CMMC-CCP Certified CMMC Professional (CCP) Exam Question and Answers

DoDI 5200.48 specifies that Authorized Holders of CUI are responsible for applying appropriate CUI markings. An authorized holder is an individual who has lawful government purpose access to the information. This ensures that responsibility for correctly marking information rests with those who create or handle the material, not only with original classification authorities (which apply to classified information, not CUI).

Reference Documents:

DoDI 5200.48,Controlled Unclassified Information (CUI)

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

Interview Selection in CMMC Assessments

During aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:

✅Verify that personnel understand andperform security-related practices.

✅Ensure that individuals canexplain how they implement CMMC requirements.

✅Gain insight intoactual cybersecurity operationsrather than just documented policies.

The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.

Why "Providing Clarity and Understanding" Is Key

CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.

Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.

CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.

Thus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.

Why the Other Answers Are Incorrect

A. Have a security clearance.

❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.

B. Be a senior person in the company.

❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.

C. Demonstrate expertise on the CMMC requirements.

❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.

CMMC Official References

CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.

NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.

Thus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.

Contractors that handle Covered Defense Information (CDI) are required to report cyber incidents to the Department of Defense within 72 hours of discovery.

Supporting Extracts from Official Content:

DFARS 252.204-7012(c)(1): “When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall conduct a review… and rapidly report the cyber incident to DoD within 72 hours of discovery.”

Why Option C is Correct:

The regulation explicitly specifies 72 hours.

Options A (24 hrs), B (48 hrs), and D (96 hrs) do not align with DFARS requirements.

References (Official CMMC v2.0 Content and Source Documents):

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

CMMC v2.0 Governance – Source Documents list includes DFARS 252.204-7012.

===========

The Cybersecurity Maturity Model Certification (CMMC) Level 2 is designed to ensure that organizations can adequately protect Controlled Unclassified Information (CUI). To achieve this, CMMC Level 2 incorporates specific security requirements.

Step-by-Step Explanation:

Alignment with NIST SP 800-171:

CMMC Level 2 aligns directly with the security requirements outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This publication, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," provides a comprehensive framework for safeguarding CUI.

Incorporation of Security Requirements:

The practices required for CMMC Level 2 certification encompass all 110 security requirements specified in NIST SP 800-171. These requirements are organized into 14 families, each addressing different aspects of cybersecurity, such as access control, incident response, and risk assessment.

Purpose of Alignment:

By integrating the NIST SP 800-171 requirements, CMMC Level 2 aims to standardize the implementation of cybersecurity practices across organizations handling CUI, ensuring a consistent and robust approach to protecting sensitive information.

Understanding NIST SP 800-88 Rev. 1 and Media Sanitization

TheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Three Categories of Data Disposal in NIST SP 800-88 Rev. 1

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

Why "A. Clear, Purge, Destroy" is Correct?

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

Conclusion

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:

✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

Final Validation from CMMC Documentation:

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA & M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA & M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA & M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA & M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is "information-centric," meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).

Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.

Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the "Basic Safeguarding of Covered Contractor Information Systems." However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.

Media Neutrality: CMMC documentation emphasizes that "information systems" include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.

Why other options are incorrect:

Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn't handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.

Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.

Option D: While a file cabinet may not "process" or "transmit" data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).

Reference Documents:

CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.

CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.

32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

Understanding Assessment Methods in CMMC 2.0

According to theCMMC Assessment Process (CAP) Guide, assessors usethree primary assessment methodsto determine compliance with security practices:

Examine– Reviewing documents, policies, configurations, and system records.

Interview– Speaking with personnel to gather insights into security processes.

Test– Performing technical validation of system functions and security controls.

Why Option C (Examine) is Correct

TheAssessment Team Memberis inspectingAssessment Objects(e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient forAC.L1-3.1.1 (Access Control – Authorized Users).

This activity aligns directly with theExaminemethod, which involves reviewing artifacts such as:

Access control lists (ACLs)

System user authentication logs

Account management policies

Role-based access control settings

"Observe" (Option B)is incorrect because "observing" is not an official assessment method in CMMC.

"Test" (Option A)is incorrect because the assessment is not actively executing a function but ratherreviewingevidence.

"Interview" (Option D)is incorrect because no personnel are being questioned—only documentation is being reviewed.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods

CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)

Final Verification

Since the activity involves reviewing documents and records to verify access control measures, it falls under theExaminemethod, makingOption C the correct answer.

Understanding Access Control in CMMC

Access control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

Why the Other Answers Are Incorrect

B. Physical access control

❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)

❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)

❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

CMMC Official References

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:

✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

Final Validation from CMMC Documentation:

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment

ACMMC Level 2 Assessmentconducted by aCertified Third-Party Assessor Organization (C3PAO)follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to theOrganization Seeking Certification (OSC). The reporting process is outlined in theCMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.

Assessment Communication Structure

Daily Checkpoints:

Throughout the assessment, the assessor team holdsdaily checkpoint meetingswith the OSC to provide updates on progress, observations, and preliminary findings.

These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.

Final Results Delivery:

Thefinal assessment resultsare typically shared during thefinal daily checkpointOR in aseparately scheduled findings and recommendations reviewmeeting.

This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.

Why Option C is Correct

TheCMMC Assessment Process (CAP) Guide, Section 4.5clearly states that assessment findings should be presentedeither at the last daily checkpoint or during a separately scheduled final review.

