CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1–3 Practices

NIST SP 800-171 Rev. 2, Control PE-3

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

The CAP specifies that the C3PAO is responsible for assigning the Lead Assessor to an OSC’s assessment. While the OSC contracts with the C3PAO, the authority to appoint the Lead Assessor resides solely with the C3PAO.

Supporting Extracts from Official Content:

CAP v2.0, Assessment Team Composition (§2.10): “The C3PAO shall designate a qualified Lead Assessor to lead the assessment.”

Why Option B is Correct:

Only the C3PAO has the authority to select and assign the Lead Assessor.

The OSC may influence scheduling and planning but cannot appoint assessors.

Options A, C, and D are inconsistent with CAP requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Assessment Team Roles and Responsibilities (§2.10).

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

Why "A. Obtain Evidence" is Correct?

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

Why Other Answers Are Incorrect?

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

Conclusion

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

According to the CMMC Assessment Process (CAP), specifically within the Phase 4: Reporting Results requirements, a C3PAO must ensure that every assessment package undergoes a rigorous quality review before it is finalized and submitted to the Department of Defense (DoD).

The Role of the CQAP: The CMMC Quality Assurance Professional (CQAP) is a designated role within a C3PAO responsible for verifying that the assessment was conducted in accordance with the CAP and that the evidence collected (the "Artifacts") supports the findings (Met/Not Met).

Mandatory Inclusion: When generating the Final Recommended Assessment Results, the package is not considered complete or valid without the formal review documentation from the CQAP. This documentation serves as the "stamp of approval" that the internal Quality Management System (QMS) of the C3PAO has validated the assessment team's work.

Why other options are incorrect:

Option A: While the Assessment Plan is a required document during the planning phase, it is an input to the process, not a mandatory component of theFinal Resultsgeneration in the same way quality validation is.

Option B: Daily Checkpoints are administrative tools used during the "Conduct Assessment" phase to keep the OSC informed. While they are part of the assessment record, they are not a mandatory technical component of the final results package.

Option C: The contract is a legal/business requirement handled during the "Plan and Prepare" phase; it is not included in the technical assessment results uploaded to the DoD.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 4.2 (Finalize Assessment Report) and Section 4.3 (C3PAO Quality Review).

C3PAO Authorization Requirements: Specifies the requirement for a Quality Assurance (QA) function to review all assessment outputs to ensure consistency and integrity across the ecosystem.

Understanding CMMC 2.0 Incident Response Practices

TheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

Why "A. IR.L2-3.6.1: Incident Handling" is Correct?

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

Why Other Answers Are Incorrect?

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

Conclusion

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.

What Does the Practice of Professionalism Require in the CMMC Code of Professional Conduct?

TheCMMC Code of Professional Conduct (CoPC)sets ethical and professional standards forCertified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs).Professionalismrequireshonesty and integrity in all CMMC-related activities.

Step-by-Step Breakdown:

✅1. Professionalism Requires Ethical Behavior

TheCoPC states that professionalismincludes:

Acting with integrityin all assessment-related activities.

Providing truthful and objective assessmentsof cybersecurity practices.

Avoiding deceptive or misleading claimsabout assessments or compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Do not copy materials without permission to do so❌

This falls underIntellectual Property (IP) protection, notProfessionalism.

(B) Do not make assertions about assessment outcomes❌

Assessorsmustprovide findings based on evidence. The rule is aboutnot making false or misleading claims, not about avoiding assertions altogether.

(D) Ensure the security of all information discovered or received❌

This falls underConfidentiality, notProfessionalism.

Final Validation from CMMC Documentation:

TheCMMC Code of Professional Conduct (CoPC)definesProfessionalism as requiring honesty and integrityin allCMMC-related activities.

Thus, the correct answer is:

✅C. Refrain from dishonesty in all dealings regarding CMMC.

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Why the Correct Answer is "D"?

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

Why Not the Other Options?

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Final Justification:

Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

Understanding Asset Types in CMMC 2.0

In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.

According to CMMC Scoping Guidance, there are five primary asset types:

Security Protection Assets (ESP - External Service Providers & Security Systems)

People (Personnel who interact with FCI/CUI)

Facilities (Physical locations housing FCI/CUI)

Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)

CUI Assets (For Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct Answer

The IT manager is evaluating servers, laptops, databases, and applications—all of which are technology assets used to store, process, or transmit FCI.

According to CMMC Scoping Guidance, Technology assets include:

✅Endpoints (Laptops, Workstations, Mobile Devices)

✅Servers (On-premise or cloud-based)

✅Networking Devices (Routers, Firewalls, Switches)

✅Applications (Software, Cloud-based tools)

✅Databases (Storage of FCI or CUI)

Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).

Why the Other Answers Are Incorrect

A. ESP (Security Protection Assets)

❌Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.

B. People

❌Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software—which falls under Technology, not People.

C. Facilities

❌Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.

CMMC Official References

CMMC Level 1 Scoping Guide (CMMC-AB) – Defines asset categories, including Technology.

CMMC 2.0 Scoping Guidance for Assessors – Provides clarification on FCI assets.

Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.

Understanding Multi-Function Device (MFD) Security in CMMC

Multi-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.

Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.

Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?

VLAN Restrictions Provide Network Segmentation

VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.

Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.

Meets CMMC 2.0 Network Security Controls

Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.

