While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?
Procedures for implementing access control lists
List of unauthorized users that identifies their identities and roles
User names associated with system accounts assigned to those individuals
Physical access policy that states. "All non-employees must wear a special visitor pass or be escorted."
Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.
To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:
A unique identifier (username) for each system user
Mapping of system accounts to specific individuals
Identification of devices and automated processes that access systems
This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.
Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.
It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.
A. Procedures for implementing access control lists (Incorrect)
While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.
B. List of unauthorized users that identifies their identities and roles (Incorrect)
Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.
D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)
This pertains tophysical security, not system-baseduser identification and authentication.
The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.
Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:
GUI Assets.
CUI and Security Protection Asset categories.
all asset categories except for the Out-of-scope Assets.
Contractor Risk Managed Assets and Specialized Assets.
UnderCMMC Level 2, contractors are required toidentify, document, and categorize assetsinvolved in handlingControlled Unclassified Information (CUI). This is part of thescoping process, which ensures that all security-relevant assets are properly protected and accounted for in the System Security Plan (SSP), asset inventory, and network diagram.
CMMC Scoping Requirements for Level 2 Assessments:
TheCMMC Scoping Guide(CMMC v2.0) identifies four asset categories:
CUI Assets:Systems that store, process, or transmit CUI.
Security Protection Assets (SPA):Systems providing security functions for CUI Assets (e.g., firewalls, SIEMs).
Contractor Risk Managed Assets (CRMA):Assets that interact with CUI but arenot directly controlledby the organization (e.g., personal devices).
Specialized Assets:These include IoT devices, OT systems, and Government Furnished Equipment (GFE) thatmay require specific security controls.
Where Documentation is Required:
The contractor mustdocument all assets (except out-of-scope assets)in:
The System Security Plan (SSP):A key document detailing security controls and asset categorization.
An asset inventory:Lists all in-scope assets (CUI Assets, SPAs, CRMA, and Specialized Assets).
The network diagram:Provides a visual representation of system connectivity and security boundaries.
Why Out-of-Scope Assets Are Excluded:
TheCMMC Scoping Guidespecifically states that Out-of-Scope Assets arenot required to be documentedin these compliance artifacts because they haveno direct or indirect interaction with CUI.
These assets do not require CMMC controls because they are completely isolated from CUI handling environments.
Why the Other Answer Choices Are Incorrect:
(A) GUI Assets:There is no specific "GUI Asset" category in CMMC scoping.
(B) CUI and Security Protection Asset categories:While these are included, this answerexcludesContractor Risk Managed and Specialized Assets, which are also required.
(D) Contractor Risk Managed Assets and Specialized Assets:These assetsare included in scopingbut this answer excludes CUI Assets and Security Protection Assets, making it incomplete.
Step-by-Step Breakdown:Final Validation from CMMC Documentation:According to theCMMC Assessment Scope Level 2 Guide, allin-scope assetsmust be documented in the SSP, inventory, and network diagram.The only assets excluded are Out-of-Scope Assets.
Thus, the correct answer is:
C. All asset categories except for the Out-of-Scope Assets.
During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:
funds that practice.
audits that practice.
supports, audits, and performs that practice.
implements, performs, or supports that practice.
Who Should Be Interviewed During a CMMC Assessment?During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:
✅Implementsthe practice (directly responsible for executing it).
✅Performsthe practice (carries out day-to-day security operations).
✅Supportsthe practice (provides necessary resources or oversight).
Theassessor needs direct insightsfrom individuals actively involved in the practice.
Funding (Option A)does not providetechnical or operationalinsight into practice execution.
Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.
Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.
Why "Implements, Performs, or Supports That Practice" is Correct?Breakdown of Answer ChoicesOption
Description
Correct?
A. Funds that practice.
❌Incorrect–Funding is important but doesnot mean direct involvement.
B. Audits that practice.
❌Incorrect–Auditors check compliance but donot implementpractices.
C. Supports, audits, and performs that practice.
❌Incorrect–Auditing isnot a requirementfor interviewees.
D. Implements, performs, or supports that practice.
✅Correct – The interviewee must have direct involvement in execution.
CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.
Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
have a security clearance.
be a senior person in the company.
demonstrate expertise on the CMMC requirements.
provide clarity and understanding of their practice activities.
Interview Selection in CMMC AssessmentsDuring aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:
✅Verify that personnel understand andperform security-related practices.
✅Ensure that individuals canexplain how they implement CMMC requirements.
✅Gain insight intoactual cybersecurity operationsrather than just documented policies.
The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.
CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.
Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.
CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.
Why "Providing Clarity and Understanding" Is KeyThus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.
A. Have a security clearance.❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.
B. Be a senior person in the company.❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.
C. Demonstrate expertise on the CMMC requirements.❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.
Why the Other Answers Are Incorrect
CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.
NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.
CMMC Official ReferencesThus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
OSC and Sponsor
OSC and CMMC-AB
Lead Assessor and C3PAO
C3PAO and Assessment Official
Understanding the CMMC Level 2 Assessment ProcessWhen anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.
According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:
Lead Assessor– The individual responsible for overseeing the execution of the assessment.
C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.
TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.
TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.
A. OSC and Sponsor (Incorrect)
TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.
Asponsoris not part of the sign-off process in CMMC assessments.
B. OSC and CMMC-AB (Incorrect)
TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.
TheCMMC-ABdoes not sign off on individualAssessment Plans.
D. C3PAO and Assessment Official (Incorrect)
"Assessment Official" isnot a defined rolein the CMMC assessment process.
TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.
The correct answer isC. Lead Assessor and C3PAO.
TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?
"The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."
"The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."
"The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."
"The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."
In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.
Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?
Phase 1: Plan and Prepare Assessment
Phase 2: Conduct Assessment
Phase 3: Report Recommended Assessment Results
Phase 4: Remediation of Outstanding Assessment Issues
Understanding the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.
Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.
Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.
Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.
Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.
Why "Phase 2: Conduct Assessment" is Correct?DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:
✅Identifying required evidencefor compliance verification.
✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).
✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.
✅Interviewing key personneland observing cybersecurity implementations.
Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.
Breakdown of Answer ChoicesOption
Description
Correct?
A. Phase 1: Plan and Prepare Assessment
❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.
B. Phase 2: Conduct Assessment
✅Correct – This phase involves gathering, verifying, and reviewing evidence.
C. Phase 3: Report Recommended Assessment Results
❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.
D. Phase 4: Remediation of Outstanding Assessment Issues
❌Incorrect–This phase focuses oncorrective actions, not evidence collection.
CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.
Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
Test
Assess
Examine
Interview
Understanding the "Examine" Assessment Method in CMMC 2.0CMMC 2.0 usesthree assessment methodsto evaluate security compliance:
Examine– Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).
Interview– Speaking with personnel to verify knowledge and responsibilities.
Test– Performing technical validation to check system configurations.
TheCMMC Assessment Process (CAP)definesExamineas the method used toreview or analyze assessment objects, such as policies, procedures, configurations, and logs.
