cyberab CMMC-CCP Exam Questions

Questions for the CMMC-CCP were updated on: Nov 21, 2025

Page 1 out of 12. Viewing questions 1-15 out of 171

Question 1

A contractor stores security policies, system configuration files, and audit logs in a centralized file
repository for later review. According to CMMC terminology, the file repository is being used to:

  • A. protect CUI.
  • B. transmit CUI.
  • C. store CUI.
  • D. generate CUI
Answer: C


Question 2

During the review of information that was published to a publicly accessible site, an OSC correctly
identifies that part of the information posted should have been restricted. Which item did the OSC
MOST LIKELY identify?

  • A. FCI
  • B. Change of leadership in the organization
  • C. Launching of their new business service line
  • D. Public releases identifying major deals signed with commercial entities
Answer: A


Explanation:
Understanding Federal Contract Information (FCI) and Publicly Accessible Information
Federal Contract Information (FCI) is non-public information provided by or generated for the U.S. government under a contract that is not intended for public release.

Key Characteristics of FCI:
FCI includes details related to government contracts, project specifics, and performance data.
It must be protected under FAR 52.204-21, which requires basic safeguarding measures to prevent unauthorized access.
Posting FCI on a public site is a security violation since it is meant to be restricted from public disclosure.

A. FCI → Correct
FCI must be protected from unauthorized access, and if it was incorrectly published online, it should have been restricted.
B. Change of leadership in the organization → Incorrect
Leadership changes are typically public information and do not require restriction unless they involve sensitive government-related security clearances.
C. Launching of their new business service line → Incorrect
Marketing and business announcements are generally publicly available and not restricted information.
D. Public releases identifying major deals signed with commercial entities → Incorrect
Commercial contracts and business deals are not considered FCI unless they involve government contracts.

Why is the Correct Answer "A. FCI (Federal Contract Information)"?
CMMC 2.0 Reference Supporting This Answer:
FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): Defines FCI as sensitive but unclassified information that must be protected from public disclosure.
CMMC 2.0 Level 1 Requirements: Requires contractors to protect FCI under basic cybersecurity standards to prevent unauthorized exposure.
DoD Guidance on FCI Protection: States that publishing FCI on public websites violates federal cybersecurity requirements.


Question 3

While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract
administrator includes the hosting providers that manage their IT infrastructure. Which asset type
BEST describes the third-party organization?

  • A. ESPs
  • B. People
  • C. Facilities
  • D. Technology
Answer: A


Explanation:
When a company uses third-party IT providers to manage their infrastructure, these organizations are classified as External Service Providers (ESPs) under CMMC scoping guidelines.

Step-by-Step Breakdown:
1. What is an ESP?
External Service Providers (ESPs) are third-party organizations that:
Provide IT services, cloud hosting, and managed security solutions.
Process, store, or transmit FCI or CUI on behalf of a contractor.
Must meet the same security requirements as the OSC if they handle FCI or CUI.
If a company relies on a hosting provider to manage IT infrastructure, that provider is an ESP under CMMC scoping guidelines.

2. Why the Other Answer Choices Are Incorrect:
(B) People
Incorrect: ESPs are organizations, not individual people.
(C) Facilities
Incorrect: Facilities refer to physical locations like office buildings or data centers, not third-party service providers.
(D) Technology
Incorrect: While ESPs provide technology services, the correct term for third-party IT providers under CMMC is ESPs, not just "Technology."

Final Validation from CMMC Documentation:
The CMMC Level 1 Scoping Guide defines External Service Providers (ESPs) as third-party organizations that manage IT infrastructure and security services. Thus, the correct answer is:

A. ESPs (External Service Providers).


Question 4

A machining company has been awarded a contract with the DoD to build specialized parts. Testing
of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-
Assessment, what type of asset is this?

  • A. CUI Asset
  • B. In-scope Asset
  • C. Specialized Asset
  • D. Contractor Risk Managed Asset
Answer: B


Explanation:
This question deals with asset categorization during a CMMC Level 1 Self-Assessment. The organization is manufacturing specialized parts for the DoD, but Level 1 of CMMC only concerns Federal Contract Information (FCI), not Controlled Unclassified Information (CUI). Therefore, asset categorization should follow the CMMC Scoping Guidance for Level 1.