Reducesthe risk of unauthorized access to scanned and printed FCI.

Why Not the Other Options?

B. Single administrative account→Incorrect

Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.

C. Documentation showing MFD configuration→Incorrect

Documentation helps with compliance butdoes not actively restrict access.

D. Access lists only known to the IT administrator→Incorrect

Access lists should besystem-enforced, not just "known" to the administrator.

Relevant CMMC 2.0 References:

CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.

NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.

Final Justification:

SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.

Per the CMMC Scoping Guidance, External Service Providers (ESPs) must be included in scope if they process, store, or transmit CUI or FCI on behalf of the OSC. However, ESPs do not themselves receive a separate CMMC certification unless they undergo their own assessment or an enterprise-level certification is conducted. Their environment is assessed only as part of the OSC’s scope.

Reference Documents:

CMMC Scoping Guidance for Level 2

CMMC Model v2.0 Overview

Understanding Licensed Training Providers (LTPs) in CMMC

ALicensed Training Provider (LTP)is an entity that is authorized by theCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)todeliver CMMC trainingbased on anapproved curriculum.

Key Responsibilities of an LTP:

Provides CMMC-AB-approved training programsfor individuals seeking CMMC certifications.

Uses an official CMMC curriculumthat aligns with theCMMC Body of Knowledge (BoK)and other CMMC-AB guidance.

Prepares students for CMMC roles, such asCertified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).

Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?

A. Creates DoD-licensed training → Incorrect

TheCMMC-AB, not the DoD, manages LTP licensing. LTPsdo not create new training contentbut mustfollow an approved curriculum.

B. Instructs a curriculum approved by CMMC-AB → Correct

LTPsteacha curriculum that has beenapproved by the CMMC-AB, ensuring consistency in CMMC training.

C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect

LTPs provide training, not testing. Testing is handled byLicensed Partner Publishers (LPPs)and exam bodies.

D. Delivers training using some CMMC body of knowledge objectives → Incorrect

LTPs mustfully adhereto theCMMC-AB-approved curriculum, not just "some" objectives.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Licensed Training Provider (LTP) Program Guidelines

Defines LTPs as entities thatdeliver CMMC-AB-approved training programs.

CMMC Body of Knowledge (BoK)

Specifies that training must follow theCMMC-AB-approved curriculumto ensure standardization.

CMMC-AB Training & Certification Framework

Requires LTPs todeliver structured training that meets CMMC-AB guidelines.

Final Answer:

✔B. Instructs a curriculum approved by CMMC-AB

Understanding the Definition of an Agreement in the CMMC-AB Code of Professional Conduct

TheCMMC-AB Code of Professional Conductdefines anagreementasany contract between two legal entities. This includes:

✔Contracts between an OSC and a C3PAOfor CMMC assessments.

✔Service agreements between cybersecurity providers and defense contractors.

✔Any formal, legally binding arrangement related to CMMC compliance.

Why is the Correct Answer "D. Agreement"?

A. Union → Incorrect

Auniontypically refers to anorganization representing workersand is not used to describe acontractual relationship.

B. Accord → Incorrect

While anaccordcan mean an agreement, it isnot the standard legal term for a binding contractin CMMC documentation.

C. Alliance → Incorrect

Analliancerefers to astrategic partnership, but does not necessarily imply alegally binding contract.

D. Agreement → Correct

TheCMMC-AB Code of Professional Conductdefines anagreementas anylegally binding contract between two entities.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Code of Professional Conduct

Defines"Agreement"as alegally binding contract between two parties.

CMMC-AB Licensed Training and Assessment Provider Guidelines

Requires that all engagementsbe governed by a formal agreement (contract) between the parties.

DFARS and CMMC Certification Contracts

States thatOSC-C3PAO relationships must be formalized through a legal agreement.

Understanding Specialized Assets in a CMMC Self-Assessment

DuringCMMC Level 1 Self-Assessments, organizations must classify theirassetsin theSystem Security Plan (SSP).

Specialized Asset Type: Operational Technology (OT)

Operational Technology (OT)includesmachine controllers, industrial control systems (ICS), and assembly machines.

Thesesystems control physical processesin manufacturing, energy, and industrial environments.

OT assets are distinct from traditional IT systemsbecause they haveunique security considerations(e.g., real-time control, legacy system constraints).

Why is the Correct Answer "D. Operational Technology"?

A. IoT (Internet of Things) → Incorrect

IoT devicesinclude smart home systems, connected sensors, and networked appliances, butmachine controllers and assembly machines fall under OT, not IoT.

B. Restricted IS → Incorrect

Restricted Information Systems (IS) refer to classified or highly controlled systems, whichdoes not apply to standard industrial machines.

C. Test Equipment → Incorrect

Test equipment includes diagnostic tools or measurement devicesused forquality assurance, not industrial machine controllers.

D. Operational Technology → Correct

Machine controllers and assembly machinesare part ofindustrial automation and control systems, which are classified asOperational Technology (OT).

CMMC 2.0 References Supporting This Answer:

CMMC Scoping Guidance for Level 1 & Level 2 Assessments

DefinesOperational Technology (OT) as a category of Specialized Assetsthat requirespecific security considerations.

NIST SP 800-82 (Guide to Industrial Control Systems Security)

Identifiesmachine controllers and assembly machinesas part ofOperational Technology (OT).

