Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Exam Practice Test

Understanding FCI and Asset CategorizationFederal Contract Information (FCI)is any informationnot intended for public releasethat is provided by or generated for thegovernmentunder aDoD contract.

Acompany-issued laptopused by a sales representative to enter FCI into aspreadsheetis considered anFCI assetbecause it:

✅Stores FCI– The spreadsheet contains sensitive information.

✅Processes FCI– The representative is entering data into the spreadsheet.

✅Organizes FCI– The spreadsheet helps structure and manage FCI data.

Processing (Option B and C)is occurring, but since the laptop is primarily being used toorganize data,Option D is the most comprehensive.

Transmission (Option A and C)is not explicitly mentioned, soOption D is the best fit.

Why "Store, Process, and Organize FCI" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Process and transmit FCI.

❌Incorrect–No indication oftransmissionis provided.

B. Process and organize FCI.

❌Incorrect–Storage is also a key function of the laptop.

C. Store, process, and transmit FCI.

❌Incorrect–Transmission is not confirmed in the scenario.

D. Store, process, and organize FCI.

✅Correct – The laptop is used to store, process, and organize FCI in a spreadsheet.

CMMC Asset Categorization Guidelines– DefinesFCI assetsbased onstorage, processing, and organization functions.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Store, process, and organize FCI, as the laptop is used tostore information, enter (process) data, and structure (organize) FCI within a spreadsheet.

1. Understanding the Role of Assessment Objectives in CMMC 2.0Theassessment objectivesfor each CMMC practice define thespecific criteriathat an assessor uses to evaluate whether a practice is implemented correctly. These objectives break down each control into measurable components, ensuring a structured and consistent assessment process.

To determine where these objectives are best documented, we need to consider theofficial CMMC documentation sources.

2. Why Answer Choice "D" is Correct – CMMC Assessment Guide Levels 1 and 2TheCMMC Assessment Guide (Levels 1 & 2)is theprimary documentthat provides:

✅The detailedassessment objectivesfor each practice

✅A breakdown of the expectedevidence and implementation details

✅Step-by-stepassessment criteriafor assessors to verify compliance

Each CMMC practice in the Assessment Guide is aligned with the correspondingNIST SP 800-171 or FAR 52.204-21 control, and the guide specifies:

How to assess compliancewith each practice

What evidenceis required for validation

What stepsan assessor should follow

????Reference from Official CMMC Documentation:

CMMC Assessment Guide – Level 2 (Aligned with NIST SP 800-171)explicitly states:

"Each practice is assessed based on defined assessment objectives to determine if the practice is MET or NOT MET."

CMMC Assessment Guide – Level 1 (Aligned with FAR 52.204-21)provides similar objectives tailored for foundational cybersecurity requirements.

Thus,CMMC Assessment Guide Levels 1 & 2 are the BEST sources for assessment objectives.

3. Why Other Answer Choices Are IncorrectOption

Reason for Elimination

A. CMMC Glossary

❌The glossary only defines terminology used in CMMC but does not provide assessment objectives.

B. CMMC Appendices

❌The appendices contain supplementary details, but they do not comprehensively list assessment objectives for each practice.

C. CMMC Assessment Process (CAP)

❌While the CAP document describes the assessmentworkflow and methodology, it does not outline the specific objectives for each practice.

4. ConclusionTo locate thebest reference for assessment objectives, theCMMC Assessment Guide Levels 1 & 2are the most authoritative and detailed sources. They contain step-by-step assessment criteria, ensuring that practices are evaluated correctly.

✅Final Answer:

D. CMMC Assessment Guide Levels 1 and 2

Understanding Access Control (AC) in CMMC Advanced (Level 3)TheCMMC Advanced Level (Level 3)is designed for organizations handlinghigh-value Controlled Unclassified Information (CUI)and aligns with a subset ofNIST SP 800-172for advanced cybersecurity protections.

Access Control (AC) Practices in CMMC Level 3✅CMMC Level 1 includesbasic AC practices fromFAR 52.204-21(e.g., restricting access to authorized users).

✅CMMC Level 2 includesallAccess Control (AC) practices from NIST SP 800-171(e.g., managing privileged access).

✅CMMC Level 3 expands on Levels 1 and 2, incorporatingadditional protections from NIST SP 800-172, such as enhanced monitoring and adversary deception techniques.

CMMC Level 3 builds upon all previous levels, includingAccess Control (AC) practices from Levels 1 and 2.

Options A, B, and C are incorrectbecause Level 3 includesallprevious AC practices fromLevels 1 and 2, plus additional ones.

Why "Levels 1, 2, and 3" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Level 1

❌Incorrect–Level 3 includes AC practices fromLevels 1 and 2, not just Level 1.

B. Level 3

❌Incorrect – Level 3 builds onLevels 1 and 2, not just Level 3 practices.

C. Levels 1 and 2

❌Incorrect–Level 3 containsadditionalAC practices beyond Levels 1 and 2.

D. Levels 1, 2, and 3

✅Correct – Level 3 contains all AC practices from Levels 1 and 2, plus additional ones.