Relevant CMMC 2.0 Reference:
A. Test → Incorrect
"Test" involvesexecutinga function to validate its security (e.g., verifying access controls through a live system test).
B. Assess → Incorrect
"Assess" is a broad term; CMMC explicitly defines "Examine" as the method for reviewing documentation.
C. Examine → Correct
"Examine" is the official term forreviewing policies, procedures, configurations, or logs.
D. Interview → Incorrect
"Interview" involvesverbal discussions with personnel, not document analysis.
Why is the Correct Answer "Examine" (C)?
CMMC Assessment Process (CAP) Document
Defines "Examine" asanalyzing assessment objects (e.g., policies, procedures, logs, documentation).
NIST SP 800-171A
Specifies "Examine" as a method toreview security controls and configurations.
CMMC 2.0 References Supporting this Answer:
What is the primary intent of the verify evidence and record gaps activity?
Map test and demonstration responses to CMMC practices.
Conduct interviews to test process implementation knowledge.
Determine the one-to-one relationship between a practice and an assessment object.
Identify and describe differences between what the Assessment Team required and the evidence collected.
Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC AssessmentDuring aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.
Step-by-Step Breakdown:✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence
TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.
If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.
This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.
✅2. How This Process Works in a CMMC Assessment
Assessorsreview collected documentation, system configurations, policies, and interview responses.
They verify that the evidencematches the expected implementationof a practice.
If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.
✅3. Why the Other Answer Choices Are Incorrect:
(A) Map test and demonstration responses to CMMC practices.❌
Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.
(B) Conduct interviews to test process implementation knowledge.❌
Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.
(C) Determine the one-to-one relationship between a practice and an assessment object.❌
Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.
Final Validation from CMMC Documentation:TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.
Thus, the correct answer is:
D. Identify and describe differences between what the Assessment Team required and the evidence collected.
Which statement BEST describes a LTP?
Creates DoD-licensed training
Instructs a curriculum approved by CMMC-AB
May market itself as a CMMC-AB Licensed Provider for testing
Delivers training using some CMMC body of knowledge objectives
Understanding Licensed Training Providers (LTPs) in CMMCALicensed Training Provider (LTP)is an entity that is authorized by theCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)todeliver CMMC trainingbased on anapproved curriculum.
Provides CMMC-AB-approved training programsfor individuals seeking CMMC certifications.
Uses an official CMMC curriculumthat aligns with theCMMC Body of Knowledge (BoK)and other CMMC-AB guidance.
Prepares students for CMMC roles, such asCertified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).
Key Responsibilities of an LTP:
A. Creates DoD-licensed training → Incorrect
TheCMMC-AB, not the DoD, manages LTP licensing. LTPsdo not create new training contentbut mustfollow an approved curriculum.
B. Instructs a curriculum approved by CMMC-AB → Correct
LTPsteacha curriculum that has beenapproved by the CMMC-AB, ensuring consistency in CMMC training.
C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect
LTPs provide training, not testing. Testing is handled byLicensed Partner Publishers (LPPs)and exam bodies.
D. Delivers training using some CMMC body of knowledge objectives → Incorrect
LTPs mustfully adhereto theCMMC-AB-approved curriculum, not just "some" objectives.
Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?
CMMC-AB Licensed Training Provider (LTP) Program Guidelines
Defines LTPs as entities thatdeliver CMMC-AB-approved training programs.
CMMC Body of Knowledge (BoK)
Specifies that training must follow theCMMC-AB-approved curriculumto ensure standardization.
CMMC-AB Training & Certification Framework
Requires LTPs todeliver structured training that meets CMMC-AB guidelines.
CMMC 2.0 References Supporting This Answer:
Final Answer:✔B. Instructs a curriculum approved by CMMC-AB
Ethics is a shared responsibility between:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Understanding Ethical Responsibility in the CMMC EcosystemEthics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.
CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.
Key Ethical Responsibilities Include:
A. DoD and CMMC-AB → Incorrect
TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.
B. OSC and Sponsors → Incorrect
TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.
Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities forassessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations forassessors and consultantsduring certification assessments.
CMMC 2.0 References Supporting this Answer:
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
Host Unit
Branch Office
Coordinating Unit
Supporting Organization/Units
Understanding High-Level Scoping in a CMMC AssessmentDuringHigh-Level Scoping, aCertified Third-Party Assessment Organization (C3PAO)determines thepeople, processes, and technologythat are within scope for theCMMC Level 1 or Level 2 assessment.
Supporting Organization/Unitsrefer to thespecific groups, departments, or teamsthat handleControlled Unclassified Information (CUI)orFederal Contract Information (FCI)and are responsible for applyingCMMC security practices.
These units aredirectly involved in the contract's executionand are included in the CMMC assessment scope.
Key Term: Supporting Organization/Units
A. Host Unit → Incorrect
This term is not used inCMMC assessment scoping.
B. Branch Office → Incorrect
Abranch officemay or may not be in scope; scoping is based onwhether the unit handles CUI or FCI, not its physical location.
C. Coordinating Unit → Incorrect
No official CMMC term refers to a "Coordinating Unit."
D. Supporting Organization/Units → Correct
This termcorrectly describes the entities that apply security controls for the contract and are within the CMMC assessment scope.
Why is the Correct Answer "D. Supporting Organization/Units"?
CMMC Scoping Guidance for Level 1 & Level 2 Assessments
DefinesSupporting Organization/Unitsasin-scope entities responsible for implementing cybersecurity controls.
CMMC Assessment Process (CAP) Document
Specifies that theC3PAO must identify and document the units responsible for security compliance.
DoD CMMC 2.0 Guidance on Scoping
Requires theassessment team to define the people, processes, and technology that fall within the scopeof the assessment.
CMMC 2.0 References Supporting This Answer:
SC.L2-3 13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?
Any existing telephone system is in scope even if it is not using VoIP technology.
An error has been made and the Lead Assessor should be contacted to correct the error.
VoIP technology is within scope, and it uses FlPS-validated encryption, so it does not need to be assessed.
VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.
TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.
If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.
When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.
No assessment procedures are neededsince there is no VoIP system to evaluate.
Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.
Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.
Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.
CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14
NIST SP 800-171, Security Requirement 3.13.14
CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices
Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP TechnologiesWhy Option D is CorrectOfficial CMMC Documentation ReferencesFinal VerificationIfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.
Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of (he OSC's updated POA&M with any accompanying evidence or scheduled collections?
90 days
180 days
270 days
360 days
In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collectionswithin180 days.
TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.
During this time, the OSC can update itsPOA&M with additional evidenceto demonstrate compliance.
Relevant CMMC 2.0 Reference:
A. 90 days → Incorrect
The CMMC CAP does not impose a90-day limiton POA&M updates; instead,180 daysis the standard timeframe.
B. 180 days → Correct
PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.
C. 270 days → Incorrect
No official CMMC documentation mentions a270-dayreview period.
D. 360 days → Incorrect
The process must be completedfar sooner than 360 daysto maintain compliance.
Why is the Correct Answer 180 Days (B)?
