Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Exam Practice Test

Understanding Federal Contract Information (FCI)Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:

Is NOT intended for public release.

Is provided by or generated for the government under a contract.

Is necessary to develop or deliver a product or service to the government.

Excludes publicly available government information(such as information on public websites).

Excludes simple transactional information(e.g., necessary to process payments).

In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.

A. CDI (Controlled Defense Information)→ Incorrect

This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.

B. CTI (Cyber Threat Intelligence)→ Incorrect

This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.

C. CUI (Controlled Unclassified Information)→ Incorrect

CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.

D. FCI (Federal Contract Information)→Correct

The definition of FCI explicitly matches the description given in the question.

Why is the Correct Answer FCI (D)?

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Defines FCI and the required safeguards.

Establishes17 cybersecurity practicesfor FCI protection.

CMMC 2.0 Framework

Level 1 (Foundational)is required for contractors handlingFCI.

Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.

NIST SP 800-171 and DFARS 252.204-7012

FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.

CMMC 2.0 References Supporting this Answer:

Understanding CMMC Assessment MethodsTheCybersecurity Maturity Model Certification (CMMC) 2.0follows theNIST SP 800-171A assessment methodology, which includesthree primary assessment methods:

Examine– Reviewing policies, procedures, system configurations, and documentation.

Interview– Engaging with personnel to validate their understanding and execution of security practices.

Test– Conducting actual technical or operational tests to determine whether security controls function as expected.

"Test" is the method that compares actual-specified conditions with expected behavior.

It involvesexecuting procedures, configurations, or automated toolsto see if thesystem behaves as required.

For example, if a policy states that multi-factor authentication (MFA) must be enforced, a test would involveattempting to log in without MFAto confirm whether access is blocked as expected.

TheNIST SP 800-171A Guide (Assessment Procedures for CUI)defines testing as an assessment method that:

Actively verifies a security control is functioning

Simulates real-world attack scenarios

Checks compliance through system actions rather than documentation

B. Examine (Incorrect)

Examining only involvesreviewing policies, procedures, or configurationsbut does not actively test system behavior.

C. Compile (Incorrect)

"Compile" is not an assessment method in CMMC 2.0 or NIST SP 800-171A.

D. Interview (Incorrect)

Interviews are used to gather insights from personnel, but they do not compare actual conditions with expected behavior.

The correct answer isA. Testbecause itactively verifies system performance against expected security conditions.

Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.

What is Required for Compliance?

The organization must performrisk assessments on all assets and entities involved in handling CUI.

Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.

The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.

Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":

CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.

Risk assessmentsmust evaluate all areas that could impact CUI security, including:

Personnel security risks(e.g., insider threats, phishing attacks).

Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).

Physical security risks(e.g., unauthorized access to servers, storage rooms).

IT systems(e.g., networks, servers, cloud environments processing CUI).

A. "IT systems"→Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.

B. "Enterprise systems"→Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.

C. "CUI Marking processes"→Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.

This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

Understanding Multi-Function Device (MFD) Security in CMMCMulti-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.

Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.

VLAN Restrictions Provide Network Segmentation

VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.

Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.

Meets CMMC 2.0 Network Security Controls

Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.

Reducesthe risk of unauthorized access to scanned and printed FCI.

B. Single administrative account→Incorrect

Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.

C. Documentation showing MFD configuration→Incorrect

Documentation helps with compliance butdoes not actively restrict access.

D. Access lists only known to the IT administrator→Incorrect

Access lists should besystem-enforced, not just "known" to the administrator.

CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.

NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.

Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.

Understanding the CMMC Readiness Review ProcessALead Assessorconducting aCMMC Readiness Reviewevaluates whether anOrganization Seeking Certification (OSC)is prepared for a formal assessment.

After recording theassessment risk statusandoverall assessment feasibility, theminimum remaining criteriato be verified include:

Logistics Planning– Ensuring that the assessment timeline, locations, and necessary resources are in place.

Assessment Team Preparation– Confirming that assessors and required personnel are available and briefed.

Evidence Readiness– Ensuring the OSC has gathered all required artifacts and documentation for review.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Determine the practice pass/fail results.

Happensduringthe formal assessment, not the readiness review.

❌Incorrect

B. Determine the preliminary recommended findings.

Findings are only madeafterthe full assessment.

❌Incorrect

C. Determine the initial model practice ratings and record them.

Ratings are assigned during theassessment, not readiness review.

❌Incorrect

D. Determine the logistics, Assessment Team, and the evidence readiness.

✅Essential readiness criteria that must be confirmedbeforeassessment starts.

✅Correct

TheCMMC Assessment Process Guide (CAP)states that readiness review ensureslogistics, assessment team availability, and evidence readinessare verified.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Determine the logistics, Assessment Team, and the evidence readiness.This aligns withCMMC readiness review requirements.