CMMC Model Framework– Outlines howLevel 3 builds upon Level 1 and 2 practices.

NIST SP 800-172– Definesadvanced cybersecurity controlsrequired inCMMC Level 3.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Levels 1, 2, and 3, as CMMC Level 3 includesAccess Control (AC) practices from all previous levels plus additional enhancements.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

B. Opt out of CMMC Assessments✘ Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD✘ No such reimbursement mechanism exists.

D. Pay no more than $500.00…✘ No such fixed cost is set or guaranteed in CMMC documentation.

❌Why the Other Options Are Incorrect

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

Per the CMMC Assessment Process (CAP), the Assessment Team is responsible for determining the adequacy and sufficiency of evidence collected during the assessment. The team validates whether practices and components for each in-scope Host Unit, Supporting Organization, or enclave meet the target CMMC level. The OSC (Organization Seeking Certification) provides evidence, but only the Assessment Team makes the verification and scoring determination.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

AC3PAO (Certified Third-Party Assessment Organization)is responsible for conductingCMMC Level 2 assessments.

After completing theassessment, theC3PAO generates the Final Recommended Assessment Results, which include key documentation reviewed by theCMMC Quality Assurance Professional (CQAP)for quality control.

Understanding Licensed Training Providers (LTPs) in CMMCALicensed Training Provider (LTP)is an entity that is authorized by theCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)todeliver CMMC trainingbased on anapproved curriculum.

Provides CMMC-AB-approved training programsfor individuals seeking CMMC certifications.

Uses an official CMMC curriculumthat aligns with theCMMC Body of Knowledge (BoK)and other CMMC-AB guidance.

Prepares students for CMMC roles, such asCertified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).

Key Responsibilities of an LTP:

A. Creates DoD-licensed training → Incorrect

TheCMMC-AB, not the DoD, manages LTP licensing. LTPsdo not create new training contentbut mustfollow an approved curriculum.

B. Instructs a curriculum approved by CMMC-AB → Correct

LTPsteacha curriculum that has beenapproved by the CMMC-AB, ensuring consistency in CMMC training.

C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect

LTPs provide training, not testing. Testing is handled byLicensed Partner Publishers (LPPs)and exam bodies.

D. Delivers training using some CMMC body of knowledge objectives → Incorrect

LTPs mustfully adhereto theCMMC-AB-approved curriculum, not just "some" objectives.

Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?

CMMC-AB Licensed Training Provider (LTP) Program Guidelines

Defines LTPs as entities thatdeliver CMMC-AB-approved training programs.

CMMC Body of Knowledge (BoK)

Specifies that training must follow theCMMC-AB-approved curriculumto ensure standardization.

CMMC-AB Training & Certification Framework

Requires LTPs todeliver structured training that meets CMMC-AB guidelines.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔B. Instructs a curriculum approved by CMMC-AB

Understanding the CMMC Level 2 Assessment ProcessWhen anOrganization Seeking Certification (OSC)engages aCertified Third-Party Assessment Organization (C3PAO)to conduct aCMMC Level 2 Assessment, anAssessment Planis developed to outline the scope, methodology, and logistics of the assessment.

According to theCMMC Assessment Process (CAP) Guide, theAssessment Plan must be formally agreed upon and signed off by:

Lead Assessor– The individual responsible for overseeing the execution of the assessment.

C3PAO (Certified Third-Party Assessment Organization)– The entity conducting the assessment.

TheLead Assessorensures that theAssessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.

TheC3PAOprovides organizational approval, confirming that the assessment is conducted according toCMMC-AB rules and contractual agreements.

A. OSC and Sponsor (Incorrect)

TheOSC (Organization Seeking Certification)is involved in planning but does not sign off on the plan.

Asponsoris not part of the sign-off process in CMMC assessments.

B. OSC and CMMC-AB (Incorrect)

TheOSCdoes not formally approve theAssessment Plan—this responsibility belongs to the assessment team.

TheCMMC-ABdoes not sign off on individualAssessment Plans.

D. C3PAO and Assessment Official (Incorrect)

"Assessment Official" isnot a defined rolein the CMMC assessment process.

TheC3PAOis involved, but it must be theLead Assessorwho signs off, not an unspecified official.

The correct answer isC. Lead Assessor and C3PAO.

TheLead Assessorensures assessment integrity, while theC3PAOprovides official authorization.

Understanding the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.

Last Step in Developing an Assessment Plan for an OSCDeveloping anassessment planinvolves:

Defining the assessment scope(e.g., systems, networks, locations).

Planning test activities(e.g., interviews, evidence review, technical testing).

Verifying the OSC’s readiness(e.g., ensuring required documents are available).

Updating the assessment plan and schedule as needed.

Final Step: Obtaining and recording the OSC’s commitment to the assessment plan.

Why is obtaining commitment the last step?✔Theassessment cannot proceed unless the OSC agrees to the finalized plan.

✔This ensuresOSC leadership understands the scope, timeline, and responsibilities.

✔TheC3PAO must document this commitmentto formalize the agreement.

