Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a
part of a plan of action?
D
Explanation:
Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical
document that outlines the specific actions a contractor needs to take to remediate cybersecurity
deficiencies. While POAs serve as a roadmap for achieving compliance with required controls, the
inclusion of certain elements is standardized.
Key Elements of a Plan of Action (POA)
According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC
requirements, a POA typically includes:
Completion Dates: Identifies target deadlines for resolving deficiencies.
Milestones to Measure Progress: Includes interim steps or markers to ensure progress is monitored
over time.
Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel
or teams.
What is Generally NOT Part of a POA?
Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical for ensuring the plan's success, it is considered a part of the broader project management or resource planning process, not the POA itself. This distinction is intentional to keep the POA focused on actionable items rather than resource allocation.
Supporting Reference
NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the
prioritization of corrective actions, responsibility, and measurable outcomes.
CMMC Level 2 Practices (Aligned with NIST SP 800-171): Specifically, the focus is on actions,
timelines, and accountability rather than financial planning.
By excluding budget details, the POA remains a tactical document that supports immediate action
and compliance tracking, separate from financial considerations.
During a Level 2 Assessment, an OSC provides documentation that attests that they utilize
multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have
met the controls for the Level 2 certification. What additional measures should the OSC perform to
fully meet the maintenance requirement?
A
Explanation:
Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:
Key Requirements for Nonlocal Maintenance:
Termination of Nonlocal Maintenance Sessions:
To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.
Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."
Multifactor Authentication (MFA):
OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).
While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.
Policy and Procedure Adherence:
The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.
Incorrect Options:
B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.
C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.
D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.
Conclusion:
The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
D
Explanation:
The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs).
The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.
CMMC Conflict of Interest Handling Process
Inform the OSC and C3PAO of the Potential Conflict of Interest
The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest.
Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.
Document the Conflict and Mitigation Actions in the Assessment Plan
Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.
The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.
Determine If the Mitigation Actions Are Acceptable
If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed.
Common mitigation strategies include:
Assigning another assessor for interviews with the conflicted individual.
Ensuring that decisions regarding the OSC’s compliance are reviewed independently.
Proceed with the Assessment If Mitigation Is Acceptable
If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.
Why the Other Answers Are Incorrect
❌ A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
Incorrect. This violates CMMC’s integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.
❌ B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.
❌ C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.
CMMC Official Reference
CMMC Assessment Process (CAP) Document – Defines COI requirements and mitigation actions.
CMMC Code of Professional Conduct (CoPC) – Outlines ethical responsibilities of assessors.
CMMC Accreditation Body (Cyber-AB) Guidance – Provides rules on conflict resolution.
Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.
A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The
email system involved in this process is being used to:
C
Explanation:
Federal Contract Information (FCI) is defined in FAR 52.204-21 as information provided by or generated for the government under contract but not intended for public release. Under CMMC 2.0, organizations handling FCI must implement FAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection in processing, storing, and transmitting FCI.
Analyzing the Given Options
The question involves an email system that is used to send FCI to a subcontractor. Let’s break down the possible answers:
A. Manage FCI → Incorrect
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.
B. Process FCI → Incorrect
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.
C. Transmit FCI → Correct
Transmission refers to the act of sending FCI from one entity to another. Since the contractor is sending FCI via email, this falls under transmitting the data.
Reference: NIST SP 800-171 Rev. 2, 3.1.3 – "Control CUI (or FCI) by transmitting it using authorized mechanisms."
D. Generate FCI → Incorrect
Generating FCI means creating new contract-related information. The contractor is not creating FCI in this scenario but merely transmitting it.
Official Reference Supporting the Correct Answer
CMMC 2.0 Level 1 Practices (FAR 52.204-21 Basic Safeguarding Controls)
3.1.3: "Control CUI (or FCI) by transmitting it using authorized mechanisms."
This confirms that email transmission falls under "transmitting" FCI, not managing or processing.
NIST SP 800-171 Rev. 2 (Protecting CUI in Non-Federal Systems)
Requirement 3.13.8: "Implement cryptographic methods to protect CUI when transmitted."
While this applies more to CUI, FCI should also be protected during transmission, confirming that email is a form of transmitting information.