CMMC Assessment Process (CAP) Document
Defines the180-day windowfor the OSC to update itsPOA&M and submit evidencefor review.
CMMC 2.0 Official Guidelines
Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.
CMMC 2.0 References Supporting this Answer:
How does the CMMC define a practice?
A business transaction
A condition arrived at by experience or exercise
A series of changes taking place in a defined manner
An activity or activities performed to meet defined CMMC objectives
Understanding the Definition of a "Practice" in CMMC 2.0In CMMC 2.0, the term"practice"refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.
Definition from CMMC Documentation:
According to theCMMC Model Overview, apracticeis defined as:
Step-by-Step Breakdown:"An activity or activities performed to meet defined CMMC objectives."
This means that practices are theactions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
How Practices Fit into CMMC 2.0:
CMMC 2.0 Level 1 consists of17 practices, which align withFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
CMMC 2.0 Level 2 consists of110 practices, aligned directly withNIST SP 800-171 Rev. 2.
Each practice has anobjectivethat must be met to demonstrate compliance.
Official CMMC 2.0 References:
TheCMMC 2.0 Model Documentationdefines practices as "the fundamental cybersecurity activities necessary to achieve security objectives."
TheCMMC Assessment Process (CAP) Guideoutlines how assessors verify the implementation of these practices during an assessment.
TheNIST SP 800-171A Guideprovidesassessment objectivesfor each practice to ensure they are implemented effectively.
Comparison with Other Answer Choices:
A. A business transaction→ Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.
B. A condition arrived at by experience or exercise→ Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.
C. A series of changes taking place in a defined manner→ Incorrect. A practice is a set of security actions, not just a process of change.
Conclusion:ACMMC practicerefers to specificcybersecurity activities performed to meet defined CMMC objectives. This makesOption Dthe correct answer.
In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?
In scope, because it is an asset that stores FCI
In scope, because it is part of the same physical location
Out of scope, because they are all only paper documents
Out of scope, because it does not process or transmit FCI
Does a File Cabinet Containing Paper FCI Fall Within CMMC Scope?CMMConly applies to digital systems and assetsthatprocess, store, or transmitFederal Contract Information (FCI)andControlled Unclassified Information (CUI).Physical storage (such as paper documents) is not included in CMMC scoping.
Step-by-Step Breakdown:✅1. CMMC Scope Covers Only Digital Systems and Assets
According to theCMMC Scoping Guide (Level 1),only digital assetsthat handleFCIarein scopefor aLevel 1 Self-Assessment.
Afile cabinetisnot a digital system; therefore, it isnot in scopefor CMMC compliance.
✅2. Why the Other Answer Choices Are Incorrect:
(A) In scope, because it is an asset that stores FCI❌
Incorrect:While the file cabinetdoes store FCI,CMMC only applies to digital systems.
(B) In scope, because it is part of the same physical location❌
Incorrect:CMMCdoes notconsiderphysical proximitywhen determining scope—only digital data handling matters.
(D) Out of scope, because it does not process or transmit FCI❌
Partially correct, but incomplete: Themain reasonit is out of scope is that itcontains only paper documents, not that it doesn’t process/transmit data.
TheCMMC Level 1 Scoping Guideexplicitly states thatpaper-based storage of FCI does not fall within scope.
Final Validation from CMMC Documentation:Thus, the correct answer is:
✅C. Out of scope, because they are all only paper documents.
An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly. Is this sufficient to pass the practice?
No, the work is not being done as stated.
Yes, the practice is being done as documented.
No, all three assessment methods must be met to pass.
Yes. the interview process is enough to pass a practice.
Understanding CMMC Assessment Requirements
CMMC assessments usethree assessment methodsto verify compliance with security practices:
Examine– Reviewing documentation, policies, logs, or records.
Interview– Speaking with personnel to confirm understanding and execution.
Test– Verifying through technical or operational means that the practice is being performed.
Assessment Findings in the Given Scenario
Practice is documented as occurring monthly, but logs show quarterly execution.
Interviews indicate monthly execution, but documentation does not support this claim.
Why the Organization Fails the Practice
Answer A (Incorrect): The work is being performed, but documentation is lacking, so the failure is not purely due to missing execution.
Answer B (Incorrect): The documented frequency does not match the evidence in logs, so the practice is not being done asfully documented.
Answer C (Correct):CMMC requires all three assessment methods (Examine, Interview, Test) to align. Since logs contradict the stated frequency, the practicefailscompliance.
Answer D (Incorrect): Interview responses alone are not enough. The CMMCCAP GuideandNIST SP 800-171Arequire corroboration with logs (Examine) and technical verification (Test).
Conclusion
The correct answer isC: To pass a practice, the organization mustprovide evidence across all three assessment methods.
In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?
In scope
Out of scope
OSC point of contact
Assessment Team Member
Federal Contract Information (FCI)is any informationnot intended for public releasethat is provided or generated under aU.S. Government contracttodevelop or deliver a product or service.
Enhanced Security Personnel (ESP)refers to employees, contractors, or third parties whohave access to FCIwithin anOrganization Seeking Certification (OSC).
UnderCMMC 2.0 Scoping Guidance, anypersonnel, system, or asset with access to FCI is considered in scopefor a CMMC Level 1 assessment.
Since theESP employee has access to FCI, theymustbe included in the assessment scope.
Option B (Out of scope)is incorrect because anyone with access to FCI is automatically considered part of theCMMC Level 1 boundary.
Option C (OSC point of contact)is incorrect because thepoint of contactis typically an administrative or compliance representative, not necessarily someone with FCI access.
Option D (Assessment Team Member)is incorrect because anESP employee is not part of the assessment team but rather a subject of the assessment.
CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI
CMMC Assessment Process (CAP) Guide – Roles and Responsibilities
Federal Acquisition Regulation (FAR) 52.204-21(Basic Safeguarding of FCI)
Understanding Scoping in CMMC Level 1 Self-AssessmentsWhy Option A (In scope) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince theESP employee has access to FCI, they are consideredin scopefor the CMMC Level 1 self-assessment, makingOption A the correct answer.
An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?
NARA
CMMC-AB
DoD Contractors FAQ page
DoD 239.7601 Definitions page
What Does "CUI//SP-PRVCY//FED Only" Mean?
The email containsControlled Unclassified Information (CUI)withspecific categories and dissemination controls.
CUI//SP-PRVCY//FED Onlybreaks down as follows:
CUI→ Controlled Unclassified Information designation.
SP-PRVCY→Specifiedcategory forPrivacy Information(SP stands for "Specified").
FED Only→ Restriction forFederal Government use only(not for contractors or the public).
Who Maintains the Official CUI Registry?
TheNational Archives and Records Administration (NARA) oversees the CUI Programand maintains the officialCUI Registry(https://www.archives.gov/cui).
The CUI Registry providesdefinitions, marking guidance, and categoriesfor all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."
Why NARA is the Correct Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI shouldrefer to the NARA CUI Registryfor official marking interpretations.
DoD contractors and other organizationsmust comply with NARA guidelines when handling, marking, and disseminating CUI.