A. Verify the readiness to conduct the assessment → Incorrect

Readiness verification happens earlierin the planning process, not as the last step.

B. Perform certification assessment readiness review → Incorrect

Areadiness review is conducted before finalizing the plan, not at the very end.

C. Update the assessment plan and schedule as needed → Incorrect

Updating the plan happens before commitment is obtained; it is not the final step.

D. Obtain and record commitment to the assessment plan → Correct

This is the final step before conducting the assessment. The OSC must formally agree to the plan.

Why is the Correct Answer "D. Obtain and record commitment to the assessment plan"?

CMMC Assessment Process (CAP) Document

States that theOSC must confirm agreement to the assessment plan before execution.

CMMC-AB Guidelines for C3PAOs

Specifies thatfinalizing the assessment plan requires documented commitment from the OSC.

CMMC Assessment Guide

Outlines thatassessments cannot begin without formal approval of the plan.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔D. Obtain and record commitment to the assessment plan.

DFARS clause 252.204-7012 establishes the safeguarding of Covered Defense Information (CDI), which aligns with CUI categories. The clause specifies that the DoD is responsible for determining whether information is Controlled Unclassified Information (CUI) and marking it accordingly before sharing it with contractors. Contractors do not make determinations about what constitutes CUI; they are responsible for safeguarding information once it is received and marked as CUI.

Reference Documents:

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

CMMC Model v2.0 Overview, December 2021

DoDI 5200.48 specifies that Authorized Holders of CUI are responsible for applying appropriate CUI markings. An authorized holder is an individual who has lawful government purpose access to the information. This ensures that responsibility for correctly marking information rests with those who create or handle the material, not only with original classification authorities (which apply to classified information, not CUI).

Reference Documents:

DoDI 5200.48, Controlled Unclassified Information (CUI)

During aCMMC readiness review, anOrganization Seeking Certification (OSC)may argue that a specificenclave (network segment or system) is out of scopefor assessment. TheLead Assessor is responsible for verifying and approving this request.

Certified CMMC Professional (CCP)

A CCP supports OSCs inpreparing for assessmentsbutdoes not make final scope determinations.

Certified Third-Party Assessment Organization (C3PAO)

The C3PAOoversees the assessmentbut doesnot personally verify scope exclusions—that falls under theLead Assessor’s role.

Lead Assessor (Correct Answer)

TheLead Assessor has the authorityto determine if anenclave is out of scopebased on OSC-provided evidence.

The Lead Assessor followsCMMC Assessment Process (CAP) guidelinesto ensure proper scoping.

Advisory Board

TheCMMC-AB (Advisory Board) does not make scope determinations. It focuses onprogram oversightandcertification processes.

CMMC Assessment Process (CAP) v1.0

TheLead Assessor is responsible for confirming the assessment scopeand determining enclave applicability.

CMMC Scoping Guidance for Level 2 Assessments

Requires theLead Assessor to review and approve any enclave exclusionsbefore finalizing the assessment scope.

Roles and Responsibilities in CMMC Assessments:Official References Supporting the Correct Answer:Conclusion:TheLead Assessoris the correct answer because they have the authority to verify scope determinations during the assessment.

✅Correct Answer: C. Lead Assessor

Federal Contract Information (FCI) is defined inFAR 52.204-21as information provided by or generated for the government under contract but not intended for public release. UnderCMMC 2.0, organizations handling FCI must implementFAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection inprocessing, storing, and transmittingFCI.

Analyzing the Given OptionsThe question involves an email system that is used tosendFCI to a subcontractor. Let’s break down the possible answers:

A. Manage FCI→ Incorrect

Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.

B. Process FCI→ Incorrect

Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.

C. Transmit FCI→ Correct

Transmission refers to the act of sending FCI from one entity to another. Since the contractor issendingFCI via email, this falls undertransmittingthe data.

Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.

Supporting Extracts from Official Content:

CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”

CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.

Why Option A is Correct:

The server stores FCI, making it automatically in scope.

Option B is incorrect because long-term storage does not make an asset out of scope.

Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.

Option D is incorrect because encryption does not remove scope requirements.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1.

CMMC Model v2.0, Scoping and Implementation guidance.

===========

CMMC Level 2 requires full implementation of the 110 security requirements specified in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. These practices form the foundation for safeguarding CUI across defense contractor systems.

NIST SP 800-53 is a broader catalog of security controls for federal systems, not specific to CUI in the defense contractor environment.

48 CFR 52.204-21 establishes basic safeguarding requirements for Federal Contract Information (FCI) and corresponds to CMMC Level 1.

DFARS 252.204-7012 defines safeguarding and incident reporting obligations but does not enumerate the specific security practices required.

Thus, Level 2 practices are aligned to NIST SP 800-171.

Reference Documents:

CMMC Model v2.0 Overview, December 2021

NIST SP 800-171 Rev. 2

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Key References for a Lead Assessor in a CMMC AssessmentALead Assessorconducting aCMMC assessmentmust rely onofficial CMMC guidance documentsto evaluate whether anOrganization Seeking Certification (OSC)meets the required cybersecurity practices.