CMMC 2.0 Asset Classification Guidelines

Specifies thatOT systems should be documented separately in an organization's SSP.

When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.

Step-by-Step Breakdown:

✅1. What is an ESP?

External Service Providers (ESPs)arethird-party organizationsthat:

ProvideIT services, cloud hosting, and managed security solutions.

Process, store, or transmit FCI or CUIon behalf of a contractor.

Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.

If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.

✅2. Why the Other Answer Choices Are Incorrect:

(B) People❌

Incorrect:ESPs areorganizations, not individual people.

(C) Facilities❌

Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.

(D) Technology❌

Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just "Technology."

Final Validation from CMMC Documentation:

TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.

Thus, the correct answer is:

✅A. ESPs (External Service Providers).

Step 1: Understand the Definitions of Evidence Evaluation Criteria

TheCMMC Assessment Process (CAP)introduces two key criteria for evaluating evidence:

Adequacy– Does the evidencealign with the practice?

Sufficiency– Is the evidencecomprehensive enoughin terms ofcoverage across systems, users, and scope?

CAP v1.0 – Section 3.5.4:

“Evidence must be evaluated for bothadequacy(is it the right evidence?) andsufficiency(is there enough of it across all in-scope assets and areas?) to score a practice as MET.”

✅Step 2: Applying to the Scenario

In the question, the Lead Assessor is asking the team toverify that evidence is sufficient across:

Domains

Practices

Host Units

Supporting Organizations

Enclaves

➡️This is adirect reference to sufficiency, which evaluates whether thebreadth and depthof evidence is enough to make an informed judgment that the control is truly implemented across theentire assessed environment.

❌Why the Other Options Are Incorrect

A. Adequacy

✘Adequacy refers to therelevanceof the evidence to the specific practice — not itscoverageacross scope.

B. Capability

✘Not a term used in evidence validation within CMMC CAP documentation.

D. Objectivity

✘While objectivity is important, it refers to theunbiased nature of assessment activities, not to theextent of evidence coverage.

When an assessor evaluates whether the evidence is broad enough across all necessary systems, units, and enclaves to score a practice as MET, they are evaluatingsufficiency— one of the two core criteria for evidence validity in a CMMC assessment.

The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.

Supporting Extracts from Official Content:

CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”

Why Option A is Correct:

These three principles are the official guiding values documented in the Code of Professional Conduct.

Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.

References (Official CMMC v2.0 Content):

CMMC Code of Professional Conduct.

===========

What Happens in Phase 4 of the CMMC Assessment Process?

Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:

Review all assessment findings

Determine the Organization Seeking Certification’s (OSC) eligibility for certification

Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)

Key Responsibilities of the Lead Assessor in Phase 4:

Ensure that the OSC hasmet the required practices and processes.

Confirm that anydeficiencieshave been corrected or appropriately documented.

Recommendwhether the OSC is eligible for certificationbased on assessment results.

Since theLead Assessor must determine and recommend the OSC’s eligibilityto the C3PAO, the correct answer isB. Eligibility.

Why the Other Answers Are Incorrect

A. Ability

❌Incorrect. While assessing an OSC’s ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.

C. Capability

❌Incorrect. Capability refers to an organization'stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.

D. Suitability

❌Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.

CMMC Official References

CMMC Assessment Process (CAP) Document– Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.

CMMC 2.0 Model– Defines the assessment process, including certification decision-making.

Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.

Understanding the False Claims Act (FCA) and Whistleblower Protections

TheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

Why the Other Answers Are Incorrect

A. NIST SP 800-53

❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171

❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct

❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

CMMC Official References

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

Thus,option C (False Claims Act) is the correct answeras per official legal guidance.

Understanding Asset Categorization in CMMC 2.0

InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Why "D. Specialized Asset" is Correct?

TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.

Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.

Why Other Answers Are Incorrect?

A. FCI Asset (Incorrect)

FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.

B. CUI Asset (Incorrect)

CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.

C. In-scope Asset (Incorrect)

In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.

Conclusion

The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.

Which NIST SP Defines the Assessment Procedures for CMMC?

CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:

✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Thus, the correct answer is:

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

The Certified Third-Party Assessment Organization (C3PAO) enters into a contractual relationship with the OSC. As part of that contract, the C3PAO maintains a non-disclosure agreement (NDA) to protect sensitive and proprietary information reviewed during the assessment.

Supporting Extracts from Official Content:

CAP v2.0, Roles and Responsibilities (§2.8): “The C3PAO maintains a non-disclosure agreement with the OSC to protect all sensitive information disclosed during the assessment.”

Why Option B is Correct:

Only the C3PAO contracts directly with the OSC and is bound to protect assessment data.

NIST, The Cyber AB (formerly CMMC-AB), and OUSD A & S do not enter NDAs directly with OSCs.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Section on OSC–C3PAO agreements.

===========

Understanding CUI Markings and the Role of NARA

What Does "CUI//SP-PRVCY//FED Only" Mean?

The email containsControlled Unclassified Information (CUI)withspecific categories and dissemination controls.

CUI//SP-PRVCY//FED Onlybreaks down as follows:

CUI→ Controlled Unclassified Information designation.

SP-PRVCY→Specifiedcategory forPrivacy Information(SP stands for "Specified").

FED Only→ Restriction forFederal Government use only(not for contractors or the public).

Who Maintains the Official CUI Registry?