B. CMMC-AB– TheCMMC Accreditation Bodymanages certification assessments butdoes not define or interpret CUI markings.
C. DoD Contractors FAQ Page– The DoD may provide general contractor guidance, butCUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page– This refers to generalDoD acquisition definitions, butCUI categories and markings fall under NARA’s authority.
The Audit and Accountability (AU) domain has practices in:
Level 1.
Level 2.
Levels 1 and 2.
Levels 1 and 3.
TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.
A. Level 1→Incorrect
CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.
B. Level 2→Correct
TheAU domain is required at Level 2, which aligns withNIST SP 800-171.
CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.
C. Levels 1 and 2→Incorrect
Level 1 does not requireaudit and accountability practices.
D. Levels 1 and 3→Incorrect
CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.
NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)
TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.
CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)
AU practices (Audit and Accountability) are only required at Level 2.
Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:
✅B. Level 2.
At which CMMC Level do the Security Assessment (CA) practices begin?
Level 1
Level 2
Level 3
Level 4
Step 1: Understand the “CA” Domain – Security AssessmentTheCA (Security Assessment)domain includes practices related to:
Planning security assessments,
Performing periodic reviews,
Managing plans of action and milestones (POA&Ms).
These practices derive fromNIST SP 800-171, specifically:
CA.2.157– Develop, document, and periodically update security plans,
CA.2.158– Periodically assess security controls,
CA.2.159– Develop and implement POA&Ms.
Level 1 (Foundational):
Implements only the17 practicesfromFAR 52.204-21
Doesnot include the CA domain
Level 2 (Advanced):
Implements110 practicesfromNIST SP 800-171, including CA.2.157–159
First levelwhereSecurity Assessment (CA)practices are required
Level 3:
Not yet finalized but intended to include selected controls fromNIST SP 800-172
✅Step 2: Review CMMC Levels
A. Level 1✘ No CA domain practices are present at Level 1.
C. Level 3 / D. Level 4✘ These levels build on CA practices but do not represent thestarting point.
❌Why the Other Options Are Incorrect
TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.
CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:
received and transferred.
stored, processed, and transmitted.
entered, edited, manipulated, printed, and viewed.
located on electronic media, on system component memory, and on paper.
TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).
Step-by-Step Breakdown:✅1. CUI Assets Defined in CMMC
Stored:CUI is saved on hard drives, cloud storage, or databases.
Processed:CUI is actively used, modified, or analyzed by applications and users.
Transmitted:CUI is sent between systems via email, file transfers, or network communication.
✅2. Why the Other Answer Choices Are Incorrect:
(A) Received and transferred❌
Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.
(C) Entered, edited, manipulated, printed, and viewed❌
These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.
(D) Located on electronic media, on system component memory, and on paper❌
While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.
TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.
NIST SP 800-171also defines these three functions as key components of CUI protection.
Final Validation from CMMC Documentation:
On a Level 2 Assessment Team, what are the roles of the CCP and the CCA?
The CCP leads the Level 2 Assessment Team, which consists of one or more CCAs.
The CCA leads the Level 2 Assessment Team, which can include 3 CCP with US Citizenship.
The CCA leads the Level 2 Assessment Team, which can include a CCP regardless of citizenship.
The CCP leads the Level 2 Assessment Team, which can include a CCA. regardless of citizenship.
CCP (Certified CMMC Professional):
Entry-level certification in the CMMC ecosystem.
Supports assessment activities under the supervision of a CCA.
May assist in consulting roles outside of formal assessments.
CCA (Certified CMMC Assessor):
Certified tolead assessmentsunder the CMMC model.
Requiredfor conductingLevel 2 formal assessments.
Can be part of a C3PAO assessment team or lead it.
Step 1: Define Roles – CCP and CCASource: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition
“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”
✅Step 2: Citizenship RequirementsCAP v1.0 – Appendix B: Team Composition and Clearance Requirements
“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”
But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.
So:
TheCCA leadsthe team.
CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.
A. The CCP leads the Level 2 Assessment Team…✘ Incorrect. CCPscannot leadLevel 2 assessments.
B. The CCA leads… includes 3 CCP with US Citizenship.✘ Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.
D. The CCP leads…✘ Again, CCPs donot have the authority to leadformal CMMC assessments.
❌Why the Other Options Are Incorrect
Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.
While developing an assessment plan for an OSC. it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.
TheCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP)outlines strict guidelines regardingconflicts of interest (COI)to ensure the integrity and impartiality of assessments conducted byCertified Third-Party Assessment Organizations (C3PAOs)andCertified Assessors (CAs).
The scenario presented involves apotential conflict of interestdue to a prior relationship (former college roommate) between thecertified assessorand an individual at theOrganization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must bedisclosed, documented, and mitigated appropriately.
Inform the OSC and C3PAO of the Potential Conflict of Interest
TheCMMC Code of Professional Conduct (CoPC)requires assessors to disclose any potential conflicts of interest.
Transparency ensures that all parties, including theOSC and C3PAO, are aware of the situation.
Document the Conflict and Mitigation Actions in the Assessment Plan
PerCMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.
The conflict and proposed mitigation strategies must beformally recorded in the assessment planto provide an audit trail.
Determine If the Mitigation Actions Are Acceptable
If theOSC and C3PAOdetermine that the mitigation actions adequatelyeliminate or reduce the risk of bias, the assessment may proceed.
Common mitigation strategies include:
Assigning another assessor forinterviews with the conflicted individual.
Ensuring thatdecisions regarding the OSC’s compliance are reviewed independently.
Proceed with the Assessment If Mitigation Is Acceptable
If the mitigation actions sufficiently address the conflict, the assessment may continue understrict adherence to documented procedures.
CMMC Conflict of Interest Handling Process
A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.❌Incorrect. This violates CMMC’s integrity requirements and could result indisciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.
B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.❌Incorrect. The CAP doesnotmandate immediate reassignment unless the conflict isunresolvable. Instead, mitigation strategies should be considered first.
C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.❌Incorrect.The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.
Why the Other Answers Are Incorrect
CMMC Assessment Process (CAP) Document– Defines COI requirements and mitigation actions.
CMMC Code of Professional Conduct (CoPC)– Outlines ethical responsibilities of assessors.
CMMC Accreditation Body (Cyber-AB) Guidance– Provides rules on conflict resolution.
CMMC Official ReferencesThus,option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.
What is the MOST common purpose of assessment procedures?
Obtain evidence.
Define level of effort.
Determine information flow.
Determine value of hardware and software.
Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.
CMMC Assessments Require Evidence Collection
TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:
Examine– Reviewing documentation, policies, and system configurations.
Interview– Speaking with personnel to confirm understanding and execution.
Test– Validating controls through operational or technical tests.
All these methods involve obtaining evidenceto support whether a security requirement has been met.
Alignment with NIST SP 800-171A
CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.
Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.
B. Define level of effort (Incorrect)
Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.
C. Determine information flow (Incorrect)
While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.
D. Determine value of hardware and software (Incorrect)
Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.