This aligns with best practices formaintaining transparency and ensuring the OSC has clarity on their assessment resultsbefore the final report submission.

Option A (End of every day)is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.

Option B (Daily and a separate final review)is misleading, as the CAP Guide allows assessors tochoosebetween the final daily checkpoint OR a separate findings review—not both.

Option D (After C3PAO approval)is incorrect because theC3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication

CMMC 2.0 Level 2 Assessment Process Overview

CMMC Assessment Final Report Guidelines

Final Verification

Based on officialCMMC 2.0 documentation, thefinal assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

Understanding the Definition of a "Practice" in CMMC 2.0

In CMMC 2.0, the term"practice"refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.

Step-by-Step Breakdown:

Definition from CMMC Documentation:

According to theCMMC Model Overview, apracticeis defined as:

"An activity or activities performed to meet defined CMMC objectives."

This means that practices are theactions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

How Practices Fit into CMMC 2.0:

CMMC 2.0 Level 1 consists of17 practices, which align withFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

CMMC 2.0 Level 2 consists of110 practices, aligned directly withNIST SP 800-171 Rev. 2.

Each practice has anobjectivethat must be met to demonstrate compliance.

Official CMMC 2.0 References:

TheCMMC 2.0 Model Documentationdefines practices as "the fundamental cybersecurity activities necessary to achieve security objectives."

TheCMMC Assessment Process (CAP) Guideoutlines how assessors verify the implementation of these practices during an assessment.

TheNIST SP 800-171A Guideprovidesassessment objectivesfor each practice to ensure they are implemented effectively.

Comparison with Other Answer Choices:

A. A business transaction→ Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.

B. A condition arrived at by experience or exercise→ Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.

C. A series of changes taking place in a defined manner→ Incorrect. A practice is a set of security actions, not just a process of change.

Conclusion:

ACMMC practicerefers to specificcybersecurity activities performed to meet defined CMMC objectives. This makesOption Dthe correct answer.

The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.

The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.

Understanding Restricted Information Systems (IS) in CMMC Scoping

InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

Why "B. Restricted IS" is Correct?

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

Why Other Answers Are Incorrect?

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

Conclusion

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

The best resource for identifying the category of Controlled Unclassified Information (CUI) is NARA , because NARA is the CUI Executive Agent for the federal CUI Program and maintains the authoritative CUI Registry . The Registry is specifically where the government publishes the approved CUI categories (and related markings and handling guidance) used across the Executive Branch.

NARA’s own CUI FAQs explicitly point users to the CUI Registry as the place that “lists all authorized CUI Categories (basic and specified).” Likewise, NIST’s CUI-related FAQ page also points to the NARA CUI Registry for CUI categories, reinforcing that the Registry is the correct source for determining which category applies to a given type of information.

By contrast, DFARS Part 252 (including clauses like 252.204-7012) addresses contractual safeguarding and cyber reporting requirements, not the authoritative categorization list itself. The CMMC Assessment Guide is about how to assess controls for CMMC levels, not how to determine CUI categories. And the Cyber AB (formerly CMMC-AB) administers the ecosystem and assessment processes, not the federal CUI category taxonomy. Therefore, NARA is the best answer.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):

MP.L2-3.8.1 – Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.

Defense Innovation Unit

MP.L2-3.8.3 – Media Disposal: It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.

Defense Innovation Unit

Physical Protection (PE):

PE.L2-3.10.2 – Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.

Defense Innovation Unit

Application to the Scenario:

Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:

Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.

Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.

Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.

Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.

totem.tech

Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.

Understanding Federal Contract Information (FCI)

Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:

Is NOT intended for public release.

Is provided by or generated for the government under a contract.

Is necessary to develop or deliver a product or service to the government.

Excludes publicly available government information(such as information on public websites).

Excludes simple transactional information(e.g., necessary to process payments).

In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.

Why is the Correct Answer FCI (D)?

A. CDI (Controlled Defense Information)→ Incorrect

This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.

B. CTI (Cyber Threat Intelligence)→ Incorrect

This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.

C. CUI (Controlled Unclassified Information)→ Incorrect

CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.

D. FCI (Federal Contract Information)→Correct

The definition of FCI explicitly matches the description given in the question.

CMMC 2.0 References Supporting this Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Defines FCI and the required safeguards.

Establishes17 cybersecurity practicesfor FCI protection.

CMMC 2.0 Framework

Level 1 (Foundational)is required for contractors handlingFCI.

Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.

NIST SP 800-171 and DFARS 252.204-7012

FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.

In this scenario, the primary concern is the protection of Controlled Unclassified Information (CUI) in an environment that lacks sufficient physical security controls (specifically, a lack of a locked cabinet or drawer). According to the CMMC Assessment Process (CAP) and NIST SP 800-171 (specifically the Physical Protection (PE) family), CUI must be protected from unauthorized access at all times.

Responsibility of the Assessor: CMMC Professionals (CCPs and CCAs) are bound by the CMMC Code of Professional Conduct and the C3PAO's internal security protocols to ensure that any CUI provided by the Organization Seeking Certification (OSC) is handled securely.

Physical Protection (PE.L2-3.10.1 and PE.L2-3.10.2): These practices require that an organization limit physical access to systems and equipment to authorized users and protect the physical facility. If the provided "hoteling space" does not offer a locked container (like a cabinet) to secure the CUI overnight, leaving it in an unlocked drawer (Option C) or on the desk (Option B) would be a violation of CUI handling requirements and a security risk.