TheNational Archives and Records Administration (NARA) oversees the CUI Programand maintains the officialCUI Registry(https://www.archives.gov/cui).

The CUI Registry providesdefinitions, marking guidance, and categoriesfor all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."

Why NARA is the Correct Answer:

NARA is the governing body responsible for defining and managing CUI markings.

Any organization handling CUI shouldrefer to the NARA CUI Registryfor official marking interpretations.

DoD contractors and other organizationsmust comply with NARA guidelines when handling, marking, and disseminating CUI.

Clarification of Incorrect Options:

B. CMMC-AB– TheCMMC Accreditation Bodymanages certification assessments butdoes not define or interpret CUI markings.

C. DoD Contractors FAQ Page– The DoD may provide general contractor guidance, butCUI markings are governed by NARA, not an FAQ page.

D. DoD 239.7601 Definitions Page– This refers to generalDoD acquisition definitions, butCUI categories and markings fall under NARA’s authority.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.

Asset Categories as per CMMC 2.0:

FCI Assets – These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).

CUI Assets – These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.

Specialized Assets – Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.

Out-of-Scope Assets – Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.

Government-Issued Assets – These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.

Why the Correct Answer is C. Out-of-Scope Assets?

The question specifies that the identified asset does not process, store, or transmit FCI.

According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls.

Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category.

These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.

Relevant CMMC 2.0 References:

CMMC Scoping Guide (Nov 2021) – Defines out-of-scope assets as those that are within an OSC’s environment but have no interaction with FCI or CUI.

CMMC 2.0 Level 1 Guide – Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.

CMMC Assessment Process (CAP) Guide – Identifies the classification of assets in an OSC’s environment to determine compliance requirements.

Final Justification:

Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:

The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

According to the CMMC Scoping Guidance, Level 2, assets are categorized into specific groups to determine how they are treated during an assessment. One of these categories is Specialized Assets.

The CMMC Scoping Guidance defines Specialized Assets as a specific group that includes:

Government Property: Any property owned or leased by the government and provided to the contractor (Government Furnished Equipment or GFE).

Internet of Things (IoT): Physical objects that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (e.g., Industrial Control Systems).

Restricted Information Systems: Systems that have specific configurations or constraints that prevent standard security controls from being applied (e.g., legacy systems).

Test Equipment: Specialized equipment used for testing, such as oscilloscopes or signal generators.

Why other options are incorrect:

Option A (SOCs): A Security Operations Center is typically considered a Security Protection Asset (SPA) because it provides security functions (monitoring/response) for the assessment scope.

Option B (Hosted VPN services): These are generally categorized as External Service Providers (ESPs) or part of the Security Protection Assets, depending on how they are managed and their role in protecting CUI.

Option C (Consultants): These are External Service Providers (ESP) (personnel/organizations), not specialized hardware/software assets.

Treatment of Specialized Assets: Under CMMC Level 2 scoping rules, Specialized Assets must be identified in the Asset Inventory and documented in the System Security Plan (SSP), but they are generally not managed against the CMMC practices unless they process, store, or transmit CUI in a way that falls outside their specialized function.

Reference Documents:

CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.1, "Specialized Assets" and Table 3.

32 CFR Part 170 (CMMC Program Rule): Definitions of asset categories and their associated assessment requirements.

Understanding C3PAO Requirements

ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:

✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.

Understanding the Role of a Registered Provider Organization (RPO)

ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO

✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Why "Consulting Services" is the Correct Answer?

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Breakdown of Answer Choices

Option

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

Official References from CMMC 2.0 Documentation

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Final Verification and Conclusion

The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:

✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

Final Validation from CMMC Documentation:

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Who Determines the Assessment Method for Each Practice?

In aCMMC Level 2 Assessment, theLead Assessorhas thefinal authorityin determining theassessment methodused to evaluate each practice.

Key Responsibilities of the Lead Assessor

✅Ensures theCMMC Assessment Process (CAP) Guideis followed.

✅Determines whether a practice is evaluated usinginterviews, demonstrations, or document reviews.

✅Directs theCertified CMMC Professionals (CCPs)and other assessors on themethodologyfor gathering evidence.

✅Works under aCertified Third-Party Assessment Organization (C3PAO)to ensure proper assessment execution.

Why "Lead Assessor" is Correct?

CCP (Option A) assists in the assessment but does not make final decisionson methods.

OSC (Option B) is the Organization Seeking Certification, and they do not control assessment methodology.

Site Manager (Option C) may coordinate logistics but has no authority over assessment decisions.

Breakdown of Answer Choices

Option

Description

Correct?

A. CCP

❌Incorrect–A CCPassistsbut doesnot determine assessment methods.

B. OSC

❌Incorrect–The OSC is beingassessedand does not decide assessment methods.

C. Site Manager

❌Incorrect–The Site Manager handles logistics butdoes not control assessment methods.

D. Lead Assessor

✅Correct – The Lead Assessor has the final say on the assessment method used.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Defines theLead Assessor’s rolein determining assessment methods.

Final Verification and Conclusion

The correct answer isD. Lead Assessor, as they havefinal decision-making authority over the assessment methodology.

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:

✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Understanding the Media Protection (MP) Domain

TheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).

This domain includes controls for:

Protecting digital and physical mediathat store CUI.

Sanitizing and destroying mediabefore disposal or reuse.

Restricting access to CUI mediato authorized personnel only.

