Which statement is NOT a requirement for a Licensed Partner Publisher?
Must have at least two years of history in publishing
Must possess a Dun and Bradstreet number and background check
Must receive CMMC Level 3 certification
Must be approved by CMMC-AB or authorized organization
The correct answer is C because a Licensed Partner Publisher is an ecosystem participant that produces or distributes approved CMMC-related learning or publishing content; it is not the same thing as an Organization Seeking Assessment or a Defense Industrial Base contractor pursuing a CMMC Level 3 certification status. CMMC certification levels apply to organizations handling FCI or CUI in connection with DoD contract performance, not to every training, publishing, or ecosystem-support organization. The CMMC Assessment Process describes CMMC as the DoD initiative for assessing and certifying conformance by companies and organizations in the Defense Industrial Base, specifically to safeguard CUI and FCI processed, stored, or transmitted during DoD contract performance. A publisher may need business validation, authorization, background checks, and approval by the CMMC Accreditation Body or authorized program entity, but requiring CMMC Level 3 certification would be misaligned with the role. Level 3 is an advanced contractor cybersecurity status, not a publishing-partner qualification. Reference/topics: CMMC Ecosystem, Licensed Partner Publisher, Cyber AB ecosystem roles, CMMC certification applicability.
In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?
In scope, because it is an asset that stores FCI
In scope, because it is part of the same physical location
Out of scope, because they are all only paper documents
Out of scope, because it does not process or transmit FCI
According to the CMMC Scoping Guidance, Level 1, the scope of an assessment includes all assets that process, store, or transmit Federal Contract Information (FCI). CMMC is " information-centric, " meaning the security requirements apply to the information itself, regardless of the media it resides on (digital or physical).
Asset Identification: In a Level 1 assessment, assets are categorized as either FCI Assets or Out-of-Scope Assets. Since the file cabinet is explicitly identified as containing paper FCI, it meets the definition of an asset that stores the protected information.
Basic Safeguarding (FAR 52.204-21): The 17 practices of CMMC Level 1 are derived from the FAR clause for the " Basic Safeguarding of Covered Contractor Information Systems. " However, the physical protection requirements within that set (such as PE.L1-3.10.1, which requires limiting physical access to organizational information systems and equipment) extend to the physical storage locations of that data.
Media Neutrality: CMMC documentation emphasizes that " information systems " include the physical components and the information processed by them. If FCI is printed and stored in a cabinet, that cabinet becomes a physical storage asset within the assessment boundary.
Why other options are incorrect:
Option B: Physical location alone does not bring an asset into scope. For example, a coffee machine in the same room as an FCI computer remains out of scope because it doesn ' t handle FCI. Thecontent(FCI) makes the cabinet in-scope, not its proximity.
Option C: CMMC and the underlying FAR clause do not exempt paper-based information. Protected data must be secured whether it is on a hard drive or a printed sheet.
Option D: While a file cabinet may not " process " or " transmit " data like a computer does, it absolutely stores it. The definition of the scope includes all three functions (process, store, or transmit).
Reference Documents:
CMMC Scoping Guidance, Level 1: Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets as those that process, store, or transmit FCI.
CMMC Assessment Guide, Level 1: Discussion on Physical Protection (PE) practices and their application to physical media.
32 CFR Part 170 (CMMC Program Rule): Definitions of FCI and the requirements for contractor self-assessments.
In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?
loT
Restricted IS
Test equipment
Operational technology
Understanding Specialized Assets in a CMMC Self-Assessment
DuringCMMC Level 1 Self-Assessments, organizations must classify theirassetsin theSystem Security Plan (SSP).
Specialized Asset Type: Operational Technology (OT)
Operational Technology (OT)includesmachine controllers, industrial control systems (ICS), and assembly machines.
Thesesystems control physical processesin manufacturing, energy, and industrial environments.
OT assets are distinct from traditional IT systemsbecause they haveunique security considerations(e.g., real-time control, legacy system constraints).
Why is the Correct Answer " D. Operational Technology " ?
A. IoT (Internet of Things) → Incorrect
IoT devicesinclude smart home systems, connected sensors, and networked appliances, butmachine controllers and assembly machines fall under OT, not IoT.
B. Restricted IS → Incorrect
Restricted Information Systems (IS) refer to classified or highly controlled systems, whichdoes not apply to standard industrial machines.
C. Test Equipment → Incorrect
Test equipment includes diagnostic tools or measurement devicesused forquality assurance, not industrial machine controllers.
D. Operational Technology → Correct
Machine controllers and assembly machinesare part ofindustrial automation and control systems, which are classified asOperational Technology (OT).
CMMC 2.0 References Supporting This Answer:
CMMC Scoping Guidance for Level 1 & Level 2 Assessments
DefinesOperational Technology (OT) as a category of Specialized Assetsthat requirespecific security considerations.
NIST SP 800-82 (Guide to Industrial Control Systems Security)
Identifiesmachine controllers and assembly machinesas part ofOperational Technology (OT).
CMMC 2.0 Asset Classification Guidelines
Specifies thatOT systems should be documented separately in an organization ' s SSP.
What is the MOST common purpose of assessment procedures?
Obtain evidence.
Define level of effort.
Determine information flow.
Determine value of hardware and software.
Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.
Why " A. Obtain Evidence " is Correct?
CMMC Assessments Require Evidence Collection
TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:
Examine– Reviewing documentation, policies, and system configurations.
Interview– Speaking with personnel to confirm understanding and execution.
Test– Validating controls through operational or technical tests.
All these methods involve obtaining evidenceto support whether a security requirement has been met.
Alignment with NIST SP 800-171A
CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.
Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.
Why Other Answers Are Incorrect?
B. Define level of effort (Incorrect)
Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.
C. Determine information flow (Incorrect)
While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.
D. Determine value of hardware and software (Incorrect)
Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.
Conclusion
The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.
In late September. CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application is assessed. Procedure specifies that a security control assessment shall be conducted quarterly. The Lead Assessor is only provided the first quarter assessment report because the person conducting the second quarter ' s assessment is currently out of the office and will return to the office in two hours. Based on this information, the Lead Assessor should determine that the evidence is;
sufficient, and rate the audit finding as MET
insufficient, and rate the audit finding as NOT MET.
sufficient, and re-rate the audit finding after a quarter two assessment report is examined.
insufficient, and re-rate the audit finding after a quarter two assessment report is examined.
Control Reference: CA.L2-3.12.1
CA.L2-3.12.1: " Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. "
This control is derived fromNIST SP 800-171, Requirement 3.12.1, which mandates organizations to performregular security control assessmentsto ensure compliance and effectiveness.
Assessment Criteria & Justification for the Correct Answer:
Evidence Review & Assessment Timeline:
The organization ' s procedureexplicitly statesthat security control assessments must be conductedquarterly(every three months).
Since the Lead Assessor only has access to thefirst-quarter report, the second-quarter report is missing at the time of assessment.
CMMC Audit Requirements:
For an assessor to rate a control asMET, sufficient evidence must bereadily availableat the time of evaluation.
Since the second-quarter report is missingat the time of assessment, the Lead Assessorcannot verify compliancewith the organization ' s own stated frequency of assessment.
Why the Answer is NOT A, C, or D:
A (Sufficient, MET)→Incorrect: The control assessment frequency is quarterly, but the evidence for Q2 is not available. Compliance cannot be confirmed.
C (Sufficient, and re-rate later)→Incorrect: If evidence is not available during the audit, the controlcannot be rated as MET initially. There is no provision in CMMC 2.0 to " conditionally " pass a control pending future evidence.
D (Insufficient, but re-rate later)→Incorrect: Once a control is ratedNOT MET, it staysNOT METuntil a re-assessment is conducted in a new audit cycle. The assessordoes not adjust ratings retroactivelybased on future evidence.
Official CMMC 2.0 References Supporting the Answer:
CMMC Assessment Process (CAP) Guide (2023):
" For a control to be rated as MET, the assessed organization must provide sufficient evidence at the time of the assessment. "
" If evidence is missing or incomplete, the finding shall be rated as NOT MET. "
NIST SP 800-171A (Security Requirement Assessment Guide):
" Evidence must be current, relevant, and sufficient to demonstrate compliance with stated periodicity requirements. "
Since the procedure mandatesquarterly assessments, missing evidence means compliancecannot be validated.
DoD CMMC Scoping Guidance:
" Assessors shall base their determination on the evidence provided at the time of assessment. If required evidence is not available, the control shall be rated as NOT MET. "
Final Conclusion:
Thecorrect answer is Bbecause the required evidence (the second-quarter report) is not availableat the time of assessment, making itinsufficientto validate compliance. The Lead Assessormust rate the control as NOT METin accordance with CMMC 2.0 assessment rules.
A CMMC Level 1 Self-Assessment identified an asset in the OSC ' s facility that does not process, store, or transmit FCI. Which type of asset is this considered?
FCI Assets
Specialized Assets
Out-of-Scope Assets
Government-Issued Assets
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.
Asset Categories as per CMMC 2.0:
FCI Assets – These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets – These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets – Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets – Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets – These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.
Why the Correct Answer is C. Out-of-Scope Assets?
The question specifies that the identified asset does not process, store, or transmit FCI.
According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls.
Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the " Out-of-Scope Assets " category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021) – Defines out-of-scope assets as those that are within an OSC’s environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide – Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide – Identifies the classification of assets in an OSC’s environment to determine compliance requirements.
Final Justification:
Since the asset does not process, store, or transmit FCI, it does not fall under " FCI Assets " or " Specialized Assets. " It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
Host Unit
Branch Office
Coordinating Unit
Supporting Organization/Units
According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.
Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the " anchor " for the assessment boundary.
Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.
Relationship to other units:
Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary " Host " of the CUI/FCI. They are in-scope because they provide " Security Protection " or " Administrative " functions to the Host Unit.
Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the " people, processes, and technology " being assessed under the CMMC CAP.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.
CMMC Level 2 Scoping Guidance: Provides the framework for identifying the " assets " (people, technology, facilities) that reside within the Host Unit boundary.
CCP Study Guide: Section on " Scoping the Assessment, " which explains how to identify the Host Unit versus External Service Providers (ESPs).
While developing an assessment plan for an OSC. it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.
The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs).
The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.
CMMC Conflict of Interest Handling Process
Inform the OSC and C3PAO of the Potential Conflict of Interest
The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest.
Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.
Document the Conflict and Mitigation Actions in the Assessment Plan
Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.
The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.
Determine If the Mitigation Actions Are Acceptable
If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed.
Common mitigation strategies include:
Assigning another assessor for interviews with the conflicted individual.
Ensuring that decisions regarding the OSC’s compliance are reviewed independently.
Proceed with the Assessment If Mitigation Is Acceptable
If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.
Why the Other Answers Are Incorrect
A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
❌Incorrect. This violates CMMC’s integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.
B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
❌Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.
C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
❌Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.
CMMC Official References
CMMC Assessment Process (CAP) Document – Defines COI requirements and mitigation actions.
CMMC Code of Professional Conduct (CoPC) – Outlines ethical responsibilities of assessors.
CMMC Accreditation Body (Cyber-AB) Guidance – Provides rules on conflict resolution.
Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.
Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?
CUI Assets and Specialized Assets
Security Protection Assets and CUI Assets
Specialized Assets and Contractor Risk Managed Assets
Security Protection Assets and Contractor Risk Managed Assets
Understanding CMMC Asset Scoping Requirements
Before conducting aCMMC Level 2 Assessment, anOrganization Seeking Certification (OSC)must define theassessment scopeby categorizing all assets. This ensures that only relevant systems are assessed againstCMMC practices, reducing unnecessary compliance burdens.
According to theCMMC Scoping Guide for Level 2, there are four asset categories:
CUI Assets– Assets that process, store, or transmitControlled Unclassified Information (CUI).
Security Protection Assets (SPA)– Assets that providesecurity functions(e.g., firewalls, intrusion detection systems, identity management systems).
Contractor Risk Managed Assets (CRMA)– Assets thatdo not directly store/process CUIbut interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).
Specialized Assets– Unique systems such asOperational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may requirelimitedCMMC assessment.
Which Asset Categories Are Always Assessed?
✅1. CUI Assets(ALWAYS ASSESSED)
These are theprimary focusof CMMC Level 2 since they handleCUI.
All110 NIST SP 800-171 controlsapply to these assets.
✅2. Security Protection Assets (SPA)(ALWAYS ASSESSED)
Security tools that protectCUI Assetsarealways includedin the assessment.
Examples includefirewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.
Why the Other Answer Choices Are Incorrect:
(A) CUI Assets and Specialized Assets❌
CUI Assets are assessed, butSpecialized Assets are only assessed in a limited manner, depending on their role inCUI security.
(C) Specialized Assets and Contractor Risk Managed Assets❌
Specialized Assets and CRMAsare typicallynot fully assessedagainst CMMC controls unless they directly impactCUI security.
(D) Security Protection Assets and Contractor Risk Managed Assets❌
SPAs are always assessed, butCRMAs are not necessarily assessedunless they directly impact CUI.
Final Validation from CMMC Documentation:
TheCMMC Scoping Guide (Level 2)clearly states thatCUI Assets and Security Protection Assetsarealways assessedagainst CMMC practices.
Thus, the correct answer is:
B. Security Protection Assets and CUI Assets.
During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?
Final log report
Final CMMC report
Final and recorded OSC CMMC report
Final and recorded Daily Checkpoint log
Understanding the Final Review Process in a CMMC Assessment
During aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.
At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:
Theattendee list
Time, date, and locationof the final review
Final MET or NOT MET ratingsfor all practices
Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team
Why " D. Final and recorded Daily Checkpoint log " is Correct?
TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.
TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.
This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.
Why Other Answers Are Incorrect?
A. Final log report (Incorrect)
There isno specific " Final Log Report " required in CMMC assessments.
B. Final CMMC report (Incorrect)
TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.
C. Final and recorded OSC CMMC report (Incorrect)
This documentdoes not include detailed discussion points from the daily checkpoint meetings.
Conclusion
The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.
Which document is the BEST source for determining the sources of evidence for a given practice?
NISTSP 800-53
NISTSP 800-53A
CMMC Assessment Scope
CMMC Assessment Guide
TheCMMC Assessment Guideis the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g.,CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.
Detailed Justification:
CMMC Assessment Guide (Primary Source for Evidence)
TheCMMC Assessment Guideexplicitly outlines the evidence required to verify compliance with each practice.
It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.
The guide breaks down each practice intoassessment objectives, helping organizations prepare appropriate documentation and artifacts.
Other Documents and Why They Are Not the Best Choice:
NIST SP 800-53 (Option A)
WhileNIST SP 800-53provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.
It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.
NIST SP 800-53A (Option B)
NIST SP 800-53Aprovides guidance on assessing security controls but is not tailored to the CMMC framework.
It includes general control assessment procedures, but theCMMC Assessment Guideis more precise in defining the evidence needed for CMMC compliance.
CMMC Assessment Scope (Option C)
TheCMMC Assessment Scopedocument outlines which systems, assets, and processes are subject to assessment.
While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.
References from Official CMMC Documents:
CMMC Assessment Guide (Level 2) – Section on " Assessment Objectives "
This document details how evidence is collected and evaluated for each CMMC practice.
Example: ForAC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.
CMMC Model Overview (Official DoD Documents)
Emphasizes thatCMMC Assessment Guidesare the official reference for determining sources of evidence.
Conclusion:
TheCMMC Assessment Guideis the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
When under the control of the DoD
When the document is considered secret
When a document is being shared outside of the organization
When a derivative document ' s original information is not CUI
Background on Legacy Markings and CUI
Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.
Documents with legacy markings (such as “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.
When Must Legacy Markings Be Updated?
If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.
If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.
If a document is being shared externally (Answer C - Correct):
According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.
The document must be re-marked in compliance with the CUI Program before dissemination.
If the original document does not contain CUI (Answer D - Incorrect): The original source document ' s status does not affect the requirement to re-mark a derivative document if it contains CUI.
Conclusion
The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.
An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?
Analyzer
Inspector
Applicable staff
Demonstration staff
In the context of a Cybersecurity Maturity Model Certification (CMMC) assessment, the roles and responsibilities of individuals involved are clearly delineated to ensure a structured and effective evaluation process. The term " applicable staff " refers to personnel within the Organization Seeking Certification (OSC) who possess specific knowledge or expertise pertinent to the assessment. These individuals are integral to the assessment process as they provide essential information, demonstrate the implementation of security practices, and facilitate the assessment team ' s understanding of the organization ' s cybersecurity posture.
In this scenario, the employee serving as the primary system administrator is responsible for managing and maintaining the organization ' s systems. Given their comprehensive understanding of the system configurations, security controls, and operational procedures, this individual is best categorized as " applicable staff. " Their involvement is crucial during the assessment, as they can provide detailed insights, demonstrate compliance measures, and address technical inquiries from the assessment team.
The other options can be delineated as follows:
Analyzer:Typically refers to individuals who analyze data or security incidents, often as part of a security operations center. This role is not specifically defined within the CMMC assessment context.
Inspector:Generally denotes a person who examines or inspects systems and processes, possibly as part of an internal audit or compliance check. This term is not a standard designation within the CMMC assessment framework.
Demonstration staff:While this could imply personnel responsible for demonstrating systems or processes, it is not a recognized role within the CMMC assessment process.
Therefore, the primary system administrator, by virtue of their role and responsibilities, aligns with the " applicable staff " category, playing a pivotal role in facilitating a successful CMMC assessment.
A server is used to store FCI with a cloud provider long-term. What is the server considered?
In scope, because the cloud provider will be storing the FCI data
Out of scope, because the cloud provider stores the FCI data long-term
In scope, because the cloud provider is required to be CMMC Level 2 certified
Out of scope, because encryption is always used when the cloud provider stores the FCI data
Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.
Supporting Extracts from Official Content:
CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”
CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.
Why Option A is Correct:
The server stores FCI, making it automatically in scope.
Option B is incorrect because long-term storage does not make an asset out of scope.
Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.
Option D is incorrect because encryption does not remove scope requirements.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1.
CMMC Model v2.0, Scoping and Implementation guidance.
===========
The CMMC Level 2 assessment methods include examination and can include:
documents, mechanisms, or activities.
specific hardware, software, or firmware safeguards employed within a system.
policies, procedures, security plans, penetration tests, and security requirements.
observation of system backup operations, exercising a contingency plan, and monitoring network traffic.