Why Option A is the best "Next" step: In the absence of on-site secure storage, the assessor must maintain positive control of the CUI. Taking the document to a secure location (such as the assessor's hotel room or person) where they can ensure it remains under their control is the only viable way to prevent unauthorized access by janitorial staff or other unauthorized personnel at the client site overnight.

Why other options are incorrect:

Option B and C: Both fail to protect the CUI from unauthorized access in a non-secure, shared environment.

Option D: Taking a picture of CUI on a personal phone is a major security violation (spillage), as personal devices are generally not authorized to store or process CUI.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section regarding "Assessor Responsibilities for CUI and Proprietary Information."

NIST SP 800-171 Rev 2: Physical Protection (PE) family (3.10.1, 3.10.2).

DoD Instruction 5200.48: "Controlled Unclassified Information (CUI)," which specifies that CUI must be protected by at least one physical barrier when not in the direct control of an authorized individual.

In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it's essential to distinguish between internal components and external participants.

Step-by-Step Explanation:

Definition of the HQ Organization:

The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.

Identification of External Entities:

External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.

Role of Supporting Organizations/Units:

According to the CMMC Assessment Process documentation, Supporting Organizations are defined as "the people, procedures, and technology external to the HQ Organization that support the Host Unit." These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization's immediate structure.

Assessment Implications:

While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.

Understanding the Role of a Registered Provider Organization (RPO)

ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.

Key Functions of an RPO

✅Consulting servicesto help companies prepare for CMMC assessments.

✅Guidance on security controlsrequired for compliance.

✅Assistance with documentation, policy development, and gap analysis.

✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).

Why "Consulting Services" is the Correct Answer?

Consulting servicesare thebroadest and most comprehensivefunction of an RPO.

RPOs do not conduct assessments(eliminating option D).

Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).

Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.

Breakdown of Answer Choices

Option

Description

Correct?

A. Training services

❌Incorrect–RPOs may provide training, but this isnot their primary function.

B. Education services

❌Incorrect–Similar to training, butnot the most comprehensive service.

C. Consulting services

✅Correct – The core function of an RPO is consulting, which includes various readiness services.

D. Assessment services

❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.

Official References from CMMC 2.0 Documentation

TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.

Final Verification and Conclusion

The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.

During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:

Adequacy– Does the evidence meet the intent of the security requirement?

Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?

These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.

Step-by-Step Breakdown:

✅1. Adequacy – Does the evidence fully meet the requirement?

Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.

Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.

✅2. Sufficiency – Is there enough evidence to support the claim?

Sufficiencymeans that there isenough supporting evidenceto prove compliance.

Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.

Why the Other Answer Choices Are Incorrect:

(B) Adequacy and Thoroughness❌

Thoroughnessis not a defined metric in CMMC evidence evaluation.

The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).

(C) Sufficiency and Thoroughness❌

Thoroughnessis not a recognized term in CMMC compliance validation.

Evidence must beadequate and sufficient, not just thorough.

(D) Sufficiency and Appropriateness❌

Appropriatenessis not a CMMC-defined criterion.

Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).

Final Validation from CMMC Documentation:

CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.

The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs).

The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.

CMMC Conflict of Interest Handling Process

Inform the OSC and C3PAO of the Potential Conflict of Interest

The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest.

Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.

Document the Conflict and Mitigation Actions in the Assessment Plan

Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.

The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.

Determine If the Mitigation Actions Are Acceptable

If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed.

Common mitigation strategies include:

Assigning another assessor for interviews with the conflicted individual.

Ensuring that decisions regarding the OSC’s compliance are reviewed independently.

Proceed with the Assessment If Mitigation Is Acceptable

If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.

Why the Other Answers Are Incorrect

A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.

❌Incorrect. This violates CMMC’s integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.

B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.

❌Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.

C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.

❌Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.

CMMC Official References

CMMC Assessment Process (CAP) Document – Defines COI requirements and mitigation actions.

CMMC Code of Professional Conduct (CoPC) – Outlines ethical responsibilities of assessors.

CMMC Accreditation Body (Cyber-AB) Guidance – Provides rules on conflict resolution.

Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.

Understanding the CMMC Level 2 Final Report Requirements

For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

Why "B. Documented rationale for each failed practice" is Correct?

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA & M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

Why Other Answers Are Incorrect?

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

Conclusion

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access.

This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.

The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.

Why the Correct Answer is "B. Adequate"?

TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.

Definition of "Adequate" Evidence in CMMC:

Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.

TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.

If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.

Why Not the Other Options?

A. Official– While the evidence may come from an official source, the CMMCdoes not require evidence to be "official", only that it beadequateto confirm compliance.

C. Compliant– Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.

D. Subjective– CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.

Relevant CMMC 2.0 References:

CMMC 2.0 Scoping Guide (Nov 2021)– Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.

CMMC Assessment Process (CAP) Guide– Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice.

FAR 52.204-21– The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.

Final Justification:

The CCP’s statement that the evidence"fully reflects the performance of the practice"aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.

Understanding SI.L2-3.14.6: Monitor Communications for Attacks

The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Breakdown of Answer Choices

Option

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

Official References from CMMC 2.0 and NIST SP 800-171 Documentation

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Final Verification and Conclusion

The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

Per the CMMC Assessment Process (CAP), when planning an assessment, the Lead Assessor must coordinate with the Organization Seeking Certification (OSC) to select interview participants who can provide clarity and understanding of their practice activities. The intent is to interview individuals directly involved with and knowledgeable about the processes and practices under review, rather than selecting personnel based solely on rank, clearance, or formal expertise in CMMC.