Step 1: Understand CMMC Level 1 and FCI
Level 1 Objective:
Implement basic safeguarding requirements as per FAR 52.204-21.
Applies to systems that store, process, or transmit FCI.
Self-assessments are permitted and required annually.
Source Reference:
CMMC Scoping Guidance – Level 1 (v1.0)
https://dodcio.defense.gov/CMMC

Step 2: What is an “In-scope Asset”?
CMMC Scoping Guidance – Level 1 defines In-scope assets as:
“Assets that process, store, or transmit FCI or provide security protection for such assets.”
In this scenario:
The machining company is performing contract work (manufacturing DoD parts).
The testing is done internally, implying the systems and equipment used in testing and documentation are directly supporting the contract.
These systems likely handle FCI such as technical specifications, purchase orders, or test reports.
Therefore, the equipment and systems used in testing are considered In-scope Assets under Level 1.

Why the Other Options Are Incorrect
A. CUI Asset
Incorrect for Level 1:
CUI is only in scope at CMMC Level 2 and Level 3.
Level 1 is concerned with FCI, not CUI.
C. Specialized Asset
Incorrect definition:
Specialized assets (defined in CMMC Level 2 Scoping) include IoT, OT, ICS, GFE, and similar types of non-enterprise assets that may require alternative treatment.
This classification is not used in Level 1 Scoping.
D. Contractor Risk Managed Asset
Incorrect:
Also defined under CMMC Level 2 Scoping only.
These are assets that are not security-protected but are managed via risk-based decisions.
This term is not applicable for CMMC Level 1 assessments.

Step 3: Alignment with Official Documentation
According to the CMMC Scoping Guidance for Level 1:
“The assets within the self-assessment scope are those that process, store, or transmit FCI. These assets are considered ‘in-scope.’”
No other asset categorization (such as CUI asset, specialized asset, or contractor risk managed asset) is used at Level 1.
BLUF (Bottom Line Up Front):
For a CMMC Level 1 Self-Assessment, the only asset category officially recognized is the In-scope Asset: any asset that handles or protects FCI. Since the company's internal testing operations are part of fulfilling the DoD contract, the systems and staff involved are in scope.


Question 5

While conducting a CMMC Assessment, an individual from the OSC provides documentation to the
assessor for review. The documentation states an incident response capability is established and
contains information on incident preparation, detection, analysis, containment, recovery, and user
response activities. Which CMMC practice is this documentation attesting to?

  • A. IR.L2-3.6.1: Incident Handling
  • B. IR.L2-3.6.2: Incident Reporting
  • C. IR.L2-3.6.3: Incident Response Testing
  • D. IR.L2-3.6.4: Incident Spillage
Answer: A


Explanation:
Understanding CMMC 2.0 Incident Response Practices
The Incident Response (IR) domain in CMMC 2.0 Level 2 aligns with NIST SP 800-171, Section 3.6, which defines requirements for establishing and maintaining an incident response capability.
The documentation provided describes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.L2-3.6.1 specifically requires organizations to establish an incident handling process covering:
Preparation
Detection & Analysis
Containment
Eradication & Recovery
Post-Incident Response
B. IR.L2-3.6.2: Incident Reporting (Incorrect)
Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet), which is not what the provided documentation describes.
C. IR.L2-3.6.3: Incident Response Testing (Incorrect)
Incident response testing ensures that the response process is regularly tested and evaluated, which is not the primary focus of the documentation provided.
D. IR.L2-3.6.4: Incident Spillage (Incorrect)
Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents, which is not the scenario described.
The correct answer is A. IR.L2-3.6.1: Incident Handling, as the documentation attests to the establishment of an incident response capability.
Reference:
CMMC 2.0 Level 2 Practices (NIST SP 800-171, Section 3.6)
CMMC Assessment Process (CAP) Guide


Question 6

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet
on the OSC's WiFi network. What type of asset is this?