According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, the assessment methodology is derived directly from NIST SP 800-171A. The framework defines three fundamental assessment methods used by a C3PAO (Certified Third-Party Assessment Organization) to determine if a practice is " Met. " These are:
Examine: This involves reviewing, inspecting, or analyzing assessment objects. As per the CCP curriculum, these objects include documents (policies, procedures, plans), mechanisms (hardware, software, or firmware safeguards), or activities (logs, system configurations).
Interview: This involves holding discussions with personnel within the Organization Seeking Certification (OSC) to facilitate understanding or obtain evidence.
Test: This involves exercising assessment objects (mechanisms or activities) under specific conditions to compare actual behavior with expected behavior.
Detailed Breakdown of the Options:
Option A is correct because " documents, mechanisms, or activities " are the specific categories of assessment objects defined in the CMMC/NIST 171A methodology that are subjected to the Examine method.
Option B refers to specific technical components, which are types of mechanisms but do not represent the full scope of the assessment methods.
Option C lists specific examples of evidence, but is not the formal definition of the " Examine " method components.
Option D describes specific " Test " or " Interview " activities rather than the categorical objects of the " Examine " method.
Reference Documents:
CMMC Assessment Guide, Level 2: Section on " Assessment Methods " (derived from NIST SP 800-171A).
CMMC Assessment Process (CAP): Defines the evidence collection phase and the application of Examine, Interview, and Test (E-I-T).
NIST SP 800-171A: The source document defining the " Assessment Objects " as specifications (documents), mechanisms, and activities.
A CCP is consulting with an OSC. In the course of an interview, the OSC representative asks the CCP what basic safeguarding requirements must be met with respect to CMMC Level 1. The CCP tells the representative that this publication contains all the requirements from:
NIST SP 800-171.
DFARS Clause 252.202-7014.
DFARS Clause 252.204-7012.
FAR Clause 52.204-21.
The correct answer is D because CMMC Level 1 is based on the basic safeguarding requirements in FAR Clause 52.204-21 , not on the full NIST SP 800-171 or DFARS 252.204-7012 requirements. The official CMMC Model Overview states that Level 1 focuses on protecting Federal Contract Information (FCI) and consists of security requirements that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 , commonly referred to as the FAR Clause. It also states that Level 2 is the level that incorporates the 110 security requirements from NIST SP 800-171 Rev. 2 for protection of Controlled Unclassified Information (CUI) .
FAR 52.204-21 applies to covered contractor information systems that process, store, or transmit Federal Contract Information. The clause requires contractors to apply basic safeguarding requirements and procedures, including limiting system access to authorized users, controlling external connections, protecting information on publicly accessible systems, identifying and authenticating users, and sanitizing or destroying media containing FCI before disposal or reuse.
Option A is incorrect because NIST SP 800-171 is associated with CMMC Level 2, not Level 1. Option B is incorrect because the cited DFARS clause number is not the CMMC Level 1 source. Option C is incorrect because DFARS 252.204-7012 is tied to safeguarding covered defense information and implementing NIST SP 800-171 for CUI, not the Level 1 basic safeguarding baseline.
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Conduct a penetration test
Interview the intrusion detection system ' s supplier.
Upload known malicious code and observe the system response.
Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:
✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)
✅Log analysis and network monitoring
✅Incident response planningfor detected threats
As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.
Why " Review an artifact to check key references for the configuration of the IDS or IPS " is Correct?
TheCCA must collect sufficient objective evidenceto determine compliance.
Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.
Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.
Breakdown of Answer Choices
Option
Description
Correct?
A. Conduct a penetration test
❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor ' s responsibilities.
B. Interview the intrusion detection system ' s supplier.
❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.
C. Upload known malicious code and observe the system response.
❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official References from CMMC 2.0 and NIST SP 800-171 Documentation
NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.
Final Verification and Conclusion
The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.
In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?
Virtual LAN restrictions
Single administrative account
Documentation showing MFD configuration
Access lists only known to the IT administrator
Understanding Multi-Function Device (MFD) Security in CMMC
Multi-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.
Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.
Why the Correct Answer is " A. Virtual LAN (VLAN) Restrictions " ?
VLAN Restrictions Provide Network Segmentation
VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.
Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.
Meets CMMC 2.0 Network Security Controls
Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.
Reducesthe risk of unauthorized access to scanned and printed FCI.
Why Not the Other Options?
B. Single administrative account→Incorrect
Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.
C. Documentation showing MFD configuration→Incorrect
Documentation helps with compliance butdoes not actively restrict access.
D. Access lists only known to the IT administrator→Incorrect
Access lists should besystem-enforced, not just " known " to the administrator.
Relevant CMMC 2.0 References:
CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.
NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.
Final Justification:
SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.
An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI. identified stakeholders, and provided assessment logistics. The OSC has provided the company ' s cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?
Ready because there is no need to certify this company until after they win a DoD contract.
Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract.
Not ready because the OSC still lacks artifacts that prove they have implemented all the CMMC Level 2 Assessment requirements.
Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification.
CMMC Level 2 Readiness and Certification Requirements
CMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171 ' s 110 security controls.
Key Readiness Indicators for a Level 2 Assessment:
The OSC must have implemented all 110 security practices from NIST SP 800-171.
Documented and validated cybersecurity policies and procedures must exist.
The OSC must be prepared to provide objective evidence (artifacts) proving compliance.
Why the OSC in the Question is Not Ready:
They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.
They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).
Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).
Clarification of Incorrect Options:
A. " Ready because there is no need to certify this company until after they win a DoD contract. "
Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.
B. " Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract. "
Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.
D. " Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification. "
Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.
During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
Host Unit
Organization
Coordinating Unit
Supporting Organization/Unit
In the context of the Cybersecurity Maturity Model Certification (CMMC) Assessment Process, understanding the roles of various entities associated with an Organization Seeking Certification (OSC) is crucial during the planning phase. When a Certified Third-Party Assessment Organization (C3PAO) staff reviews these entities for a CMMC Level 2 Assessment, it ' s essential to distinguish between internal components and external participants.
Step-by-Step Explanation:
Definition of the HQ Organization:
The HQ Organization refers to the entire legal entity delivering services under the terms of a Department of Defense (DoD) contract. This entity is responsible for ensuring compliance with CMMC requirements.
Identification of External Entities:
External entities encompass people, processes, and technology that are not part of the HQ Organization but support its operations. These entities participate in the assessment process due to their involvement in handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) related to the DoD contract.
Role of Supporting Organizations/Units:
According to the CMMC Assessment Process documentation, Supporting Organizations are defined as " the people, procedures, and technology external to the HQ Organization that support the Host Unit. " These external entities are integral to the operations of the Host Unit but are not encompassed within the HQ Organization ' s immediate structure.
Assessment Implications:
While Supporting Organizations/Units play a vital role in supporting the Host Unit, they do not receive a separate CMMC Level certification unless an enterprise assessment is conducted. In such cases, the assessment would encompass both the HQ Organization and its Supporting Organizations to ensure comprehensive compliance across all associated entities.
What is DFARS clause 252.204-7012 required for?
All DoD solicitations and contracts
Solicitations and contracts that use FAR part 12 procedures
Procurements solely for the acquisition of commercial off-the-shelf
Commercial off-the-shelf sold in the marketplace without modifications
The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?
Expert
Advanced
Optimizing
Continuously Improved
Understanding CMMC 2.0 Levels and Their Descriptions
TheCybersecurity Maturity Model Certification (CMMC) 2.0consists ofthree levels, each representing increasing cybersecurity maturity:
Level 1 – Foundational
Focuses onbasic cyber hygiene
Implements17 practicesaligned withFAR 52.204-21
Primarily protectsFederal Contract Information (FCI)
Level 2 – Advanced(Correct Answer)
Focuses onprotecting Controlled Unclassified Information (CUI)
Implements110 practicesaligned withNIST SP 800-171
Requirestriennial third-party assessments for critical programs
Level 3 – Expert
Focuses onadvanced cybersecurityagainstAPT (Advanced Persistent Threats)
ImplementsNIST SP 800-171 and additional NIST SP 800-172 controls
Requirestriennial government-led assessments
Why " B. Advanced " is Correct?
TheCMMC 2.0 framework explicitly describes Level 2 as " Advanced. "
Italigns with NIST SP 800-171to ensure robustCUI protection.
Why Other Answers Are Incorrect?
A. Expert (Incorrect)– This describesLevel 3, not Level 2.
C. Optimizing (Incorrect)– Not a defined CMMC level description.
D. Continuously Improved (Incorrect)– CMMC does not use this terminology.
Conclusion
The correct answer isB. Advanced, which accurately describesCMMC Level 2.
The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC ' s external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:
inadequate because it is irrelevant to the practice.
adequate because it fits well for expected artifacts.
adequate because no security incidents were reported.
inadequate because the OSC ' s service provider should be interviewed.
Understanding RA.L2-3.11.2: Vulnerability Scanning
TheRA.L2-3.11.2practice requires organizations to:
✔Regularly scan for vulnerabilitiesin systems and applications.
✔Perform scans when new vulnerabilities are identified.
✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.
Why Is an Incident Monitoring Report Irrelevant?
Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.