Why the Correct Answer is "A. Media Protection (MP)"?

TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.

CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.

Why Not the Other Options?

B. Physical Protection (PE)→Incorrect

PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.

C. System and Information Integrity (SI)→Incorrect

SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.

D. System and Communications Protection (SC)→Incorrect

SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.

Relevant CMMC 2.0 References:

CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.

NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.

CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.

Final Justification:

SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).

According to the CMMC Assessment Process (CAP), specifically during the Phase 3: Conduct Assessment (Evidence Collection and Verification), the Assessment Team must evaluate all collected artifacts, interview notes, and test results against two primary dimensions: Adequacy and Sufficiency.

Adequacy (The "Right" Evidence): This criterion focuses on the quality, relevance, and validity of the evidence. It addresses whether the evidence actually maps to the specific CMMC practice being assessed and whether it is authoritative (e.g., signed, current, and from a trusted source). If an assessor asks, "Is this therightpiece of information to prove this practice is met?" they are testing for Adequacy.

Sufficiency (The "Enough" Evidence): This criterion focuses on the quantity and scope of the evidence. It addresses whether the Assessment Team has collected enough data points (across the required number of assets and using the required methods of Examine, Interview, and Test) to reach a confident conclusion. If an assessor asks, "Do I haveenoughexamples of this practice in action across the entire enclave?" they are testing for Sufficiency.

Why other options are incorrect:

B and D (Objectivity/Subjectivity): While assessors must remain objective, these are not the formal "criteria" used to categorize the evidence collection quality within the CAP framework.

C (Sufficiency): As noted above, Sufficiency is about theamountof evidence, not whether it is thecorrect type(the "right" evidence).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4, "Collect and Verify Evidence," which explicitly defines the requirement for evidence to be both adequate and sufficient.

CMMC Level 2 Assessment Guide: Guidance on the application of the Examine, Interview, and Test (E-I-T) methods to ensure evidence quality.

NIST SP 800-171A: The foundation for CMMC assessment procedures, which emphasizes the need for relevant (adequate) evidence to support findings.

In the CAP v2.0 “preliminary proceedings,” the assessment is “framed” before Phase 1/Phase 2 execution. CAP states the C3PAO works with the OSC’s leadership point(s) of contact (the Affirming Official and/or OSC POC ) “to determine the purview and planning details of the assessment,” explicitly including schedule , personnel , logistics , relevant contractual requirements, and the prospective CMMC Assessment Scope .

Although the question uses the term “OSC sponsor,” the CAP’s official role language is Affirming Official / OSC POC , and the Lead CCA (Lead Assessor) is the assessor counterpart. CAP further explains that the In-Brief Meeting establishes a common understanding of objectives, roles/responsibilities, and the schedule , and the Lead CCA must (at minimum) review the schedule and confirm assessment scope with the OSC.

Option A is incomplete because team assignment is a C3PAO responsibility, but CAP’s “plan” emphasis here is broader framing: availability of personnel/evidence, documentation readiness, timing, and logistics. Option C is incorrect because CAP states C3PAOs are ultimately responsible for managing conflicts of interest and this responsibility cannot be delegated to the assessment team or the OSC. Option D is incorrect because CAP requires evaluation methods and evidence planning activities to be established during Phase 1 planning, not deferred until onsite work.

===========

Step 1: Understand the Assessment Phases (CAP v1.0)

TheCMMC Assessment Process (CAP)outlines a structured lifecycle for assessments, including:

Plan and Prepare Phase– Develop the assessment plan (before the assessment starts).

Conduct Assessment Phase– Execute the actual assessment activities.

Report Results Phase– Finalize and deliver the assessment outcomes.

CAP v1.0 – Section 3.5 (Conduct Assessment):

“The assessment team collects, examines, and evaluates evidence to determine if practices are MET or NOT MET.”

✅Step 2: Why “Collect and Examine Evidence” Is the Primary Activity

During the“Conduct Assessment” phase, the main activity is to:

Collect evidence(documentation, interviews, testing),

Validate adequacy and sufficiency,

Score practicesas MET/NOT MET.

This is thecore responsibilityof assessorswhile conductingan assessment.

❌Why the Other Options Are Incorrect

A. Develop assessment plan

✘This occurs in thePlan and Preparephasebeforeconducting the assessment.

C. Verify readiness to conduct assessment

✘Readiness verification is part ofpre-assessment activities, not during the assessment itself.

D. Deliver recommended assessment results

✘This is done during theReport Resultsphase after the assessment has been conducted.

Theprimary activity performed during the actual executionof a CMMC assessment iscollecting and examining evidenceto determine compliance with practices.

Understanding the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?

DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer Choices

Option

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Final Verification and Conclusion

The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.

Understanding CMMC Asset Scoping Requirements

Before conducting aCMMC Level 2 Assessment, anOrganization Seeking Certification (OSC)must define theassessment scopeby categorizing all assets. This ensures that only relevant systems are assessed againstCMMC practices, reducing unnecessary compliance burdens.

According to theCMMC Scoping Guide for Level 2, there are four asset categories:

CUI Assets– Assets that process, store, or transmitControlled Unclassified Information (CUI).

Security Protection Assets (SPA)– Assets that providesecurity functions(e.g., firewalls, intrusion detection systems, identity management systems).

