Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Practice Test
Certified CMMC Professional (CCP) Exam Questions and Answers
In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?
Options:
A. All recorded digital documents
B. All digital and recorded paper documents
C. All digital documents and recorded media
D. All recorded information, regardless of form or characteristics
Answer: D
Explanation:
Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.
Reference Documents:
Title 44, U.S. Code, Chapter 33: Records Management
NARA Records Management Directive
A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?
Options:
A. FCI Assets
B. Specialized Assets
C. Out-of-Scope Assets
D. Operational Technology Assets
Answer: C
Explanation:
Understanding CMMC Asset Categorization
The CMMC 2.0 Scoping Guide defines how assets are categorized based on their involvement with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In this scenario:
The government services division interacts with federal clients and receives FCI, making its assets in-scope for CMMC Level 1.
The commercial services division interacts only with non-federal clients and does not handle FCI; this means its assets are not subject to CMMC Level 1 requirements and should be classified as Out-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per the CMMC Scoping Guide, assets that:
✅ Do not store, process, or transmit FCI/CUI
✅ Do not directly impact the security of in-scope assets
✅ Are completely segregated from the FCI/CUI environment
are classified as Out-of-Scope Assets.
Since the commercial services division only processes publicly available information and has no interaction with FCI, its assets are out-of-scope for the CMMC Level 1 assessment.
Why the Other Answers Are Incorrect
A. FCI Assets
❌ Incorrect. FCI assets are only those that store, process, or transmit FCI. The commercial services division does not handle FCI, so its assets do not qualify.
B. Specialized Assets
❌ Incorrect. Specialized assets refer to Internet of Things (IoT), Operational Technology (OT), and test equipment. These do not apply to a general commercial services division.
D. Operational Technology Assets
❌ Incorrect. Operational Technology (OT) Assets involve industrial control systems, SCADA, and manufacturing equipment, which are not relevant to this scenario.
CMMC Official References
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option C (Out-of-Scope Assets) is the correct answer based on official CMMC scoping guidance.
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
Options:
A. Have a security clearance
B. Be a senior person in the company
C. Demonstrate expertise on the CMMC requirements
D. Provide clarity and understanding of their practice activities
Answer: D
Explanation:
Per the CMMC Assessment Process (CAP), when planning an assessment, the Lead Assessor must coordinate with the Organization Seeking Certification (OSC) to select interview participants who can provide clarity and understanding of their practice activities. The intent is to interview individuals directly involved with and knowledgeable about the processes and practices under review, rather than selecting personnel based solely on rank, clearance, or formal expertise in CMMC.
This ensures the assessment is evidence-based and grounded in how practices are actually performed within the OSC.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
Which standard and regulation requirements are the CMMC Model 2.0 based on?
Options:
A. NIST SP 800-171 and NIST SP 800-172
B. DFARS, FIPS 100, and NIST SP 800-171
C. DFARS, NIST, and Carnegie Mellon University
D. DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University
Answer: A
Explanation:
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is primarily based on two key National Institute of Standards and Technology (NIST) Special Publications:
NIST SP 800-171 – "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations"
NIST SP 800-172 – "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"
Reference and Breakdown:
NIST SP 800-171
This document is the core foundation of CMMC 2.0 and establishes the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems.
The 110 security controls from NIST SP 800-171 Rev. 2 are mapped directly to CMMC Level 2.
NIST SP 800-172
This supplement includes enhanced security requirements for organizations handling high-value CUI that faces advanced persistent threats (APTs).
These enhanced requirements apply to CMMC Level 3 under the 2.0 model.
Eliminating Incorrect Answer Choices:
B. DFARS, FIPS 100, and NIST SP 800-171 → Incorrect
While DFARS 252.204-7012 mandates compliance with NIST SP 800-171, FIPS 100 does not exist as a relevant cybersecurity standard.
C. DFARS, NIST, and Carnegie Mellon University → Incorrect
CMMC is aligned with DFARS and NIST but is not developed or directly influenced by Carnegie Mellon University.
D. DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University → Incorrect
Again, FIPS 100 is not relevant, and Carnegie Mellon University is not a defining entity in the CMMC framework.
Official CMMC 2.0 References Supporting the Answer:
CMMC 2.0 Scoping Guide (2023) confirms that CMMC Level 2 is entirely based on NIST SP 800-171.
CMMC 2.0 Level 3 Draft Documentation explicitly references NIST SP 800-172 for enhanced security requirements.
DoD Interim Rule (DFARS 252.204-7021) mandates that organizations meet NIST SP 800-171 for CUI protection.
Final Conclusion:
The CMMC 2.0 model is derived solely from NIST SP 800-171 and NIST SP 800-172, making Answer A the only correct choice.
A server is used to store FCI with a cloud provider long-term. What is the server considered?
Options:
A. In scope, because the cloud provider will be storing the FCI data
B. Out of scope, because the cloud provider stores the FCI data long-term
C. In scope, because the cloud provider is required to be CMMC Level 2 certified
D. Out of scope, because encryption is always used when the cloud provider stores the FCI data
Answer: A
Explanation:
Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.
Supporting Extracts from Official Content:
CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”
CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.
Why Option A is Correct:
The server stores FCI, making it automatically in scope.
Option B is incorrect because long-term storage does not make an asset out of scope.
Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.
Option D is incorrect because encryption does not remove scope requirements.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1.
CMMC Model v2.0, Scoping and Implementation guidance.
An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI, identified stakeholders, and provided assessment logistics. The OSC has provided the company's cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals. Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?
Options:
A. Ready because there is no need to certify this company until after they win a DoD contract.
B. Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract.
C. Not ready because the OSC still lacks artifacts that prove they have implemented all the CMMC Level 2 Assessment requirements.
D. Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification.
Answer: C
Explanation:
CMMC Level 2 Readiness and Certification Requirements
CMMC Level 2 is required for Organizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI) and aligns with NIST SP 800-171's 110 security controls.
Key Readiness Indicators for a Level 2 Assessment:
The OSC must have implemented all 110 security practices from NIST SP 800-171.
Documented and validated cybersecurity policies and procedures must exist.
The OSC must be prepared to provide objective evidence (artifacts) proving compliance.
Why the OSC in the Question is Not Ready:
They have not won a DoD contract yet → This means they do not yet have a contractually defined CUI environment, which is the foundation for defining their security scope.
They have only provided FCI-related artifacts (e.g., visitor logs, workstation policies, FedRAMP configurations).
Lack of full documentation of CMMC Level 2 controls → The assessment requires evidence for all 110 security practices (e.g., system security plans, incident response records, security awareness training documentation).
Clarification of Incorrect Options:
A. "Ready because there is no need to certify this company until after they win a DoD contract."
Incorrect → Some organizations seek certification proactively before winning contracts. However, readiness depends on implementing all 110 required controls, not contract status alone.
B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."
Incorrect → CMMC Level 2 focuses on CUI, not just FCI. While FCI protection is important, the assessment's focus is on CUI security requirements, which are not fully addressed by the provided artifacts.
D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."
Incorrect → While it is commendable that the OSC is being proactive, readiness is based on full compliance with NIST SP 800-171, not just intent.
Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave have been met?
Options:
A. OSC
B. Assessment Team
C. Authorizing official
D. Assessment official
Answer: B
Explanation:
Per the CMMC Assessment Process (CAP), the Assessment Team is responsible for determining the adequacy and sufficiency of evidence collected during the assessment. The team validates whether practices and components for each in-scope Host Unit, Supporting Organization, or enclave meet the target CMMC level. The OSC (Organization Seeking Certification) provides evidence, but only the Assessment Team makes the verification and scoring determination.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?
Options:
A. Least privilege
B. Essential concern
C. Least functionality
D. Separation of duties
Answer: C
Explanation:
Understanding the Principle of Least Functionality in the CM Domain
The Configuration Management (CM) domain in CMMC 2.0 focuses on maintaining the security and integrity of an organization's systems through controlled configurations and restrictions on system capabilities.
The principle of Least Functionality refers to limiting a system's features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.
Justification for the Correct Answer: Least Functionality (C)
CMMC Practice CM.L2-3.4.6 (Use Least Functionality) explicitly states:
"Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
The goal is to prevent unauthorized or unnecessary applications, services, and ports from running on the system.
Examples of Implementation:
Disabling unnecessary services, such as remote desktop access if not required.
Restricting software installation to approved applications.
Blocking unused network ports and protocols.
Why Other Options Are Incorrect
A. Least Privilege
This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.
It is relevant to CMMC Practice AC.L2-3.1.5 (Least Privilege) but does not define system capabilities.
B. Essential Concern
There is no officially recognized cybersecurity principle called "Essential Concern" in CMMC, NIST, or related frameworks.
D. Separation of Duties
This principle (covered under CMMC AC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.
While important for security, it does not define essential system capabilities.
Official CMMC and NIST References
CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain
CM.L2-3.4.6 mandates least functionality to enhance security by removing unnecessary features.
NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6
States: "Limit system functionality to only the essential capabilities required for organizational missions or business functions."
NIST SP 800-53 – Control CM-7 (Least Functionality)
Provides detailed recommendations on configuring systems to operate with only necessary features.
Conclusion
The principle of Least Functionality (C) is the basis for defining essential system capabilities in the Configuration Management (CM) domain of CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.
A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?
Options:
A. IoT
B. Restricted IS
C. Test equipment
D. Government property
Answer: B
Explanation:
Understanding Restricted Information Systems (IS) in CMMC Scoping
In CMMC 2.0, Specialized Assets refer to assets that do not fit traditional IT system categories but still play a role in processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories of Specialized Assets in the CMMC Scoping Guide include:
Internet of Things (IoT) Devices – Smart or network-connected devices.
Restricted Information Systems (Restricted IS) – Systems that are contractually required to be configured to government specifications.
Test Equipment – Devices used for specialized testing or measurement.
Government Property – Equipment owned by the U.S. Government but used by contractors.
Why "B. Restricted IS" is Correct
The contractor-owned systems in question are configured based on government requirements and used to support a DoD contract.
Restricted IS assets are contractually required to meet government security requirements and handle DoD-related information.
These systems do not fall under general IT assets but instead require special handling, making them a Restricted IS per the CMMC Scoping Guide.
Why Other Answers Are Incorrect
A. IoT (Incorrect)
IoT devices include smart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.
C. Test Equipment (Incorrect)
The contractor's systems are used for handling FCI, not for testing or measurement.
D. Government Property (Incorrect)
The systems are contractor-owned, not owned by the U.S. Government, so they do not qualify as Government Property.