The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
Access control
Physical access control
Mandatory access control
Discretionary access control
Understanding Access Control in CMMCAccess control refers to the process ofgranting or denyingspecific requests to:
Obtain and use information
Access information processing services
Enter specific physical locations
TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:
✅Implement policies for granting and revoking access.
✅Restrict access to authorized personnel only.
✅Protect physical and digital assets from unauthorized access.
Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.
B. Physical access control❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.
C. Mandatory access control (MAC)❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.
D. Discretionary access control (DAC)❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.
Why the Other Answers Are Incorrect
CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.
NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.
CMMC Official ReferencesThus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.
Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?
Availability
Confidentiality
Information Integrity
Respect for Intellectual Property
The requirement to exercise due care in protecting information gathered during an assessment aligns with the principle ofConfidentialityunder theCMMC Code of Professional Conduct (CoPC). This ensures that sensitive assessment data, findings, and any Controlled Unclassified Information (CUI) remain protected even after the engagement concludes.
Definition of Confidentiality in CMMC Context:
Confidentiality refers to protecting sensitive information from unauthorized disclosure.
In the context of a CMMC assessment, it includes safeguarding assessment artifacts, findings, and other sensitive data collected during the evaluation process.
CMMC Code of Professional Conduct (CoPC) References:
TheCMMC Code of Professional Conductstates that assessors and organizations must handle all collected information with discretion andensure its protection post-engagement.
Clause on"Maintaining Confidentiality"specifies that assessors must:
Not disclose sensitive information to unauthorized parties.
Secure data in storage and transmission.
Retain and dispose of data securely in accordance with federal regulations.
Alignment with NIST 800-171 & CMMC Practices:
CMMC Level 2 incorporates NIST SP 800-171 controls, which include:
Requirement 3.1.3:“Control CUI at rest and in transit” to ensure unauthorized individuals do not gain access.
Requirement 3.1.4:“Separate the duties of individuals to reduce risk” ensures that assessment findings are only shared with authorized personnel.
These requirements align with the duty toexercise due carein protecting assessment-related information.
Why the Other Options Are Incorrect:
(A) Availability:This refers to ensuring data is accessible when needed but does not directly relate to protecting gathered information post-assessment.
(C) Information Integrity:This focuses on preventing unauthorized modifications rather than restricting disclosure.
(D) Respect for Intellectual Property:While related to ethical handling of proprietary data, it does not directly cover post-engagement confidentiality requirements.
TheCMMC Code of Professional ConductandNIST SP 800-171control requirements confirm thatConfidentialityis the correct answer, as it directly pertains to protecting information post-assessment.
Step-by-Step Breakdown:Final Validation from CMMC Documentation:Thus, the correct answer isB. Confidentiality.
When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:
is normative for an OSC to follow.
contains examples that an OSC must implement.
is mandatory and aligns with FAR Clause 52.204-21.
provides additional information to facilitate the assessment of the practice.
Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC AssessmentsWhen assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.
Eachpracticein the CMMC model includes:
The Practice Statement– The official requirement the OSC must meet.
Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.
Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.
These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.
TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.
Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.
Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.
Why "Provides Additional Information to Facilitate the Assessment" is Correct?Breakdown of Answer ChoicesOption
Description
Correct?
A. Is normative for an OSC to follow.
❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.
B. Contains examples that an OSC must implement.
❌Incorrect–Examples aresuggestions, notmandatory implementations.
C. Is mandatory and aligns with FAR Clause 52.204-21.
❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.
D. Provides additional information to facilitate the assessment of the practice.
✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.
TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.
These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.
Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
CDI
CTI
CUI
FCI
Understanding Federal Contract Information (FCI)Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:
Is NOT intended for public release.
Is provided by or generated for the government under a contract.
Is necessary to develop or deliver a product or service to the government.
Excludes publicly available government information(such as information on public websites).
Excludes simple transactional information(e.g., necessary to process payments).
In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.
A. CDI (Controlled Defense Information)→ Incorrect
This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.
B. CTI (Cyber Threat Intelligence)→ Incorrect
This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.
C. CUI (Controlled Unclassified Information)→ Incorrect
CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.
D. FCI (Federal Contract Information)→Correct
The definition of FCI explicitly matches the description given in the question.
Why is the Correct Answer FCI (D)?
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
Defines FCI and the required safeguards.
Establishes17 cybersecurity practicesfor FCI protection.
CMMC 2.0 Framework
Level 1 (Foundational)is required for contractors handlingFCI.
Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.
NIST SP 800-171 and DFARS 252.204-7012
FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.
CMMC 2.0 References Supporting this Answer:
What service is the MOST comprehensive that the RPO provides?
Training services
Education services
Consulting services
Assessment services
Understanding the Role of a Registered Provider Organization (RPO)ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.
Key Functions of an RPO✅Consulting servicesto help companies prepare for CMMC assessments.
✅Guidance on security controlsrequired for compliance.
✅Assistance with documentation, policy development, and gap analysis.
✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).
Consulting servicesare thebroadest and most comprehensivefunction of an RPO.
RPOs do not conduct assessments(eliminating option D).
Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).
Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.
Why "Consulting Services" is the Correct Answer?Breakdown of Answer ChoicesOption
Description
Correct?
A. Training services
❌Incorrect–RPOs may provide training, but this isnot their primary function.
B. Education services
❌Incorrect–Similar to training, butnot the most comprehensive service.
C. Consulting services
✅Correct – The core function of an RPO is consulting, which includes various readiness services.
D. Assessment services
❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.
TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.
Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.
During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?
FCI
Change of leadership in the organization
Launching of their new business service line
Public releases identifying major deals signed with commercial entities
Understanding Federal Contract Information (FCI) and Publicly Accessible InformationFederal Contract Information (FCI)isnon-public informationprovided by or generated for the U.S. governmentunder a contractthat isnot intended for public release.
Key Characteristics of FCI:✔FCI includesdetails related togovernment contracts, project specifics, and performance data.
✔It must be protected under FAR 52.204-21, which requiresbasic safeguarding measuresto prevent unauthorized access.
✔Posting FCI on a public site is a security violationsince it ismeant to be restrictedfrom public disclosure.
A. FCI → Correct
FCI must be protected from unauthorized access, and if it wasincorrectly published online, it should have been restricted.
B. Change of leadership in the organization → Incorrect
Leadership changes are typically public informationand do not require restriction unless they involve sensitive government-related security clearances.
C. Launching of their new business service line → Incorrect
Marketing and business announcementsare generallypublicly availableandnot restricted information.
D. Public releases identifying major deals signed with commercial entities → Incorrect
Commercial contracts and business deals are not considered FCIunless they involvegovernment contracts.
Why is the Correct Answer "A. FCI (Federal Contract Information)"?
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
DefinesFCI as sensitive but unclassified informationthat must beprotected from public disclosure.
CMMC 2.0 Level 1 Requirements
Requires contractors toprotect FCI under basic cybersecurity standardsto prevent unauthorized exposure.
DoD Guidance on FCI Protection
States thatpublishing FCI on public websites violates federal cybersecurity requirements.