Contractor Risk Managed Assets (CRMA)– Assets thatdo not directly store/process CUIbut interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).

Specialized Assets– Unique systems such asOperational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may requirelimitedCMMC assessment.

Which Asset Categories Are Always Assessed?

✅1. CUI Assets(ALWAYS ASSESSED)

These are theprimary focusof CMMC Level 2 since they handleCUI.

All110 NIST SP 800-171 controlsapply to these assets.

✅2. Security Protection Assets (SPA)(ALWAYS ASSESSED)

Security tools that protectCUI Assetsarealways includedin the assessment.

Examples includefirewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.

Why the Other Answer Choices Are Incorrect:

(A) CUI Assets and Specialized Assets❌

CUI Assets are assessed, butSpecialized Assets are only assessed in a limited manner, depending on their role inCUI security.

(C) Specialized Assets and Contractor Risk Managed Assets❌

Specialized Assets and CRMAsare typicallynot fully assessedagainst CMMC controls unless they directly impactCUI security.

(D) Security Protection Assets and Contractor Risk Managed Assets❌

SPAs are always assessed, butCRMAs are not necessarily assessedunless they directly impact CUI.

Final Validation from CMMC Documentation:

TheCMMC Scoping Guide (Level 2)clearly states thatCUI Assets and Security Protection Assetsarealways assessedagainst CMMC practices.

Thus, the correct answer is:

B. Security Protection Assets and CUI Assets.

Understanding the Phases of the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Key Activities in Phase 1 – Pre-Assessment Phase

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Why is the Correct Answer "Phase 1" (A)?

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

Who Verifies the Adequacy and Sufficiency of Evidence?

In the CMMC assessment process, it is theAssessment Teamthat is responsible for verifying whether thepractices and related componentshave been met for each in-scopeHost Unit, Supporting Organization/Unit, or enclave.

TheCMMC Assessment Teamis composed of certified assessors and led by aCertified CMMC Assessor (CCA). Their primary role is to:

Review evidenceprovided by theOrganization Seeking Certification (OSC).

Determine compliancewith required CMMC practices and processes.

Evaluate the sufficiencyof evidence to confirm that all required practices have been properly implemented.

Document and report findingsto the CMMC Accreditation Body (CMMC-AB).

Breakdown of Answer Choices

Option

Description

Correct?

A. OSC (Organization Seeking Certification)

The OSC provides documentation and evidence but doesnotverify its adequacy.

❌Incorrect

B. Assessment Team

✅Responsible for verifying the adequacy and sufficiency of evidence.

✅Correct

C. Authorizing Official

Typically refers to an official responsible for system accreditation underNIST RMF, not CMMC.

❌Incorrect

D. Assessment Official

Not a defined role in the CMMC framework.

❌Incorrect

Official Reference from CMMC 2.0 Documentation

TheCMMC Assessment Process Guide(CAP) outlines theAssessment Team'sresponsibility in verifying evidence.

TheCMMC Assessment Teamevaluates whether theorganization's cybersecurity practices meet CMMC requirements.

Final Verification and Conclusion

The correct answer isB. Assessment Team, as per CMMC 2.0 documentation and official assessment processes.

Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.

Key Elements of a Plan of Action (POA)

According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:

Completion Dates: Identifies target deadlines for resolving deficiencies.

Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored over time.

Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.

What is Generally NOT Part of a POA?

Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broaderproject management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.

Supporting Reference

NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.

CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions, timelines, and accountability rather than financial planning.

By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.

Understanding CUI Protection Responsibilities

Controlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

Why "D. Safeguarding" is Correct?

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

Why Other Answers Are Incorrect?

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

Conclusion

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Understanding the Role of the DoD CIO Office in CMMC

TheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

Why "B. DoD CIO Office" is Correct?

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

Why Other Answers Are Incorrect?

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

Conclusion

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

Understanding Scoping in CMMC 2.0

TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.

Scoping determineswhich system components must comply with CMMC practices.

If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.

Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?

CMMC Applies to Contractors, Not Federal Systems

CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.

Federal systems arealready governed by NIST SP 800-53and other regulations.

Scope Includes Systems That Process CUI AND Those That Protect Them

Systemsprocessing, storing, or transmitting CUIare in scope.

Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.

Why Not the Other Options?

A. Federal systems that process, store, or transmit CUI.→Incorrect

CMMCdoes not apply to federal systems.

B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete

Itexcludes security systemsthat protect CUI assets, whichare also in scope.

C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect

CMMConly applies to nonfederal systems.

Relevant CMMC 2.0 References:

CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.

NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.

DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.

Final Justification:

SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.

Understanding the Official CUI Registry

TheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies'CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:

✅Acomprehensive listof CUI categories and subcategories.

✅Details onwho can handle, store, and share CUI.

✅Guidance onCUI marking and safeguarding requirements.

Why "Official CUI Registry" is Correct?

TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.

32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.

Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.

The "Official CMMC Registry" (Option D) does not exist—CMMC is a security framework, not a CUI classification system.

Breakdown of Answer Choices

Option

Description

Correct?

A. 32 CFR Section 2002

❌Incorrect–Defines CUI program rules butdoes not listcategories.

B. Official CUI Registry

✅Correct – The registry contains the full list of CUI categories.

C. Executive Order 13556

❌Incorrect–Established the CUI program butdoes not maintain a category list.