Conclusion
The correct answer is B. Restricted IS, as the systems are contractor-owned but must follow DoD security requirements.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
Options:
A. DoD
B. CISA
C. NIST
D. CMMC-AB
Answer: A
Explanation:
Step 1: Understanding the Role of the DoD in CMMC
The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0.
This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?
Options:
A. Completion dates
B. Milestones to measure progress
C. Ownership of who is accountable for ensuring plan performance
D. Budget requirements to implement the plan's remediation actions
Answer: D
Explanation:
Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.
Key Elements of a Plan of Action (POA)
According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:
Completion Dates: Identifies target deadlines for resolving deficiencies.
Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.
Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.
What is Generally NOT Part of a POA?
Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broader project management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.
Supporting Reference
NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.
CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.
By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.
Who makes the final determination of the assessment method used for each practice?
Options:
A. CCP
B. OSC
C. Site Manager
D. Lead Assessor
Answer: D
Explanation:
Who Determines the Assessment Method for Each Practice?
In a CMMC Level 2 Assessment, the Lead Assessor has the final authority in determining the assessment method used to evaluate each practice.
Key Responsibilities of the Lead Assessor
✅ Ensures the CMMC Assessment Process (CAP) Guide is followed.
✅ Determines whether a practice is evaluated using interviews, demonstrations, or document reviews.
✅ Directs the Certified CMMC Professionals (CCPs) and other assessors on the methodology for gathering evidence.
✅ Works under a Certified Third-Party Assessment Organization (C3PAO) to ensure proper assessment execution.
Why "Lead Assessor" is Correct
CCP (Option A) assists in the assessment but does not make final decisions on methods.
OSC (Option B) is the Organization Seeking Certification, and they do not control assessment methodology.
Site Manager (Option C) may coordinate logistics but has no authority over assessment decisions.
Breakdown of Answer Choices
A. CCP: ❌ Incorrect. A CCP assists but does not determine assessment methods.
B. OSC: ❌ Incorrect. The OSC is being assessed and does not decide assessment methods.
C. Site Manager: ❌ Incorrect. The Site Manager handles logistics but does not control assessment methods.
D. Lead Assessor: ✅ Correct. The Lead Assessor has the final say on the assessment method used.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) – Defines the Lead Assessor's role in determining assessment methods.
Final Verification and Conclusion
The correct answer is D. Lead Assessor, as they have final decision-making authority over the assessment methodology.
Which method facilitates understanding by analyzing gathered artifacts as evidence?
Options:
A. Test
B. Examine
C. Behavior
D. Interview
Answer: B
Explanation:
The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.
Supporting Extracts from Official Content:
CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”
Why Option B is Correct:
Examine = analyzing artifacts.
Interview = discussions with personnel.
Test = executing technical checks.
Behavior is not an assessment method.
References (Official CMMC v2.0 Content):
CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).
When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?
Options:
A. OSC
B. C3PAO
C. C3PAO and OSC
D. OSC and Lead Assessor
Answer: B
Explanation:
The CAP specifies that the C3PAO is responsible for assigning the Lead Assessor to an OSC’s assessment. While the OSC contracts with the C3PAO, the authority to appoint the Lead Assessor resides solely with the C3PAO.
Supporting Extracts from Official Content:
CAP v2.0, Assessment Team Composition (§2.10): “The C3PAO shall designate a qualified Lead Assessor to lead the assessment.”
Why Option B is Correct:
Only the C3PAO has the authority to select and assign the Lead Assessor.
The OSC may influence scheduling and planning but cannot appoint assessors.
Options A, C, and D are inconsistent with CAP requirements.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Assessment Team Roles and Responsibilities (§2.10).
Which document BEST determines the existence of FCI and/or CUI in scoping an assessment with an OSC?
Options:
A. OSC SSP
B. OSC POA&M
C. OSC Evidence
D. OSC Contract with DoD
Answer: D
Explanation:
Understanding DFARS Clause 252.204-7012
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 is a mandatory cybersecurity clause required in all DoD contracts and solicitations that involve Controlled Unclassified Information (CUI).
Key Requirements of DFARS 252.204-7012
✅ Implements NIST SP 800-171 security controls for contractors handling CUI.
✅ Requires cyber incident reporting to the DoD Cyber Crime Center (DC3) within 72 hours.
✅ Mandates adequate security measures to protect DoD information systems.
✅ Applies to all DoD contracts, except for those exclusively acquiring COTS items.
Why "All DoD Solicitations and Contracts" is Correct
Option A (Correct): DFARS 252.204-7012 must be included in all DoD contracts and solicitations when CUI is involved.
Option B (Incorrect): FAR Part 12 procedures apply to commercial item acquisitions, but DFARS 7012 applies regardless of procurement procedures.
Option C (Incorrect): Contracts solely for COTS (Commercial Off-the-Shelf) products are exempt from DFARS 7012.
Option D (Incorrect): COTS items sold without modifications are not required to include DFARS 7012.
Official References from DoD and DFARS Documentation
DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
NIST SP 800-171 – The required cybersecurity standard for contractors under DFARS 7012.
Final Verification and Conclusion
Which document is the BEST source for determining the sources of evidence for a given practice?
Options:
A. NIST SP 800-53
B. NIST SP 800-53A
C. CMMC Assessment Scope
D. CMMC Assessment Guide
Answer: D
Explanation:
The CMMC Assessment Guide is the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g., CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.
Detailed Justification:
CMMC Assessment Guide (Primary Source for Evidence)
The CMMC Assessment Guide explicitly outlines the evidence required to verify compliance with each practice.
It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.
The guide breaks down each practice into assessment objectives, helping organizations prepare appropriate documentation and artifacts.
Other Documents and Why They Are Not the Best Choice:
NIST SP 800-53 (Option A)
While NIST SP 800-53 provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.
It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.
NIST SP 800-53A (Option B)
NIST SP 800-53A provides guidance on assessing security controls but is not tailored to the CMMC framework.
It includes general control assessment procedures, but the CMMC Assessment Guide is more precise in defining the evidence needed for CMMC compliance.
CMMC Assessment Scope (Option C)
The CMMC Assessment Scope document outlines which systems, assets, and processes are subject to assessment.
While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.
References from Official CMMC Documents:
CMMC Assessment Guide (Level 2) – Section on "Assessment Objectives"
This document details how evidence is collected and evaluated for each CMMC practice.
Example: For AC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.
CMMC Model Overview (Official DoD Documents)
Emphasizes that CMMC Assessment Guides are the official reference for determining sources of evidence.
Conclusion:
The CMMC Assessment Guide is the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.
Which NIST SP discusses protecting CUI in nonfederal systems and organizations?
Options:
A. NIST SP 800-37
B. NIST SP 800-53
C. NIST SP 800-88
D. NIST SP 800-171
Answer: D
Explanation:
Understanding the Role of NIST SP 800-171 in CMMC
NIST Special Publication (SP) 800-171 is the definitive standard for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It provides security requirements that organizations handling CUI must implement to protect sensitive government information.
This document is the foundation of CMMC 2.0 Level 2 compliance, which aligns directly with NIST SP 800-171 Rev. 2 requirements.
Breakdown of Answer Choices
A. NIST SP 800-37 (Risk Management Framework (RMF)): Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.
B. NIST SP 800-53 (Security and Privacy Controls for Federal Systems): Provides security controls for federal information systems, not specifically tailored to nonfederal organizations handling CUI.
C. NIST SP 800-88 (Guidelines for Media Sanitization): Covers secure data destruction and disposal, not overall CUI protection.
D. NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations): ✅ Correct Answer. Directly addresses CUI protection in contractor systems.
Key Requirements from NIST SP 800-171
The document outlines 110 security controls grouped into 14 families, including:
Access Control (AC) – Restrict access to authorized users.
Audit and Accountability (AU) – Maintain system logs and monitor activity.
Incident Response (IR) – Establish an incident response plan.
System and Communications Protection (SC) – Encrypt CUI in transit and at rest.
These controls serve as the baseline requirements for organizations seeking CMMC Level 2 certification to work with CUI.
Official Reference from CMMC 2.0 Documentation
CMMC 2.0 Level 2 aligns directly with NIST SP 800-171 Rev. 2.
DoD contractors that handle CUI must comply with all 110 controls from NIST SP 800-171.
Final Verification and Conclusion
The correct answer is D. NIST SP 800-171, as this document explicitly defines the cybersecurity requirements for protecting CUI in nonfederal systems and organizations.
Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?
Options:
A. Availability
B. Confidentiality
C. Information Integrity
D. Respect for Intellectual Property
Answer: B
Explanation:
The requirement to exercise due care in protecting information gathered during an assessment aligns with the principle ofConfidentialityunder theCMMC Code of Professional Conduct (CoPC). This ensures that sensitive assessment data, findings, and any Controlled Unclassified Information (CUI) remain protected even after the engagement concludes.
Step-by-Step Breakdown:
Definition of Confidentiality in CMMC Context:
Confidentiality refers to protecting sensitive information from unauthorized disclosure.
In the context of a CMMC assessment, it includes safeguarding assessment artifacts, findings, and other sensitive data collected during the evaluation process.
CMMC Code of Professional Conduct (CoPC) References:
TheCMMC Code of Professional Conductstates that assessors and organizations must handle all collected information with discretion andensure its protection post-engagement.
Clause on"Maintaining Confidentiality"specifies that assessors must:
Not disclose sensitive information to unauthorized parties.
Secure data in storage and transmission.
Retain and dispose of data securely in accordance with federal regulations.
Alignment with NIST 800-171 & CMMC Practices:
CMMC Level 2 incorporates NIST SP 800-171 controls, which include:
Requirement 3.1.3:“Control CUI at rest and in transit” to ensure unauthorized individuals do not gain access.
Requirement 3.1.4:“Separate the duties of individuals to reduce risk” ensures that assessment findings are only shared with authorized personnel.
These requirements align with the duty toexercise due carein protecting assessment-related information.
Why the Other Options Are Incorrect:
(A) Availability:This refers to ensuring data is accessible when needed but does not directly relate to protecting gathered information post-assessment.
(C) Information Integrity:This focuses on preventing unauthorized modifications rather than restricting disclosure.
(D) Respect for Intellectual Property:While related to ethical handling of proprietary data, it does not directly cover post-engagement confidentiality requirements.
Final Validation from CMMC Documentation:
The CMMC Code of Professional Conduct and NIST SP 800-171 control requirements confirm that Confidentiality is the correct answer, as it directly pertains to protecting information post-assessment.
Thus, the correct answer is B. Confidentiality.
An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?
