanced contractor cybersecurity status, not a publishing-partner qualification. Reference/topics: CMMC Ecosystem, Licensed Partner Publisher, Cyber AB ecosystem roles, CMMC certification applicability.
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?
Clear, purge, destroy
Clear, redact, destroy
Clear, overwrite, purge
Clear, overwrite, destroy
NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.
Supporting Extracts from Official Content:
NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”
Why Option A is Correct:
“Clear, Purge, Destroy” are the exact three categories named.
Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.
References (Official CMMC v2.0 Content and Source Documents):
NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.
===========
The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?
FBI CUI Introduction to Marking
NARA CUI Introduction to Marking
C3PAO CUI Introduction to Marking
CMMC-AB CUI Introduction to Marking
The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.
The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?
FCI Asset
CUI Asset
In-scope Asset
Specialized Asset
Understanding Asset Categorization in CMMC 2.0
InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Why " D. Specialized Asset " is Correct?
TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.
Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.
Why Other Answers Are Incorrect?
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.
Conclusion
The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.
The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company ' s FCI network, should it be assessed as part of the CMMC Level 1 Self-Assessment Scope?
No, because it is OT
No, because it is an loT device
Yes. because it is a restricted IS
Yes, because it is government property
Step 1: Understanding CMMC Level 1 Self-Assessment Scope
CMMC Level 1applies toFederal Contract Information (FCI)systems.
Any system or device that is connected to an FCI-handling network is within the assessment scopebecause it canintroduce vulnerabilitiesinto the environment.
Step 2: Why the Thermostat is in Scope
TheWi-Fi-enabled thermostat is connected to the FCI network, meaning it haspotential accessto sensitive contract-related data.
PerCMMC Scoping Guidance, this type of device is classified as aRestricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but areconnected to networks that do.
Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.
TESTED 14 Jul 2026