D. Official CMMC Registry

❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.

Official References from CMMC 2.0 and Federal Documentation

National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.

32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.

Final Verification and Conclusion

The correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies' CUI indices and categories.

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

In the CMMC 2.0 framework, the "Advanced" level is synonymous with CMMC Level 2 . The model is designed to be cumulative , meaning each higher level incorporates the requirements of the level(s) below it.

Cumulative Structure : For an organization to achieve a Level 2 Certification, it must demonstrate that it meets all 17 practices from Level 1 (Foundational) plus the additional 93 practices introduced at Level 2, totaling 110 practices (aligned with NIST SP 800-171 ).

Access Control (AC) Domain Breakdown :

Level 1 : Contains 4 AC practices (e.g., limiting system access to authorized users).

Level 2 : Contains 22 AC practices total. This includes the original 4 from Level 1 and 18 additional practices (e.g., controlling the use of privileged functions, limiting unsuccessful logon attempts).

Level 3 (Expert) : This level adds even more practices from NIST SP 800-172 . While Level 3 "contains" Level 2, the question asks specifically about what the Advanced Level (Level 2) contains. Therefore, it contains Level 1 and Level 2 practices.

Why other options are incorrect :

Option A : Level 2 is not just Level 1; it includes the additional NIST 800-171 requirements.

Option B : Level 3 practices are part of the "Expert" level, not the "Advanced" level.

Option D : The "Advanced" level (Level 2) does not include the "Expert" (Level 3) practices.

Reference Documents :

CMMC Model Overview (v2.0/v2.1) : Section 3.2, "Level 2: Advanced," which explicitly states the level consists of the 110 practices from NIST SP 800-171, which includes the Level 1 requirements.

32 CFR Part 170 (CMMC Program Rule) : Defines the mapping of the 14 domains and the cumulative nature of the certification levels.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment.

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

This question aligns to the CMMC requirement to control information posted or processed on publicly accessible information systems , which appears in the CMMC Model Overview as AC.L1-3.1.22 (Control Public Information) and maps to FAR 52.204-21(b)(1)(iv) and NIST SP 800-171 Rev. 2 / r2 requirement 3.1.22 .

NIST explains that publicly accessible systems are typically those accessible to the public without identification or authentication , and that individuals authorized to post nonpublic information (including CUI/FCI and proprietary information) are designated . It also emphasizes controlling what gets posted and ensuring nonpublic information is not exposed.

The most direct technical way to “limit individuals who are authorized to post or process information” is to implement role-based administrative access (least privilege) to the website/CMS/admin console—granting publish/edit privileges only to approved roles (e.g., “Web Publisher,” “Content Approver”), and keeping all other users read-only or without access to posting functions. This directly enforces the requirement by using access control to restrict who can post/process content on the public system.

Options B and C are helpful procedural/administrative controls , but the question asks for technical means . Option A (cookies) does not control authorization to post; it’s not an access control mechanism. Therefore, D is best.

TheCMMC Assessment Guideis the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g.,CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.

Detailed Justification:

CMMC Assessment Guide (Primary Source for Evidence)

TheCMMC Assessment Guideexplicitly outlines the evidence required to verify compliance with each practice.

It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.

The guide breaks down each practice intoassessment objectives, helping organizations prepare appropriate documentation and artifacts.

Other Documents and Why They Are Not the Best Choice:

NIST SP 800-53 (Option A)

WhileNIST SP 800-53provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.

It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.

NIST SP 800-53A (Option B)

NIST SP 800-53Aprovides guidance on assessing security controls but is not tailored to the CMMC framework.

It includes general control assessment procedures, but theCMMC Assessment Guideis more precise in defining the evidence needed for CMMC compliance.

CMMC Assessment Scope (Option C)

TheCMMC Assessment Scopedocument outlines which systems, assets, and processes are subject to assessment.

While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.

References from Official CMMC Documents:

CMMC Assessment Guide (Level 2) – Section on "Assessment Objectives"

This document details how evidence is collected and evaluated for each CMMC practice.

Example: ForAC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.

CMMC Model Overview (Official DoD Documents)

Emphasizes thatCMMC Assessment Guidesare the official reference for determining sources of evidence.

Conclusion:

TheCMMC Assessment Guideis the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.

For SI.L2-3.14.7 (Identify Unauthorized Use) , the assessment objectives focus on two outcomes: (a) the organization has defined authorized use of the system, and (b) the organization identifies unauthorized use when it occurs. The strongest evidence is therefore evidence that the organization actively monitors systems and can detect and recognize activity outside the defined authorized-use baseline.

In the DoD CMMC Assessment Guide – Level 2 (v2.13) , the “Potential Assessment Methods and Objects” for SI.L2-3.14.7 emphasize artifacts that are directly tied to monitoring and detection—such as a continuous monitoring strategy , system and information integrity policy , procedures addressing system monitoring tools and techniques , and technical monitoring capabilities (e.g., tools/techniques like IDS/IPS , audit record monitoring , and network monitoring ).

These artifacts are exactly what demonstrate that unauthorized use is being identified in practice (alerts, logs, correlation, and review processes) and that authorized use is defined (policies/standards that establish what “authorized” looks like so “unauthorized” can be recognized).

By contrast, risk assessment/response and incident response may be related program elements, but they are not the primary evidence that the organization is continuously detecting unauthorized use. The assessment guide’s focus on monitoring artifacts makes System monitoring the best evidence.