Options:
Test
Observe
Examine
Interview
Answer:
C
Explanation:
Understanding Assessment Methods in CMMC 2.0
According to the CMMC Assessment Process (CAP) Guide, assessors use three primary assessment methods to determine compliance with security practices:
Examine – Reviewing documents, policies, configurations, and system records.
Interview – Speaking with personnel to gather insights into security processes.
Test – Performing technical validation of system functions and security controls.
Why Option C (Examine) is Correct
The Assessment Team Member is inspecting Assessment Objects (e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient for AC.L1-3.1.1 (Access Control – Authorized Users).
This activity aligns directly with the Examine method, which involves reviewing artifacts such as:
Access control lists (ACLs)
System user authentication logs
Account management policies
Role-based access control settings
"Observe" (Option B) is incorrect because "observing" is not an official assessment method in CMMC.
"Test" (Option A) is incorrect because the assessment is not actively executing a function but rather reviewing evidence.
"Interview" (Option D) is incorrect because no personnel are being questioned—only documentation is being reviewed.
Official CMMC Documentation References
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods
CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)
Final Verification
Since the activity involves reviewing documents and records to verify access control measures, it falls under the Examine method, making Option C the correct answer.
During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:
Options:
funds that practice.
audits that practice.
supports, audits, and performs that practice.
implements, performs, or supports that practice.
Answer:
D
Explanation:
Who Should Be Interviewed During a CMMC Assessment?
During assessment planning, the Organization Seeking Certification (OSC) may suggest personnel for interviews. However, the person interviewed must be someone who:
✅ Implements the practice (directly responsible for executing it).
✅ Performs the practice (carries out day-to-day security operations).
✅ Supports the practice (provides necessary resources or oversight).
Why "Implements, Performs, or Supports That Practice" is Correct
The assessor needs direct insights from individuals actively involved in the practice.
Funding (Option A) does not provide technical or operational insight into practice execution.
Auditing (Option B) focuses on compliance checks, but auditors do not implement the practice.
Supporting, auditing, and performing (Option C) includes auditors, who are not necessarily the right interviewees.
Breakdown of Answer Choices
A. Funds that practice. – ❌ Incorrect: Funding is important but does not mean direct involvement.
B. Audits that practice. – ❌ Incorrect: Auditors check compliance but do not implement practices.
C. Supports, audits, and performs that practice. – ❌ Incorrect: Auditing is not a requirement for interviewees.
D. Implements, performs, or supports that practice. – ✅ Correct: The interviewee must have direct involvement in execution.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) – Requires that interviewees be directly responsible for implementing, performing, or supporting the practice.
Final Verification and Conclusion
The correct answer is D. Implements, performs, or supports that practice, as the interviewee must actively contribute to the execution of the practice.
How are the Final Recommended Assessment Findings BEST presented?
Options:
Using the CMMC Findings Brief template
Using a C3PAO-provided template that is preferred by the OSC
Using a C3PAO-branded version of the CMMC Findings Brief template
Using the proprietary template created by the Lead Assessor after approval from the C3PAO
Answer:
A
Explanation:
In the Cybersecurity Maturity Model Certification (CMMC) assessment process, the presentation of the Final Recommended Assessment Findings is a critical step. According to the CMMC Assessment Process guidelines, the Lead Assessor is responsible for compiling and presenting these findings. The prescribed method for this presentation is the utilization of the standardized CMMC Findings Brief template.
Step-by-Step Explanation:
Responsibility of the Lead Assessor:
The Lead Assessor oversees the assessment process and is tasked with compiling the Final Recommended Assessment Findings.
Utilization of the CMMC Findings Brief Template:
To ensure consistency and adherence to CMMC standards, the Lead Assessor must use the official CMMC Findings Brief template when presenting the assessment findings.
Presentation of Findings:
The findings, documented in the CMMC Findings Brief template, are then presented to the Organization Seeking Certification (OSC). This presentation ensures that the OSC receives a clear and standardized report of the assessment outcomes.
Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?
Options:
Legal agreement
CMMC agreement
Assessment agreement
Non-disclosure agreement
Answer:
D
Explanation:
The correct document is a Non-Disclosure Agreement (NDA), because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0, NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.
CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”
This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.
While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement).
When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?
Options:
NIST SP 800-53
NIST SP 800-88
NIST SP 800-171
NIST SP 800-172
Answer:
C
Explanation:
CMMC 2.0 Level 2 is directly aligned with NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations." Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified in NIST SP 800-171, as mandated by DFARS 252.204-7012.
Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protect Controlled Unclassified Information (CUI) in nonfederal systems.
These controls are categorized under 14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments are entirely based on NIST SP 800-171 requirements.
Every practice assessed in a Level 2 certification maps directly to a requirement from NIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
The NIST SP 800-171A "Assessment Guide" provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 security requirements.
The CMMC 2.0 Level 2 model directly incorporates all 110 requirements from NIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")
This document applies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it is not the basis of CMMC Level 2 assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization")
This document focuses on secure data destruction and media sanitization techniques.
While data disposal is important, this standard does not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")
This document builds on NIST SP 800-171 and applies to systems needing advanced cybersecurity protections (e.g., targeting Advanced Persistent Threats).
It is not required for standard CMMC Level 2 assessments, which only mandate NIST SP 800-171 compliance.
Key References for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2 (NIST Official Site)
NIST SP 800-171A (Assessment Guide) (NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide (Cyber AB)
Conclusion:
Since CMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:
✅ C. NIST SP 800-171
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
Options:
When under the control of the DoD
When the document is considered secret
When a document is being shared outside of the organization
When a derivative document's original information is not CUI
Answer:
C
Explanation:
Background on Legacy Markings and CUI
Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.
Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.
When Must Legacy Markings Be Updated?
If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.
If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.
If a document is being shared externally (Answer C - Correct):
According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.
The document must be re-marked in compliance with the CUI Program before dissemination.
If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.
Conclusion
The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.
The results package for a Level 2 Assessment is being submitted. What MUST a Final Report: CMMC Assessment Results include?
Options:
Affirmation for each practice or control
Documented rationale for each failed practice
Suggested improvements for each failed practice
Gaps or deltas due to any reciprocity model are recorded as met
Answer:
B
Explanation:
Understanding the CMMC Level 2 Final Report Requirements
For a CMMC Level 2 Assessment, the Final CMMC Assessment Results Report must include:
Assessment findings for each practice
Final ratings (MET or NOT MET) for each practice
A detailed rationale for each practice rated as NOT MET
Why "B. Documented rationale for each failed practice" is Correct?
The CMMC Assessment Process (CAP) Guide states that if a practice is marked NOT MET, the assessors must provide a rationale explaining why it failed.
This rationale helps the OSC understand what needs remediation and, if applicable, whether the deficiency can be addressed via a Plan of Action & Milestones (POA&M).
The Final Report serves as an official record and must be submitted as part of the results package.
Why Other Answers Are Incorrect?
A. Affirmation for each practice or control (Incorrect)
While the report includes a MET/NOT MET rating for each practice, affirmation is not a required component.
C. Suggested improvements for each failed practice (Incorrect)
Assessors do not provide recommendations for improvement—they only document findings and rationale.
Providing suggestions would create a conflict of interest per the CMMC-AB Code of Professional Conduct.
D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)
If an organization is leveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gaps must still be documented—not automatically marked as "MET."
Conclusion
The correct answer is B. Documented rationale for each failed practice, as this is a mandatory requirement in the Final CMMC Assessment Results Report.
Which words summarize categories of data disposal described in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
Options:
Clear, purge, destroy
Clear, redact, destroy
Clear, overwrite, purge
Clear, overwrite, destroy
Answer:
A
Explanation:
NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.
Supporting Extracts from Official Content:
NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”
Why Option A is Correct:
“Clear, Purge, Destroy” are the exact three categories named.
Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.
References (Official CMMC v2.0 Content and Source Documents):
NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.
OSCs MUST provide documentation that vulnerability scans are performed:
Options:
at an OSC-defined frequency and when new vulnerabilities are identified.
as defined by an accredited RPO.
every time a penetration test is performed.
on an ad hoc basis or as directed by the security manager.
Answer:
A
Explanation:
The correct answer is A because CMMC 2.0 Level 2 requirement RA.L2-3.11.2, Vulnerability Scan, requires organizations to “scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.” The official CMMC Model Overview maps this requirement directly to NIST SP 800-171 Rev. 2, 3.11.2. The official CMMC Level 2 Assessment Guide further breaks this into assessment objectives: the organization must define the frequency for vulnerability scanning, perform scans on organizational systems and applications at that defined frequency, and perform scans when new vulnerabilities are identified.
Therefore, the OSC must maintain evidence such as vulnerability scan schedules, scan reports, tool outputs, procedures, policies, or tickets showing that scans occur at the organization’s defined frequency and when new vulnerabilities are identified. Option B is incorrect because an RPO may advise or assist, but the scan frequency is not “defined by an accredited RPO” in the CMMC requirement. Option C is incorrect because vulnerability scanning is not limited to penetration testing events. Option D is incorrect because purely ad hoc scanning or scanning only when directed by a security manager does not satisfy the requirement to define and follow a frequency.
What is the BEST description of the purpose of FAR clause 52.204-21?
Options:
It directs all covered contractors to install the cyber security systems listed in that clause.
It describes all of the safeguards that contractors must take to secure covered contractor IS.
It describes the minimum standard of care that contractors must take to secure covered contractor IS.
It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.
Answer:
C
Explanation:
Understanding FAR Clause 52.204-21
The Federal Acquisition Regulation (FAR) Clause 52.204-21 is titled "Basic Safeguarding of Covered Contractor Information Systems." This clause establishes minimum cybersecurity requirements for federal contractors that handle Federal Contract Information (FCI).
Key Purpose of FAR Clause 52.204-21
The primary objective of FAR 52.204-21 is to ensure that contractors apply basic cybersecurity protections to their information systems that process, store, or transmit FCI. These minimum safeguarding requirements serve as a baseline security standard for contractors doing business with the U.S. government.
Why "Minimum Standard of Care" is Correct
FAR 52.204-21 does not require contractors to install specific cybersecurity tools (eliminating option A).
It outlines only the minimum safeguards, not all cybersecurity controls needed for complete security (eliminating option B).
CMMC certification is not mandated by this clause alone (eliminating option D).
Instead, it establishes a baseline "standard of care" that all federal contractors must follow to protect FCI (making option C correct).
Breakdown of Answer Choices
A. It directs all covered contractors to install the cybersecurity systems listed in that clause. – ❌ Incorrect: The clause does not specify tools or require specific cybersecurity systems.