Conclusion
Since the contractor is sending FCI via email, the correct answer is C. Transmit FCI. This aligns with CMMC 2.0 Level 1 practices under FAR 52.204-21 and NIST SP 800-171, which emphasize securing transmitted data.
Which statement BEST describes an assessor's evidence gathering activities?
D
Explanation:
Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:
Examination – Reviewing documents, records, system configurations, and other artifacts.
Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.
Why Option D is Correct
The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.
CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.
Solely relying on one method (like interviews in Option A) is insufficient.
Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.
Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.
CMMC 2.0 and Official Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.
Final Verification
To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.
A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store,
or transmit FCI. Which type of asset is this considered?
C
Explanation:
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on
their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information
(CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store,
or transmit FCI.
Asset Categories as per CMMC 2.0:
FCI Assets – These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets – These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets – Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets – Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets – These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.
Why the Correct Answer is C. Out-of-Scope Assets?
The question specifies that the identified asset does not process, store, or transmit FCI.
According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls.
Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.
Relevant CMMC 2.0 Reference:
CMMC Scoping Guide (Nov 2021) – Defines out-of-scope assets as those that are within an OSC’s environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide – Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide – Identifies the classification of assets in an OSC’s environment to determine compliance requirements.
Final Justification:
Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).
There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable
to the OSC. Which determination should be reached?
B
Explanation:
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2
compliance requires an Organization Seeking Certification (OSC) to implement all 110 security
practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of
Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent
upon meeting specific criteria.
According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a
minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted
values to each of the 110 security requirements, with some controls deemed critical and others non-
critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies,
provided the minimum score threshold is met. Critical controls, however, must be fully implemented
at the time of assessment; they cannot be deferred and included in a POA&M.
In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-
point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently,
the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the
organization must fully implement and rectify all NOT MET practices before undergoing a subsequent
assessment to achieve the necessary compliance level.
This policy ensures that organizations handling Controlled Unclassified Information (CUI) have
adequately addressed all critical and non-critical security requirements, thereby maintaining the
integrity and security of sensitive information within the Defense Industrial Base.
For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC
Assessment Guide – Level 2 and the official CMMC documentation provided by the Department of
Defense.
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for
a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the
CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP
respond?
B
Explanation:
Step 1: Role of the OSC in Scope Determination
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.
Reference:
CMMC Scoping Guidance for Level 2, which outlines asset categorization and scoping considerations.
Step 2: Role of the C3PAO in Scope Validation
Once the OSC has determined its CMMC assessment scope, a CMMC Third-Party Assessment Organization (C3PAO) is responsible for validating the scope during the assessment planning phase.
The C3PAO reviews the OSC’s scope to ensure it aligns with DoD’s scoping guidance, ensuring that all relevant assets, networks, and policies required for CMMC Level 2 certification are correctly identified.
If there are discrepancies, the C3PAO works with the OSC to adjust the scope before proceeding with the assessment.
Reference:
CMMC Assessment Process (CAP) Guide, which describes the scope validation responsibilities of a C3PAO.
Step 3: Why Other Answer Choices Are Incorrect
Choice A (Incorrect): A CCP (Certified CMMC Professional) does not have the authority to validate the scope. Their role is to guide and consult, but final validation is the C3PAO's responsibility.
Choice C (Incorrect): The CMMC Lead Assessor (part of the C3PAO team) does not determine the scope; instead, the OSC does.
Choice D (Incorrect): The C3PAO validates the scope but does not determine it—this is the OSC’s responsibility.
Final Confirmation of Correct Answer:
OSC determines the CMMC Assessment Scope.
C3PAO validates the CMMC Assessment Scope.
Thus, the correct answer is B. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."
When executing a remediation review, the Lead Assessor should:
C
Explanation:
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review
process is a critical phase where identified deficiencies from an initial assessment are addressed. The
Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal
role in this process.
Role of the Lead Assessor in Remediation Reviews:
Validation of Remediation Efforts:
Objective:Ensure that the Organization Seeking Certification (OSC) has effectively addressed and
corrected all deficiencies identified during the initial assessment.
Process:The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously
unmet practice now meets the required standards. This involves examining updated policies,
procedures, system configurations, and other relevant artifacts.