TheCMMC Assessment Guideprovidesdetailed descriptionsof eachpractice and processat the specificCMMC level being assessed.

It defines:✔Theassessment objectivesfor each practice.✔Therequired evidencefor compliance.✔Thescoring criteriato determine if a practice isMET or NOT MET.

Most Relevant Reference: CMMC Assessment Guide

A. DoD adequate security checklist for covered defense information → Incorrect

TheDoD adequate security checklistis related toDFARS 252.204-7012 compliance, butCMMC assessmentsfollow theCMMC Assessment Guide.

B. CMMC Model Overview as it provides assessment methods and objects → Incorrect

TheCMMC Model Overviewprovideshigh-level guidance, butdoes not contain specific assessment criteria.

C. Safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment → Incorrect

FAR 52.204-21is relevant toCMMC Level 1 (FCI protection), butCMMC Level 2 follows NIST SP 800-171and requiresCMMC Assessment Guidesfor validation.

D. Published CMMC Assessment Guide practice descriptions for the desired certification level → Correct

TheCMMC Assessment Guideis theofficial documentused to determine if anOSC meets the required security practices for certification.

Why is the Correct Answer "D. Published CMMC Assessment Guide practice descriptions for the desired certification level"?

CMMC Assessment Process (CAP) Document

Specifies thatLead Assessors must use the CMMC Assessment Guidefor official scoring.

CMMC Assessment Guide for Level 1 & Level 2

Providesdetailed descriptions, assessment methods, and scoring criteriafor each practice.

CMMC-AB Guidance for Certified Third-Party Assessment Organizations (C3PAOs)

Confirms thatCMMC assessments must follow the Assessment Guide, not general DoD security policies.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔D. Published CMMC Assessment Guide practice descriptions for the desired certification level.

Does a File Cabinet Containing Paper FCI Fall Within CMMC Scope?CMMConly applies to digital systems and assetsthatprocess, store, or transmitFederal Contract Information (FCI)andControlled Unclassified Information (CUI).Physical storage (such as paper documents) is not included in CMMC scoping.

Step-by-Step Breakdown:✅1. CMMC Scope Covers Only Digital Systems and Assets

According to theCMMC Scoping Guide (Level 1),only digital assetsthat handleFCIarein scopefor aLevel 1 Self-Assessment.

Afile cabinetisnot a digital system; therefore, it isnot in scopefor CMMC compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) In scope, because it is an asset that stores FCI❌

Incorrect:While the file cabinetdoes store FCI,CMMC only applies to digital systems.

(B) In scope, because it is part of the same physical location❌

Incorrect:CMMCdoes notconsiderphysical proximitywhen determining scope—only digital data handling matters.

(D) Out of scope, because it does not process or transmit FCI❌

Partially correct, but incomplete: Themain reasonit is out of scope is that itcontains only paper documents, not that it doesn’t process/transmit data.

TheCMMC Level 1 Scoping Guideexplicitly states thatpaper-based storage of FCI does not fall within scope.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅C. Out of scope, because they are all only paper documents.

Understanding CMMC 2.0 Incident Response PracticesTheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

TheU.S. Department of Defense (DoD)determines the requiredCMMC Levelbased on thesensitivity of the information involved in a contract.

The required CMMC Level isspecified in Requests for Information (RFIs) and Requests for Proposals (RFPs).

In the Cybersecurity Maturity Model Certification (CMMC) assessment process, the presentation of the Final Recommended Assessment Findings is a critical step. According to the CMMC Assessment Process guidelines, the Lead Assessor is responsible for compiling and presenting these findings. The prescribed method for this presentation is the utilization of the standardized CMMC Findings Brief template.

Step-by-Step Explanation:

Responsibility of the Lead Assessor:

The Lead Assessor oversees the assessment process and is tasked with compiling the Final Recommended Assessment Findings.

Utilization of the CMMC Findings Brief Template:

To ensure consistency and adherence to CMMC standards, the Lead Assessor must use the official CMMC Findings Brief template when presenting the assessment findings.

Presentation of Findings:

The findings, documented in the CMMC Findings Brief template, are then presented to the Organization Seeking Certification (OSC). This presentation ensures that the OSC receives a clear and standardized report of the assessment outcomes.

Step 1: Understand the “CA” Domain – Security AssessmentTheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA&Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA&Ms.

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

✅Step 2: Review CMMC Levels

A. Level 1✘ No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4✘ These levels build on CA practices but do not represent thestarting point.

❌Why the Other Options Are Incorrect

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

Understanding the Role of the Lead Assessor in CMMC AssessmentsTheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.

Lead Assessor’s Key Responsibilities (Per CAP Guide)

Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.

Assignappropriate assessment tasksbased on team members’ expertise.

Ensure that theassessment is conducted in accordance with CMMC procedures.

Why Not the Other Options?

A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect

AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.

B. CMMC-AB (CMMC Accreditation Body)→Incorrect

TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.

D. CMMC Marketplace→Incorrect

TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.

CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.

CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.