Vulnerability scanning reportsshould include:
✔A list of vulnerabilities detected.
✔Remediation actions taken.
✔Scan frequency and schedule.
Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.
Why is the Correct Answer " A. Inadequate because it is irrelevant to the practice " ?
A. Inadequate because it is irrelevant to the practice → Correct
Alack of reported security incidents does not confirm that vulnerability scanning was performed.
B. Adequate because it fits well for expected artifacts → Incorrect
Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.
C. Adequate because no security incidents were reported → Incorrect
The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.
D. Inadequate because the OSC ' s service provider should be interviewed → Incorrect
While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.
CMMC 2.0 References Supporting This Answer:
NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)
Defines the requirement toscan for vulnerabilities periodically and when new threats emerge.
CMMC Assessment Guide for Level 2
Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.
CMMC 2.0 Model Overview
Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
Access control
Physical access control
Mandatory access control
Discretionary access control
Understanding Access Control in CMMC
Access control refers to the process ofgranting or denyingspecific requests to:
Obtain and use information
Access information processing services
Enter specific physical locations
TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:
✅Implement policies for granting and revoking access.
✅Restrict access to authorized personnel only.
✅Protect physical and digital assets from unauthorized access.
Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.
Why the Other Answers Are Incorrect
B. Physical access control
❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.
C. Mandatory access control (MAC)
❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.
D. Discretionary access control (DAC)
❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.
CMMC Official References
CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.
NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.
Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.
Who is responsible for ensuring that subcontractors have a valid CMMC Certification?
CMMC-AB
OUSD A & S
DoD agency or client
Contractor organization
Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A & S directly manages subcontractor certification.
Supporting Extracts from Official Content:
DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”
Why Option D is Correct:
Compliance responsibility flows through the contractor supply chain.
CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.
OUSD A & S sets policy, not enforcement at contract level.
DoD agencies only require compliance at award/contract oversight level.
References (Official CMMC v2.0 Content):
DFARS 252.204-7021.
CMMC Model v2.0 governance guidance.
===========
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
CDI
CTI
CUI
FCI
Understanding Federal Contract Information (FCI)
Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:
Is NOT intended for public release.
Is provided by or generated for the government under a contract.
Is necessary to develop or deliver a product or service to the government.
Excludes publicly available government information(such as information on public websites).
Excludes simple transactional information(e.g., necessary to process payments).
In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.
Why is the Correct Answer FCI (D)?
A. CDI (Controlled Defense Information)→ Incorrect
This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.
B. CTI (Cyber Threat Intelligence)→ Incorrect
This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.
C. CUI (Controlled Unclassified Information)→ Incorrect
CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.
D. FCI (Federal Contract Information)→Correct
The definition of FCI explicitly matches the description given in the question.
CMMC 2.0 References Supporting this Answer:
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
Defines FCI and the required safeguards.
Establishes17 cybersecurity practicesfor FCI protection.
CMMC 2.0 Framework
Level 1 (Foundational)is required for contractors handlingFCI.
Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.
NIST SP 800-171 and DFARS 252.204-7012
FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.
When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?
OSC
C3PAO
C3PAO and OSC
OSC and Lead Assessor
The CAP specifies that the C3PAO is responsible for assigning the Lead Assessor to an OSC’s assessment. While the OSC contracts with the C3PAO, the authority to appoint the Lead Assessor resides solely with the C3PAO.
Supporting Extracts from Official Content:
CAP v2.0, Assessment Team Composition (§2.10): “The C3PAO shall designate a qualified Lead Assessor to lead the assessment.”
Why Option B is Correct:
Only the C3PAO has the authority to select and assign the Lead Assessor.
The OSC may influence scheduling and planning but cannot appoint assessors.
Options A, C, and D are inconsistent with CAP requirements.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Assessment Team Roles and Responsibilities (§2.10).
During the assessment process, who is the final interpretation authority for recommended findings?
C3PAO
CMMC-AB
OSC sponsor
Assessment Team Members
According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).
While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.
Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or " peer " review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.
Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.
Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.
Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section on " Phase 3: Conduct Assessment " and " Phase 4: Reporting Results, " which details the C3PAO’s responsibility for the final package.
C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.
Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?
Level 1
Level 2
Level 3
Any level
1. Understanding CMMC 2.0 Levels and CUI Handling Requirements
UnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.
CMMC 2.0 Levels:
Level 1 (Foundational) – 17 Practices
Covers onlyFederal Contract Information (FCI)security.
Does NOT meet CUI handling requirements.
Level 2 (Advanced) – 110 Practices✅
REQUIRED for handling CUI.
Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.
Contractorsmust achieve Level 2for contracts requiring CUI protection.
Level 3 (Expert) – 110+ Practices
Required for contracts involvinghigh-value CUIandcritical national security information.
Includesadditionalprotections fromNIST SP 800-172.
2. Official CMMC 2.0 References Confirming Level 2 for CUI
TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.
DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.
TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.
3. Why the Other Options Are Incorrect
A. Level 1❌
Only covers FCI, not CUI.
Does notmeet DoD requirements for protectingCUI.
C. Level 3❌
While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.
Level 2 is the minimumneeded to handle CUI.
D. Any level❌
OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.
Level 1 doesnotmeet CUI security standards.
Which government agency are DoD contractors required to report breaches of CUI to?
FBI
NARA
DoD Cyber Crime Center
Under Secretary of Defense for Intelligence and Security
Who Do DoD Contractors Report CUI Breaches To?
PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).
Key Reporting Requirements
✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.
✅Reports must be submitted via theDoD ' s Cyber Incident Reporting Portal.
✅Contractors mustpreserve forensic evidencefor potential investigation.
Why " DoD Cyber Crime Center " is Correct?
The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.
NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.
The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.
Breakdown of Answer Choices
Option
Description
Correct?
A. FBI
❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.
B. NARA
❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.
C. DoD Cyber Crime Center
✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.
D. Under Secretary of Defense for Intelligence and Security
❌Incorrect–This office doesnothandle cyber incident reports.
Official References from CMMC 2.0 and DFARS Documentation
DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.
DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.
Final Verification and Conclusion
The correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.
The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?
MET
POA & M
NOT MET
NOT APPLICABLE
Understanding the CMMC Assessment Process (CAP) Phases
TheCMMC Assessment Process (CAP)consists ofthree primary phases:
Phase 1 - Planning(Pre-assessment activities)
Phase 2 - Conducting the Assessment(Evidence collection and analysis)
Phase 3 - Reporting and Finalizing Results
DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.
Scoring Practices in Phase 3
The CAP document specifies that a practice can bescored as METif:
✅The deficiency identified in Phase 2 has been fully corrected before final scoring.
✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.
✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.
Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.
Why the Other Answers Are Incorrect
B. POA & M (Plan of Action & Milestones)
❌Incorrect. APOA & M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.
C. NOT MET
❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.
D. NOT APPLICABLE
❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.
CMMC Official References
CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA & M.
Thus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.
Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?
Cybersecurity
Data security
Network security
Information security
The term that describes " the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation " isCybersecurity.
Step-by-Step Breakdown:
✅1. Cybersecurity Defined
Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.
It includes measures to ensure:
Availability(data is accessible when needed).
Integrity(data is accurate and unaltered).
Authentication(verifying users ' identities).
Confidentiality(ensuring only authorized access).
Non-repudiation(preventing denial of actions).
The definition in the questionaligns directly with cybersecurity principles, making it the best answer.
✅2. Why the Other Answer Choices Are Incorrect:
(B) Data Security❌
Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.
(C) Network Security❌
Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).
The definition in the question includesmore than just networks, so cybersecurity is the better choice.
(D) Information Security❌
Information security (InfoSec)is related but broader than cybersecurity.
InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.
Final Validation from CMMC Documentation:
CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.
DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.
The evidence needed for each practice and/or process is weighed for:
Adequacy and sufficiency
Adequacy and thoroughness
Sufficiency and thoroughness
Sufficiency and appropriateness
The CAP makes clear that evidence collected during the assessment is evaluated for both adequacy (does the evidence align with the requirement) and sufficiency (is there enough evidence to make a confident determination).
Supporting Extracts from Official Content:
CAP v2.0, Evidence Collection Guidance: “Evidence must be evaluated for adequacy… and for sufficiency, to ensure enough information is available to support the assessor’s determination.”
Why Option A is Correct:
Evidence is assessed based on two qualities only: adequacy and sufficiency.
“Thoroughness” and “appropriateness” are not official CAP terms for evidence evaluation.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Evidence Evaluation section.
===========
What service is the MOST comprehensive that the RPO provides?
Training services
Education services
Consulting services
Assessment services
Understanding the Role of a Registered Provider Organization (RPO)
ARegistered Provider Organization (RPO)is an entity recognized by theCMMC Accreditation Body (CMMC-AB)to provideconsulting servicesto organizations seekingCMMC certification.
Key Functions of an RPO
✅Consulting servicesto help companies prepare for CMMC assessments.
✅Guidance on security controlsrequired for compliance.
✅Assistance with documentation, policy development, and gap analysis.
✅Preparation for third-party CMMC assessmentsbutdoes not conduct official CMMC assessments(this is the role of a C3PAO).
Why " Consulting Services " is the Correct Answer?
Consulting servicesare thebroadest and most comprehensivefunction of an RPO.
RPOs do not conduct assessments(eliminating option D).