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC AssessmentDuring aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

1. Understanding the Role of Assessment Objectives in CMMC 2.0Theassessment objectivesfor each CMMC practice define thespecific criteriathat an assessor uses to evaluate whether a practice is implemented correctly. These objectives break down each control into measurable components, ensuring a structured and consistent assessment process.

To determine where these objectives are best documented, we need to consider theofficial CMMC documentation sources.

2. Why Answer Choice "D" is Correct – CMMC Assessment Guide Levels 1 and 2TheCMMC Assessment Guide (Levels 1 & 2)is theprimary documentthat provides:

✅The detailedassessment objectivesfor each practice

✅A breakdown of the expectedevidence and implementation details

✅Step-by-stepassessment criteriafor assessors to verify compliance

Each CMMC practice in the Assessment Guide is aligned with the correspondingNIST SP 800-171 or FAR 52.204-21 control, and the guide specifies:

How to assess compliancewith each practice

What evidenceis required for validation

What stepsan assessor should follow

????Reference from Official CMMC Documentation:

CMMC Assessment Guide – Level 2 (Aligned with NIST SP 800-171)explicitly states:

"Each practice is assessed based on defined assessment objectives to determine if the practice is MET or NOT MET."

CMMC Assessment Guide – Level 1 (Aligned with FAR 52.204-21)provides similar objectives tailored for foundational cybersecurity requirements.

Thus,CMMC Assessment Guide Levels 1 & 2 are the BEST sources for assessment objectives.

3. Why Other Answer Choices Are IncorrectOption

Reason for Elimination

A. CMMC Glossary

❌The glossary only defines terminology used in CMMC but does not provide assessment objectives.

B. CMMC Appendices

❌The appendices contain supplementary details, but they do not comprehensively list assessment objectives for each practice.

C. CMMC Assessment Process (CAP)

❌While the CAP document describes the assessmentworkflow and methodology, it does not outline the specific objectives for each practice.

4. ConclusionTo locate thebest reference for assessment objectives, theCMMC Assessment Guide Levels 1 & 2are the most authoritative and detailed sources. They contain step-by-step assessment criteria, ensuring that practices are evaluated correctly.

✅Final Answer:

D. CMMC Assessment Guide Levels 1 and 2

CMMC Level 2 Readiness and Certification RequirementsCMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171's 110 security controls.

Key Readiness Indicators for a Level 2 Assessment:

The OSC must have implemented all 110 security practices from NIST SP 800-171.

Documented and validated cybersecurity policies and procedures must exist.

The OSC must be prepared to provide objective evidence (artifacts) proving compliance.

Why the OSC in the Question is Not Ready:

They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.

They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).

Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).

A. "Ready because there is no need to certify this company until after they win a DoD contract."

Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.

B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."

Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.

D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."

Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):

MP.L2-3.8.1 – Media Protection:Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.

Defense Innovation Unit

MP.L2-3.8.3 – Media Disposal:It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.

Defense Innovation Unit

Physical Protection (PE):

PE.L2-3.10.2 – Monitor Facility:Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.

Defense Innovation Unit

Application to the Scenario:

Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:

Reviewing the Evidence File:The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.

Printing the Evidence File:If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.

Making Notes:Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.

Disposal of Printed Materials:After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.

totem.tech

Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.

CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access.

This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.

The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.

Why the Correct Answer is "B. Adequate"?TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.

Definition of "Adequate" Evidence in CMMC:

Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.

TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.

If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.

Why Not the Other Options?

A. Official– While the evidence may come from an official source, the CMMCdoes not require evidence to be "official", only that it beadequateto confirm compliance.

C. Compliant– Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.

D. Subjective– CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.

CMMC 2.0 Scoping Guide (Nov 2021)– Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.

CMMC Assessment Process (CAP) Guide– Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice.

FAR 52.204-21– The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.

Relevant CMMC 2.0 References:Final Justification:The CCP’s statement that the evidence"fully reflects the performance of the practice"aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.

Understanding the Phases of the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Key Activities in Phase 1 – Pre-Assessment Phase

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

Why is the Correct Answer "Phase 1" (A)?

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

CMMC 2.0 References Supporting this Answer:

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Step-by-Step Breakdown:Final Validation from CMMC Documentation:TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.

Understanding the Role of a Registered Provider Organization (RPO)ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Why "Consulting Services" is the Correct Answer?Breakdown of Answer ChoicesOption

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

Understanding CMMC 2.0 Levels and Their DescriptionsTheCybersecurity Maturity Model Certification (CMMC) 2.0consists ofthree levels, each representing increasing cybersecurity maturity:

Level 1 – Foundational

Focuses onbasic cyber hygiene

Implements17 practicesaligned withFAR 52.204-21

Primarily protectsFederal Contract Information (FCI)

Level 2 – Advanced(Correct Answer)

Focuses onprotecting Controlled Unclassified Information (CUI)

Implements110 practicesaligned withNIST SP 800-171

Requirestriennial third-party assessments for critical programs

Level 3 – Expert

Focuses onadvanced cybersecurityagainstAPT (Advanced Persistent Threats)

ImplementsNIST SP 800-171 and additional NIST SP 800-172 controls

Requirestriennial government-led assessments

TheCMMC 2.0 framework explicitly describes Level 2 as "Advanced."