B. It describes all of the safeguards that contractors must take to secure covered contractor IS. – ❌ Incorrect: It only sets minimum requirements, not all possible security measures.
C. It describes the minimum standard of care that contractors must take to secure covered contractor IS. – ✅ Correct: The clause defines basic safeguards as a minimum security standard.
D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts. – ❌ Incorrect: FAR 52.204-21 does not mandate CMMC certification; that requirement comes from DFARS 252.204-7012 and 7021.
Minimum Safeguarding Requirements Under FAR 52.204-21
The clause defines 15 basic security controls, which align with CMMC Level 1. Some examples include:
✅ Access Control – Limit access to authorized users.
✅ Identification & Authentication – Authenticate system users.
✅ Media Protection – Sanitize media before disposal.
✅ System & Communications Protection – Monitor and control network connections.
Official References from CMMC 2.0 and FAR Documentation
FAR 52.204-21 – Establishes the basic safeguarding requirements for FCI.
CMMC 2.0 Level 1 – Directly aligns with FAR 52.204-21 controls.
Final Verification and Conclusion
The correct answer is C. It describes the minimum standard of care that contractors must take to secure covered contractor IS. This aligns with FAR 52.204-21 requirements as a baseline security standard for FCI.
Which CMMC Levels focus on protecting CUI from exfiltration?
Options:
Levels 1 and 2
Levels 1 and 3
Levels 2 and 3
Levels 1, 2, and 3
Answer:
C
Explanation:
Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).
Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.
Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.
Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.
Reference Documents:
CMMC Model v2.0 Overview (DoD, December 2021)
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
What is objectivity as it applies to activities with the CMMC-AB?
Options:
Ensuring full disclosure
Reporting results of CMMC services completely
Avoiding the appearance of or actual, conflicts of interest
Demonstrating integrity in the use of materials as described in policy
Answer:
C
Explanation:
Understanding Objectivity in CMMC-AB Activities
Objectivity in CMMC-AB activities refers to the requirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interest while conducting assessments and providing CMMC-related services.
Key Aspects of Objectivity in CMMC Assessments:
✔ No conflicts of interest—Assessors must not assess organizations they have financial, professional, or personal ties to.
✔ Unbiased reporting—Findings must be based solely on evidence, with no external influence.
✔ Avoiding even the appearance of a conflict—If there is any perception of bias, it must be addressed.
Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?
A. Ensuring full disclosure → Incorrect
Full disclosure is important but does not define objectivity. Objectivity means remaining neutral and free from conflicts.
B. Reporting results of CMMC services completely → Incorrect
While accurate reporting is required, objectivity focuses on impartiality, not just completeness.
C. Avoiding the appearance of or actual, conflicts of interest → Correct
Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.
Avoiding conflicts of interest ensures that assessments are credible and trustworthy.
D. Demonstrating integrity in the use of materials as described in policy → Incorrect
Integrity is important, but objectivity is specifically about avoiding bias and conflicts of interest.
CMMC 2.0 References Supporting This Answer:
CMMC-AB Code of Professional Conduct
Requires assessors and C3PAOs to avoid conflicts of interest and maintain impartiality.
CMMC Assessment Process (CAP) Document
Emphasizes that assessments must be free from external influence and conflicts of interest.
ISO/IEC 17020 Requirements for Inspection Bodies
Defines objectivity as avoiding conflicts of interest in the assessment process.
During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?
Options:
FCI
Change of leadership in the organization
Launching of their new business service line
Public releases identifying major deals signed with commercial entities
Answer:
A
Explanation:
Understanding Federal Contract Information (FCI) and Publicly Accessible Information
Federal Contract Information (FCI) is non-public information provided by or generated for the U.S. government under a contract that is not intended for public release.
Key Characteristics of FCI:
✔ FCI includes details related to government contracts, project specifics, and performance data.
✔ It must be protected under FAR 52.204-21, which requires basic safeguarding measures to prevent unauthorized access.
✔ Posting FCI on a public site is a security violation since it is meant to be restricted from public disclosure.
Why is the Correct Answer "A. FCI (Federal Contract Information)"?
A. FCI → Correct
FCI must be protected from unauthorized access, and if it was incorrectly published online, it should have been restricted.
B. Change of leadership in the organization → Incorrect
Leadership changes are typically public information and do not require restriction unless they involve sensitive government-related security clearances.
C. Launching of their new business service line → Incorrect
Marketing and business announcements are generally publicly available and not restricted information.
D. Public releases identifying major deals signed with commercial entities → Incorrect
Commercial contracts and business deals are not considered FCI unless they involve government contracts.
CMMC 2.0 References Supporting This Answer:
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
Defines FCI as sensitive but unclassified information that must be protected from public disclosure.
CMMC 2.0 Level 1 Requirements
Requires contractors to protect FCI under basic cybersecurity standards to prevent unauthorized exposure.
DoD Guidance on FCI Protection
States that publishing FCI on public websites violates federal cybersecurity requirements.
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Options:
Conduct a penetration test
Interview the intrusion detection system's supplier.
Upload known malicious code and observe the system response.
Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
Answer:
D
Explanation:
Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practice SI.L2-3.14.6 from NIST SP 800-171 (aligned with CMMC Level 2) requires an organization to monitor organizational communications for indicators of attack. This typically includes:
✅ Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
✅ Log analysis and network monitoring
✅ Incident response planning for detected threats
As part of a CMMC Level 2 assessment, the Certified CMMC Assessor (CCA) must ensure that the OSC (Organization Seeking Certification) has properly implemented and documented its monitoring capabilities.
Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct
The CCA must collect sufficient objective evidence to determine compliance.
Reviewing an artifact (such as system configurations, IDS/IPS logs, or security policies) helps validate that intrusion detection is properly implemented.
Configuration settings provide direct evidence of whether monitoring for attacks is effectively applied.
Breakdown of Answer Choices
A. Conduct a penetration test – ❌ Incorrect: Penetration testing is not required for CMMC Level 2 assessments and falls outside an assessor's responsibilities.
B. Interview the intrusion detection system's supplier. – ❌ Incorrect: The supplier does not determine compliance; the assessor needs evidence from the OSC’s implementation.
C. Upload known malicious code and observe the system response. – ❌ Incorrect: This would be invasive testing, which is not part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems. – ✅ Correct: Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official References from CMMC 2.0 and NIST SP 800-171 Documentation
NIST SP 800-171 SI.L2-3.14.6 – Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP) – Describes artifact review as an essential assessment method.
Final Verification and Conclusion
The correct answer is D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
This aligns with CMMC 2.0 Level 2 assessment requirements and SI.L2-3.14.6 compliance verification.
A member of the Assessment Team has been assigned the responsibility of maintaining and protecting information from the OSC. The Assessment Results Package, PCI, CUI, and any notes must be retained and protected from disclosure. To protect the OSC's information, which principle should be used, and for how long?
Options:
Cryptography and hashing for 1 year
Confidentiality and non-disclosure for 3 years
Availability, confidentiality, and integrity for 1 year
Authentication, authorization, and accounting for 3 years
Answer:
B
Explanation:
The core protection principle for OSC-provided assessment information (including PCI/CUI, assessment workpapers/notes, and the assessment results package) is confidentiality / non-disclosure. The CMMC rules require assessors not to disclose OSC information outside the assessment participants, except as required by law. For example, CMMC assessor requirements include not sharing information about an OSC obtained during pre-assessment and assessment activities with anyone not involved in that specific assessment.
For retention, the authoritative requirement in the CMMC Program rule (32 CFR Part 170) is that assessment-related records are maintained for six (6) years, unless disposition is otherwise authorized by the CMMC PMO. This record set includes assessment materials and working papers generated during Level 2 certification assessments, and it also includes contractual agreements.
Important correction to the multiple-choice options: none of the answers list the official six-year retention period. The best available option is therefore B because it correctly captures the required confidentiality/non-disclosure principle—but the “3 years” duration in the option does not match the official CMMC v2.0 retention requirement (which is 6 years).
An OSC needs to be assessed on RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. What is in scope for a Level 2 assessment of RA.L2-3.11.1?
Options:
IT systems
Enterprise systems
CUI Marking processes
Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted
Answer:
D
Explanation:
Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2
The CMMC Level 2 control RA.L2-3.11.1 aligns with NIST SP 800-171, Requirement 3.11.1, which mandates that organizations periodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.
What is Required for Compliance?
The organization must perform risk assessments on all assets and entities involved in handling CUI.
Risk assessments must evaluate potential threats, vulnerabilities, and impacts on CUI security.
The scope must include people, processes, physical locations, and IT systems to ensure comprehensive risk management.
Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":
CUI can be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.
Risk assessments must evaluate all areas that could impact CUI security, including:
Personnel security risks (e.g., insider threats, phishing attacks).
Process vulnerabilities (e.g., mishandling of CUI, policy weaknesses).
Physical security risks (e.g., unauthorized access to servers, storage rooms).
IT systems (e.g., networks, servers, cloud environments processing CUI).
Clarification of Incorrect Options:
A. "IT systems" → Too narrow. Risk assessment must cover more than just IT systems, including people, physical assets, and processes affecting CUI.
B. "Enterprise systems" → Too broad. While enterprise systems might be assessed, the focus is specifically on areas handling CUI, not all enterprise operations.
C. "CUI Marking processes" → Incorrect focus. While marking CUI correctly is important, RA.L2-3.11.1 pertains to risk assessments, not data classification.
Ethics is a shared responsibility between:
Options:
DoD and CMMC-AB.
OSC and sponsors.
CMMC-AB and members of the CMMC Ecosystem.
members of the CMMC Ecosystem and Lead Assessors.
Answer:
C
Explanation:
Understanding Ethical Responsibility in the CMMC Ecosystem
Ethics in the CMMC ecosystem is a shared responsibility between the CMMC Accreditation Body (CMMC-AB, now the Cyber AB) and its members. The CMMC-AB Code of Professional Conduct outlines ethical obligations for assessors, consultants, and other ecosystem participants to ensure integrity, fairness, and professionalism.
Key Ethical Responsibilities Include:
The CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.
CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.
Ethical violations can result in disciplinary action, revocation of certification, or legal consequences.
Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?
A. DoD and CMMC-AB → Incorrect
The DoD oversees the CMMC program, but the Code of Professional Conduct is issued and enforced by the CMMC-AB, not the DoD.
B. OSC and Sponsors → Incorrect
The Organization Seeking Certification (OSC) is responsible for its own compliance but does not oversee ethics in the CMMC ecosystem.