CMMC 2.0 References Supporting This Answer:
A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?
FCI Assets
Specialized Assets
Out-of-Scope Assets
Government-Issued Assets
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.
FCI Assets– These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets– These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets– Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets– Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets– These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.
The question specifies that the identified assetdoes not process, store, or transmit FCI.
According to CMMC 2.0 guidelines,only assets that handle FCI or CUI are subject to security controls.
Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the"Out-of-Scope Assets"category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.
CMMC Scoping Guide (Nov 2021)– Definesout-of-scope assetsas those that are within an OSC’s environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide– Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide– Identifies the classification of assets in an OSC’s environment to determine compliance requirements.
Asset Categories as per CMMC 2.0:Why the Correct Answer is C. Out-of-Scope Assets?Relevant CMMC 2.0 References:Final Justification:Since the assetdoes not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 isOut-of-Scope Assets (C).
Who is responsible for identifying and verifying Assessment Team Member qualifications?
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Understanding the Role of the Lead Assessor in CMMC AssessmentsTheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.
Lead Assessor’s Key Responsibilities (Per CAP Guide)
Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.
Assignappropriate assessment tasksbased on team members’ expertise.
Ensure that theassessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect
AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.
B. CMMC-AB (CMMC Accreditation Body)→Incorrect
TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.
D. CMMC Marketplace→Incorrect
TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.
CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.
CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Why the Correct Answer is "C. Lead Assessor"?Relevant CMMC 2.0 References:Final Justification:Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.
During an assessment, which phase of the process identifies conflicts of interest?
Analyze requirements.
Develop assessment plan.
Verify readiness to conduct assessment.
Generate final recommended assessment results.
In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.
Assessment Planning & Conflict of Interest Consideration
Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.
A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.
CMMC Assessment Process and PhasesThe CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:
Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.
Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.
Verify Readiness to Conduct Assessment (Correct Answer):
At this stage, theC3PAO or assessment team must review potential conflicts of interest.
TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.
Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.
Official CMMC Documentation & References
CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.
CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.
DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.
Step-by-Step Explanation:By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?
FCI Asset
CUI Asset
In-scope Asset
Specialized Asset
Understanding Asset Categorization in CMMC 2.0InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).
TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.
Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.
The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.
In the CMMC Model, how many practices are included in Level 1?
15 practices
17 practices
72 practices
110 practices
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.
Breakdown of CMMC Level 1 PracticesThe17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:
Access Control (AC)– 4 practices
AC.L1-3.1.1: Limit system access to authorized users
AC.L1-3.1.2: Limit user access to authorized transactions and functions
AC.L1-3.1.20: Verify and control connections to external systems
AC.L1-3.1.22: Control information posted or processed on publicly accessible systems
Identification and Authentication (IA)– 2 practices
IA.L1-3.5.1: Identify and authenticate system users
IA.L1-3.5.2: Use multifactor authentication for local and network access
Media Protection (MP)– 1 practice
MP.L1-3.8.3: Sanitize media before disposal or reuse
Physical Protection (PE)– 4 practices
PE.L1-3.10.1: Limit physical access to systems containing FCI
PE.L1-3.10.3: Escort visitors and monitor visitor activity
PE.L1-3.10.4: Maintain audit logs of physical access
PE.L1-3.10.5: Control and manage physical access devices
System and Communications Protection (SC)– 2 practices
SC.L1-3.13.1: Monitor and control communications at system boundaries
SC.L1-3.13.5: Implement subnetworks for publicly accessible system components
System and Information Integrity (SI)– 4 practices
SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner
SI.L1-3.14.2: Provide protection from malicious code at designated locations
SI.L1-3.14.4: Update malicious code protection mechanisms periodically
SI.L1-3.14.5: Perform scans of system components and real-time file scans
Official Reference from CMMC 2.0 DocumentationThe 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.
????CMMC 2.0 Level 1 Summary:
Focus:Basic safeguarding of FCI
Total Practices:17
Derived From:FAR 52.204-21
Assessment Type:Self-assessment (annual)
Final Verification and ConclusionThe correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.
An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?
Take it with them to review in the evening.
Leave it on the desk for review the following day.
Put it in the unlocked desk drawer for review the following morning.
Take a picture with the personal phone before securely shredding it.
Understanding CUI Handling and Storage RequirementsControlled Unclassified Information (CUI) must beprotected from unauthorized access and properly storedperCMMC 2.0 Level 2 requirementsandNIST SP 800-171 controls. Key requirements include:
NIST SP 800-171 (Requirement 3.8.3)– CUI must bephysically protectedwhen not in use.
NIST SP 800-171 (Requirement 3.1.3)– CUI access should berestricted to authorized personnel only.
DoD CUI Program Guidance– Ifproper storage (e.g., locked cabinets or controlled access areas) is unavailable, CUI should be returned to an authorized individual or secure facility.
A. Take it with them to review in the evening → Incorrect
CUI should never be removed from a secure facility unless explicitly authorizedand handled in accordance with security policies (e.g., encrypted electronic transport, secure physical storage).
B. Leave it on the desk for review the following day → Incorrect
Leaving CUI unattendedon an open desk violatesCUI physical protection requirements.
C. Put it in the unlocked desk drawer for review the following morning → Incorrect
Anunlocked drawer does not meet CUI physical security storage requirements.
D. Take a picture with the personal phone before securely shredding it → Incorrect
Storing CUI on an unauthorized personal device is a serious security violationandunauthorized reproduction of CUI is prohibited.
Why None of the Provided Answers Are Fully Correct
What Should Be Done Instead?✔Return the document to the client for secure storage.
Since nosecure storage optionis available, thedocument must be returnedto the client, who should store it in anapproved secure location (e.g., a locked cabinet or classified storage area).
Theassessment team should not retain CUI unless they have an approved method of safeguarding it.
NIST SP 800-171 (Requirement 3.8.3 – Media Protection)
RequiresCUI to be physically securedwhen not in use.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Establishes CUIstorage and handling protections.
CMMC 2.0 Level 2 (Advanced) Requirements
Requires organizations toimplement physical security controlsto protect CUI.
DoD CUI Program Guidelines
Clearly state thatCUI must be stored in locked cabinets or controlled-access areaswhen not actively in use.
CMMC 2.0 References Supporting This Answer:
Final Answer:????None of the provided answers fully comply with CUI protection requirements.Thebest course of action is to return the document to the client for secure storage.
A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?
That the information is correct
That the CEO approved the message
That the company has to safeguard the release of FCI
That so long as the information is only FCI, it can be released
AC.L1-3.1.22states:"Control information posted or processed on publicly accessible systems."
This control requires organizations toensure that FCI (Federal Contract Information) is not publicly postedor made accessible in an uncontrolled manner.
FCI must beprotected from unauthorized disclosure, even if it is not classified or CUI.
When executing a remediation review, the Lead Assessor should:
help OSC to complete planned remediation activities.
plan two consecutive remediation reviews for an OSC.
submit a delta assessment remediation package for C3PAO's internal quality review.
validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.