Italigns with NIST SP 800-171to ensure robustCUI protection.

A. Expert (Incorrect)– This describesLevel 3, not Level 2.

C. Optimizing (Incorrect)– Not a defined CMMC level description.

D. Continuously Improved (Incorrect)– CMMC does not use this terminology.

The correct answer isB. Advanced, which accurately describesCMMC Level 2.

Understanding CMMC Assessment ProceduresACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Why the Correct Answer is "C"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

Federal Contract Information (FCI) is defined inFAR 52.204-21as information provided by or generated for the government under contract but not intended for public release. UnderCMMC 2.0, organizations handling FCI must implementFAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection inprocessing, storing, and transmittingFCI.

Analyzing the Given OptionsThe question involves an email system that is used tosendFCI to a subcontractor. Let’s break down the possible answers:

A. Manage FCI→ Incorrect

Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.

B. Process FCI→ Incorrect

Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.

C. Transmit FCI→ Correct

Transmission refers to the act of sending FCI from one entity to another. Since the contractor issendingFCI via email, this falls undertransmittingthe data.

In the context of CMMC 2.0 assessments, thesufficiency criteriaare used to determine whether the assessment team has gathered enough evidence to support their conclusions about compliance with a given requirement.

Definition of Sufficiency Criteria:

Sufficiency refers to thequantityandcompletenessof the evidence collected during an assessment.

This ensures that the evidence collected isenough to support an objective and valid determinationof compliance.

Why Sufficiency Matters in CMMC 2.0:

Assessors must ensure that the amount of evidence collected isadequate to substantiate findingswithout doubt or gaps.

This prevents situations where an organization might claim compliance but lacks thenecessary documentation, technical evidence, or procedural validationto prove it.

Official CMMC 2.0 References:

TheCMMC Assessment Process (CAP) Guidedefines sufficiency as a key factor in validating assessment findings.

According toCMMC 2.0 Level 2 Scoping Guidance, assessors must apply sufficiency criteria when reviewingartifacts, documentation, interviews, and system configurations.

TheDoD CMMC Assessment Guide(aligned with NIST SP 800-171A) emphasizes that compliance decisions must besupported by a sufficient amount of verifiable evidence.

Comparison with Other Criteria:

Adequacy Criteria→ Focuses onqualityof the evidence, not the quantity.

Objectivity Criteria→ Ensures evidence isunbiased and impartial, not necessarily complete.

Subjectivity Criteria→ Not applicable in CMMC since assessments must beobjective and based on factual evidence.

Step-by-Step Breakdown:Conclusion:To verify compliance in CMMC 2.0 assessments, the assessment team must ensuresufficientevidence is available to support a determination. This makes"Sufficiency Criteria" (Option C)the correct answer.

Understanding DFARS Clause 252.204-7012TheDefense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012is a mandatory cybersecurity clause required inall DoD contracts and solicitationsthat involveControlled Unclassified Information (CUI).

Key Requirements of DFARS 252.204-7012✅Implements NIST SP 800-171security controls for contractors handlingCUI.

✅Requirescyber incident reportingto theDoD Cyber Crime Center (DC3)within72 hours.

✅Mandatesadequate security measuresto protectDoD information systems.

✅Applies toall DoD contracts, except for those exclusively acquiring COTS items.

Option A (Correct):DFARS 252.204-7012must be included in all DoD contracts and solicitationswhen CUI is involved.

Option B (Incorrect):FAR Part 12 procedures apply tocommercial item acquisitions, but DFARS 7012 appliesregardless of procurement procedures.

Option C (Incorrect):Contractssolely for COTS (Commercial Off-the-Shelf) productsare exemptfrom DFARS 7012.

Option D (Incorrect):COTS itemssold without modificationsarenot requiredto include DFARS 7012.

DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)

NIST SP 800-171– The required cybersecurity standard for contractors under DFARS 7012.

Why "All DoD Solicitations and Contracts" is Correct?Official References from DoD and DFARS DocumentationFinal Verification and ConclusionQUESTION NO: 128

A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?

A. Identify resources and schedule.

B. Select Assessment Team members.

C. Identify and manage assessment risks.

D. Select and develop the evidence collection approach.

Answer: A

ACertified Third-Party Assessor Organization (C3PAO)is responsible for conductingCMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop anAssessment Plan, which includes several key elements.