  • A. FCI Asset
  • B. CUI Asset
  • C. In-scope Asset
  • D. Specialized Asset
Answer: D


Explanation:
Understanding Asset Categorization in CMMC 2.0
In CMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The CMMC 2.0 Scoping Guide defines Specialized Assets as assets that do not fit traditional IT classifications but still exist within the organizational environment.
A smart thermostat is an Internet of Things (IoT) device, which falls under Specialized Assets as defined in CMMC.
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which a smart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and a thermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which a smart thermostat does not qualify as.
The correct answer is D. Specialized Asset, as a smart thermostat is an IoT device, which falls into the Specialized Asset category.
Reference:
CMMC 2.0 Scoping Guide
DoD Cybersecurity Guidelines on IoT Devices


Question 7

An organization's sales representative is tasked with entering FCI data into various fields within a
spreadsheet on a company-issued laptop. This laptop is an FCI Asset being used to:

  • A. process and transmit FCI.
  • B. process and organize FCI.
  • C. store, process, and transmit FCI.
  • D. store, process, and organize FCI.
Answer: D


Explanation:
Understanding FCI and Asset Categorization
Federal Contract Information (FCI) is any information not intended for public release that is provided by or generated for the government under a DoD contract.
A company-issued laptop used by a sales representative to enter FCI into a spreadsheet is considered an FCI asset because it:
Stores FCI – The spreadsheet contains sensitive information.
Processes FCI – The representative is entering data into the spreadsheet.
Organizes FCI – The spreadsheet helps structure and manage FCI data.
Processing (Options B and C) is occurring, but since the laptop is primarily being used to organize data, Option D is the most comprehensive.
Transmission (Options A and C) is not explicitly mentioned, so Option D is the best fit.

Why "Store, Process, and Organize FCI" is Correct?
Breakdown of Answer Choices:
A. Process and transmit FCI. – Incorrect: No indication of transmission is provided.
B. Process and organize FCI. – Incorrect: Storage is also a key function of the laptop.
C. Store, process, and transmit FCI. – Incorrect: Transmission is not confirmed in the scenario.
D. Store, process, and organize FCI. – Correct: The laptop is used to store, process, and organize FCI in a spreadsheet.

Official Reference from CMMC 2.0 Documentation
CMMC Asset Categorization Guidelines – Defines FCI assets based on storage, processing, and organization functions.
Final Verification and Conclusion
The correct answer is D. Store, process, and organize FCI, as the laptop is used to store information, enter (process) data, and structure (organize) FCI within a spreadsheet.


Question 8

A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the
CMMC Assessment Process to understand their responsibilities. Which method gathers information
from the subject matter experts to facilitate understanding and achieve clarification?

  • A. Test
  • B. Examine
  • C. Interview
  • D. Assessment
Answer: C


Explanation:
Understanding CMMC Assessment Methods
The CMMC Assessment Process (CAP) defines three primary assessment methods used to verify compliance with cybersecurity practices:
Examine – Reviewing documents, policies, configurations, and logs.
Interview – Engaging with subject matter experts (SMEs) to clarify processes and verify implementation.
Test – Observing technical implementations, such as system configurations and security measures.
Since the question asks for a method that gathers information from SMEs to facilitate understanding and achieve clarification, the correct method is Interview.

Why "Interview" is Correct?
Interviews are specifically designed to gather information from SMEs to confirm understanding and clarify security processes.
The CMMC Assessment Guide requires assessors to interview key personnel responsible for cybersecurity practices.
Examine (Option B) and Test (Option A) are also valid assessment methods, but they do not focus on gathering insights directly from SMEs.

Breakdown of Answer Choices:
A. Test – Incorrect: This method involves technical verification, not gathering SME insights.
B. Examine – Incorrect: This method focuses on document review, not SME interaction.
C. Interview – Correct: The method used to gather information from SMEs and achieve clarification.
D. Assessment – Incorrect: This is a general term, not a specific assessment method.

Official Reference from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) – Defines Interview as the method for obtaining information from SMEs.
Final Verification and Conclusion
The correct answer is C. Interview, as this method gathers insights from subject matter experts to verify cybersecurity implementations.


Question 9

What is the LAST step when developing an assessment plan for an OSC?