Training and educationmay be part of consulting but arenot the primary function(eliminating A and B).
Consulting includes training, guidance, documentation assistance, and security readiness, making it themost comprehensive service offered.
Breakdown of Answer Choices
Option
Description
Correct?
A. Training services
❌Incorrect–RPOs may provide training, but this isnot their primary function.
B. Education services
❌Incorrect–Similar to training, butnot the most comprehensive service.
C. Consulting services
✅Correct – The core function of an RPO is consulting, which includes various readiness services.
D. Assessment services
❌Incorrect–Only aC3PAO (Certified Third-Party Assessment Organization)can conductofficial CMMC assessments.
Official References from CMMC 2.0 Documentation
TheCMMC-AB RPO Programdefines an RPO as aconsulting organization that assists companies in preparing for CMMC certificationbutdoes not perform assessments.
Final Verification and Conclusion
The correct answer isC. Consulting services, asRPOs primarily provide advisory and readiness supportto organizations preparing forCMMC compliance.
Who is the FedRAMP certification program for?
IT contractors risk management self-assessments
Cloud service providers for cloud products and services
IT contractors for cybersecurity self-assessments
Cloud service providers for on-premise products and services
The correct answer is B because FedRAMP is a federal authorization program for cloud services, not a self-assessment framework for ordinary IT contractors and not a program for on-premise products. In the CMMC context, FedRAMP becomes especially important when a contractor uses an external cloud service provider to store, process, or transmit covered defense information or CUI. DFARS 252.204-7012 requires the contractor to ensure that the cloud service provider meets security requirements equivalent to the FedRAMP Moderate baseline when covered defense information is handled in an external cloud service. FedRAMP itself also maintains a marketplace of certified cloud services, authorizing agencies, and recognized assessors. Therefore, the target participants are cloud service providers offering cloud products and services that need federal authorization or recognition. Options A and C incorrectly frame FedRAMP as a contractor self-assessment model. Option D is wrong because FedRAMP is focused on cloud service offerings, not traditional on-premise products or services. Reference/topics: FedRAMP, cloud service providers, DFARS 252.204-7012, external cloud services, FedRAMP Moderate baseline.
Prior to initiating an OSC ' s CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval. Which document stipulates these reporting requirements?
CMMC Assessment reporting requirements
DFARS 52.204-21 assessment reporting requirements
NISTSP 800-171 Revision 2 assessment reporting requirements
DFARS clause 252.204-7012 assessment reporting requirements
The correct answer isA. CMMC Assessment Reporting Requirementsbecause this document specifically outlines thestructured processthat Certified Third-Party Assessment Organizations (C3PAOs) must follow when conducting and reporting CMMC assessments.
Step-by-Step Breakdown:
Understanding the CMMC Assessment Process
TheLead Assessorbriefs the team on theassessment requirementsand theevaluation criteriabefore the assessment begins.
Throughout the assessment,findings summaries, practice ratings, and level recommendationsare documented and reported.
These findings are internally reviewed by theC3PAObefore they are formally submitted forquality review and final rating approval.
Key Document Stipulating Reporting Requirements: CMMC Assessment Reporting Requirements
This documentspecifically details how assessments must be reportedwithin theCMMC ecosystem.
It describes the structured process for assessment submission, internalC3PAO reviews, andquality checks by the CMMC-ABbefore an organization can receive a final certification decision.
It ensures thatresults are consistent, transparent, and aligned with DoD cybersecurity compliance expectations.
Why Other Options Are Incorrect:
B. DFARS 52.204-21 Assessment Reporting Requirements
This clause only specifiesbasic safeguardingof Federal Contract Information (FCI) but doesnotdictate the reporting process for CMMC assessments.
C. NIST SP 800-171 Revision 2 Assessment Reporting Requirements
WhileNIST SP 800-171 Rev. 2outlines security controls, it doesnotdefine how CMMC assessments must be conducted and reported.
D. DFARS Clause 252.204-7012 Assessment Reporting Requirements
This DFARS clause focuses onincident reportingandcyber incident response requirementsbut does not detail theCMMC assessment reporting process.
Official Reference:
CMMC Assessment Reporting Requirements, issued byThe Cyber ABandDoD, governs how C3PAOs must report assessment results.
CMMC Assessment Process (CAP)also outlines reporting workflows for certification.
Thus, theCMMC Assessment Reporting Requirementsdocument is the authoritative source that dictates the reporting procedures for CMMC assessments.
Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?
Phase 1: Plan and Prepare Assessment
Phase 2: Conduct Assessment
Phase 3: Report Recommended Assessment Results
Phase 4: Remediation of Outstanding Assessment Issues
Understanding the CMMC Assessment Process
TheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.
Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.
Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.
Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.
Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.
Why " Phase 2: Conduct Assessment " is Correct?
DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:
✅Identifying required evidencefor compliance verification.
✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).
✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.
✅Interviewing key personneland observing cybersecurity implementations.
Since the question specifically mentions " identify, obtain inventory, and verify evidence, " this task directly falls underPhase 2: Conduct Assessment.
Breakdown of Answer Choices
Option
Description
Correct?
A. Phase 1: Plan and Prepare Assessment
❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.
B. Phase 2: Conduct Assessment
✅Correct – This phase involves gathering, verifying, and reviewing evidence.
C. Phase 3: Report Recommended Assessment Results
❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.
D. Phase 4: Remediation of Outstanding Assessment Issues
❌Incorrect–This phase focuses oncorrective actions, not evidence collection.
Official References from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.
Final Verification and Conclusion
The correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?
All three types of evidence are documented for every control.
Examine and accept evidence from one of the three evidence types.
Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
This question pertains to theminimum evidence requirementsneeded by a CMMCAssessment Teamto score a practice asMETduring aLevel 2 Assessment.
The CMMC Level 2 assessment must align withNIST SP 800-171and follow the procedures outlined in theCMMC Assessment Process (CAP) Guide v1.0, particularly aroundevidence collection and scoring methodology.
✅Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0
CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices
“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”
This meansat least two typesof the following evidence are required:
Examine(documentation/artifacts),
Interview(affirmation from personnel),
Test(demonstration of implementation).
✅Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET
The CAP explicitly states:
“A practice can only be scored MET when a minimum oftwo types of evidencefrom the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”
Theevidence types must come from two different categories, for example:
An artifact(Examine)+ an interview affirmation(Interview),
A demonstration(Test)+ an interview(Interview),
Etc.
This cross-validation ensures that the control isimplemented, documented, and understoodby personnel — a core principle in assessing effective cybersecurity implementation.
❌Why the Other Options Are Incorrect
A. All three types of evidence are documented for every control
✘Incorrect:While collecting all three types (E-I-T) strengthens the assessment, theminimum requirementis onlytwo. Collecting all three isnot requiredfor a practice to be scoredMET.
B. Examine and accept evidence from one of the three evidence types
✘Incorrect:This fails to meet theminimum two-evidence-type requirementset by the CAP. Single-source evidence is not sufficient to score a practice as MET.
C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation
✘Incorrect:Even if two artifacts are examined,this is still only one type of evidence(Examine). The CAP requires twotypes— not two instances of the same type.
✅Why D is Correct
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
✔This directly reflects theCAP’s requirement for collecting two different types of objective evidenceto determine a practice is MET.
BLUF (Bottom Line Up Front):
To score a CMMC Level 2 practice asMET, the Assessment Team must collecta minimum of two distinct types of evidence— from theExamine, Interview, Test (E-I-T)categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?
FCI Asset
CUI Asset
In-scope Asset
Specialized Asset
Understanding Asset Categorization in CMMC 2.0
InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Why " D. Specialized Asset " is Correct?
TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.
Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.
Why Other Answers Are Incorrect?
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.
Conclusion
The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.
As part of CMMC 2.0, the change to Level 1 Self-Assessments supports " reduced assessment costs " allows all companies at Level 1 (Foundational) to:
to conduct self-assessments.
opt out of CMMC Assessments.
have assessment costs reimbursed by the DoD.
pay no more than $500.00 for their annual assessment.
Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)
As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):
DoD Statement (CMMC 2.0 Overview):
“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”
✅Step 2: Intent of “Reduced Assessment Costs”
The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.
Level 1 self-assessments are:
Conductedinternally by the OSC,
Affirmed annuallyby a senior company official,
Submitted via SPRS(Supplier Performance Risk System).
❌Why the Other Options Are Incorrect
B. Opt out of CMMC Assessments
✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.
C. Have assessment costs reimbursed by the DoD
✘No such reimbursement mechanism exists.
D. Pay no more than $500.00…
✘No such fixed cost is set or guaranteed in CMMC documentation.
UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.
An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?
No, emails are not appropriate affirmations.
No, messaging is not an appropriate affirmation.
Yes, the affirmations collected by the assessor are all appropriate.
Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.
According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, an assessment finding is built upon evidence collected through three primary methods: Examine, Interview, and Test. The term " affirmation " in this context refers to the verbal or written statements provided by the Organization Seeking Certification (OSC) personnel to confirm that a practice is implemented as described.
Broad Definition of Evidence: The CAP allows for a wide variety of artifacts to be used as evidence. " Affirmations " are typically captured during the Interview process or found within Examine objects.
Validity of Formats:
Interviews: Direct verbal affirmations from subject matter experts (SMEs).