The part of the plan that captures:

✅Names of interviewees

✅Facilities to be utilized

✅Estimated costs

✅Assessment schedule

falls under the"Identify Resources and Schedule"section of the plan.

Step-by-Step Breakdown:✅1. Identify Resources and Schedule

This section of theCMMC Assessment Planoutlines:

Thepersonnelinvolved (e.g., interviewees, assessors).

Thelocationswhere the assessment will take place.

Thetimeline and scheduling details.

Theestimated costsassociated with the assessment.

This ensures that all necessaryresourcesare allocated and that the assessment proceeds as planned.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Select Assessment Team Members❌

This section focuses onchoosing the assessorswho will conduct the evaluation, not listing interviewees and facilities.

(C) Identify and Manage Assessment Risks❌

This part of the plandocuments risks(e.g., scheduling conflicts, data access issues), but it doesnot outline names, facilities, or costs.

(D) Select and Develop the Evidence Collection Approach❌

This step defineshowevidence will be gathered (e.g., document reviews, interviews, system testing) but doesnot focus on logistics.

Final Validation from CMMC Documentation:TheCMMC Assessment Process Guidestates thatresource identification and schedulingare essential for organizing the assessment. Since this sectioncaptures interviewees, facilities, costs, and the schedule, the correct answer is:

✅A. Identify resources and schedule.

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collectionswithin180 days.

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA&M with additional evidenceto demonstrate compliance.

Relevant CMMC 2.0 Reference:

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA&M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

Why is the Correct Answer 180 Days (B)?

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA&M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

CMMC 2.0 References Supporting this Answer:

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Breaking Down the Scenario:Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Understanding Configuration Management (CM) in CMMC Level 2InCMMC Level 2, theConfiguration Management (CM) domainis critical for ensuring that systems aresecurely configured, maintained, and monitoredto prevent unauthorized changes. One key aspect of CM is managinguser-installed software, which can introducesecurity risksif not properly controlled.

The correct approach to managinguser-installed softwarealigns withCM.3.068fromNIST SP 800-171, which requires organizations to:

✅Establish and enforce configuration settingsto ensure security.

✅Monitor and control user-installed softwareto prevent unauthorized or insecure applications from running on organizational systems.

Why "Controlled and Monitored" is Correct?The CCP (Certified CMMC Professional) conducting theinterviewshould focus on whether theuser-installed softwareiscontrolled and monitoredto align withCMMC Level 2 requirements. This means verifying:

Approval processesfor user-installed software.

Monitoring mechanisms(e.g., system logs, audits) to track software changes.

Policies that restrict unauthorized installationsto prevent security risks.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Controlled and monitored

✅Ensures compliance with CM.3.068, verifying that user-installed software ismanaged securely.

✅Correct

B. Removed from the system

Software isnot always removed—only unauthorized or risky software should be.

❌Incorrect

C. Scanned for malicious code

While scanning isimportant(covered in SI.3.218), it isnot the primary focusof Configuration Management.

❌Incorrect

D. Limited to mission-essential use only

While limiting software is useful,monitoring and controllingis the key security measure.

❌Incorrect

NIST SP 800-171, CM.3.068– "Control and monitor user-installed software."

CMMC 2.0 Level 2 Requirements– Directly aligned withNIST SP 800-171 security controls.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isA. Controlled and monitored, as perCM.3.068inNIST SP 800-171andCMMC 2.0documentation.

Understanding the Reporting Process in a CMMC 2.0 Level 2 AssessmentACMMC Level 2 Assessmentconducted by aCertified Third-Party Assessor Organization (C3PAO)follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to theOrganization Seeking Certification (OSC). The reporting process is outlined in theCMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.

Daily Checkpoints:

Throughout the assessment, the assessor team holdsdaily checkpoint meetingswith the OSC to provide updates on progress, observations, and preliminary findings.

These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.

Final Results Delivery:

Thefinal assessment resultsare typically shared during thefinal daily checkpointOR in aseparately scheduled findings and recommendations reviewmeeting.

This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.

TheCMMC Assessment Process (CAP) Guide, Section 4.5clearly states that assessment findings should be presentedeither at the last daily checkpoint or during a separately scheduled final review.

This aligns with best practices formaintaining transparency and ensuring the OSC has clarity on their assessment resultsbefore the final report submission.

Option A (End of every day)is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.

Option B (Daily and a separate final review)is misleading, as the CAP Guide allows assessors tochoosebetween the final daily checkpoint OR a separate findings review—not both.

Option D (After C3PAO approval)is incorrect because theC3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.

CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication

CMMC 2.0 Level 2 Assessment Process Overview

CMMC Assessment Final Report Guidelines

Assessment Communication StructureWhy Option C is CorrectOfficial CMMC Documentation ReferencesFinal VerificationBased on officialCMMC 2.0 documentation, thefinal assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.