C. CMMC-AB and Members of the CMMC Ecosystem → Correct
Ethics is explicitly stated as a joint responsibility of the CMMC-AB and its ecosystem members in the Code of Professional Conduct.
D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect
Lead Assessors are themselves members of the CMMC ecosystem; the CMMC-AB is the governing body responsible for ethical oversight.
CMMC 2.0 References Supporting this Answer:
CMMC-AB Code of Professional Conduct
Defines ethical responsibilities for assessors, consultants, and ecosystem members.
CMMC Ecosystem Governance Policies
Ethics is jointly managed by the CMMC-AB and its accredited ecosystem members.
CMMC Assessment Process (CAP) Document
Outlines ethical expectations for assessors and consultants during certification assessments.
The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?
Options:
FBI CUI Introduction to Marking
NARA CUI Introduction to Marking
C3PAO CUI Introduction to Marking
CMMC-AB CUI Introduction to Marking
Answer:
B
Explanation:
The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.
The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.
Which statement BEST describes the key references a Lead Assessor should refer to and use the:
Options:
DoD adequate security checklist for covered defense information.
CMMC Model Overview as it provides assessment methods and objects.
safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment.
published CMMC Assessment Guide practice descriptions for the desired certification level.
Answer:
D
Explanation:
Key References for a Lead Assessor in a CMMC Assessment
A Lead Assessor conducting a CMMC assessment must rely on official CMMC guidance documents to evaluate whether an Organization Seeking Certification (OSC) meets the required cybersecurity practices.
Most Relevant Reference: CMMC Assessment Guide
The CMMC Assessment Guide provides detailed descriptions of each practice and process at the specific CMMC level being assessed.
It defines:
✔ The assessment objectives for each practice.
✔ The required evidence for compliance.
✔ The scoring criteria used to determine whether a practice is MET or NOT MET.
Why is the Correct Answer "D. Published CMMC Assessment Guide practice descriptions for the desired certification level"?
A. DoD adequate security checklist for covered defense information → Incorrect
The DoD adequate security checklist relates to DFARS 252.204-7012 compliance, but CMMC assessments follow the CMMC Assessment Guide.
B. CMMC Model Overview as it provides assessment methods and objects → Incorrect
The CMMC Model Overview provides high-level guidance but does not contain the practice-level assessment criteria.
C. Safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment → Incorrect
FAR 52.204-21 is relevant to CMMC Level 1 (FCI protection), but CMMC Level 2 follows NIST SP 800-171 and is validated using the Level 2 CMMC Assessment Guide.
D. Published CMMC Assessment Guide practice descriptions for the desired certification level → Correct
The CMMC Assessment Guide is the official document used to determine whether an OSC meets the required security practices for certification.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that Lead Assessors must use the CMMC Assessment Guide for official scoring.
CMMC Assessment Guides for Level 1 and Level 2
Provide detailed descriptions, assessment methods, and scoring criteria for each practice.
CMMC-AB Guidance for Certified Third-Party Assessment Organizations (C3PAOs)
Confirms that CMMC assessments must follow the Assessment Guide, not general DoD security policies.
Final Answer:
✔ D. Published CMMC Assessment Guide practice descriptions for the desired certification level.
An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
Options:
Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.
Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.
Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.
Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.
Answer:
B
Explanation:
Best Practices for Handling Sensitive Assessment Information
CMMC assessments involve handling sensitive, and potentially CUI-related, documents. Assessors must follow strict security policies to avoid unauthorized access, data leaks, or non-compliance with CMMC 2.0 and NIST SP 800-171 requirements.
Why Logging into the Client VPN on the Client Laptop is the Best Approach:
Ensures Data Protection: The client laptop is configured by the client to meet the security controls it requires for handling assessment-related materials.
Prevents Data Spillage: Keeping all assessment-related activities within the client's secured environment reduces the risk of data leakage or storage on unauthorized systems.
Maintains Compliance with CMMC/NIST Guidelines: Using a properly configured client laptop over a secured connection is consistent with the NIST SP 800-171 requirements to monitor and control remote access sessions (Requirement 3.1.12) and to protect the confidentiality of remote access sessions with cryptographic mechanisms (Requirement 3.1.13).
Clarification of Incorrect Options:
A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."
Incorrect → Sensitive data should not be duplicated across multiple systems, especially onto a laptop the client has not approved. Storing it on an unauthorized system violates data handling best practices.
C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."
Incorrect → The assessor's laptop may not be authorized or secured to handle client data. CMMC guidelines emphasize using approved, secured systems for assessment-related information.
D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."
Incorrect →
Transferring sensitive documents via USB introduces security risks, including unauthorized data storage and potential malware contamination.
Home office workstations are unlikely to be authorized for handling CMMC-sensitive data.
Who is responsible for identifying and verifying Assessment Team Member qualifications?
Options:
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Answer:
C
Explanation:
Understanding the Role of the Lead Assessor in CMMC Assessments
The Lead Assessor is responsible for managing the Assessment Team and ensuring that all team members meet the required qualifications as defined by the CMMC Accreditation Body (CMMC-AB) and the CMMC Assessment Process (CAP) Guide.
Why the Correct Answer is "C. Lead Assessor"?
Lead Assessor's Key Responsibilities (Per CAP Guide)
Verify team member qualifications to ensure compliance with CMMC-AB guidelines.
Assign appropriate assessment tasks based on team members' expertise.
Ensure that the assessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessment Organization) → Incorrect
The C3PAO contracts for and organizes the assessment and assigns the Assessment Team, but the CAP assigns the step of identifying and verifying individual team member qualifications to the Lead Assessor.
B. CMMC-AB (CMMC Accreditation Body) → Incorrect
The CMMC-AB establishes the training and certification requirements, but it does not verify the qualifications of the individual members of a given Assessment Team; that responsibility is given to the Lead Assessor.
D. CMMC Marketplace → Incorrect
The CMMC Marketplace lists authorized C3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs), but it does not verify assessment team qualifications.
Relevant CMMC 2.0 References:
CMMC Assessment Process (CAP) Guide – Defines the Lead Assessor's responsibility for verifying assessment team qualifications.
CMMC-AB Certification Guide – Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Final Justification:
Since the Lead Assessor is responsible for verifying assessment team member qualifications, the correct answer is C. Lead Assessor.
During the assessment process, who is the final interpretation authority for recommended findings?
Options:
C3PAO
CMMC-AB
OSC sponsor
Assessment Team Members
Answer:
A
Explanation:
According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).
While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.
Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.
Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.
Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.
Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.
C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
Options:
Test
Assess
Examine
Interview
Answer:
C
Explanation:
Understanding the "Examine" Assessment Method in CMMC 2.0
CMMC 2.0 uses the three assessment methods defined in NIST SP 800-171A to evaluate security compliance:
Examine – Reviewing, inspecting, observing, studying, or analyzing assessment objects (e.g., policies, system documentation).
Interview – Speaking with personnel to verify knowledge and responsibilities.
Test – Exercising assessment objects under specified conditions to compare actual with expected behavior (e.g., checking system configurations).
Relevant CMMC 2.0 Reference:
The CMMC Assessment Process (CAP) defines Examine as the method used to review or analyze assessment objects, such as policies, procedures, configurations, and logs.
Why is the Correct Answer "Examine" (C)?
A. Test → Incorrect
"Test" involves exercising a function or mechanism to validate its behavior (e.g., verifying access controls on a live system).
B. Assess → Incorrect
"Assess" is a broad term for the overall activity; CMMC explicitly defines "Examine" as the method for reviewing documentation and other assessment objects.
C. Examine → Correct
"Examine" is the official term for reviewing policies, procedures, configurations, or logs.
D. Interview → Incorrect
"Interview" involves discussions with personnel, not document analysis.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines "Examine" as analyzing assessment objects (e.g., policies, procedures, logs, documentation).
NIST SP 800-171A
Defines the Examine, Interview, and Test methods used to assess the security requirements.
Evidence gathered from an OSC is being reviewed. Based on the assessment and organizational scope, the Lead Assessor requests that the Assessment Team verify that the coverage by domain, practice, Host Unit, Supporting Organization/Unit, and enclaves is comprehensive enough to rate against each practice. Which criteria is the assessor referring to?
Options:
Adequacy
Capability
Sufficiency
Objectivity
Answer:
C
Explanation:
Step 1: Understand the Definitions of Evidence Evaluation Criteria
The CMMC Assessment Process (CAP) introduces two key criteria for evaluating evidence:
Adequacy – Does the evidence align with the practice?
Sufficiency – Is the evidence comprehensive enough in terms of coverage across systems, users, and scope?
CAP v1.0 – Section 3.5.4:
"Evidence must be evaluated for both adequacy (is it the right evidence?) and sufficiency (is there enough of it across all in-scope assets and areas?) to score a practice as MET."
✅ Step 2: Applying to the Scenario
In the question, the Lead Assessor is asking the team to verify that evidence is sufficient across:
Domains
Practices
Host Units
Supporting Organizations/Units
Enclaves
➡️ This is a direct reference to sufficiency, which evaluates whether the breadth and depth of evidence is enough to make an informed judgment that the control is truly implemented across the entire assessed environment.
❌ Why the Other Options Are Incorrect
A. Adequacy
✘ Adequacy refers to the relevance of the evidence to the specific practice, not its coverage across the scope.
B. Capability
✘ Not a term used in evidence validation within the CMMC CAP documentation.
D. Objectivity
✘ While objectivity is important, it refers to the unbiased nature of assessment activities, not to the extent of evidence coverage.
When an assessor evaluates whether the evidence is broad enough across all necessary systems, units, and enclaves to score a practice as MET, they are evaluating sufficiency, one of the two core criteria for evidence validity in a CMMC assessment.
CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:
Options:
received and transferred.
stored, processed, and transmitted.
entered, edited, manipulated, printed, and viewed.
located on electronic media, on system component memory, and on paper.
Answer:
B
Explanation:
The CMMC Scoping Guide for Level 2 outlines that CUI assets include systems, applications, and services that store, process, or transmit Controlled Unclassified Information (CUI). These are the three core functions that define CUI handling within an Organization Seeking Certification (OSC).
Step-by-Step Breakdown:
✅ 1. CUI Assets Defined in CMMC
Stored: CUI is saved on hard drives, cloud storage, or databases.
Processed: CUI is actively used, modified, or analyzed by applications and users.
Transmitted: CUI is sent between systems via email, file transfers, or network communication.
✅ 2. Why the Other Answer Choices Are Incorrect:
(A) Received and transferred ❌
While receiving and transferring CUI is part of handling CUI, it does not cover storage or processing, which the Scoping Guide also includes.