  • A. Verify the readiness to conduct the assessment.
  • B. Perform certification assessment readiness review.
  • C. Update the assessment plan and schedule as needed
  • D. Obtain and record commitment to the assessment plan.
Answer: D


Explanation:
Last Step in Developing an Assessment Plan for an OSC
Developing an assessment plan involves:
Defining the assessment scope (e.g., systems, networks, locations).
Planning test activities (e.g., interviews, evidence review, technical testing).
Verifying the OSC’s readiness (e.g., ensuring required documents are available).
Updating the assessment plan and schedule as needed.
Final Step: Obtaining and recording the OSC’s commitment to the assessment plan.

Why is obtaining commitment the last step?
The assessment cannot proceed unless the OSC agrees to the finalized plan.
This ensures OSC leadership understands the scope, timeline, and responsibilities.
The C3PAO must document this commitment to formalize the agreement.
A. Verify the readiness to conduct the assessment → Incorrect
Readiness verification happens earlier in the planning process, not as the last step.
B. Perform certification assessment readiness review → Incorrect
A readiness review is conducted before finalizing the plan, not at the very end.
C. Update the assessment plan and schedule as needed → Incorrect
Updating the plan happens before commitment is obtained; it is not the final step.
D. Obtain and record commitment to the assessment plan → Correct
This is the final step before conducting the assessment. The OSC must formally agree to the plan.
Why is the Correct Answer "D. Obtain and record commitment to the assessment plan"?
CMMC 2.0 Reference Supporting This Answer:
CMMC Assessment Process (CAP) Document: States that the OSC must confirm agreement to the assessment plan before execution.
CMMC-AB Guidelines for C3PAOs: Specifies that finalizing the assessment plan requires documented commitment from the OSC.
CMMC Assessment Guide: Outlines that assessments cannot begin without formal approval of the plan.

Final Answer:
D. Obtain and record commitment to the assessment plan.


Question 10

What is objectivity as it applies to activities with the CMMC-AB?

  • A. Ensuring full disclosure
  • B. Reporting results of CMMC services completely
  • C. Avoiding the appearance of or actual, conflicts of interest
  • D. Demonstrating integrity in the use of materials as described in policy
Answer: C


Explanation:
Understanding Objectivity in CMMC-AB Activities
Objectivity in CMMC-AB activities refers to the requirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interest while conducting assessments and providing CMMC-related services.

Key Aspects of Objectivity in CMMC Assessments:
No conflicts of interest: Assessors must not assess organizations they have financial, professional, or personal ties to.
Unbiased reporting: Findings must be based solely on evidence, with no external influence.
Avoiding even the appearance of a conflict: If there is any perception of bias, it must be addressed.
A. Ensuring full disclosure → Incorrect
Full disclosure is important but does not define objectivity. Objectivity means remaining neutral and free from conflicts.
B. Reporting results of CMMC services completely → Incorrect
While accurate reporting is required, objectivity focuses on impartiality, not just completeness.
C. Avoiding the appearance of or actual, conflicts of interest → Correct
Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments. Avoiding conflicts of interest ensures that assessments are credible and trustworthy.
D. Demonstrating integrity in the use of materials as described in policy → Incorrect
Integrity is important, but objectivity is specifically about avoiding bias and conflicts of interest.
Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?
CMMC 2.0 Reference Supporting This Answer:
CMMC-AB Code of Professional Conduct: Requires assessors and C3PAOs to avoid conflicts of interest and maintain impartiality.
CMMC Assessment Process (CAP) Document: Emphasizes that assessments must be free from external influence and conflicts of interest.
ISO/IEC 17020 Requirements for Inspection Bodies: Defines objectivity as avoiding conflicts of interest in the assessment process.


Question 11

In the Code of Professional Conduct, what does the practice of Professionalism require?

  • A. Do not copy materials without permission to do so.
  • B. Do not make assertions about assessment outcomes.
  • C. Refrain from dishonesty in all dealings regarding CMMC.
  • D. Ensure the security of all information discovered or received.
Answer: C


Explanation:
What Does the Practice of Professionalism Require in the CMMC Code of Professional Conduct?
The CMMC Code of Professional Conduct (CoPC) sets ethical and professional standards for Certified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs). Professionalism requires honesty and integrity in all CMMC-related activities.