AC3PAO (Certified Third-Party Assessment Organization)is responsible for conductingCMMC Level 2 assessments.

After completing theassessment, theC3PAO generates the Final Recommended Assessment Results, which include key documentation reviewed by theCMMC Quality Assurance Professional (CQAP)for quality control.

Who Has the Final Authority Over Assessment Results?During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.

Key Responsibilities of a C3PAO✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).

✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.

✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.

✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.

The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.

TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.

TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.

TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.

Why "C3PAO" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. C3PAO

✅Correct – C3PAOs finalize and submit assessment results.

B. CMMC-AB

❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.

C. Assessment Team

❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.

D. Assessment Sponsor

❌Incorrect–This is arepresentative of the OSC, not the assessment authority.

CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.

Understanding Access Control in CMMCAccess control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

B. Physical access control❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

Why the Other Answers Are Incorrect

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

CMMC Official ReferencesThus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

Understanding Specialized Assets in CMMCASpecialized Assetis defined asa system, device, or infrastructure component that is not a traditional IT system but still plays a role in cybersecurity or business operations.

Types of Specialized Assets (as per CMMC guidance):✔Operational Technology (OT)– Industrial control systems, SCADA systems.

✔Security Operations Centers (SOCs)– Dedicated cybersecurity monitoring and response centers.

✔IoT Devices– Smart sensors, embedded systems.

✔Restricted IT Systems– Systems with highly controlled access.

A. SOCs → Correct

Security Operations Centers (SOCs) are specialized cybersecurity environmentsused forthreat monitoring, detection, and response.

They oftenoperate outside standard IT infrastructureand are classified asspecialized assetsunder CMMC.

B. Hosted VPN services → Incorrect

VPN services are standard IT infrastructureanddo not qualify as specialized assets.

C. Consultants who provide cybersecurity services → Incorrect

Consultants are personnel, not specialized assets. Specialized assets refer tosystems, devices, or infrastructure.

D. All property owned or leased by the government → Incorrect

Government property is not automatically considered a specialized assetunder CMMC. Specialized assets refer tospecific IT or cybersecurity-related infrastructure.

Why is the Correct Answer "SOCs" (A)?

CMMC 2.0 Assessment Process (CAP) Document

DefinesSpecialized Assetsand includesSOCsin its examples.

CMMC-AB Guidelines

Listssecurity infrastructure like SOCsasSpecialized Assetsdue to their unique cybersecurity function.

NIST SP 800-171 & CMMC 2.0 Security Domains

Recognizesdedicated security monitoring environmentsas part of an organization's cybersecurity posture.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔A. SOCs (Security Operations Centers)

Understanding the Role of NIST SP 800-171 in CMMCNIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer ChoicesNIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

Understanding SI.L1-3.14.2: Provide Protection from Malicious CodeThe CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:

Implement malicious code protection(e.g., antivirus, endpoint security software).

Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).

Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).

Assessment Criteria for a "MET" Rating:To determine whether the practice isMET, the Lead Assessor must confirm that:

✔Antivirus or endpoint protection software is installedon all workstations and servers.

✔The solution is centrally managed, ensuring consistent policy enforcement.

✔Signature updates are current, meaning systems are protected against new threats.

✔Logs or reports demonstrate active monitoring and updates.

Why is the Correct Answer "A. It is sufficient, and the audit finding can be rated as MET"?The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:

✔All workstations and servers have antivirus installed→Meets installation requirement.

✔A centralized management console is in place→Ensures consistent enforcement.

✔Records show antivirus signatures are up to date→Confirms system protection is current.

Because the evidencemeets the requirement, the practice should berated as MET.

B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect

The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.

C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect

Ifadequate evidence already exists,additional evidence is unnecessary.

D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect

The evidence providedmeets the control requirements, making itsufficient.

Why Are the Other Answers Incorrect?

CMMC Assessment Process (CAP) Document

Specifies that a practice can be marked asMET if sufficient evidence is provided.

NIST SP 800-171 (Requirement 3.14.2)

Defines the standard formalicious code protection, which ismet by antivirus with active updates.

CMMC 2.0 Level 1 (Foundational) Requirements

Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔A. It is sufficient, and the audit finding can be rated as MET.

For a practice to beadequately implementedin aCMMC Level 2 assessment, theresponsible personnel must demonstrate knowledge of deployment, maintenance, and operationof security tools such asantivirus programs. Simply having the tool in place isnot sufficient—there must be evidence that it isproperly configured, updated, and monitoredto protect against threats.

Step-by-Step Breakdown:✅1. Relevant CMMC and NIST SP 800-171 Requirements

CMMC Level 2 aligns with NIST SP 800-171, which includes:

Requirement 3.14.5 (System and Information Integrity - SI-3):

"Employautomatedmechanisms toidentify, report, and correctsystem flaws in a timely manner."