Emails and Messaging (Chat/Slack/Teams): These are considered valid " Examine " objects (records/artifacts) that serve as written affirmations or evidence of an activity (e.g., an email chain approving a firewall change or a message confirming a system update).
Presentations and Demonstrations: These fall under " Examine " (the presentation slides) and " Test/Examine " (the demonstration of a mechanism).
Why Option C is correct: The CMMC framework does not disqualify digital communications like emails or messaging as evidence. In fact, these are often the primary artifacts used to prove that a process (like an approval workflow or notification) is occurring in practice. As long as the assessor can verify the authenticity and integrity of these communications, they are appropriate for collecting affirmations.
Why Option D is less accurate: While screenshots are indeed used as evidence, the core question asks if thespecificlist (interviews, demonstrations, emails, messaging, presentations) is appropriate. Option C directly validates the list provided in the prompt without introducing extraneous elements like screenshots, which—while valid—are not the focus of the " appropriate " determination for the items listed.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence), which discusses the types of artifacts and " human evidence " (interviews) that support findings.
CMMC Level 2 Assessment Guide: " Assessment Methods " section, clarifying that evidence can include any records (electronic or physical) that demonstrate the implementation of a practice.
NIST SP 800-171A: The underlying standard for assessment procedures, which encourages the use of various evidence types to satisfy assessment objectives.
Which example represents a Specialized Asset?
SOCs
Hosted VPN services
Consultants who provide cybersecurity services
All property owned or leased by the government
According to the CMMC Scoping Guidance, Level 2, assets are categorized into specific groups to determine how they are treated during an assessment. One of these categories is Specialized Assets.
The CMMC Scoping Guidance defines Specialized Assets as a specific group that includes:
Government Property: Any property owned or leased by the government and provided to the contractor (Government Furnished Equipment or GFE).
Internet of Things (IoT): Physical objects that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data.
Operational Technology (OT): Programmable systems or devices that interact with the physical environment (e.g., Industrial Control Systems).
Restricted Information Systems: Systems that have specific configurations or constraints that prevent standard security controls from being applied (e.g., legacy systems).
Test Equipment: Specialized equipment used for testing, such as oscilloscopes or signal generators.
Why other options are incorrect:
Option A (SOCs): A Security Operations Center is typically considered a Security Protection Asset (SPA) because it provides security functions (monitoring/response) for the assessment scope.
Option B (Hosted VPN services): These are generally categorized as External Service Providers (ESPs) or part of the Security Protection Assets, depending on how they are managed and their role in protecting CUI.
Option C (Consultants): These are External Service Providers (ESP) (personnel/organizations), not specialized hardware/software assets.
Treatment of Specialized Assets: Under CMMC Level 2 scoping rules, Specialized Assets must be identified in the Asset Inventory and documented in the System Security Plan (SSP), but they are generally not managed against the CMMC practices unless they process, store, or transmit CUI in a way that falls outside their specialized function.
Reference Documents:
CMMC Scoping Guidance, Level 2 (Version 2.0/2.1): Section 3.1, " Specialized Assets " and Table 3.
32 CFR Part 170 (CMMC Program Rule): Definitions of asset categories and their associated assessment requirements.
When a conflict of interest is unavoidable, a CCP should NOT:
Inform their organization
Take action to minimize its impact
Disclose it to affected stakeholders
Conceal it from the Assessment Team lead
CMMC Assessment Process (CAP) and CMMC Code of Professional Conduct emphasize that conflicts of interest (COI) must be disclosed and managed transparently. A Certified CMMC Professional (CCP) is required to:
Inform their organization,
Disclose the COI to the affected stakeholders, and
Take reasonable steps to minimize the impact.
What they must NOT do is conceal it from the Assessment Team Lead or others. Concealing a COI violates the CMMC Code of Professional Conduct and compromises the integrity of the assessment.
Reference Documents:
CMMC Assessment Process (CAP), v1.0
CMMC Code of Professional Conduct, CMMC-AB
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
DoD
CISA
NIST
CMMC-AB
Step 1: Understanding the Role of the DoD in CMMC
TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.
This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
have a security clearance.
be a senior person in the company.
demonstrate expertise on the CMMC requirements.
provide clarity and understanding of their practice activities.
Interview Selection in CMMC Assessments
During aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:
✅Verify that personnel understand andperform security-related practices.
✅Ensure that individuals canexplain how they implement CMMC requirements.
✅Gain insight intoactual cybersecurity operationsrather than just documented policies.
The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.
Why " Providing Clarity and Understanding " Is Key
CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.
Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.
CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.
Thus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.
Why the Other Answers Are Incorrect
A. Have a security clearance.
❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.
B. Be a senior person in the company.
❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.
C. Demonstrate expertise on the CMMC requirements.
❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.
CMMC Official References
CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.
NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.
Thus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.
Which DFARS clause considers Safeguarding CDI and Cyber Incident Reporting?
252.204-7022
252.204-7020
252.204-7012
252.204-7021
The correct answer is C because DFARS 252.204-7012 is explicitly titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This clause is one of the core governance and source-document foundations for CMMC because it establishes contractor obligations for protecting covered defense information, including CUI/CDI, on covered contractor information systems. It defines covered contractor information systems as unclassified systems owned or operated by or for a contractor that process, store, or transmit covered defense information. It also requires contractors to provide adequate security and implement NIST SP 800-171 security requirements where applicable. In addition, it requires contractors to rapidly report cyber incidents affecting covered contractor systems or covered defense information, with “rapidly report” defined as within 72 hours of discovery. Options A, B, and D are not the clause titled for safeguarding CDI and cyber incident reporting. DFARS 252.204-7020 relates to NIST SP 800-171 DoD assessment requirements, while DFARS 252.204-7021 addresses CMMC requirements. Reference/topics: DFARS 252.204-7012, CDI/CUI safeguarding, cyber incident reporting, CMMC source documents.
What type of criteria is used to answer the question " Does the Assessment Team have the right evidence? "
Adequacy criteria
Objectivity criteria
Sufficiency criteria
Subjectivity criteria
According to the CMMC Assessment Process (CAP), specifically during the Phase 3: Conduct Assessment (Evidence Collection and Verification), the Assessment Team must evaluate all collected artifacts, interview notes, and test results against two primary dimensions: Adequacy and Sufficiency.
Adequacy (The " Right " Evidence): This criterion focuses on the quality, relevance, and validity of the evidence. It addresses whether the evidence actually maps to the specific CMMC practice being assessed and whether it is authoritative (e.g., signed, current, and from a trusted source). If an assessor asks, " Is this therightpiece of information to prove this practice is met? " they are testing for Adequacy.
Sufficiency (The " Enough " Evidence): This criterion focuses on the quantity and scope of the evidence. It addresses whether the Assessment Team has collected enough data points (across the required number of assets and using the required methods of Examine, Interview, and Test) to reach a confident conclusion. If an assessor asks, " Do I haveenoughexamples of this practice in action across the entire enclave? " they are testing for Sufficiency.
Why other options are incorrect:
B and D (Objectivity/Subjectivity): While assessors must remain objective, these are not the formal " criteria " used to categorize the evidence collection quality within the CAP framework.
C (Sufficiency): As noted above, Sufficiency is about theamountof evidence, not whether it is thecorrect type(the " right " evidence).
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section 3.4, " Collect and Verify Evidence, " which explicitly defines the requirement for evidence to be both adequate and sufficient.
CMMC Level 2 Assessment Guide: Guidance on the application of the Examine, Interview, and Test (E-I-T) methods to ensure evidence quality.
NIST SP 800-171A: The foundation for CMMC assessment procedures, which emphasizes the need for relevant (adequate) evidence to support findings.
Which statement BEST describes an assessor ' s evidence gathering activities?
Use interviews for assessing a Level 2 practice.
Test all practices or objectives for a Level 2 practice
Test certain assessment objectives to determine findings.
Use examinations, interviews, and tests to gather sufficient evidence.
Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:
Examination – Reviewing documents, records, system configurations, and other artifacts.
Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.
Why Option D is Correct
The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.
CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.
Solely relying on one method (like interviews in Option A) is insufficient.
Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.
Testing only " certain " objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.
CMMC 2.0 and Official Documentation References
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.
Final Verification
To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.
A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor ' s business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?
loT
Restricted IS
Test equipment
Government property
Understanding Restricted Information Systems (IS) in CMMC Scoping
InCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:
Internet of Things (IoT) Devices– Smart or network-connected devices.
Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.
Test Equipment– Devices used for specialized testing or measurement.
Government Property– Equipment owned by theU.S. Governmentbut used by contractors.
Why " B. Restricted IS " is Correct?
The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.
Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.
These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.
Why Other Answers Are Incorrect?
A. IoT (Incorrect)
IoT devices includesmart devices, sensors, and embedded systems, but the contractor ' s business systems are not classified as IoT.
C. Test Equipment (Incorrect)
The contractor’s systems areused for handling FCI, not for testing or measurement.
D. Government Property (Incorrect)
The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.
Conclusion
The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.
When executing a remediation review, the Lead Assessor should:
help OSC to complete planned remediation activities.
plan two consecutive remediation reviews for an OSC.
submit a delta assessment remediation package for C3PAO ' s internal quality review.
validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment.
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.