Why the Correct Answer is "C. Lead Assessor"?Relevant CMMC 2.0 References:Final Justification:Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

Step 1: Define CUI (Controlled Unclassified Information)CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s RoleNARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry –

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

B. NIST✘ NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)✘ The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)✘ While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

❌Why the Other Options Are Incorrect

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

Understanding Ethical Responsibility in the CMMC EcosystemEthics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.

CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.

CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.

Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.

Key Ethical Responsibilities Include:

A. DoD and CMMC-AB → Incorrect

TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.

B. OSC and Sponsors → Incorrect

TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.

C. CMMC-AB and Members of the CMMC Ecosystem → Correct

Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.

D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect

Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.

Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?

CMMC-AB Code of Professional Conduct

Defines ethical responsibilities forassessors, consultants, and ecosystem members.

CMMC Ecosystem Governance Policies

Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.

CMMC Assessment Process (CAP) Document

Outlines ethical expectations forassessors and consultantsduring certification assessments.

CMMC 2.0 References Supporting this Answer:

Understanding the Role of an FCI Asset in CMMCAdedicated local printer used to print Federal Contract Information (FCI)is considered anFCI Asset. UnderCMMC Level 1, FCI assets are required to meetbasic cybersecurity controlsto ensure that FCI is properlyprotected from unauthorized access.

Step-by-Step Breakdown:✅1. Why "Process" is the Best Answer

The printerreceives digital FCI, converts it into a physical format (paper), and outputs the document.

This aligns with thedefinition of "processing" in CMMC, which includes:

Transforming or modifying data

Generating output (e.g., printed documents)

Using systems to interpret or manipulate information

✅2. Why the Other Answer Choices Are Incorrect:

(A) Encrypt❌

Aprinter does not encryptFCI—it simply prints it. Encryption applies todigital storage and transmission, not printing.

(B) Manage❌

Managing FCI typically refers togovernance, access control, and oversight, which is not the function of a printer.

(D) Distribute❌

While a printed documentcould be distributed, theprinter itself is not responsible for distributing FCI—it only processes the data for output.

CMMC Assessment Guide (Level 1)confirms thatprocessing FCI includes using systems that convert or transform information, such as printers.

NIST SP 800-171definesprocessingas an action thatchanges or manipulates information, which applies to printing.

Final Validation from CMMC Documentation:

Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC AssessmentsWhen assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

The term Adversarial Assessment is formally defined in DoD cyber terminology. It describes testing that evaluates a unit or system’s ability to perform its mission while facing simulated cyber threat activity representative of a real-world adversary.

Supporting Extracts from Official Content:

DoD Cybersecurity Test and Evaluation Guidebook: “Adversarial Assessment: Test conducted to evaluate a unit’s ability to support its mission while withstanding cyber threat activity representative of an actual adversary.”

Why Option D is Correct:

A penetration test is narrower and focuses on identifying vulnerabilities.

Black hat testing is not an official DoD or CMMC term.

Red cell assessment refers more broadly to force-on-force exercises and is not the term used in CMMC/governing DoD definitions.

References (Official CMMC v2.0 Content and Source Documents):

DoD Cybersecurity Test and Evaluation Guidebook.

CMMC v2.0 Governance – Source Documents (incorporating DoD definitions).

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

nderstanding Objectivity in CMMC-AB ActivitiesObjectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.

Key Aspects of Objectivity in CMMC Assessments:✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.

✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.

✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.

A. Ensuring full disclosure → Incorrect

Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.

B. Reporting results of CMMC services completely → Incorrect

Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.

C. Avoiding the appearance of or actual, conflicts of interest → Correct

Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.

Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.

D. Demonstrating integrity in the use of materials as described in policy → Incorrect

Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.

Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?

CMMC-AB Code of Professional Conduct

Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.

CMMC Assessment Process (CAP) Document

Emphasizes that assessments must befree from external influence and conflicts of interest.

ISO/IEC 17020 Requirements for Inspection Bodies

Definesobjectivity as avoiding conflicts of interest in the assessment process.

CMMC 2.0 References Supporting This Answer:

Which NIST SP Defines the Assessment Procedures for CMMC?CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Final Validation from CMMC Documentation:Thus, the correct answer is:

When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.

Step-by-Step Breakdown:✅1. What is an ESP?

External Service Providers (ESPs)arethird-party organizationsthat:

ProvideIT services, cloud hosting, and managed security solutions.

Process, store, or transmit FCI or CUIon behalf of a contractor.

Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.

If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.

✅2. Why the Other Answer Choices Are Incorrect:

(B) People❌

Incorrect:ESPs areorganizations, not individual people.

(C) Facilities❌

Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.

(D) Technology❌

Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just "Technology."

TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅A. ESPs (External Service Providers).

Who Has the Final Authority Over Assessment Results?During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.

Key Responsibilities of a C3PAO✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).

✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.

✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.

✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.

The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.

TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.

TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.

TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.

Why "C3PAO" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. C3PAO

✅Correct – C3PAOs finalize and submit assessment results.

B. CMMC-AB

❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.

C. Assessment Team

❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.