Requirement 3.14.6 (SI-3(2)):

"Employautomated toolsto detect and prevent malware execution."

These requirements imply that theperson responsible for antivirus must understand how it is deployed and maintainedto ensure compliance.

✅2. Why the Team Member’s Knowledge is Insufficient

Antivirus tools requireregular updates,configuration adjustments, andmonitoringto function properly.

The responsible team member must:

Knowhow the antivirus was deployedacross systems.

Be able toconfirm updates, logs, and alerts are monitored.

Understand how torespond to malware detectionsand failures.

If the team member lacks this knowledge, assessors maydetermine the practice is not fully implemented.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Yes, the antivirus program is available, so it is sufficient.❌

Incorrect:Just having antivirus softwareinstalleddoes not prove compliance. It must bemanaged and maintained.

(B) Yes, antivirus programs are automated to run independently.❌

Incorrect:While automation helps, security toolsrequire oversight, updates, and configuration.

(D) No, the team member's interview answers about deployment and maintenance are insufficient.❌

Partially correct but incomplete:Themain issueis that the team membermust have sufficient knowledge, not just that their answers are weak.

Final Validation from CMMC Documentation:TheCMMC Assessment Guide for SI-3 and SI-3(2)states that personnel mustunderstand the function, deployment, and maintenance of security toolsto ensure proper implementation.

Thus, the correct answer is:

Background on Legacy Markings and CUI

Legacy markings refer to classification labels used before the implementation of theControlled Unclassified Information (CUI) ProgramunderDoD Instruction 5200.48.

Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align withCUI requirements.

When Must Legacy Markings Be Updated?

If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.

If the document is classified as Secret (Answer B - Incorrect): This question is aboutCUI, not classified information. Secret-level documents follow different marking rules underDoD Manual 5200.01.

If a document is being shared externally (Answer C - Correct):

According toDoD Instruction 5200.48, Section 3.6(a), organizations mustreview legacy markings before sharing documents outside the organization.

The document must bere-markedin compliance with the CUI Program before dissemination.

If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.

Conclusion

The correct answer isC: Documents with legacy markings must bere-marked or redacted when being shared outside the organizationto comply with DoD CUI guidelines.

Understanding the Final Review Process in a CMMC AssessmentDuring aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

Understanding Affirmations in a CMMC AssessmentAffirmations are a type ofevidencecollected during aCMMC assessmentto confirm compliance with required practices. Affirmations are typically collected from:

✅Interviews– Conversations with personnel implementing security practices.

✅Demonstrations– Observing the practice in action.

✅Emails and Messaging– Written communications confirming compliance efforts.

✅Presentations– Documents or briefings explaining security implementations.

✅Screenshots–Visual evidenceof system configurations and security measures.

TheCMMC Assessment Process (CAP) Guidestates that assessors may collectaffirmations via various communication methods, including emails, messaging, and presentations.

Screenshotsare an additional valid form ofobjective evidenceto confirm compliance.

Options A and B are incorrectbecause emails and messaging are explicitlyallowedforms of affirmation.

Option C is incompletebecause it does not mention screenshots, which are also considered valid evidence.

Why "Yes, the affirmations collected by the assessor are all appropriate, as are screenshots" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. No, emails are not appropriate affirmations.

❌Incorrect–Emailsarea valid affirmation method.

B. No, messaging is not an appropriate affirmation.

❌Incorrect–Messagingisallowed for collecting affirmations.

C. Yes, the affirmations collected by the assessor are all appropriate.

❌Incorrect–Screenshots should also be considered valid evidence.

D. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.

✅Correct – Screenshots are also a valid form of affirmation.

CMMC Assessment Process Guide (CAP)– Defines allowable evidence collection methods, including affirmations through written communication.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.This aligns withCMMC 2.0 assessment proceduresfor collecting affirmations.

 Understanding CMMC Assessment Requirements

CMMC assessments usethree assessment methodsto verify compliance with security practices:

Examine– Reviewing documentation, policies, logs, or records.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Verifying through technical or operational means that the practice is being performed.

 Assessment Findings in the Given Scenario

Practice is documented as occurring monthly, but logs show quarterly execution.

Interviews indicate monthly execution, but documentation does not support this claim.

 Why the Organization Fails the Practice

Answer A (Incorrect): The work is being performed, but documentation is lacking, so the failure is not purely due to missing execution.

Answer B (Incorrect): The documented frequency does not match the evidence in logs, so the practice is not being done asfully documented.

Answer C (Correct):CMMC requires all three assessment methods (Examine, Interview, Test) to align. Since logs contradict the stated frequency, the practicefailscompliance.

Answer D (Incorrect): Interview responses alone are not enough. The CMMCCAP GuideandNIST SP 800-171Arequire corroboration with logs (Examine) and technical verification (Test).