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

For a practice to beadequately implementedin aCMMC Level 2 assessment, theresponsible personnel must demonstrate knowledge of deployment, maintenance, and operationof security tools such asantivirus programs. Simply having the tool in place isnot sufficient—there must be evidence that it isproperly configured, updated, and monitoredto protect against threats.

Step-by-Step Breakdown:

✅1. Relevant CMMC and NIST SP 800-171 Requirements

CMMC Level 2 aligns with NIST SP 800-171, which includes:

Requirement 3.14.5 (System and Information Integrity - SI-3):

"Employautomatedmechanisms toidentify, report, and correctsystem flaws in a timely manner."

Requirement 3.14.6 (SI-3(2)):

"Employautomated toolsto detect and prevent malware execution."

These requirements imply that theperson responsible for antivirus must understand how it is deployed and maintainedto ensure compliance.

✅2. Why the Team Member’s Knowledge is Insufficient

Antivirus tools requireregular updates,configuration adjustments, andmonitoringto function properly.

The responsible team member must:

Knowhow the antivirus was deployedacross systems.

Be able toconfirm updates, logs, and alerts are monitored.

Understand how torespond to malware detectionsand failures.

If the team member lacks this knowledge, assessors maydetermine the practice is not fully implemented.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Yes, the antivirus program is available, so it is sufficient.❌

Incorrect:Just having antivirus softwareinstalleddoes not prove compliance. It must bemanaged and maintained.

(B) Yes, antivirus programs are automated to run independently.❌

Incorrect:While automation helps, security toolsrequire oversight, updates, and configuration.

(D) No, the team member's interview answers about deployment and maintenance are insufficient.❌

Partially correct but incomplete:Themain issueis that the team membermust have sufficient knowledge, not just that their answers are weak.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide for SI-3 and SI-3(2)states that personnel mustunderstand the function, deployment, and maintenance of security toolsto ensure proper implementation.

Thus, the correct answer is:

Anorganization seeking helpto address security gaps—such asphysical access control deficiencies—needs acertified professional who can provide implementation supportwithoutbeing involved in the actual CMMC assessment.

Role of a Registered Practitioner (RP)

A Registered Practitioner (RP)is a CMMC-certified individualwho provides consulting and implementation supportto organizations butdoes not perform assessments.

RPs work independently from C3PAOsand canassist in fixing gapsin security controlsbeforeorafteran assessment.

Since RPs are not assessors, they can provide direct remediation supportwithout any conflict of interest.

Why "B. RP of an Organization Not Part of the Assessment" is Correct?

The OSC needs assistance in implementing security controls(not assessment).

An RP is trained and authorized to provide remediation and advisory services.

Conflict of interest rules prevent the assessing C3PAO from providing implementation support.

Why Other Answers Are Incorrect?

A. CCA of the C3PAO performing the assessment (Incorrect)

ACertified CMMC Assessor (CCA)is responsible for conducting the assessmentonly.

TheC3PAO performing the assessment cannot also provide remediationdue to aconflict of interest.

C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)

The assessmentLead Technical Practitioner (LTP)cannot provide remediation support for an OSC they are assessing.

D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)

DoD Contract Officialsoversee contract compliance butdo not provide cybersecurity implementation support.

Conclusion

The correct answer isB. RP of an organization not part of the assessment, asonly independent RPs can assist with remediation and implementation support.

In the Cybersecurity Maturity Model Certification (CMMC) assessment process, the presentation of the Final Recommended Assessment Findings is a critical step. According to the CMMC Assessment Process guidelines, the Lead Assessor is responsible for compiling and presenting these findings. The prescribed method for this presentation is the utilization of the standardized CMMC Findings Brief template.

Step-by-Step Explanation:

Responsibility of the Lead Assessor:

The Lead Assessor oversees the assessment process and is tasked with compiling the Final Recommended Assessment Findings.

Utilization of the CMMC Findings Brief Template:

To ensure consistency and adherence to CMMC standards, the Lead Assessor must use the official CMMC Findings Brief template when presenting the assessment findings.

Presentation of Findings:

The findings, documented in the CMMC Findings Brief template, are then presented to the Organization Seeking Certification (OSC). This presentation ensures that the OSC receives a clear and standardized report of the assessment outcomes.

The best resource for identifying the category of Controlled Unclassified Information (CUI) is NARA , because NARA is the CUI Executive Agent for the federal CUI Program and maintains the authoritative CUI Registry . The Registry is specifically where the government publishes the approved CUI categories (and related markings and handling guidance) used across the Executive Branch.

NARA’s own CUI FAQs explicitly point users to the CUI Registry as the place that “lists all authorized CUI Categories (basic and specified).” Likewise, NIST’s CUI-related FAQ page also points to the NARA CUI Registry for CUI categories, reinforcing that the Registry is the correct source for determining which category applies to a given type of information.

By contrast, DFARS Part 252 (including clauses like 252.204-7012) addresses contractual safeguarding and cyber reporting requirements, not the authoritative categorization list itself. The CMMC Assessment Guide is about how to assess controls for CMMC levels, not how to determine CUI categories. And the Cyber AB (formerly CMMC-AB) administers the ecosystem and assessment processes, not the federal CUI category taxonomy. Therefore, NARA is the best answer.