Step-by-Step Breakdown:
1. Professionalism Requires Ethical Behavior
The CoPC states that professionalism includes:
Acting with integrity in all assessment-related activities.
Providing truthful and objective assessments of cybersecurity practices.
Avoiding deceptive or misleading claims about assessments or compliance.

2. Why the Other Answer Choices Are Incorrect:
(A) Do not copy materials without permission to do so
This falls under Intellectual Property (IP) protection, not Professionalism.
(B) Do not make assertions about assessment outcomes
Assessors must provide findings based on evidence. The rule is about not making false or misleading claims, not about avoiding assertions altogether.
(D) Ensure the security of all information discovered or received
This falls under Confidentiality, not Professionalism.

Final Validation from CMMC Documentation:
The CMMC Code of Professional Conduct (CoPC) defines Professionalism as requiring honesty and integrity in all CMMC-related activities. Thus, the correct answer is:

C. Refrain from dishonesty in all dealings regarding CMMC.


Question 12

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

  • A. NIST SP 800-53
  • B. NIST SP 800-53A
  • C. NIST SP 800-171
  • D. NIST SP 800-171A
Answer: D


Explanation:
Which NIST SP Defines the Assessment Procedures for CMMC?
CMMC Level 2 is directly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived from NIST SP 800-171A.

Step-by-Step Breakdown:
1. NIST SP 800-171A Defines Assessment Procedures
NIST SP 800-171A is titled "Assessing Security Requirements for Controlled Unclassified Information (CUI)".
It provides detailed assessment objectives and test procedures for evaluating compliance with NIST SP 800-171 security requirements, which CMMC Level 2 is fully aligned with.
CMMC Assessors use 800-171A as a baseline for assessing the effectiveness of security controls.

2. Why the Other Answer Choices Are Incorrect:
(A) NIST SP 800-53
800-53 defines security controls for federal information systems, but it does not provide assessment procedures specific to CMMC.
(B) NIST SP 800-53A
800-53A provides assessment procedures for 800-53 controls, but CMMC is based on NIST SP 800-171, not 800-53.
(C) NIST SP 800-171
800-171 defines security requirements, but it does not provide assessment procedures. The assessment procedures are in 800-171A.

Final Validation from CMMC Documentation:
The CMMC Assessment Guide (Level 2) explicitly states that assessment procedures are derived from NIST SP 800-171A. Thus, the correct answer is:


Question 13

The results package for a Level 2 Assessment is being submitted. What MUST a Final Report, CMMC
Assessment Results, include?

  • A. Affirmation for each practice or control
  • B. Documented rationale for each failed practice
  • C. Suggested improvements for each failed practice
  • D. Gaps or deltas due to any reciprocity model are recorded as met
Answer: B


Explanation:
Understanding the CMMC Level 2 Final Report Requirements
For a CMMC Level 2 Assessment, the Final CMMC Assessment Results Report must include:
Assessment findings for each practice
Final ratings (MET or NOT MET) for each practice
A detailed rationale for each practice rated as NOT MET
The CMMC Assessment Process (CAP) Guide states that if a practice is marked NOT MET, the assessors must provide a rationale explaining why it failed.
This rationale helps the OSC understand what needs remediation and, if applicable, whether the deficiency can be addressed via a Plan of Action & Milestones (POA&M).
The Final Report serves as an official record and must be submitted as part of the results package.
A. Affirmation for each practice or control (Incorrect)
While the report includes a MET/NOT MET rating for each practice, affirmation is not a required component.
C. Suggested improvements for each failed practice (Incorrect)
Assessors do not provide recommendations for improvement; they only document findings and rationale.
Providing suggestions would create a conflict of interest per the CMMC-AB Code of Professional Conduct.
D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)
If an organization is leveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gaps must still be documented, not automatically marked as "MET."
The correct answer is B. Documented rationale for each failed practice, as this is a mandatory requirement in the Final CMMC Assessment Results Report.
Reference:
CMMC Assessment Process (CAP) Guide
DFARS 252.204-7021


Question 14

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that
has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The
Assessment Team records the final recommended MET or NOT MET rating and prepares to present
the results to the assessment participants during the final review with the OSC and sponsor. As a part
of this presentation, which document MUST include the attendee list, time/date, location/meeting
link, results from all discussed topics, including any resulting actions, and due dates from the OSC or
Assessment Team?