 Conclusion

The correct answer isC: To pass a practice, the organization mustprovide evidence across all three assessment methods.

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

ACMMC Level 2 Assessmentis conducted by aC3PAO (Certified Third-Party Assessment Organization)to determine whether theOrganization Seeking Certification (OSC)meets all required110 NIST SP 800-171 controls.

Before submitting the results, theC3PAO must complete a final briefing between the Lead Assessor and the OSCto review findings and clarify any concerns.

A. Pay an assessment submission fee→Incorrect

There is no mandatory submission fee for assessment results.Fees apply to the assessment process, not submission.

B. Complete an internal review of the results→Incorrect

While internal reviews are encouraged, they arenot a required step before submissionin CMMC assessment procedures.

C. Notify the CMMC-AB that submission is forthcoming→Incorrect

TheC3PAO submits results to the CMMC-AB through the CMMC eMASS system, but prior notification isnot a required procedural step.

D. Coordinate a final briefing between the Lead Assessor and the OSC→Correct

According toCMMC Assessment Process (CAP) guidelines, theLead Assessor must conduct a final briefing with the OSCbefore submitting the results.

This briefing ensures transparency, provides OSC with insight into the findings, and allows for final clarifications.

CMMC Assessment Process (CAP) v1.0

Requires afinal briefing between the Lead Assessor and the OSC before submitting assessment results.

CMMC-AB and C3PAO Process Requirements

TheLead Assessor must communicate final findings with the OSC before submission to CMMC-AB.

Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:The correct answer is:

✅D. Coordinate a final briefing between the Lead Assessor and the OSC.

CCP (Certified CMMC Professional):

Entry-level certification in the CMMC ecosystem.

Supports assessment activities under the supervision of a CCA.

May assist in consulting roles outside of formal assessments.

CCA (Certified CMMC Assessor):

Certified tolead assessmentsunder the CMMC model.

Requiredfor conductingLevel 2 formal assessments.

Can be part of a C3PAO assessment team or lead it.

Step 1: Define Roles – CCP and CCASource: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition

“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”

✅Step 2: Citizenship RequirementsCAP v1.0 – Appendix B: Team Composition and Clearance Requirements

“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”

But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.

So:

TheCCA leadsthe team.

CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.

A. The CCP leads the Level 2 Assessment Team…✘ Incorrect. CCPscannot leadLevel 2 assessments.

B. The CCA leads… includes 3 CCP with US Citizenship.✘ Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.

D. The CCP leads…✘ Again, CCPs donot have the authority to leadformal CMMC assessments.

❌Why the Other Options Are Incorrect

Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.

TheCMMC Assessment Guideis the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g.,CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.

CMMC Assessment Guide (Primary Source for Evidence)

TheCMMC Assessment Guideexplicitly outlines the evidence required to verify compliance with each practice.

It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.

The guide breaks down each practice intoassessment objectives, helping organizations prepare appropriate documentation and artifacts.

Other Documents and Why They Are Not the Best Choice:

NIST SP 800-53 (Option A)

WhileNIST SP 800-53provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.

It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.

NIST SP 800-53A (Option B)

NIST SP 800-53Aprovides guidance on assessing security controls but is not tailored to the CMMC framework.

It includes general control assessment procedures, but theCMMC Assessment Guideis more precise in defining the evidence needed for CMMC compliance.

CMMC Assessment Scope (Option C)

TheCMMC Assessment Scopedocument outlines which systems, assets, and processes are subject to assessment.

While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.

CMMC Assessment Guide (Level 2) – Section on "Assessment Objectives"

This document details how evidence is collected and evaluated for each CMMC practice.

Example: ForAC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.

CMMC Model Overview (Official DoD Documents)

Emphasizes thatCMMC Assessment Guidesare the official reference for determining sources of evidence.

Detailed Justification:References from Official CMMC Documents:Conclusion:TheCMMC Assessment Guideis the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.

Understanding Licensed Training Providers (LTPs) in CMMCALicensed Training Provider (LTP)is an entity that is authorized by theCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)todeliver CMMC trainingbased on anapproved curriculum.

Provides CMMC-AB-approved training programsfor individuals seeking CMMC certifications.

Uses an official CMMC curriculumthat aligns with theCMMC Body of Knowledge (BoK)and other CMMC-AB guidance.

Prepares students for CMMC roles, such asCertified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).

Key Responsibilities of an LTP:

A. Creates DoD-licensed training → Incorrect

TheCMMC-AB, not the DoD, manages LTP licensing. LTPsdo not create new training contentbut mustfollow an approved curriculum.

B. Instructs a curriculum approved by CMMC-AB → Correct

LTPsteacha curriculum that has beenapproved by the CMMC-AB, ensuring consistency in CMMC training.

C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect

LTPs provide training, not testing. Testing is handled byLicensed Partner Publishers (LPPs)and exam bodies.