D. Assessment Sponsor

❌Incorrect–This is arepresentative of the OSC, not the assessment authority.

CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.

Understanding SI.L2-3.14.6: Monitor Communications for AttacksThe practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Official References from CMMC 2.0 and NIST SP 800-171 DocumentationFinal Verification and ConclusionThe correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

The Certified Third-Party Assessment Organization (C3PAO) enters into a contractual relationship with the OSC. As part of that contract, the C3PAO maintains a non-disclosure agreement (NDA) to protect sensitive and proprietary information reviewed during the assessment.

Supporting Extracts from Official Content:

CAP v2.0, Roles and Responsibilities (§2.8): “The C3PAO maintains a non-disclosure agreement with the OSC to protect all sensitive information disclosed during the assessment.”

Why Option B is Correct:

Only the C3PAO contracts directly with the OSC and is bound to protect assessment data.

NIST, The Cyber AB (formerly CMMC-AB), and OUSD A&S do not enter NDAs directly with OSCs.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Section on OSC–C3PAO agreements.

===========

Understanding Restricted Information Systems (IS) in CMMC ScopingInCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

Understanding Asset Types in CMMC 2.0In CMMC 2.0, assets are categorized based on their role in handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI). TheCybersecurity Maturity Model Certification (CMMC) Scoping GuidanceforLevel 1andLevel 2provides asset definitions to help organizations identify what needs protection.

According toCMMC Scoping Guidance, there are five primary asset types:

Security Protection Assets (ESP - External Service Providers & Security Systems)

People (Personnel who interact with FCI/CUI)

Facilities (Physical locations housing FCI/CUI)

Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)

CUI Assets (For Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct AnswerThe IT manager is evaluatingservers, laptops, databases, and applications—all of which aretechnology assetsused to store, process, or transmit FCI.

According toCMMC Scoping Guidance,Technology assetsinclude:

✅Endpoints(Laptops, Workstations, Mobile Devices)

✅Servers(On-premise or cloud-based)

✅Networking Devices(Routers, Firewalls, Switches)

✅Applications(Software, Cloud-based tools)

✅Databases(Storage of FCI or CUI)

Since the IT manager is focusing on these components, the correct asset category isTechnology (Option D).

A. ESP (Security Protection Assets)❌Incorrect. ESPs refer tosecurity-related assets(e.g., firewalls, monitoring tools, managed security services) thathelp protectFCI/CUI but do notstore, process, or transmitit directly.

B. People❌Incorrect. While employees play a role in handling FCI, the question focuses onhardware and software—which falls underTechnology, not People.

C. Facilities❌Incorrect. Facilities refer tophysical buildingsor secured areas where FCI/CUI is stored or processed. The question explicitly mentionsservers, laptops, and applications, which arenot physical facilities.

Why the Other Answers Are Incorrect

CMMC Level 1 Scoping Guide (CMMC-AB)– Defines asset categories, including Technology.

CMMC 2.0 Scoping Guidance for Assessors– Provides clarification on FCI assets.

CMMC Official ReferencesThus,option D (Technology) is the most correct choiceas per official CMMC 2.0 guidance.

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.

This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

In Phase 3 (Post-Assessment), the assessor’s responsibility is to archive or dispose of assessment artifacts according to the C3PAO’s policies and retention requirements. By this point, final findings and results have already been delivered, so the only remaining step is ensuring proper handling of assessment materials.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Activities (§3.17): “The assessor must archive or dispose of any assessment artifacts in accordance with the C3PAO’s retention and destruction policy.”

Why Option D is Correct:

Determining practice pass/fail results and level recommendations occurs earlier in Phases 2 and 3.

The final step left for the assessor is the proper archiving or destruction of artifacts.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3: Post-Assessment (§3.17).

===========

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.

Role of the Lead Assessor in Remediation Reviews:

Validation of Remediation Efforts:

Objective:Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.

Process:The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.

Delta Assessment Remediation Package Submission:

Definition:A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.

Responsibility:After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:

Detailed documentation of the deficiencies identified in the initial assessment.

Evidence of the corrective actions taken by the OSC.

Findings from the reassessment of the remediated practices.

Internal Quality Review:This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.

Rationale for Selecting Answer C:

Alignment with CMMC Assessment Process:The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.

Clarification of Incorrect Options:

Option A:"Help OSC to complete planned remediation activities."

The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.

Option B:"Plan two consecutive remediation reviews for an OSC."

The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.

Option D:"Validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment."

While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.

Understanding CMMC Assessment ProceduresACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Why the Correct Answer is "C"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

Understanding the Role of a Registered Provider Organization (RPO)ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Why "Consulting Services" is the Correct Answer?Breakdown of Answer ChoicesOption

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA&M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Who is Responsible for Marking CUI?According toDoDI 5200.48 (Controlled Unclassified Information (CUI)), the responsibility for marking CUI falls on theauthorized holder of the information.

Definition of an Authorized Holder

PerDoDI 5200.48, Section 3.4, anauthorized holderis anyone who has beengranted accessto CUI and is responsible for handling, safeguarding, and marking it according toDoD CUI policy.