This ensures the assessment is evidence-based and grounded in how practices are actually performed within the OSC.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Step 1: Understand the “CA” Domain – Security Assessment

TheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA & Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA & Ms.

✅Step 2: Review CMMC Levels

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

❌Why the Other Options Are Incorrect

A. Level 1

✘No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4

✘These levels build on CA practices but do not represent thestarting point.

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

The Cyber AB (formerly CMMC-AB) Code of Professional Conduct (CoPC) is a mandatory agreement that all CMMC ecosystem members—including Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs)—must adhere to. This code ensures the reliability and trustworthiness of the assessment process.

The fundamental principles that form the foundation of the CoPC include:

Responsibility: This refers to the obligation of the CMMC professional to act in the best interest of the CMMC program, the Department of Defense (DoD), and the public. It includes maintaining professional competence and performing duties with due care.

Confidentiality: Assessors and professionals are granted access to sensitive information, including Controlled Unclassified Information (CUI) and proprietary business data of the Organization Seeking Certification (OSC). They must ensure this information is protected from unauthorized disclosure.

Information Integrity: This principle requires that all data, findings, and reports generated during the assessment are accurate, complete, and have not been tampered with. It ensures that the "Met" or "Not Met" determinations are based on honest evidence.

Why other options are incorrect:

Options A and B (Objectivity): While "Objectivity" is a crucialbehavioralrequirement for an assessor (remaining unbiased), the specific high-level triad often emphasized in the CMMC Professional training and the formal CoPC documentation focuses on the Responsibility-Confidentiality-Integrity framework to align with standard professional ethics and information security pillars.

Options A and C (Classification): "Classification" is a process used for National Security Information (Classified info), whereas CMMC is primarily focused on unclassified information (CUI and FCI). Classification is not a core principle of the professional code of conduct.

Options A and C (Information Accuracy): While accuracy is vital, it is considered a subset of Information Integrity within the formal definitions provided in the CCP curriculum.

Reference Documents:

CMMC-AB (The Cyber AB) Code of Professional Conduct: The official ethical framework for all credentialed individuals.

CMMC Professional (CCP) Study Guide: Section on "Ethics and the Code of Professional Conduct."

CMMC Assessment Process (CAP): References the ethical standards required to maintain the integrity of the assessment ecosystem.

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.

Role of the Lead Assessor in Remediation Reviews:

Validation of Remediation Efforts:

Objective: Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.

Process: The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.

Delta Assessment Remediation Package Submission:

Definition: A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.

Responsibility: After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:

Detailed documentation of the deficiencies identified in the initial assessment.

Evidence of the corrective actions taken by the OSC.

Findings from the reassessment of the remediated practices.

Internal Quality Review: This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.

Rationale for Selecting Answer C:

Alignment with CMMC Assessment Process: The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.

Clarification of Incorrect Options:

Option A: "Help OSC to complete planned remediation activities."

The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.

Option B: "Plan two consecutive remediation reviews for an OSC."

The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.

Option D: "Validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment."

While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.

Scoping Requirements in CMMC Assessments

TheCMMC 2.0 Scoping GuideandCMMC Assessment Process (CAP) Documentclearly define what should be included in the scope of an assessment.

The assessment scope must cover:

All assets that process, store, or transmit FCI/CUI

Security Protection Assets (ESP)– these assets help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.

Thus, thecorrect scope includes both:

✅FCI/CUI Assets(Data storage, processing, or transmission assets)

✅Security Protection Assets (ESP)(Firewalls, security tools, etc.)

Why the Other Answers Are Incorrect

A. All assets documented in the business plan

❌Incorrect.Business plans may include assets unrelated to FCI/CUI, making this scopetoo broad. Only assets relevant to FCI/CUI should be assessed.

B. All assets regardless if they do or do not process, store, or transmit FCI/CUI

❌Incorrect. CMMC doesnotrequire organizations to include assets thathave no connection to FCI/CUI.

C. All entities, regardless of the line of business, associated with the organization

❌Incorrect.Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (like a non-federal commercial division) areout-of-scope.

CMMC Official References

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

Thus,option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answeras per official CMMC assessment scoping requirements.

1. Understanding Basic Safeguarding Requirements for FCI in CMMC Level 1

Federal Contract Information (FCI) is defined as information provided by or generated for the government under a contract that isnot intended for public release.

CMMCLevel 1is designed to ensurebasic safeguardingof FCI, aligning with15 security requirementsfound inFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

Contractors handlingonly FCImust meetCMMC Level 1, which alignsdirectlywith the safeguarding requirements set inFAR 52.204-21.

2. FAR 52.204-21 and Its Role in CMMC Level 1 Compliance

FAR 52.204-21establishes the baseline cybersecurity controls that contractors must implement to protectFCI.

The15 basic safeguarding requirementsinclude:

Limiting information accessto authorized users.

Identifying and authenticating usersbefore allowing system access.

Protecting transmitted FCIfrom unauthorized disclosure.

Monitoring and controlling connectionsto external systems.

Applying boundary protectionand cybersecurity measures.

Sanitizing mediabefore disposal.

Updating security configurationsto reduce vulnerabilities.