Role of the Lead Assessor in Remediation Reviews:
Validation of Remediation Efforts:
Objective: Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.
Process: The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.
Delta Assessment Remediation Package Submission:
Definition: A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.
Responsibility: After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:
Detailed documentation of the deficiencies identified in the initial assessment.
Evidence of the corrective actions taken by the OSC.
Findings from the reassessment of the remediated practices.
Internal Quality Review: This remediation package is then submitted for the C3PAO ' s internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.
Rationale for Selecting Answer C:
Alignment with CMMC Assessment Process: The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.
Clarification of Incorrect Options:
Option A: " Help OSC to complete planned remediation activities. "
The Lead Assessor ' s role is to assess and validate the OSC ' s compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.
Option B: " Plan two consecutive remediation reviews for an OSC. "
The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.
Option D: " Validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment. "
While it ' s essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC ' s internal risk management team, not the Lead Assessor.
A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset Which function BEST describes what the printer does with the FCI?
Encrypt
Manage
Process
Distribute
Understanding the Role of an FCI Asset in CMMC
Adedicated local printer used to print Federal Contract Information (FCI)is considered anFCI Asset. UnderCMMC Level 1, FCI assets are required to meetbasic cybersecurity controlsto ensure that FCI is properlyprotected from unauthorized access.
Step-by-Step Breakdown:
✅1. Why " Process " is the Best Answer
The printerreceives digital FCI, converts it into a physical format (paper), and outputs the document.
This aligns with thedefinition of " processing " in CMMC, which includes:
Transforming or modifying data
Generating output (e.g., printed documents)
Using systems to interpret or manipulate information
✅2. Why the Other Answer Choices Are Incorrect:
(A) Encrypt❌
Aprinter does not encryptFCI—it simply prints it. Encryption applies todigital storage and transmission, not printing.
(B) Manage❌
Managing FCI typically refers togovernance, access control, and oversight, which is not the function of a printer.
(D) Distribute❌
While a printed documentcould be distributed, theprinter itself is not responsible for distributing FCI—it only processes the data for output.
Final Validation from CMMC Documentation:
CMMC Assessment Guide (Level 1)confirms thatprocessing FCI includes using systems that convert or transform information, such as printers.
NIST SP 800-171definesprocessingas an action thatchanges or manipulates information, which applies to printing.
Where can a listing of all federal agencies ' CUI indices and categories be found?
32 CFR Section 2002
Official CUI Registry
Executive Order 13556
Official CMMC Registry
Understanding the Official CUI Registry
TheControlled Unclassified Information (CUI) Registryis theauthoritative sourcefor all federal agencies ' CUI categories and indices. It is maintained by theNational Archives and Records Administration (NARA)and provides:
✅Acomprehensive listof CUI categories and subcategories.
✅Details onwho can handle, store, and share CUI.
✅Guidance onCUI marking and safeguarding requirements.
Why " Official CUI Registry " is Correct?
TheOfficial CUI Registryis theonly federal resourcethat listsall CUI categories and agencies that use them.
32 CFR Section 2002(Option A) definesCUI policiesbut doesnotprovide a full listing of CUI categories.
Executive Order 13556(Option C) established theCUI Programbut doesnotmaintain an active list of categories.
The " Official CMMC Registry " (Option D) does not exist—CMMC is a security framework, not a CUI classification system.
Breakdown of Answer Choices
Option
Description
Correct?
A. 32 CFR Section 2002
❌Incorrect–Defines CUI program rules butdoes not listcategories.
B. Official CUI Registry
✅Correct – The registry contains the full list of CUI categories.
C. Executive Order 13556
❌Incorrect–Established the CUI program butdoes not maintain a category list.
D. Official CMMC Registry
❌Incorrect–No such registry exists; CMMC is a cybersecurity framework, not a CUI classification system.
Official References from CMMC 2.0 and Federal Documentation
National Archives (NARA) CUI Registry– The authoritative source forall federal agency CUI categories.
32 CFR 2002– Provides CUIpolicy guidancebut refers agencies to theOfficial CUI Registryfor classification.
Final Verification and Conclusion
The correct answer isB. Official CUI Registry, as it is theonly official source listing all federal agencies ' CUI indices and categories.
During an assessment, which phase of the process identifies conflicts of interest?
Analyze requirements.
Develop assessment plan.
Verify readiness to conduct assessment.
Generate final recommended assessment results.
In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization ' s compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the " Verify Readiness to Conduct Assessment " phase.
Step-by-Step Explanation:
Assessment Planning & Conflict of Interest Consideration
Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.
A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.
CMMC Assessment Process and Phases
The CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:
Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.
Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.
Verify Readiness to Conduct Assessment (Correct Answer):
At this stage, theC3PAO or assessment team must review potential conflicts of interest.
TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.
Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.
Official CMMC Documentation & References
CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.
CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.
DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.
By ensuring conflicts of interest are identified in the " Verify Readiness to Conduct Assessment " phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.
A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?
FedRAMP Low
FedRAMP Moderate
FedRAMP High
FedRAMP Secure
UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.
Key Requirements from DFARS 252.204-7012 (c)(1):
CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.
The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.
The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.
Why is the Correct Answer " FedRAMP Moderate " (B)?
A. FedRAMP Low → Incorrect
FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.
B. FedRAMP Moderate → Correct
FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.
It provides a security baseline for protectingsensitive but unclassified government data.
C. FedRAMP High → Incorrect
FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.
D. FedRAMP Secure → Incorrect
There isno official FedRAMP Secure categoryin FedRAMP guidelines.
CMMC 2.0 References Supporting this Answer:
DFARS 252.204-7012(c)(1)
Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.
CMMC 2.0 Level 2 Requirements
CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.
FedRAMP Security Baselines
FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.
Recording evidence as adequate is defined as the criteria needed to:
verify, based on an assessment and organizational scope.
verify, based on an assessment and organizational practice.
determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.
determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
Understanding " Adequate Evidence " in the CMMC Assessment Process
In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:
Artifacts(e.g., security policies, system configurations, logs).
Interview responses(e.g., verbal confirmation from personnel about their responsibilities).
Demonstrations(e.g., showing how a security control is implemented in real time).
Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).
Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.
Why is the Correct Answer " Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice " (D)?
A. Verify, based on an assessment and organizational scope → Incorrect
Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.
B. Verify, based on an assessment and organizational practice → Incorrect
CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.
C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect
Thescopedefines the assessment boundaries, but theassessment team ' s job is to confirm whether CMMC practices are satisfied.
D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct
TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.
CMMC 2.0 References Supporting this Answer:
CMMC Assessment Process (CAP) Document
Defines " adequate evidence " asproof that a CMMC practice has been correctly implemented.
CMMC 2.0 Assessment Criteria
Specifies that evidence must beevaluated against specific cybersecurity practices.
NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)
Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.
Final Answer:
✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.
After a CMMC Level 2 certification assessment, the Lead Assessor (Lead CCA) is preparing to present the Final Recommended Findings to the OSC . Which statement BEST describes the Lead Assessor’s responsibility for delivering the assessment findings to the OSC?
Summary recommendations presented using the CMMC Assessment Findings Brief are sufficient.
Detailed findings must be presented to the OSC along with clear evidence of how the ratings map to the assessor’s findings.
The initial report delivered to the OSC will only include an overall assessment MET or NOT MET score along with a score for each practice.
The Lead Assessor is required to submit their initial assessment findings to the C3PAO for review before they can be shared with the OSC.
Under the CMMC Assessment Process (CAP) v2.0 , the assessment results are not supposed to be delivered to the OSC as “initial” or unchecked findings. Instead, CAP v2.0 requires that the C3PAO conducts a formal quality assurance (QA) review of the certification assessment results prior to the Out-Brief Meeting with the OSC . This QA step is mandatory and is explicitly sequenced before results are conveyed to the OSC.
After the results are compiled and quality-reviewed, the Lead CCA convenes the Out-Brief Meeting specifically “to convey the results of the assessment to the OSC.” CAP v2.0 further requires the team to prepare and deliver an “Assessment Results Briefing” for the Out-Brief, and it lists the required contents (including final MET/NOT MET/NA determinations for each security requirement , POA & M status (if applicable), and the certificate determination).
Therefore, the best answer is D because CAP v2.0 makes clear that results must undergo C3PAO QA review before they are formally presented to the OSC during the Out-Brief.
While determining the scope for a company ' s CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?
ESPs
People
Facilities
Technology
When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.
Step-by-Step Breakdown:
✅1. What is an ESP?
External Service Providers (ESPs)arethird-party organizationsthat:
ProvideIT services, cloud hosting, and managed security solutions.
Process, store, or transmit FCI or CUIon behalf of a contractor.
Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.
If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.
✅2. Why the Other Answer Choices Are Incorrect:
(B) People❌
Incorrect:ESPs areorganizations, not individual people.
(C) Facilities❌
Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.
(D) Technology❌
Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just " Technology. "
Final Validation from CMMC Documentation:
TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.
Thus, the correct answer is:
✅A. ESPs (External Service Providers).
Who is responsible for identifying and verifying Assessment Team Member qualifications?
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Understanding the Role of the Lead Assessor in CMMC Assessments
TheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.
Why the Correct Answer is " C. Lead Assessor " ?
Lead Assessor’s Key Responsibilities (Per CAP Guide)
Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.