D. Delivers training using some CMMC body of knowledge objectives → Incorrect

LTPs mustfully adhereto theCMMC-AB-approved curriculum, not just "some" objectives.

Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?

CMMC-AB Licensed Training Provider (LTP) Program Guidelines

Defines LTPs as entities thatdeliver CMMC-AB-approved training programs.

CMMC Body of Knowledge (BoK)

Specifies that training must follow theCMMC-AB-approved curriculumto ensure standardization.

CMMC-AB Training & Certification Framework

Requires LTPs todeliver structured training that meets CMMC-AB guidelines.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔B. Instructs a curriculum approved by CMMC-AB

UnderCMMC 2.0 Level 2, which aligns with the requirements ofNIST SP 800-171, maintaining robust control overnonlocal maintenance sessionsis critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined inControl 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connectionsmust be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference:NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must includeat least two factors(e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document amaintenance policyand ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections:Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions:Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details:While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement toterminate nonlocal maintenance sessions after maintenance is complete(Option A) is critical for compliance withCMMC 2.0 Level 2andNIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.

What is Required in the CMMC Assessment Kickoff and Opening Briefing?Before starting aCMMC assessment, theLead Assessormust present anopening briefingto ensure that theOrganization Seeking Certification (OSC)understands the assessment process.

Step-by-Step Breakdown:✅1. Overview of the Assessment Process

The Lead Assessormust explain the CMMC assessment methodology, including:

Theassessment objectives and scope

How theassessment team will review security controls

What to expectduring interviews, testing, and document review

This ensurestransparency and alignmentbetween the assessors and the OSC.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Gathering Evidence❌

Evidence collection is part of the assessment butnot the primary topic of the opening briefing.

(B) Review of the OSC's SSP❌

While theSSP is a key document, reviewing it is part of the assessment,not the kickoff briefing.

(D) Examination of the artifacts for sufficiency❌

Artifact review happens laterin the assessment process,not during the kickoff.

TheCMMC Assessment Process Guidestates that theopening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅C. Overview of the assessment process.

The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.

This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.

Who Should Be Interviewed During a CMMC Assessment?During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:

✅Implementsthe practice (directly responsible for executing it).

✅Performsthe practice (carries out day-to-day security operations).

✅Supportsthe practice (provides necessary resources or oversight).

Theassessor needs direct insightsfrom individuals actively involved in the practice.

Funding (Option A)does not providetechnical or operationalinsight into practice execution.

Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.

Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.

Why "Implements, Performs, or Supports That Practice" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Funds that practice.

❌Incorrect–Funding is important but doesnot mean direct involvement.

B. Audits that practice.

❌Incorrect–Auditors check compliance but donot implementpractices.

C. Supports, audits, and performs that practice.

❌Incorrect–Auditing isnot a requirementfor interviewees.

D. Implements, performs, or supports that practice.

✅Correct – The interviewee must have direct involvement in execution.

CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.

Understanding the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.

Understanding NIST SP 800-88 Rev. 1 and Media SanitizationTheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.

Scoping determineswhich system components must comply with CMMC practices.

If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.

CMMC Applies to Contractors, Not Federal Systems

CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.

Federal systems arealready governed by NIST SP 800-53and other regulations.

Scope Includes Systems That Process CUI AND Those That Protect Them

Systemsprocessing, storing, or transmitting CUIare in scope.

Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.

A. Federal systems that process, store, or transmit CUI.→Incorrect

CMMCdoes not apply to federal systems.

B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete

Itexcludes security systemsthat protect CUI assets, whichare also in scope.

C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect

CMMConly applies to nonfederal systems.

CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.

NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.

DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.

Understanding Scoping in CMMC 2.0Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.

Understanding Assessment Methods in CMMC 2.0According to theCMMC Assessment Process (CAP) Guide, assessors usethree primary assessment methodsto determine compliance with security practices:

Examine– Reviewing documents, policies, configurations, and system records.

Interview– Speaking with personnel to gather insights into security processes.

Test– Performing technical validation of system functions and security controls.

TheAssessment Team Memberis inspectingAssessment Objects(e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient forAC.L1-3.1.1 (Access Control – Authorized Users).

This activity aligns directly with theExaminemethod, which involves reviewing artifacts such as:

Access control lists (ACLs)

System user authentication logs

Account management policies

Role-based access control settings

"Observe" (Option B)is incorrect because "observing" is not an official assessment method in CMMC.

"Test" (Option A)is incorrect because the assessment is not actively executing a function but ratherreviewingevidence.

"Interview" (Option D)is incorrect because no personnel are being questioned—only documentation is being reviewed.

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods

CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)

Why Option C (Examine) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince the activity involves reviewing documents and records to verify access control measures, it falls under theExaminemethod, makingOption C the correct answer.