Providing physical securityprotections.

Controlling physical accessto systems that process FCI.

Enforcing multi-factor authentication (MFA) where applicable.

Patching vulnerabilitiesin software and hardware.

Limiting the use of removable media.

Creating and retaining system audit logs.

Performing risk-based security assessments.

Developing an incident response plan.

These 15 practices form thefoundationof CMMCLevel 1 Self-Assessment, ensuring contractorsmeet minimum cybersecurity expectationsfor handling FCI.

3. Why the Other Options Are Incorrect

B. 22 CFR 120-130:

This refers toInternational Traffic in Arms Regulations (ITAR), which controls the export of defense-related articles and services,notFCI safeguarding requirements.

C. DFARS 252.204-7011:

This clause refers toalternative line item structuresand does not pertain to cybersecurity or safeguarding FCI.

D. DFARS 252.204-7021:

This clause enforcesCMMC requirementsbut doesnot definebasic safeguarding controls. It requires compliance with CMMC but does not specify the foundational requirements (which come fromFAR 52.204-21for Level 1).

4. Official CMMC 2.0 Reference & Study Guide Alignment

TheCMMC 2.0 model documentationconfirms that Level 1 is focused on the15 practices from FAR 52.204-21.

TheDoD’s official CMMC Assessment Guidefor Level 1 explicitly states that meeting FAR 52.204-21 is therequirement for passing a Level 1 Self-Assessment.

TheCMMC 2.0 Scoping Guideclarifies that contractors handling onlyFCIand seekingLevel 1 certificationmust implementonly FAR 52.204-21security controls.

Final Confirmation:

The correct answer isA. FAR 52.204-21, as it directly governs the basic safeguarding ofFCIand is the foundational requirement for aLevel 1 Self-Assessmentin CMMC 2.0.

According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, an assessment finding is built upon evidence collected through three primary methods: Examine, Interview, and Test. The term "affirmation" in this context refers to the verbal or written statements provided by the Organization Seeking Certification (OSC) personnel to confirm that a practice is implemented as described.

Broad Definition of Evidence: The CAP allows for a wide variety of artifacts to be used as evidence. "Affirmations" are typically captured during the Interview process or found within Examine objects.

Validity of Formats:

Interviews: Direct verbal affirmations from subject matter experts (SMEs).

Emails and Messaging (Chat/Slack/Teams): These are considered valid "Examine" objects (records/artifacts) that serve as written affirmations or evidence of an activity (e.g., an email chain approving a firewall change or a message confirming a system update).

Presentations and Demonstrations: These fall under "Examine" (the presentation slides) and "Test/Examine" (the demonstration of a mechanism).

Why Option C is correct: The CMMC framework does not disqualify digital communications like emails or messaging as evidence. In fact, these are often the primary artifacts used to prove that a process (like an approval workflow or notification) is occurring in practice. As long as the assessor can verify the authenticity and integrity of these communications, they are appropriate for collecting affirmations.

Why Option D is less accurate: While screenshots are indeed used as evidence, the core question asks if thespecificlist (interviews, demonstrations, emails, messaging, presentations) is appropriate. Option C directly validates the list provided in the prompt without introducing extraneous elements like screenshots, which—while valid—are not the focus of the "appropriate" determination for the items listed.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence), which discusses the types of artifacts and "human evidence" (interviews) that support findings.

CMMC Level 2 Assessment Guide: "Assessment Methods" section, clarifying that evidence can include any records (electronic or physical) that demonstrate the implementation of a practice.

NIST SP 800-171A: The underlying standard for assessment procedures, which encourages the use of various evidence types to satisfy assessment objectives.

Understanding the Role of a CCP in CMMC Assessments

ACertified CMMC Professional (CCP)is responsible for assistingCertified CMMC Assessors (CCA)in evaluating anOrganization Seeking Certification (OSC)during a CMMC assessment. One key aspect of this process isconducting interviewswith Subject Matter Experts (SMEs) to verify security practices.

Ensuring that interviewees canspeak freely without fear of retaliationiscriticalto obtainingaccurate and unbiased informationabout the implementation of security controls.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide (Level 2)outlines that interviews are conducted to confirm that security practices are effectively implemented.

Interviewees mustfeel comfortable sharing candid responseswithout concern that their statements will lead tonegative consequenceswithin the organization.

Ensuring Confidentiality and Non-Attribution

DoD Assessment Methodologyspecifies that interviews should be conductedconfidentiallytoprotect the identity of interviewees.

TheCMMC Code of Professional Conduct (CoPC)for assessors and professionals reinforces the requirement to maintain theconfidentialityof assessment participants.

Non-attributionensures that responses are used for evaluation purposeswithout linking statements to specific individuals.

Why the Other Answer Choices Are Incorrect:

(A) Performed in groups for more efficient use of resources:

Group interviews may prevent individuals from speaking openly.

Employees might be hesitant to contradict leadership or peers.

(B) Recorded for inclusion in the Final Recommended Findings report:

Interviews arenot directly recorded or attributedin assessment reports.

Instead, findings are documentedwithout identifying specific individuals.

(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:

While responsesinformwhich practices are being assessed, theprimary goalof an interview is to ensure accurate,unbiased information gathering.

Final Validation from CMMC Documentation:

According to theCMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality iscrucialto gatheringaccurateandunbiasedresponses. This makesconfidentiality and non-attributionthe correct answer.