The authorized holder may be:

ADoD employee

Acontractorhandling CUI

Anyorganization or individual authorizedto access and manage CUI

DoD Guidance on CUI Marking Responsibilities

DoDI 5200.48, Section 4.2:

The individual creating or handling CUImust apply the appropriate markings as per the DoD CUI Registry guidelines.

DoDI 5200.48, Section 5.2:

Themarking responsibility is NOT limited to a specific positionlike an Information Disclosure Official or a high-level DoD office.

Instead, it is theresponsibility of the person or entity generating, handling, or disseminatingthe CUI.

Why the Other Answer Choices Are Incorrect:

(A) DoD OUSD (Office of the Under Secretary of Defense):

The OUSD plays apolicy-setting rolebut doesnot directly mark CUI.

(C) Information Disclosure Official:

This role is responsible forpublic release of information, but marking CUI is the duty of theauthorized holdermanaging the data.

(D) Presidential authorized Original Classification Authority (OCA):

OCAs classifynational security information (Confidential, Secret, Top Secret), not CUI, which isnot classified information.

Step-by-Step Breakdown:Final Validation from DoDI 5200.48:PerDoDI 5200.48, authorized holders are explicitly responsible for marking CUI, making this the correct answer.

Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.

Reference Documents:

Title 44, U.S. Code, Chapter 33: Records Management

NARA Records Management Directive

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

Final Validation from CMMC Documentation:

In the context of a Cybersecurity Maturity Model Certification (CMMC) assessment, the roles and responsibilities of individuals involved are clearly delineated to ensure a structured and effective evaluation process. The term "applicable staff" refers to personnel within the Organization Seeking Certification (OSC) who possess specific knowledge or expertise pertinent to the assessment. These individuals are integral to the assessment process as they provide essential information, demonstrate the implementation of security practices, and facilitate the assessment team's understanding of the organization's cybersecurity posture.

In this scenario, the employee serving as the primary system administrator is responsible for managing and maintaining the organization's systems. Given their comprehensive understanding of the system configurations, security controls, and operational procedures, this individual is best categorized as "applicable staff." Their involvement is crucial during the assessment, as they can provide detailed insights, demonstrate compliance measures, and address technical inquiries from the assessment team.

The other options can be delineated as follows:

Analyzer:Typically refers to individuals who analyze data or security incidents, often as part of a security operations center. This role is not specifically defined within the CMMC assessment context.

Inspector:Generally denotes a person who examines or inspects systems and processes, possibly as part of an internal audit or compliance check. This term is not a standard designation within the CMMC assessment framework.

Demonstration staff:While this could imply personnel responsible for demonstrating systems or processes, it is not a recognized role within the CMMC assessment process.

Therefore, the primary system administrator, by virtue of their role and responsibilities, aligns with the "applicable staff" category, playing a pivotal role in facilitating a successful CMMC assessment.

Understanding CMMC Assessment MethodsTheCMMC Assessment Process (CAP)definesthree primary assessment methodsused to verify compliance with cybersecurity practices:

Examine– Reviewing documents, policies, configurations, and logs.

Interview– Engaging with subject matter experts (SMEs) to clarify processes and verify implementation.

Test– Observing technical implementations, such as system configurations and security measures.

Since the question asks for a method thatgathers information from SMEs to facilitate understanding and achieve clarification, the correct method isInterview.

Why "Interview" is Correct?✅Interviewsare specifically designed togather information from SMEsto confirm understanding and clarify security processes.

✅TheCMMC Assessment Guiderequires assessors tointerview key personnelresponsible for cybersecurity practices.

✅Examine (Option B)andTest (Option A)are also valid assessment methods, but they donot focus on gathering insights directly from SMEs.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Test

❌Incorrect–This method involvestechnical verification, not gathering SME insights.

B. Examine

❌Incorrect–This method focuses ondocument review, not SME interaction.

C. Interview

✅Correct – The method used to gather information from SMEs and achieve clarification.

D. Assessment

❌Incorrect–This is a general term,not a specific assessment method.

CMMC Assessment Process Guide (CAP)– DefinesInterviewas the method for obtaining information from SMEs.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isC. Interview, as this methodgathers insights from subject matter expertsto verify cybersecurity implementations.

Understanding the Media Protection (MP) DomainTheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).

This domain includes controls for:

Protecting digital and physical mediathat store CUI.

Sanitizing and destroying mediabefore disposal or reuse.

Restricting access to CUI mediato authorized personnel only.

TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.

CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.

B. Physical Protection (PE)→Incorrect

PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.

C. System and Information Integrity (SI)→Incorrect

SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.

D. System and Communications Protection (SC)→Incorrect

SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.

CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.

NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.

CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.

Why the Correct Answer is "A. Media Protection (MP)"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

Understanding the CMMC Assessment Process (CAP) PhasesTheCMMC Assessment Process (CAP)consists ofthree primary phases:

Phase 1 - Planning(Pre-assessment activities)

Phase 2 - Conducting the Assessment(Evidence collection and analysis)

Phase 3 - Reporting and Finalizing Results

DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.