(C) Entered, edited, manipulated, printed, and viewed ❌
These are specific actions within processing but do not cover storage or transmission, which are also required for CMMC scoping.
(D) Located on electronic media, on system component memory, and on paper ❌
While CUI can exist in electronic and physical forms, CMMC scoping categorizes assets by how CUI is handled (stored, processed, transmitted) rather than by the medium on which it physically resides.
Final Validation from CMMC Documentation:
The CMMC Level 2 Scoping Guide confirms that CUI Assets are categorized based on their role in storing, processing, or transmitting CUI.
NIST SP 800-171 likewise frames its requirements in terms of CUI that is processed, stored, or transmitted by nonfederal systems.
An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?
Options:
Scoping an assessment is easy and worry-free.
The initial plan cannot be changed once agreed upon.
There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude.
Assessors need to continuously review and update the requirements and plan for the assessment as information is gathered.
Answer:
D
Explanation:
Planning and preparing for a CMMC assessment involves collaboration between the assessor and the Organization Seeking Certification (OSC) to determine scope, required evidence, and logistics. This planning process is dynamic and must adapt as new information emerges.
Why the Correct Answer is "D"?
Assessment Scope and Requirements May Change
As assessors gather evidence and analyze the environment, new details about assets, networks, and security controls may require adjustments to the assessment plan.
The CMMC Assessment Process (CAP) Guide emphasizes that assessment requirements and scope should be continuously reviewed and updated to reflect what is learned during planning and execution.
Assessors Follow an Adaptive Approach
During CMMC assessments, organizations may discover additional FCI or CUI assets, which can change the set of security practices to be evaluated.
Assessors should revise the assessment approach accordingly rather than strictly following an initial, unchangeable plan.
Why Not the Other Options?
A. Scoping an assessment is easy and worry-free → Incorrect
Scoping is a critical and complex process that requires careful evaluation of the OSC's information systems and assets.
The CMMC Scoping Guide states that identifying in-scope assets is crucial and requires significant effort.
B. The initial plan cannot be changed once agreed upon → Incorrect
The initial assessment plan is a starting point, but it must be flexible based on real-time findings.
The CMMC CAP Guide emphasizes continuous refinement during the assessment process.
C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude → Incorrect
While there are timelines, the key focus is ensuring that all necessary evidence is gathered accurately rather than rushing to meet a strict deadline.
Relevant CMMC 2.0 References:
CMMC Assessment Process (CAP) Guide – States that assessment requirements and planning should be updated as additional information is gathered.
CMMC Scoping Guide (Nov 2021) – Explains that assessors must continually refine in-scope assets and requirements throughout the process.
Final Justification:
Assessment planning is a dynamic process. Assessors must continuously review and update the requirements and plan as new information emerges, making D the correct answer.
When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:
Options:
federal systems that process, store, or transmit CUI.
nonfederal systems that process, store, or transmit CUI.
federal systems that process, store, or transmit CUI. or that provide protection for the system components.
nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.
Answer:
D
Explanation:
Understanding Scoping in CMMC 2.0
The CMMC 2.0 framework applies to nonfederal systems that process, store, or transmit CUI.
Scoping determines which system components must comply with CMMC practices.
If a system component processes, stores, or transmits CUI, or provides security protection for those components, it must be included in the assessment scope.
Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?
CMMC Applies to Contractors, Not Federal Systems
CMMC is designed for the systems of Department of Defense (DoD) contractors, not federal systems.
Federal systems are already governed by FISMA, NIST SP 800-53, and related requirements.
Scope Includes Systems That Process CUI AND Those That Protect Them
System components processing, storing, or transmitting CUI are in scope.
Components that provide protection for CUI systems (e.g., firewalls, monitoring tools, security appliances) are also in scope, as Security Protection Assets.
Why Not the Other Options?
A. Federal systems that process, store, or transmit CUI. → Incorrect
CMMC does not apply to federal systems.
B. Nonfederal systems that process, store, or transmit CUI. → Partially correct but incomplete
It excludes the security systems that protect CUI assets, which are also in scope.
C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components. → Incorrect
CMMC applies only to nonfederal systems.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021) – Confirms that CMMC applies to nonfederal systems processing CUI and defines Security Protection Assets.
NIST SP 800-171 Rev. 2 – Specifies security requirements for nonfederal systems handling CUI.
DFARS 252.204-7012 – Requires DoD contractors to implement NIST SP 800-171 on covered contractor information systems handling CUI.
Final Justification:
Since CMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer is D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
What is the MOST common purpose of assessment procedures?
Options:
Obtain evidence.
Define level of effort.
Determine information flow.
Determine value of hardware and software.
Answer:
A
Explanation:
The primary goal of CMMC assessment procedures is to determine whether an Organization Seeking Certification (OSC) complies with the cybersecurity requirements of its certification level. The most common purpose of assessment procedures is to obtain evidence that verifies the organization has properly implemented the security practices.
Why "A. Obtain Evidence" is Correct?
CMMC Assessments Require Evidence Collection
The CMMC Assessment Process (CAP) Guide outlines that assessors must use three methods to verify compliance:
Examine – Reviewing documentation, policies, and system configurations.
Interview – Speaking with personnel to confirm understanding and execution.
Test – Validating controls through operational or technical tests.
All of these methods involve obtaining evidence to support whether a security requirement has been met.
Alignment with NIST SP 800-171A
CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.
Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.
Why Other Answers Are Incorrect?
B. Define level of effort (Incorrect)
The level of effort refers to the time and resources needed for an assessment, but this is a planning activity, not the primary goal of an assessment procedure.
C. Determine information flow (Incorrect)
While understanding information flow is important for security controls like data protection and access control, the main purpose of an assessment procedure is to gather evidence, not to determine information flow itself.
D. Determine value of hardware and software (Incorrect)
Asset valuation may be part of an organization's risk management process, but CMMC assessments do not focus on determining hardware or software value.
Conclusion
The correct answer is A. Obtain evidence, as the CMMC assessment process is evidence-driven to verify compliance with security controls.
A Lead Assessor is performing a CMMC readiness review. The Lead Assessor has already recorded the assessment risk status and the overall assessment feasibility. At MINIMUM, what remaining readiness review criteria should be verified?
Options:
Determine the practice pass/fail results.
Determine the preliminary recommended findings.
Determine the initial model practice ratings and record them.
Determine the logistics. Assessment Team, and the evidence readiness.
Answer:
D
Explanation:
Understanding the CMMC Readiness Review Process
A Lead Assessor conducting a CMMC Readiness Review evaluates whether an Organization Seeking Certification (OSC) is prepared for a formal assessment.
After recording the assessment risk status and overall assessment feasibility, the minimum remaining criteria to be verified include:
Logistics Planning – Ensuring that the assessment timeline, locations, and necessary resources are in place.
Assessment Team Preparation – Confirming that assessors and required personnel are available and briefed.
Evidence Readiness – Ensuring the OSC has gathered all required artifacts and documentation for review.
Breakdown of Answer Choices
A. Determine the practice pass/fail results. → ❌ Incorrect
Happens during the formal assessment, not the readiness review.
B. Determine the preliminary recommended findings. → ❌ Incorrect
Findings are only made after the full assessment.
C. Determine the initial model practice ratings and record them. → ❌ Incorrect
Ratings are assigned during the assessment, not the readiness review.
D. Determine the logistics, Assessment Team, and the evidence readiness. → ✅ Correct
Essential readiness criteria that must be confirmed before the assessment starts.
Official Reference from CMMC 2.0 Documentation
The CMMC Assessment Process Guide (CAP) states that the readiness review ensures logistics, assessment team availability, and evidence readiness are verified.
Final Verification and Conclusion
The correct answer is D. Determine the logistics, Assessment Team, and the evidence readiness. This aligns with the CMMC readiness review requirements.
Which are guiding principles in the CMMC Code of Professional Conduct?
Options:
Objectivity, information integrity, and higher accountability
Objectivity, information integrity, and proper use of methods
Proper use of methods, higher accountability, and objectivity
Proper use of methods, higher accountability, and information integrity
Answer:
A
Explanation:
The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.
Supporting Extracts from Official Content:
CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”
Why Option A is Correct:
These three principles are the official guiding values documented in the Code of Professional Conduct.
Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.
References (Official CMMC v2.0 Content):
CMMC Code of Professional Conduct.
Which document specifies the CMMC Level 1 practices that correspond to basic safeguarding requirements?
Options:
NIST SP 800-171
NIST SP 800-171b
48 CFR 52.204-21
DFARS 252.204-7012
Answer:
C
Explanation:
CMMC Level 1 practices correspond directly to the basic safeguarding requirements for Federal Contract Information (FCI), which are codified in FAR clause 52.204-21 (48 CFR 52.204-21). These 15 requirements form the foundation for Level 1 compliance.
Supporting Extracts from Official Content:
48 CFR 52.204-21(b)(1): the Contractor shall apply the listed basic safeguarding requirements and procedures to protect covered contractor information systems; paragraphs (b)(1)(i) through (xv) enumerate the 15 requirements.
CMMC Model v2.0 Overview: "Level 1 corresponds to the 15 basic safeguarding requirements in FAR 52.204-21."
Why Option C is Correct:
FAR 52.204-21 is the source for the Level 1 practices.
NIST SP 800-171 applies to CUI and Level 2, not Level 1.
Draft NIST SP 800-171B was the precursor to NIST SP 800-172 (used for Level 3).
DFARS 252.204-7012 covers CUI safeguarding and cyber incident reporting, not the Level 1 FCI requirements.
References (Official CMMC v2.0 Content):
FAR 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
CMMC Model v2.0, Level 1 Overview.
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?
Options:
All three types of evidence are documented for every control.
Examine and accept evidence from one of the three evidence types.
Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Answer:
D
Explanation:
This question pertains to the minimum evidence requirements needed by a CMMC Assessment Team to score a practice as MET during a Level 2 Assessment.
The CMMC Level 2 assessment must align with NIST SP 800-171 and follow the procedures outlined in the CMMC Assessment Process (CAP) Guide v1.0, particularly around evidence collection and scoring methodology.
✅ Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0
CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices
“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”
This means at least two types of the following evidence are required:
Examine (documentation/artifacts),
Interview (affirmation from personnel),
Test (demonstration of implementation).
✅ Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET
The CAP explicitly states:
“A practice can only be scored MET when a minimum of two types of evidence from the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”
The evidence types must come from two different categories, for example:
An artifact (Examine) + an interview affirmation (Interview),
A demonstration (Test) + an interview (Interview),
Etc.