Thus, the correct answer is:

C. Confidential and non-attributable so interviewees can speak without fear of reprisal.

The Lead Assessor is responsible for protecting and maintaining all assessment records, notes, and information gathered during the assessment process. This includes working papers and supplemental documentation that may be needed for auditability or dispute resolution.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Responsibilities (§3.17): “The Lead Assessor must ensure that all assessment artifacts, notes, and information are archived or disposed of in accordance with C3PAO policy.”

Why Option A is Correct:

The CAP specifies that notes and information from the assessment must be preserved or disposed of according to policy.

Options B, C, and D list items not required in the CAP. The “letter” and “quality control report” are not part of the Lead Assessor’s required maintained materials.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3 Post-Assessment (§3.17).

===========

Who is Responsible for Marking CUI?

According toDoDI 5200.48 (Controlled Unclassified Information (CUI)), the responsibility for marking CUI falls on theauthorized holder of the information.

Step-by-Step Breakdown:

Definition of an Authorized Holder

PerDoDI 5200.48, Section 3.4, anauthorized holderis anyone who has beengranted accessto CUI and is responsible for handling, safeguarding, and marking it according toDoD CUI policy.

The authorized holder may be:

ADoD employee

Acontractorhandling CUI

Anyorganization or individual authorizedto access and manage CUI

DoD Guidance on CUI Marking Responsibilities

DoDI 5200.48, Section 4.2:

The individual creating or handling CUImust apply the appropriate markings as per the DoD CUI Registry guidelines.

DoDI 5200.48, Section 5.2:

Themarking responsibility is NOT limited to a specific positionlike an Information Disclosure Official or a high-level DoD office.

Instead, it is theresponsibility of the person or entity generating, handling, or disseminatingthe CUI.

Why the Other Answer Choices Are Incorrect:

(A) DoD OUSD (Office of the Under Secretary of Defense):

The OUSD plays apolicy-setting rolebut doesnot directly mark CUI.

(C) Information Disclosure Official:

This role is responsible forpublic release of information, but marking CUI is the duty of theauthorized holdermanaging the data.

(D) Presidential authorized Original Classification Authority (OCA):

OCAs classifynational security information (Confidential, Secret, Top Secret), not CUI, which isnot classified information.

Final Validation from DoDI 5200.48:

PerDoDI 5200.48, authorized holders are explicitly responsible for marking CUI, making this the correct answer.

UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.

Key Requirements from DFARS 252.204-7012 (c)(1):

CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.

The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.

The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.

Why is the Correct Answer "FedRAMP Moderate" (B)?

A. FedRAMP Low → Incorrect

FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.

B. FedRAMP Moderate → Correct

FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.

It provides a security baseline for protectingsensitive but unclassified government data.

C. FedRAMP High → Incorrect

FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.

D. FedRAMP Secure → Incorrect

There isno official FedRAMP Secure categoryin FedRAMP guidelines.

CMMC 2.0 References Supporting this Answer:

DFARS 252.204-7012(c)(1)

Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.

CMMC 2.0 Level 2 Requirements

CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.

FedRAMP Security Baselines

FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

Under the CMMC Assessment Process (CAP) v2.0 , the assessment results are not supposed to be delivered to the OSC as “initial” or unchecked findings. Instead, CAP v2.0 requires that the C3PAO conducts a formal quality assurance (QA) review of the certification assessment results prior to the Out-Brief Meeting with the OSC . This QA step is mandatory and is explicitly sequenced before results are conveyed to the OSC.

After the results are compiled and quality-reviewed, the Lead CCA convenes the Out-Brief Meeting specifically “to convey the results of the assessment to the OSC.” CAP v2.0 further requires the team to prepare and deliver an “Assessment Results Briefing” for the Out-Brief, and it lists the required contents (including final MET/NOT MET/NA determinations for each security requirement , POA & M status (if applicable), and the certificate determination).

Therefore, the best answer is D because CAP v2.0 makes clear that results must undergo C3PAO QA review before they are formally presented to the OSC during the Out-Brief.

The CAP specifies that the C3PAO is responsible for assigning the Lead Assessor to an OSC’s assessment. While the OSC contracts with the C3PAO, the authority to appoint the Lead Assessor resides solely with the C3PAO.

Supporting Extracts from Official Content:

CAP v2.0, Assessment Team Composition (§2.10): “The C3PAO shall designate a qualified Lead Assessor to lead the assessment.”

Why Option B is Correct:

Only the C3PAO has the authority to select and assign the Lead Assessor.

The OSC may influence scheduling and planning but cannot appoint assessors.

Options A, C, and D are inconsistent with CAP requirements.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Assessment Team Roles and Responsibilities (§2.10).

For a practice to beadequately implementedin aCMMC Level 2 assessment, theresponsible personnel must demonstrate knowledge of deployment, maintenance, and operationof security tools such asantivirus programs. Simply having the tool in place isnot sufficient—there must be evidence that it isproperly configured, updated, and monitoredto protect against threats.

Step-by-Step Breakdown:

✅1. Relevant CMMC and NIST SP 800-171 Requirements

CMMC Level 2 aligns with NIST SP 800-171, which includes:

Requirement 3.14.5 (System and Information Integrity - SI-3):

"Employautomatedmechanisms toidentify, report, and correctsystem flaws in a timely manner."

Requirement 3.14.6 (SI-3(2)):

"Employautomated toolsto detect and prevent malware execution."