  • A. Final log report
  • B. Final CMMC report
  • C. Final and recorded OSC CMMC report
  • D. Final and recorded Daily Checkpoint log
Answer: D


Explanation:
Understanding the Final Review Process in a CMMC Assessment
During a CMMC Level 2 Assessment, the Assessment Team and the Organization Seeking Certification (OSC) hold daily checkpoint meetings to discuss progress, review evidence, and ensure transparency.
At the end of the assessment, a final review meeting is conducted, during which the Lead Assessor presents the results. The recorded Daily Checkpoint log serves as the official document summarizing:
The attendee list
Time, date, and location of the final review
Final MET or NOT MET ratings for all practices
Discussion points, resulting actions, and due dates for both the OSC and Assessment Team
The CMMC Assessment Process (CAP) Guide specifies that all assessment findings and discussions must be documented throughout the assessment in daily checkpoint logs.
The Final and Recorded Daily Checkpoint Log includes all necessary details, such as attendee lists, discussion topics, and action items.
This document is used to ensure all discussed topics and agreed-upon actions are properly tracked and recorded before submission.
A. Final log report (Incorrect)
There is no specific "Final Log Report" required in CMMC assessments.
B. Final CMMC report (Incorrect)
The Final CMMC Report documents the overall assessment results but does not serve as the official meeting log for the final review discussion.
C. Final and recorded OSC CMMC report (Incorrect)
This document does not include detailed discussion points from the daily checkpoint meetings.
The correct answer is D. Final and recorded Daily Checkpoint log, as this is the official document that captures the final meeting details, discussions, and action items.
Reference:
CMMC Assessment Process (CAP) Guide
CMMC 2.0 Scoping and Assessment Guidelines


Question 15

The Advanced Level in CMMC will contain Access Control (AC) practices from:

  • A. Level 1.
  • B. Level 3.
  • C. Levels 1 and 2.
  • D. Levels 1,2, and 3.
Answer: D


Explanation:
Understanding Access Control (AC) in CMMC Advanced (Level 3)
The CMMC Advanced Level (Level 3) is designed for organizations handling high-value Controlled Unclassified Information (CUI) and aligns with a subset of NIST SP 800-172 for advanced cybersecurity protections.

Access Control (AC) Practices in CMMC Level 3
CMMC Level 1 includes basic AC practices from FAR 52.204-21 (e.g., restricting access to authorized users).
CMMC Level 2 includes all Access Control (AC) practices from NIST SP 800-171 (e.g., managing privileged access).
CMMC Level 3 expands on Levels 1 and 2, incorporating additional protections from NIST SP 800-172, such as enhanced monitoring and adversary deception techniques.
CMMC Level 3 builds upon all previous levels, including Access Control (AC) practices from Levels 1 and 2.
Options A, B, and C are incorrect because Level 3 includes all previous AC practices from Levels 1 and 2, plus additional ones.

Why "Levels 1, 2, and 3" is Correct?
Breakdown of Answer Choices:
A. Level 1 – Incorrect: Level 3 includes AC practices from Levels 1 and 2, not just Level 1.
B. Level 3 – Incorrect: Level 3 builds on Levels 1 and 2, not just Level 3 practices.
C. Levels 1 and 2 – Incorrect: Level 3 contains additional AC practices beyond Levels 1 and 2.
D. Levels 1, 2, and 3 – Correct: Level 3 contains all AC practices from Levels 1 and 2, plus additional ones.

Official Reference from CMMC 2.0 Documentation
CMMC Model Framework – Outlines how Level 3 builds upon Level 1 and 2 practices.
NIST SP 800-172 – Defines advanced cybersecurity controls required in CMMC Level 3.
Final Verification and Conclusion
The correct answer is D. Levels 1, 2, and 3, as CMMC Level 3 includes Access Control (AC) practices from all previous levels plus additional enhancements.