Role of the Lead Assessor in Remediation Reviews:
Validation of Remediation Efforts:
Objective:Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.
Process:The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.
Delta Assessment Remediation Package Submission:
Definition:A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.
Responsibility:After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:
Detailed documentation of the deficiencies identified in the initial assessment.
Evidence of the corrective actions taken by the OSC.
Findings from the reassessment of the remediated practices.
Internal Quality Review:This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.
Rationale for Selecting Answer C:
Alignment with CMMC Assessment Process:The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.
Clarification of Incorrect Options:
Option A:"Help OSC to complete planned remediation activities."
Explanation:The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.
Option B:"Plan two consecutive remediation reviews for an OSC."
Explanation:The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.
Option D:"Validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment."
Explanation:While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.
An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.
Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.
Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.
Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.
Best Practices for Handling Sensitive Assessment InformationCMMC assessments involve handlingsensitive and potentially CUI-related documents. Assessors must follow strictsecurity policiesto avoid unauthorized access, data leaks, or non-compliance withCMMC 2.0 and NIST SP 800-171 requirements.
Why Logging into the Client VPN on the Client Laptop is the Best Approach:
Ensures Data Protection:The client laptop is likely configured to meet security controls required for handling assessment-related materials.
Prevents Data Spillage:Keeping all assessment-related activities within the client’s secured environment reduces the risk ofdata leakage or unauthorized storage.
Maintains Compliance with CMMC/NIST Guidelines:Using aproperly configured client laptop and secured connectionensures compliance withNIST SP 800-171 controls on secure remote access(Requirement3.13.12).
A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."
Incorrect→Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized systemviolates data handling best practices.
C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."
Incorrect→ Theassessor’s laptop may not be authorizedorsecuredto handle client data. CMMC guidelines emphasizeusing approved, secured systemsfor assessment-related information.
D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."
Incorrect→
Transferring sensitive documents via USBintroduces security risks, including unauthorized data storage and potential malware contamination.
Home office workstationsare unlikely to be authorized for handling CMMC-sensitive data.
Which NIST SP discusses protecting CUI in nonfederal systems and organizations?
NIST SP 800-37
NIST SP 800-53
NIST SP 800-88
NIST SP 800-171
Understanding the Role of NIST SP 800-171 in CMMCNIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.
This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.
Breakdown of Answer ChoicesNIST SP
Title
Relevance to CMMC
NIST SP 800-37
Risk Management Framework (RMF)
Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.
NIST SP 800-53
Security and Privacy Controls for Federal Systems
Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.
NIST SP 800-88
Guidelines for Media Sanitization
Covers secure data destruction and disposal, not overall CUI protection.
NIST SP 800-171
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
✅Correct Answer – Directly addresses CUI protection in contractor systems.
Key Requirements from NIST SP 800-171The document outlines110 security controlsgrouped into14 families, including:
Access Control (AC)– Restrict access to authorized users.
Audit and Accountability (AU)– Maintain system logs and monitor activity.
Incident Response (IR)– Establish an incident response plan.
System and Communications Protection (SC)– Encrypt CUI in transit and at rest.
These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.
CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.
DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.
Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.
A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:
manage FCI.
process FCI.
transmit FCI.
generate FCI
Federal Contract Information (FCI) is defined inFAR 52.204-21as information provided by or generated for the government under contract but not intended for public release. UnderCMMC 2.0, organizations handling FCI must implementFAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection inprocessing, storing, and transmittingFCI.
Analyzing the Given OptionsThe question involves an email system that is used tosendFCI to a subcontractor. Let’s break down the possible answers:
A. Manage FCI→ Incorrect
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.
B. Process FCI→ Incorrect
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.
C. Transmit FCI→ Correct
Transmission refers to the act of sending FCI from one entity to another. Since the contractor issendingFCI via email, this falls undertransmittingthe data.
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
Notify the CMMC-AB.
Cancel the assessment.
Postpone the assessment.
Contact the C3PAO for guidance.
Step 1: Understand the Assessor’s Role and Chain of ResponsibilityDuring a CMMC assessment, the assessor ispart of the team organized by a C3PAO (Certified Third-Party Assessment Organization). If the assessor determines thatevidence is insufficient or inadequate, they arenot authorizedto act independently in terms of halting or postponing the assessment.
Source Reference: CMMC Assessment Process (CAP) v1.0 – Section 3.5.4 & 3.5.6
"If the Assessment Team identifies gaps in the sufficiency or adequacy of evidence, they must work with the Lead Assessor and C3PAO to determine the appropriate course of action."
The C3PAO is responsible for overseeing the assessment lifecycle.
If evidence isnot adequate, the assessor mustescalate within their organization(i.e., to the Lead Assessor or C3PAO point of contact) to:
Request clarifications from the OSC,
Determine if additional evidence can be requested,
Decide on continuing, pausing, or modifying the assessment schedule.
✅Step 2: Why Contacting the C3PAO Is the Correct Action
A. Notify the CMMC-AB✘ Incorrect. The Cyber AB (formerly CMMC-AB) isnot involved in operational aspectsof assessments. They do not manage day-to-day assessment decisions.
B. Cancel the assessment✘ Incorrect. An assessorcannot unilaterally cancelan assessment. Only theC3PAO, in consultation with all parties, may take such action.
C. Postpone the assessment✘ Incorrect. Postponements are logistical decisions that must be managed through theC3PAO, not an individual assessor.
❌Why the Other Options Are Incorrect
When an assessor determines that the evidence submitted by an OSC is inadequate or insufficient to meet a CMMC practice, thecorrect and required course of action is to consult with the C3PAO. The C3PAO will provide guidance or coordinate appropriate next steps.
Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?
CMMC Glossary
CMMC Appendices
CMMC Assessment Process
CMMC Assessment Guide Levels 1 and 2
Understanding the Best Source for CMMC Practice DescriptionsTheCMMC Assessment Guide (Levels 1 and 2)is theprimaryandmost authoritativedocument for detailed descriptions of each practice and process within the variousCMMC domains.
Step-by-Step Breakdown:✅1. What is the CMMC Assessment Guide?
TheCMMC Assessment Guideprovides detailed explanations of:
EachCMMC practicewithin its respectivedomain.
Theassessment objectivesfor verifying implementation.
Examples ofevidence requiredto demonstrate compliance.
CMMC 2.0 includes two levels:
Level 1: 17 basic cybersecurity practices.
Level 2: 110 practices aligned withNIST SP 800-171.
TheAssessment Guidedefines howassessorsevaluate compliance.
✅2. Why the Other Answer Choices Are Incorrect:
(A) CMMC Glossary❌
TheGlossaryprovidesdefinitions of termsused in CMMC but does not describe specific practices in detail.
(B) CMMC Appendices❌
Appendicesinclude supplementary information likereferences and scoping guidance, but they do not provide full descriptions of practices.
(C) CMMC Assessment Process❌
TheAssessment Process Guideexplainshowassessments are conducted, but it doesnot describe each practicein detail.