These requirements imply that theperson responsible for antivirus must understand how it is deployed and maintainedto ensure compliance.

✅2. Why the Team Member’s Knowledge is Insufficient

Antivirus tools requireregular updates,configuration adjustments, andmonitoringto function properly.

The responsible team member must:

Knowhow the antivirus was deployedacross systems.

Be able toconfirm updates, logs, and alerts are monitored.

Understand how torespond to malware detectionsand failures.

If the team member lacks this knowledge, assessors maydetermine the practice is not fully implemented.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Yes, the antivirus program is available, so it is sufficient.❌

Incorrect:Just having antivirus softwareinstalleddoes not prove compliance. It must bemanaged and maintained.

(B) Yes, antivirus programs are automated to run independently.❌

Incorrect:While automation helps, security toolsrequire oversight, updates, and configuration.

(D) No, the team member's interview answers about deployment and maintenance are insufficient.❌

Partially correct but incomplete:Themain issueis that the team membermust have sufficient knowledge, not just that their answers are weak.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide for SI-3 and SI-3(2)states that personnel mustunderstand the function, deployment, and maintenance of security toolsto ensure proper implementation.

Thus, the correct answer is:

Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.

Reference Documents:

Title 44, U.S. Code, Chapter 33: Records Management

NARA Records Management Directive

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:

✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Under the CMMC Assessment Process (CAP) v2.0 , the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled “Identify and Manage Initial Conflicts of Interest (COI)” and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.

CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.

This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility , the CAP’s direct assignment of COI management to the C3PAO makes B the correct answer.

===========

Per the CMMC Scoping Guidance, External Service Providers (ESPs) must be included in scope if they process, store, or transmit CUI or FCI on behalf of the OSC. However, ESPs do not themselves receive a separate CMMC certification unless they undergo their own assessment or an enterprise-level certification is conducted. Their environment is assessed only as part of the OSC’s scope.

Reference Documents:

CMMC Scoping Guidance for Level 2

CMMC Model v2.0 Overview

Understanding the Phases of the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Key Activities in Phase 1 – Pre-Assessment Phase

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Why is the Correct Answer "Phase 1" (A)?

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

Understanding CUI Protection Responsibilities

Controlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

Why "D. Safeguarding" is Correct?

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

Why Other Answers Are Incorrect?

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

Conclusion

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

CMMC Level 2 Readiness and Certification Requirements

CMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171's 110 security controls.

Key Readiness Indicators for a Level 2 Assessment:

The OSC must have implemented all 110 security practices from NIST SP 800-171.

Documented and validated cybersecurity policies and procedures must exist.

The OSC must be prepared to provide objective evidence (artifacts) proving compliance.

Why the OSC in the Question is Not Ready:

They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.

They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).

Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).

Clarification of Incorrect Options:

A. "Ready because there is no need to certify this company until after they win a DoD contract."

Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.

B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."

Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.

D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."

Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.

Understanding the Media Protection (MP) Domain

TheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).

This domain includes controls for:

Protecting digital and physical mediathat store CUI.

Sanitizing and destroying mediabefore disposal or reuse.

Restricting access to CUI mediato authorized personnel only.

Why the Correct Answer is "A. Media Protection (MP)"?

TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.

CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.

Why Not the Other Options?

B. Physical Protection (PE)→Incorrect

PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.

C. System and Information Integrity (SI)→Incorrect

SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.

D. System and Communications Protection (SC)→Incorrect

SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.

Relevant CMMC 2.0 References:

CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.

NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.

CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.

Final Justification:

SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).

CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.

Breakdown of CMMC Level 1 Practices

The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:

Access Control (AC)– 4 practices

AC.L1-3.1.1: Limit system access to authorized users

AC.L1-3.1.2: Limit user access to authorized transactions and functions

AC.L1-3.1.20: Verify and control connections to external systems

AC.L1-3.1.22: Control information posted or processed on publicly accessible systems

Identification and Authentication (IA)– 2 practices

IA.L1-3.5.1: Identify and authenticate system users

IA.L1-3.5.2: Use multifactor authentication for local and network access

Media Protection (MP)– 1 practice

MP.L1-3.8.3: Sanitize media before disposal or reuse

Physical Protection (PE)– 4 practices

PE.L1-3.10.1: Limit physical access to systems containing FCI

PE.L1-3.10.3: Escort visitors and monitor visitor activity

PE.L1-3.10.4: Maintain audit logs of physical access

PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)– 2 practices

SC.L1-3.13.1: Monitor and control communications at system boundaries

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components

System and Information Integrity (SI)– 4 practices

SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner

SI.L1-3.14.2: Provide protection from malicious code at designated locations

SI.L1-3.14.4: Update malicious code protection mechanisms periodically

SI.L1-3.14.5: Perform scans of system components and real-time file scans

Official Reference from CMMC 2.0 Documentation

The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.

🔹 CMMC 2.0 Level 1 Summary:

Focus:Basic safeguarding of FCI

Total Practices:17

Derived From:FAR 52.204-21

Assessment Type:Self-assessment (annual)

Final Verification and Conclusion

The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.

Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A & S directly manages subcontractor certification.

Supporting Extracts from Official Content:

DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”

Why Option D is Correct:

Compliance responsibility flows through the contractor supply chain.

CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.

OUSD A & S sets policy, not enforcement at contract level.