This cross-validation ensures that the control is implemented, documented, and understood by personnel — a core principle in assessing effective cybersecurity implementation.
❌ Why the Other Options Are Incorrect
A. All three types of evidence are documented for every control
✘ Incorrect: While collecting all three types (E-I-T) strengthens the assessment, the minimum requirement is only two. Collecting all three is not required for a practice to be scored MET.
B. Examine and accept evidence from one of the three evidence types
✘ Incorrect: This fails to meet the minimum two-evidence-type requirement set by the CAP. Single-source evidence is not sufficient to score a practice as MET.
C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation
✘ Incorrect: Even if two artifacts are examined, this is still only one type of evidence (Examine). The CAP requires two types — not two instances of the same type.
✅ Why D is Correct
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
✔ This directly reflects the CAP’s requirement for collecting two different types of objective evidence to determine a practice is MET.
BLUF (Bottom Line Up Front):
To score a CMMC Level 2 practice as MET, the Assessment Team must collect a minimum of two distinct types of evidence — from the Examine, Interview, Test (E-I-T) categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.
In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?
Options:
In scope
Out of scope
OSC point of contact
Assessment Team Member
Answer:
A
Explanation:
Understanding Scoping in CMMC Level 1 Self-Assessments
Federal Contract Information (FCI) is any information not intended for public release that is provided or generated under a U.S. Government contract to develop or deliver a product or service.
Enhanced Security Personnel (ESP) refers to employees, contractors, or third parties who have access to FCI within an Organization Seeking Certification (OSC).
Under CMMC 2.0 Scoping Guidance, any personnel, system, or asset with access to FCI is considered in scope for a CMMC Level 1 assessment.
Why Option A (In scope) is Correct
Since the ESP employee has access to FCI, they must be included in the assessment scope.
Option B (Out of scope) is incorrect because anyone with access to FCI is automatically considered part of the CMMC Level 1 boundary.
Option C (OSC point of contact) is incorrect because the point of contact is typically an administrative or compliance representative, not necessarily someone with FCI access.
Option D (Assessment Team Member) is incorrect because an ESP employee is not part of the assessment team but rather a subject of the assessment.
Official CMMC Documentation References
CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI
CMMC Assessment Process (CAP) Guide – Roles and Responsibilities
Federal Acquisition Regulation (FAR) 52.204-21 (Basic Safeguarding of FCI)
Final Verification
Since the ESP employee has access to FCI, they are considered in scope for the CMMC Level 1 self-assessment, making Option A the correct answer.
A C3PAO Assessment Plan document captures the names of the interviewees and the facilities that will be utilized, along with the estimated costs and schedule of the assessment. What part of the assessment plan is this?
Options:
Identify resources and schedule.
Select Assessment Team members.
Identify and manage assessment risks.
Select and develop the evidence collection approach.
Answer:
A
Explanation:
A Certified Third-Party Assessor Organization (C3PAO) is responsible for conducting CMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop an Assessment Plan, which includes several key elements.
The part of the plan that captures:
✅ Names of interviewees
✅ Facilities to be utilized
✅ Estimated costs
✅ Assessment schedule
falls under the "Identify Resources and Schedule" section of the plan.
Step-by-Step Breakdown:
✅ 1. Identify Resources and Schedule
This section of the CMMC Assessment Plan outlines:
The personnel involved (e.g., interviewees, assessors).
The locations where the assessment will take place.
The timeline and scheduling details.
The estimated costs associated with the assessment.
This ensures that all necessary resources are allocated and that the assessment proceeds as planned.
✅ 2. Why the Other Answer Choices Are Incorrect:
(B) Select Assessment Team Members ❌
This section focuses on choosing the assessors who will conduct the evaluation, not listing interviewees and facilities.
(C) Identify and Manage Assessment Risks ❌
This part of the plan documents risks (e.g., scheduling conflicts, data access issues), but it does not outline names, facilities, or costs.
(D) Select and Develop the Evidence Collection Approach ❌
This step defines how evidence will be gathered (e.g., document reviews, interviews, system testing) but does not focus on logistics.
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide states that resource identification and scheduling are essential for organizing the assessment. Since this section captures interviewees, facilities, costs, and the schedule, the correct answer is:
✅ A. Identify resources and schedule.
A Lead Assessor is ensuring all actions have been completed to conclude a Level 2 Assessment. The final Assessment Results Package has been properly reviewed and is ready to be uploaded. What other materials is the Lead Assessor responsible for maintaining and protecting?
Options:
Any additional notes and information from the Assessment
A final assessment plan, and a Quality Control report from C3PAO
A final assessment plan, and a letter from the Lead Assessor explaining the process
A final assessment plan, a letter from the Lead Assessor explaining the results, and a Quality Control report from C3PAO
Answer:
A
Explanation:
The Lead Assessor is responsible for protecting and maintaining all assessment records, notes, and information gathered during the assessment process. This includes working papers and supplemental documentation that may be needed for auditability or dispute resolution.
Supporting Extracts from Official Content:
CAP v2.0, Post-Assessment Responsibilities (§3.17): “The Lead Assessor must ensure that all assessment artifacts, notes, and information are archived or disposed of in accordance with C3PAO policy.”
Why Option A is Correct:
The CAP specifies that notes and information from the assessment must be preserved or disposed of according to policy.
Options B, C, and D list items not required in the CAP. The “letter” and “quality control report” are not part of the Lead Assessor’s required maintained materials.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 3 Post-Assessment (§3.17).
===========
When a conflict of interest is unavoidable, a CCP should NOT:
Options:
Inform their organization
Take action to minimize its impact
Disclose it to affected stakeholders
Conceal it from the Assessment Team lead
Answer:
D
Explanation:
CMMC Assessment Process (CAP) and CMMC Code of Professional Conduct emphasize that conflicts of interest (COI) must be disclosed and managed transparently. A Certified CMMC Professional (CCP) is required to:
Inform their organization,
Disclose the COI to the affected stakeholders, and
Take reasonable steps to minimize the impact.
What they must NOT do is conceal it from the Assessment Team Lead or others. Concealing a COI violates the CMMC Code of Professional Conduct and compromises the integrity of the assessment.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
CMMC Code of Professional Conduct, CMMC-AB
What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"
Options:
Adequacy criteria
Objectivity criteria
Sufficiency criteria
Subjectivity criteria
Answer:
A
Explanation:
According to the CMMC Assessment Process (CAP), specifically during the Phase 3: Conduct Assessment (Evidence Collection and Verification), the Assessment Team must evaluate all collected artifacts, interview notes, and test results against two primary dimensions: Adequacy and Sufficiency.
Adequacy (The "Right" Evidence): This criterion focuses on the quality, relevance, and validity of the evidence. It addresses whether the evidence actually maps to the specific CMMC practice being assessed and whether it is authoritative (e.g., signed, current, and from a trusted source). If an assessor asks, "Is this the right piece of information to prove this practice is met?" they are testing for Adequacy.
Sufficiency (The "Enough" Evidence): This criterion focuses on the quantity and scope of the evidence. It addresses whether the Assessment Team has collected enough data points (across the required number of assets and using the required methods of Examine, Interview, and Test) to reach a confident conclusion. If an assessor asks, "Do I have enough examples of this practice in action across the entire enclave?" they are testing for Sufficiency.
Why other options are incorrect:
B and D (Objectivity/Subjectivity): While assessors must remain objective, these are not the formal "criteria" used to categorize the evidence collection quality within the CAP framework.
C (Sufficiency): As noted above, Sufficiency is about the amount of evidence, not whether it is the correct type (the "right" evidence).
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section 3.4, "Collect and Verify Evidence," which explicitly defines the requirement for evidence to be both adequate and sufficient.
CMMC Level 2 Assessment Guide: Guidance on the application of the Examine, Interview, and Test (E-I-T) methods to ensure evidence quality.
NIST SP 800-171A: The foundation for CMMC assessment procedures, which emphasizes the need for relevant (adequate) evidence to support findings.
While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?
Options:
IR.L2-3.6.1: Incident Handling
IR.L2-3.6.2: Incident Reporting
IR.L2-3.6.3: Incident Response Testing
IR.L2-3.6.4: Incident Spillage
Answer:
A
Explanation:
Understanding CMMC 2.0 Incident Response Practices
The Incident Response (IR) domain in CMMC 2.0 Level 2 aligns with NIST SP 800-171, Section 3.6, which defines requirements for establishing and maintaining an incident response capability.
Why "A. IR.L2-3.6.1: Incident Handling" Is Correct
The documentation provided describes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.L2-3.6.1 specifically requires organizations to establish an incident handling process covering:
Preparation
Detection & Analysis
Containment
Eradication & Recovery
Post-Incident Response
Why the Other Answers Are Incorrect
B. IR.L2-3.6.2: Incident Reporting (Incorrect)
Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet), which is not what the provided documentation describes.
C. IR.L2-3.6.3: Incident Response Testing (Incorrect)
Incident response testing ensures that the response process is regularly tested and evaluated, which is not the primary focus of the documentation provided.
D. IR.L2-3.6.4: Incident Spillage (Incorrect)
Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents, which is not the scenario described.
Conclusion
The correct answer is A. IR.L2-3.6.1: Incident Handling, as the documentation attests to the establishment of an incident response capability.
How many cybersecurity levels does the CMMC Model structure contain?
Options:
2 Levels.
3 Levels.
5 Levels.
4 Levels.
Answer:
B
Explanation:
The correct answer is B, 3 Levels. The official CMMC 2.0 Model Overview states that there are three levels within CMMC: Level 1, Level 2, and Level 3. It explains that the model measures implementation of cybersecurity requirements at three levels, with each level containing a defined set of CMMC practices. Level 1 is focused on basic safeguarding of Federal Contract Information, Level 2 is focused on protection of Controlled Unclassified Information using requirements aligned to NIST SP 800-171, and Level 3 is intended for higher-risk programs requiring enhanced protection.
This is a major difference between CMMC 2.0 and the earlier CMMC 1.0 structure. CMMC 1.0 used five maturity levels, but CMMC 2.0 simplified the model to three cybersecurity levels. Therefore, option C, 5 Levels, reflects the older CMMC 1.0 structure and is not correct for CMMC 2.0. Option A, 2 Levels, is incorrect because it omits one of the three official levels. Option D, 4 Levels, is also incorrect because the official CMMC 2.0 model does not contain four levels. The bottom line is that CMMC 2.0 contains three cybersecurity levels: Level 1 Foundational, Level 2 Advanced, and Level 3 Expert.