Scoring Practices in Phase 3The CAP document specifies that a practice can bescored as METif:

✅The deficiency identified in Phase 2 has been fully corrected before final scoring.

✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.

✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.

Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.

B. POA&M (Plan of Action & Milestones)❌Incorrect. APOA&M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.

C. NOT MET❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.

D. NOT APPLICABLE❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA&M.

CMMC Official ReferencesThus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.

UnderCMMC Level 2, contractors are required toidentify, document, and categorize assetsinvolved in handlingControlled Unclassified Information (CUI). This is part of thescoping process, which ensures that all security-relevant assets are properly protected and accounted for in the System Security Plan (SSP), asset inventory, and network diagram.

CMMC Scoping Requirements for Level 2 Assessments:

TheCMMC Scoping Guide(CMMC v2.0) identifies four asset categories:

CUI Assets:Systems that store, process, or transmit CUI.

Security Protection Assets (SPA):Systems providing security functions for CUI Assets (e.g., firewalls, SIEMs).

Contractor Risk Managed Assets (CRMA):Assets that interact with CUI but arenot directly controlledby the organization (e.g., personal devices).

Specialized Assets:These include IoT devices, OT systems, and Government Furnished Equipment (GFE) thatmay require specific security controls.

Where Documentation is Required:

The contractor mustdocument all assets (except out-of-scope assets)in:

The System Security Plan (SSP):A key document detailing security controls and asset categorization.

An asset inventory:Lists all in-scope assets (CUI Assets, SPAs, CRMA, and Specialized Assets).

The network diagram:Provides a visual representation of system connectivity and security boundaries.

Why Out-of-Scope Assets Are Excluded:

TheCMMC Scoping Guidespecifically states that Out-of-Scope Assets arenot required to be documentedin these compliance artifacts because they haveno direct or indirect interaction with CUI.

These assets do not require CMMC controls because they are completely isolated from CUI handling environments.

Why the Other Answer Choices Are Incorrect:

(A) GUI Assets:There is no specific "GUI Asset" category in CMMC scoping.

(B) CUI and Security Protection Asset categories:While these are included, this answerexcludesContractor Risk Managed and Specialized Assets, which are also required.

(D) Contractor Risk Managed Assets and Specialized Assets:These assetsare included in scopingbut this answer excludes CUI Assets and Security Protection Assets, making it incomplete.

Step-by-Step Breakdown:Final Validation from CMMC Documentation:According to theCMMC Assessment Scope Level 2 Guide, allin-scope assetsmust be documented in the SSP, inventory, and network diagram.The only assets excluded are Out-of-Scope Assets.

Thus, the correct answer is:

C. All asset categories except for the Out-of-Scope Assets.

Understanding the Official CUI RegistryTheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies'CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:

✅Acomprehensive listof CUI categories and subcategories.

✅Details onwho can handle, store, and share CUI.

✅Guidance onCUI marking and safeguarding requirements.

TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.

32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.

Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.

The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.

Why "Official CUI Registry" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. 32 CFR Section 2002

❌Incorrect–Defines CUI program rules butdoes not listcategories.

B. Official CUI Registry

✅Correct – The registry contains the full list of CUI categories.

C. Executive Order 13556

❌Incorrect–Established the CUI program butdoes not maintain a category list.

D. Official CMMC Registry

❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.

National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.

32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.

Official References from CMMC 2.0 and Federal DocumentationFinal Verification and ConclusionThe correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies' CUI indices and categories.

TheLimited Practice Deficiency Correction Evaluationprocess occurs when anOrganization Seeking Certification (OSC)has undergone aCMMC Level 2 Assessmentby aCertified Third-Party Assessment Organization (C3PAO)and hasunresolved deficienciesin some security practices.

According toCMMC 2.0 policy and DFARS 252.204-7021, OSCs can still achieveInterim Certificationif they meet theminimum thresholdof security practices while addressing deficiencies through aPlan of Action & Milestones (POA&M).

TheCMMC 2.0 Interim Rulestates that an OSCmust meet at least 100 out of 110 practicesto qualify for aPOA&M-based remediation.

A maximum of 10 practices can be listed in the POA&Mfor later correction.

Failure to meet at least 100 practices results in failing the assessment outright, requiring a full reassessment after remediation.

The Lead Assessor can recommend POA&M placementonly if the OSC meets at least 100 practices.

Less than 100 practices scored as MET means the OSC does not qualify for a POA&Mand mustretest completely.

DFARS 252.204-7021 and CMMC 2.0 policiesconfirm the100-practice thresholdfor conditional certification.

A. 80 practices (Incorrect)– Falls well below the 100-practice requirement.

B. 88 practices (Incorrect)– Still below the POA&M eligibility threshold.

D. 110 practices (Incorrect)– While meeting 110 practices would be ideal,CMMC allows a POA&M option at 100 practices.

The correct answer isC. 100 practices, as this meets theminimum threshold for POA&M-based Interim Certification.

TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.

Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.