Assignappropriate assessment tasksbased on team members’ expertise.
Ensure that theassessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect
AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.
B. CMMC-AB (CMMC Accreditation Body)→Incorrect
TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.
D. CMMC Marketplace→Incorrect
TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.
Relevant CMMC 2.0 References:
CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.
CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Final Justification:
Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.
A contractor stores security policies, system configuration files, and audit logs in a centralized file repository for later review. According to CMMC terminology, the file repository is being used to:
protect CUI.
transmit CUI.
store CUI.
generate CUI
When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?
It is sufficient, and the audit finding can be rated as MET.
It is insufficient, and the audit finding can be rated NOT MET.
It is sufficient, and the Lead Assessor should seek more evidence.
It is insufficient, and the Lead Assessor should seek more evidence.
Understanding SI.L1-3.14.2: Provide Protection from Malicious Code
The CMMC Level 1 practiceSI.L1-3.14.2is based onNIST SP 800-171 Requirement 3.14.2, which requires organizations to:
Implement malicious code protection(e.g., antivirus, endpoint security software).
Ensure coverage across all appropriate locations(e.g., workstations, servers, network entry points).
Keep protection mechanisms updated(e.g., regular signature updates, policy enforcement).
Assessment Criteria for a " MET " Rating:
To determine whether the practice isMET, the Lead Assessor must confirm that:
✔Antivirus or endpoint protection software is installedon all workstations and servers.
✔The solution is centrally managed, ensuring consistent policy enforcement.
✔Signature updates are current, meaning systems are protected against new threats.
✔Logs or reports demonstrate active monitoring and updates.
Why is the Correct Answer " A. It is sufficient, and the audit finding can be rated as MET " ?
The provided evidenceconfirms all necessary requirementsfor SI.L1-3.14.2:
✔All workstations and servers have antivirus installed→Meets installation requirement.
✔A centralized management console is in place→Ensures consistent enforcement.
✔Records show antivirus signatures are up to date→Confirms system protection is current.
Because the evidencemeets the requirement, the practice should berated as MET.
Why Are the Other Answers Incorrect?
B. It is insufficient, and the audit finding can be rated NOT MET → Incorrect
The evidence providedmeets all necessary requirements, so the practiceshould not be rated as NOT MET.
C. It is sufficient, and the Lead Assessor should seek more evidence → Incorrect
Ifadequate evidence already exists,additional evidence is unnecessary.
D. It is insufficient, and the Lead Assessor should seek more evidence → Incorrect
The evidence providedmeets the control requirements, making itsufficient.
CMMC 2.0 References Supporting This Answer:
CMMC Assessment Process (CAP) Document
Specifies that a practice can be marked asMET if sufficient evidence is provided.
NIST SP 800-171 (Requirement 3.14.2)
Defines the standard formalicious code protection, which ismet by antivirus with active updates.
CMMC 2.0 Level 1 (Foundational) Requirements
Clarifies that basic cybersecurity measures likeantivirus installation and updatesmeet compliance forSI.L1-3.14.2.
Final Answer:
✔A. It is sufficient, and the audit finding can be rated as MET.
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?
CUI Asset
In-scope Asset
Specialized Asset
Contractor Risk Managed Asset
According to the CMMC Scoping Guidance, Level 1, the categorization of assets is much simpler than at Level 2. At Level 1, there are only two primary categories for assets within the Organization Seeking Certification (OSC): In-Scope Assets (FCI Assets) and Out-of-Scope Assets.
FCI Asset Definition: An asset is considered " In-Scope " for Level 1 if it processes, stores, or transmits Federal Contract Information (FCI). Since the company is building specialized parts under a DoD contract and using in-house staff and equipment for testing, the information related to that contract (the specifications, schedules, and test results) constitutes FCI.
The Level 1 Universe:
Level 1 does not use the complex sub-categories found in Level 2 scoping, such as " Specialized Assets " (OT/IoT/Test Equipment) or " Contractor Risk Managed Assets. " Those distinctions are specific to CMMC Level 2 Scoping.
In a Level 1 environment, any piece of equipment or software that handles the contract ' s information is simply termed an FCI Asset, which falls under the broader umbrella of In-Scope Assets.
Why other options are incorrect:
Option A (CUI Asset): Level 1 is focused exclusively on FCI. CUI (Controlled Unclassified Information) is the focus of Level 2 and Level 3.
Option C (Specialized Asset) and Option D (Contractor Risk Managed Asset): These are specific scoping categories defined in the CMMC Level 2 Scoping Guidance. In Level 1, these categories do not exist; an asset either handles FCI (In-Scope) or it does not (Out-of-Scope).
Reference Documents:
CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0 (CMMC Level 1 Asset Categories), which defines FCI Assets and Out-of-Scope Assets.
32 CFR Part 170 (CMMC Program Rule): Establishes the simplified scoping requirements for Level 1 self-assessments.
CMMC Level 1 Assessment Guide: Clarifies that the scope includes all " information systems " (including test equipment) used by the contractor to process, store, or transmit FCI.
According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?
Least privilege
Essential concern
Least functionality
Separation of duties
Understanding the Principle of Least Functionality in the CM Domain
TheConfiguration Management (CM) domainin CMMC 2.0 focuses on maintaining the security and integrity of an organization’s systems through controlled configurations and restrictions on system capabilities.
The principle ofLeast Functionalityrefers to limiting a system’s features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.
Justification for the Correct Answer: Least Functionality (C)
CMMC Practice CM.L2-3.4.6 (Use Least Functionality)explicitly states:
" Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. "
Thegoalis to prevent unauthorized or unnecessary applications, services, and ports from running on the system.
Examples of Implementation:
Disabling unnecessary services, such as remote desktop access if not required.
Restricting software installation to approved applications.
Blocking unused network ports and protocols.
Why Other Options Are Incorrect
A. Least Privilege
This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.
It is relevant to CMMC PracticeAC.L2-3.1.5 (Least Privilege)but does not define system capabilities.
B. Essential Concern
There is no officially recognized cybersecurity principle called " Essential Concern " in CMMC, NIST, or related frameworks.
D. Separation of Duties
This principle (covered under CMMCAC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.
While important for security, it does not define essential system capabilities.
Official CMMC and NIST References
CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain
CM.L2-3.4.6 mandatesleast functionalityto enhance security by removing unnecessary features.
NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6
States: " Limit system functionality to only the essential capabilities required for organizational missions or business functions. "
NIST SP 800-53 – Control CM-7 (Least Functionality)
Provides detailed recommendations on configuring systems to operate with only necessary features.
Conclusion
Theprinciple of Least Functionality (C)is the basis for defining essential system capabilities in theConfiguration Management (CM) domainof CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.
Within what amount of time MUST convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not connected with activities that relate to carrying out a Lead Assessor role, be reported to the CMMC Accreditation Body?
90 days.
30 days.
3 days.
7 days.
The correct answer is B , 30 days. The official CMMC Program rule at 32 CFR Part 170 , Subpart C, requires CMMC ecosystem members to report certain criminal matters to the Accreditation Body within 30 days . The rule specifically includes convictions, guilty pleas, and no contest pleas involving crimes such as fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or similar offenses in civil or criminal legal proceedings. This requirement applies whether or not the offense is directly connected to the individual’s CMMC ecosystem role.
This requirement is important because CMMC ecosystem roles, including Lead Assessors, depend on trustworthiness, professional integrity, impartiality, and reliability. A Lead Assessor participates in activities that may affect whether an OSC receives a CMMC certification, so criminal conduct involving dishonesty or misuse of funds is highly relevant to the integrity of the ecosystem. Option A , 90 days, is incorrect because the reporting window is shorter. Option C , 3 days, and option D , 7 days, are also incorrect because they do not match the official 30-day reporting requirement. Although older training materials may use the term “CMMC-AB,” the current terminology commonly refers to the Accreditation Body or The Cyber AB. The required reporting period remains 30 days .
===========
For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?
C3PAO and OSC
OSC and CMMC-AB
CMMC-AB and C3PAO
Lead Assessor and Assessment Team Members
In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.
Supporting Extracts from Official Content:
CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”
Why Option D is Correct:
Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.
Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.
===========
When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:
federal systems that process, store, or transmit CUI.
nonfederal systems that process, store, or transmit CUI.
federal systems that process, store, or transmit CUI. or that provide protection for the system components.
nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.
Understanding Scoping in CMMC 2.0
TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.
Scoping determineswhich system components must comply with CMMC practices.
If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.
Why the Correct Answer is " D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components " ?
CMMC Applies to Contractors, Not Federal Systems
CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.
Federal systems arealready governed by NIST SP 800-53and other regulations.
Scope Includes Systems That Process CUI AND Those That Protect Them
Systemsprocessing, storing, or transmitting CUIare in scope.
Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.
Why Not the Other Options?
A. Federal systems that process, store, or transmit CUI.→Incorrect
CMMCdoes not apply to federal systems.
B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete
Itexcludes security systemsthat protect CUI assets, whichare also in scope.
C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect
CMMConly applies to nonfederal systems.
Relevant CMMC 2.0 References:
CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.
NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.
DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.
Final Justification:
SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
TESTED 12 Jul 2026
Copyright © 2014-2026 DumpsTool. All Rights Reserved