A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset?
Options:
It is storing FCI.
It is testing FCI.
It is distributing FCI.
It is properly marked as FCI.
Answer:
A
Explanation:
CMMC v2.0 scoping defines “in-scope” assets for Level 1 (FCI protection) based on whether the asset processes, stores, or transmits FCI. The DoD CMMC Assessment Scope – Level 1 (v2.13) states: “Assets in scope … are all assets that process, store, or transmit Federal Contract Information (FCI).” It then defines these terms. Critically for this question, Store is defined as when “FCI is inactive or at rest on an asset (e.g., located on electronic media…).”
A flash drive is “electronic media.” If the program manager places contract-relevant FCI onto the flash drive, the flash drive is now an asset that stores FCI (FCI at rest). Under the scoping guidance, that alone is enough to classify it as an in-scope FCI asset for Level 1 purposes, meaning it falls within the Level 1 assessment scope and must be protected by applicable Level 1 requirements.
The other answer choices do not align to the scoping definitions. “Testing FCI” (B) is not one of the scope-determining criteria in the Level 1 scoping guide. “Distributing FCI” (C) is not the formal criterion either (the guide uses Transmit, not “distribute”). Finally, being “properly marked” (D) does not determine whether something is in scope; the decisive factor is whether the asset processes, stores, or transmits FCI.
The evidence needed for each practice and/or process is weighed for:
Options:
adequacy and sufficiency.
adequacy and thoroughness.
sufficiency and thoroughness.
sufficiency and appropriateness.
Answer:
A
Explanation:
During a CMMC assessment, organizations must provide evidence to demonstrate compliance with required practices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy – Does the evidence meet the intent of the security requirement?
Sufficiency – Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in the CMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:
✅ 1. Adequacy – Does the evidence fully meet the requirement?
Adequacy refers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforce Multi-Factor Authentication (MFA), an assessor would check system configurations, login policies, and user authentication logs to confirm that MFA is actually in use.
✅ 2. Sufficiency – Is there enough evidence to support the claim?
Sufficiency means that there is enough supporting evidence to prove compliance.
Example: If an organization provides only one screenshot of an MFA login screen, that alone may not be sufficient; additional logs, policies, and user records would help strengthen the case.
Why the Other Answer Choices Are Incorrect:
(B) Adequacy and Thoroughness ❌
Thoroughness is not a defined metric in CMMC evidence evaluation.
The focus is on whether the evidence meets the requirement (adequacy) and if there is enough of it (sufficiency).
(C) Sufficiency and Thoroughness ❌
Thoroughness is not a recognized term in CMMC compliance validation.
Evidence must be adequate and sufficient, not just thorough.
(D) Sufficiency and Appropriateness ❌
Appropriateness is not a CMMC-defined criterion.
The correct terms used in CMMC assessments are Adequacy (Does it meet the requirement?) and Sufficiency (Is there enough proof?).
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide explicitly states that evidence must be evaluated based on adequacy and sufficiency to confirm compliance with security practices.
An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?
Options:
It handles CUI
It is a restricted IS
It is government property
It is operational technology
Answer:
B
Explanation:
A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.
Supporting Extracts from Official Content:
CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”
Why Option B is Correct:
The Windows 95 system is an example of a restricted IS, so it can be scoped out.
Option A is incorrect — the asset is not handling CUI in this case.
Option C is incorrect — government property designation does not define scope.
Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.
===========
In CMMC High-Level scoping, which definition BEST describes an HQ organization?
Options:
The entity that carries out the tasks under a contract
The unit to which a CMMC Level is applied for each contract
The teams, services, and technologies that provide support to a Host Unit
The entity legally responsible for the delivery of products or services under a contract
Answer:
D
Explanation:
In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.
Supporting Extracts from Official Content:
CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”
Why Option D is Correct:
The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.
Option C refers to shared services, not the HQ.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, High-Level Scoping Definitions.
===========
During an assessment, which phase of the process identifies conflicts of interest?
Options:
Analyze requirements.
Develop assessment plan.
Verify readiness to conduct assessment.
Generate final recommended assessment results.
Answer:
C
Explanation:
In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the "Verify Readiness to Conduct Assessment" phase.
Step-by-Step Explanation:
Assessment Planning & Conflict of Interest Consideration
Before an assessment begins, the C3PAO (Certified Third-Party Assessment Organization) or the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DoD-led assessments must confirm that there are no conflicts of interest between assessors and the organization being assessed.
A conflict of interest may arise if an assessor has previously worked for, consulted with, or provided direct assistance to the organization under review.
CMMC Assessment Process and Phases
The CMMC assessment process involves multiple steps, and the verification of readiness is a critical early phase to ensure that the assessment is unbiased:
Analyze Requirements: This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.
Develop Assessment Plan: This phase focuses on structuring the assessment methodology, not on identifying conflicts.
Verify Readiness to Conduct Assessment (Correct Answer):
At this stage, the C3PAO or assessment team must review potential conflicts of interest.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.
Generate Final Recommended Assessment Results: This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.
Official CMMC Documentation & References
CMMC Assessment Process (CAP) Guide – The CAP details procedures assessors must follow, including conflict of interest verification.
CMMC 2.0 Scoping and Assessment Guides – Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.
DoD Instruction 5200.48 (Controlled Unclassified Information Program) – Outlines requirements for ensuring objective cybersecurity assessments.
By ensuring conflicts of interest are identified in the "Verify Readiness to Conduct Assessment" phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conducted fairly, independently, and in accordance with DoD cybersecurity policies.
Which resource contains authoritative data classifications of CUI?
Options:
NARA
CMMC-AB
DoD Contractors FAQ
OSC's privacy policies
Answer:
A
Explanation:
The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.
The other options are delineated as follows:
CMMC-AB: The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.
DoD Contractors FAQ: While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.
OSC's privacy policies: An Organization Seeking Certification's internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.
Therefore, for authoritative information on CUI data classifications, NARA's CUI Registry is the appropriate resource.
A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:
Options:
manage FCI.
process FCI.
transmit FCI.
generate FCI
Answer:
C
Explanation:
Federal Contract Information (FCI) is defined in FAR 52.204-21 as information provided by or generated for the government under contract but not intended for public release. Under CMMC 2.0, organizations handling FCI must implement FAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection in processing, storing, and transmitting FCI.
Analyzing the Given Options
The question involves an email system that is used to send FCI to a subcontractor. Let’s break down the possible answers:
A. Manage FCI → Incorrect
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.
B. Process FCI → Incorrect
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.
C. Transmit FCI → Correct
Transmission refers to the act of sending FCI from one entity to another. Since the contractor is sending FCI via email, this falls under transmitting the data.
Which entity specifies the required CMMC Level in Requests for Information and Requests for Proposals?
Options:
DoD
NARA
NIST
Department of Homeland Security
Answer:
A
Explanation:
Step 1: Understanding Who Specifies CMMC Levels
The U.S. Department of Defense (DoD) determines the required CMMC Level based on the sensitivity of the information involved in a contract.
The required CMMC Level is specified in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?
Options:
DoD OUSD
Authorized holder
Information Disclosure Official
Presidential authorized Original Classification Authority
Answer:
B
Explanation:
Who is Responsible for Marking CUI?
According to DoDI 5200.48 (Controlled Unclassified Information (CUI)), the responsibility for marking CUI falls on the authorized holder of the information.
Step-by-Step Breakdown:
Definition of an Authorized Holder
Per DoDI 5200.48, Section 3.4, an authorized holder is anyone who has been granted access to CUI and is responsible for handling, safeguarding, and marking it according to DoD CUI policy.
The authorized holder may be:
A DoD employee
A contractor handling CUI
Any organization or individual authorized to access and manage CUI
DoD Guidance on CUI Marking Responsibilities
DoDI 5200.48, Section 4.2:
The individual creating or handling CUI must apply the appropriate markings as per the DoD CUI Registry guidelines.
DoDI 5200.48, Section 5.2:
The marking responsibility is NOT limited to a specific position like an Information Disclosure Official or a high-level DoD office.
Instead, it is the responsibility of the person or entity generating, handling, or disseminating the CUI.
Why the Other Answer Choices Are Incorrect:
(A) DoD OUSD (Office of the Under Secretary of Defense):
The OUSD plays a policy-setting role but does not directly mark CUI.
(C) Information Disclosure Official:
This role is responsible for public release of information, but marking CUI is the duty of the authorized holder managing the data.
(D) Presidential authorized Original Classification Authority (OCA):
OCAs classify national security information (Confidential, Secret, Top Secret), not CUI, which is not classified information.
Final Validation from DoDI 5200.48:
Per DoDI 5200.48, authorized holders are explicitly responsible for marking CUI, making this the correct answer.
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information"?
Options:
Adopted security
Adaptive security
Adequate security
Advanced security
Answer:
C
Explanation:
Understanding the Concept of Security in CMMC 2.0
CMMC 2.0 aligns with federal cybersecurity standards, particularly FISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.
The question describes security measures that are proportionate to the risk of loss, misuse, unauthorized access, or modification of information. This matches the definition of "Adequate Security."
Analyzing the Given Options
A. Adopted security → Incorrect
The term "adopted security" is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.
B. Adaptive security → Incorrect
Adaptive security refers to a dynamic cybersecurity model where security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security → Correct
The term "adequate security" is defined in NIST SP 800-171, DFARS 252.204-7012, and FISMA as the level of protection that is proportional to the consequences and likelihood of a security incident.
This aligns perfectly with the definition in the question.
D. Advanced security → Incorrect
Advanced security typically refers to highly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
Official References Supporting the Correct Answer
FISMA (44 U.S.C. § 3552(b)(3))
Defines adequate security as "protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."
This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Mandates that contractors apply "adequate security" to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)
Requires that organizations apply adequate security measures in accordance with NIST SP 800-171 to meet compliance standards.
Conclusion
The term "adequate security" is the correct answer because it is explicitly defined in federal cybersecurity frameworks as protection proportional to risk and potential consequences. Thus, the verified answer is C, Adequate security.
Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?
Options:
DOD OUSD
Authorized holder
Information Disclosure Official
Presidentially authorized Original Classification Authority
Answer:
B
Explanation:
DoDI 5200.48 specifies that Authorized Holders of CUI are responsible for applying appropriate CUI markings. An authorized holder is an individual who has lawful government purpose access to the information. This ensures that responsibility for correctly marking information rests with those who create or handle the material, not only with original classification authorities (which apply to classified information, not CUI).
Reference Documents:
DoDI 5200.48, Controlled Unclassified Information (CUI)