Final Validation from CMMC Documentation:TheCMMC Assessment Guide (Levels 1 and 2)is theofficialsource for descriptions of eachCMMC practice and process, making it thebest referencefor understanding compliance requirements.
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Organizational operations, business assets, and employees
Organizational operations, business processes, and employees
Organizational operations, organizational assets, and individuals
Organizational operations, organizational processes, and individuals
TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.
TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:
"Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
✅Organizational operations(e.g., mission, business continuity, functions)
✅Organizational assets(e.g., data, IT systems, intellectual property)
✅Individuals(e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.
A. Organizational operations, business assets, and employees❌Incorrect."Business assets"is not the correct terminology used in CMMC/NIST SP 800-171. Instead,"organizational assets"is the proper term.
B. Organizational operations, business processes, and employees❌Incorrect."Business processes"is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.
D. Organizational operations, organizational processes, and individuals❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.
Why the Other Answers Are Incorrect
CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.
CMMC Official ReferencesThus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
When under the control of the DoD
When the document is considered secret
When a document is being shared outside of the organization
When a derivative document's original information is not CUI
Background on Legacy Markings and CUI
Legacy markings refer to classification labels used before the implementation of theControlled Unclassified Information (CUI) ProgramunderDoD Instruction 5200.48.
Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align withCUI requirements.
When Must Legacy Markings Be Updated?
If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.
If the document is classified as Secret (Answer B - Incorrect): This question is aboutCUI, not classified information. Secret-level documents follow different marking rules underDoD Manual 5200.01.
If a document is being shared externally (Answer C - Correct):
According toDoD Instruction 5200.48, Section 3.6(a), organizations mustreview legacy markings before sharing documents outside the organization.
The document must bere-markedin compliance with the CUI Program before dissemination.
If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.
Conclusion
The correct answer isC: Documents with legacy markings must bere-marked or redacted when being shared outside the organizationto comply with DoD CUI guidelines.
What are CUI protection responsibilities?
Shielding
Governing
Correcting
Safeguarding
Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.
Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.
TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.
CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.
DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.
A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.
B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.
C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.
The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.
During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
Host Unit
Organization
Coordinating Unit
Supporting Organization/Unit
In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.
Step-by-Step Explanation:
Definition of the HQ Organization:
The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.
Identification of External Entities:
External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.
Role of Supporting Organizations/Units:
According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.
Assessment Implications:
While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.
A Lead Assessor is planning an assessment and scheduling the test activities. Who MUST perform tests to obtain evidence?
OSC personnel who normally perform that work as the CCP observes
Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s)
Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI
OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s)
Understanding Who Must Perform Tests in a CMMC AssessmentDuring aCMMC Level 2 Assessment, assessorsmust observe operational activities and security practicesto verify compliance. This process involves:
✔Testing security controls and proceduresas part of the assessment.
✔Observation of standard work practicesto ensure controls are properly implemented.
✔Using operational personnel (OSC employees) who regularly perform the taskto ensure realistic assessment conditions.
Operational personnel (OSC employees) must conduct the actual work while assessors observe.
Certified CMMC Professionals (CCPs) or Lead Assessorsoversee and document the testing process.
Who Performs Tests?
A. OSC personnel who normally perform that work as the CCP observes → Correct
CMMC assessments require actual users (OSC personnel) to perform their regular duties while assessors observeto verify security practices.
B. Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s) → Incorrect
Military personnel are not responsible for testing contractor security controls.
Assessors observe and evaluate but do not perform testing themselves.
C. Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI → Incorrect
Military personnel do not perform the testing.
The contractor (OSC) is responsible for implementing and demonstrating security controls.
D. OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s) → Incorrect
Personnel unfamiliar with the job should not be used for testing.
Theassessment must reflect real-world conditions, so theactual employees who perform the work must demonstrate the process.
Why is the Correct Answer "A" (OSC personnel who normally perform that work as the CCP observes)?
CMMC Assessment Process (CAP) Document
Specifies thatassessments must observe real operational activities to determine compliance.
CMMC-AB Assessment Methodology
Requirestesting of security controls in a realistic operational environment, meaning actual OSC personnel must perform the tasks.
NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)
Specifies thatinterviews and observations should be conducted with personnel who regularly perform the work.
The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?
ESP
People
Facilities
Technology
Understanding Asset Types in CMMC 2.0In CMMC 2.0, assets are categorized based on their role in handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI). TheCybersecurity Maturity Model Certification (CMMC) Scoping GuidanceforLevel 1andLevel 2provides asset definitions to help organizations identify what needs protection.
According toCMMC Scoping Guidance, there are five primary asset types:
Security Protection Assets (ESP - External Service Providers & Security Systems)
People (Personnel who interact with FCI/CUI)
Facilities (Physical locations housing FCI/CUI)
Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)
CUI Assets (For Level 2 assessments, assets specifically storing CUI)
Why "Technology" Is the Correct AnswerThe IT manager is evaluatingservers, laptops, databases, and applications—all of which aretechnology assetsused to store, process, or transmit FCI.
According toCMMC Scoping Guidance,Technology assetsinclude:
✅Endpoints(Laptops, Workstations, Mobile Devices)
✅Servers(On-premise or cloud-based)
✅Networking Devices(Routers, Firewalls, Switches)
✅Applications(Software, Cloud-based tools)
✅Databases(Storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset category isTechnology (Option D).
A. ESP (Security Protection Assets)❌Incorrect. ESPs refer tosecurity-related assets(e.g., firewalls, monitoring tools, managed security services) thathelp protectFCI/CUI but do notstore, process, or transmitit directly.
B. People❌Incorrect. While employees play a role in handling FCI, the question focuses onhardware and software—which falls underTechnology, not People.
C. Facilities❌Incorrect. Facilities refer tophysical buildingsor secured areas where FCI/CUI is stored or processed. The question explicitly mentionsservers, laptops, and applications, which arenot physical facilities.
Why the Other Answers Are Incorrect
CMMC Level 1 Scoping Guide (CMMC-AB)– Defines asset categories, including Technology.
CMMC 2.0 Scoping Guidance for Assessors– Provides clarification on FCI assets.
CMMC Official ReferencesThus,option D (Technology) is the most correct choiceas per official CMMC 2.0 guidance.
Which domains are a part of a Level 1 Self-Assessment?
Access Control (AC), Risk Management
Risk Management (RM). Access Control (AC), and Physical Protection (PE)
Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)
Risk Management (RM). Media Protection (MP), and Identification and Authentication (IA)
CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).
UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.
Domains Covered in a Level 1 Self-AssessmentCMMC Level 1 practices fall underthree specific domains:
Access Control (AC)– Ensures that only authorized individuals can access FCI.
Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.
Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.
These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.
CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).
CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).
A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.
B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.
C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.
D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.
Official CMMC 2.0 Documentation ReferencesBreakdown of Answer ChoicesConclusionThecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.
CMMC 2.0 Model Overview – DoD Official Documentation
CMMC Assessment Guide, Level 1
NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)
Reference Documents for Further Reading