DoD agencies only require compliance at award/contract oversight level.

References (Official CMMC v2.0 Content):

DFARS 252.204-7021.

CMMC Model v2.0 governance guidance.

===========

TheCMMC Assessment Guideis the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g.,CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.

Detailed Justification:

CMMC Assessment Guide (Primary Source for Evidence)

TheCMMC Assessment Guideexplicitly outlines the evidence required to verify compliance with each practice.

It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.

The guide breaks down each practice intoassessment objectives, helping organizations prepare appropriate documentation and artifacts.

Other Documents and Why They Are Not the Best Choice:

NIST SP 800-53 (Option A)

WhileNIST SP 800-53provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.

It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.

NIST SP 800-53A (Option B)

NIST SP 800-53Aprovides guidance on assessing security controls but is not tailored to the CMMC framework.

It includes general control assessment procedures, but theCMMC Assessment Guideis more precise in defining the evidence needed for CMMC compliance.

CMMC Assessment Scope (Option C)

TheCMMC Assessment Scopedocument outlines which systems, assets, and processes are subject to assessment.

While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.

References from Official CMMC Documents:

CMMC Assessment Guide (Level 2) – Section on "Assessment Objectives"

This document details how evidence is collected and evaluated for each CMMC practice.

Example: ForAC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.

CMMC Model Overview (Official DoD Documents)

Emphasizes thatCMMC Assessment Guidesare the official reference for determining sources of evidence.

Conclusion:

TheCMMC Assessment Guideis the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.

According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, the assessment methodology is derived directly from NIST SP 800-171A. The framework defines three fundamental assessment methods used by a C3PAO (Certified Third-Party Assessment Organization) to determine if a practice is "Met." These are:

Examine: This involves reviewing, inspecting, or analyzing assessment objects. As per the CCP curriculum, these objects include documents (policies, procedures, plans), mechanisms (hardware, software, or firmware safeguards), or activities (logs, system configurations).

Interview: This involves holding discussions with personnel within the Organization Seeking Certification (OSC) to facilitate understanding or obtain evidence.

Test: This involves exercising assessment objects (mechanisms or activities) under specific conditions to compare actual behavior with expected behavior.

Detailed Breakdown of the Options:

Option A is correct because "documents, mechanisms, or activities" are the specific categories of assessment objects defined in the CMMC/NIST 171A methodology that are subjected to the Examine method.

Option B refers to specific technical components, which are types of mechanisms but do not represent the full scope of the assessment methods.

Option C lists specific examples of evidence, but is not the formal definition of the "Examine" method components.

Option D describes specific "Test" or "Interview" activities rather than the categorical objects of the "Examine" method.

Reference Documents:

CMMC Assessment Guide, Level 2: Section on "Assessment Methods" (derived from NIST SP 800-171A).

CMMC Assessment Process (CAP): Defines the evidence collection phase and the application of Examine, Interview, and Test (E-I-T).

NIST SP 800-171A: The source document defining the "Assessment Objects" as specifications (documents), mechanisms, and activities.

Understanding the Best Source for CMMC Practice Descriptions

TheCMMC Assessment Guide (Levels 1 and 2)is theprimaryandmost authoritativedocument for detailed descriptions of each practice and process within the variousCMMC domains.

Step-by-Step Breakdown:

✅1. What is the CMMC Assessment Guide?

TheCMMC Assessment Guideprovides detailed explanations of:

EachCMMC practicewithin its respectivedomain.

Theassessment objectivesfor verifying implementation.

Examples ofevidence requiredto demonstrate compliance.

CMMC 2.0 includes two levels:

Level 1: 17 basic cybersecurity practices.

Level 2: 110 practices aligned withNIST SP 800-171.

TheAssessment Guidedefines howassessorsevaluate compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) CMMC Glossary❌

TheGlossaryprovidesdefinitions of termsused in CMMC but does not describe specific practices in detail.

(B) CMMC Appendices❌

Appendicesinclude supplementary information likereferences and scoping guidance, but they do not provide full descriptions of practices.

(C) CMMC Assessment Process❌

TheAssessment Process Guideexplainshowassessments are conducted, but it doesnot describe each practicein detail.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide (Levels 1 and 2)is theofficialsource for descriptions of eachCMMC practice and process, making it thebest referencefor understanding compliance requirements.

In CMMC v2.0, the closeout activity for remediating previously unmet requirements is handled through the POA & M closeout process described in the CMMC Assessment Process (CAP) v2.0 . CAP v2.0 makes clear that the C3PAO must follow DoD’s POA & M closeout procedures and that the Assessment Team performs the closeout work, with the assessment results then undergoing a required quality assurance (QA) review .

Operationally, the person who must ensure that each previously failed requirement is adequately addressed during the closeout assessment is the Lead Assessor (Lead CCA) , because the Lead CCA is the individual designated to oversee and manage the Assessment Team on behalf of the C3PAO for the conduct of the certification assessment. In other words, while team members may test controls and collect evidence, the Lead CCA is accountable for directing the assessment effort and ensuring that remediation evidence supports updated determinations.

CAP v2.0 also states that a QA individual performs a quality assurance review of the POA & M closeout “upon completion by the Assessment Team,” including checks on the accuracy and completeness of evaluation of POA & M security requirements before upload to eMASS. This reinforces that verification occurs through the assessment team’s work, led by the Lead Assessor , and then independently quality-checked by QA.

===========