Delta Assessment Remediation Package Submission:
Definition:A delta assessment focuses on evaluating only the components or practices that were
previously found non-compliant or deficient.
Responsibility:After validating the remediation efforts, the Lead Assessor compiles a remediation
package that includes:
Detailed documentation of the deficiencies identified in the initial assessment.
Evidence of the corrective actions taken by the OSC.
Findings from the reassessment of the remediated practices.
Internal Quality Review:This remediation package is then submitted for the C3PAO's internal quality
review process. The purpose of this review is to ensure the accuracy, completeness, and consistency
of the assessment findings before finalizing the certification decision.
Rationale for Selecting Answer C:
Alignment with CMMC Assessment Process:The submission of a delta assessment remediation
package for internal quality review is a standard procedure outlined in the CMMC Assessment
Process. This step ensures that all remediated items are thoroughly evaluated and validated,
maintaining the integrity of the certification process.
Clarification of Incorrect Options:
Option A:"Help OSC to complete planned remediation activities."
The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the
implementation or completion of remediation activities. Providing such assistance could lead to a
conflict of interest and compromise the objectivity of the assessment.
Option B:"Plan two consecutive remediation reviews for an OSC."
The standard process involves conducting a single remediation review after the OSC has addressed
the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical
practice and could indicate a lack of proper remediation planning by the OSC.
Option D:"Validate that practices previously listed on the POA&M have been removed on an updated
Risk Assessment."
While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor
during a remediation review is to validate the implementation of remediated practices. Updating the
Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead
Assessor.
Reference:
CMMC Assessment Process v2.0
CyberAB
CMMC Assessment Guide – Level 2
Defense Innovation Unit
These documents provide detailed guidelines on the roles and responsibilities of assessors, the
remediation review process, and the procedures for submitting assessment findings for quality
review within the CMMC framework.
The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?
D
Explanation:
Understanding Asset Types in CMMC 2.0
In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.
According to CMMC Scoping Guidance, there are five primary asset types:
Security Protection Assets (ESP - External Service Providers & Security Systems)
People (Personnel who interact with FCI/CUI)
Facilities (Physical locations housing FCI/CUI)
Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)
CUI Assets (For Level 2 assessments, assets specifically storing CUI)
Why "Technology" Is the Correct Answer
The IT manager is evaluating servers, laptops, databases, and applications—all of which are technology assets used to store, process, or transmit FCI.
According to CMMC Scoping Guidance, Technology assets include:
✅ Endpoints (Laptops, Workstations, Mobile Devices)
✅ Servers (On-premise or cloud-based)
✅ Networking Devices (Routers, Firewalls, Switches)
✅ Applications (Software, Cloud-based tools)
✅ Databases (Storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).
Why the Other Answers Are Incorrect
❌ A. ESP (Security Protection Assets)
Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.
❌ B. People
Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software—which falls under Technology, not People.
❌ C. Facilities
Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.
CMMC Official Reference
CMMC Level 1 Scoping Guide (CMMC-AB) – Defines asset categories, including Technology.
CMMC 2.0 Scoping Guidance for Assessors – Provides clarification on FCI assets.
Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
C
Explanation:
Understanding the Concept of Security in CMMC 2.0
CMMC 2.0 aligns with federal cybersecurity standards, particularly FISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.
The question describes security measures that are proportionate to the risk of loss, misuse, unauthorized access, or modification of information. This matches the definition of "Adequate Security."
Analyzing the Given Options
A. Adopted security → Incorrect
The term "adopted security" is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.
B. Adaptive security → Incorrect
Adaptive security refers to a dynamic cybersecurity model where security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security → Correct
The term "adequate security" is defined in NIST SP 800-171, DFARS 252.204-7012, and FISMA as the level of protection that is proportional to the consequences and likelihood of a security incident. This aligns perfectly with the definition in the question.
D. Advanced security → Incorrect
Advanced security typically refers to highly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
Official Reference Supporting the Correct Answer
FISMA (44 U.S.C. § 3552(b)(3))
Defines adequate security as "protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information." This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Mandates that contractors apply "adequate security" to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)
Requires that organizations apply adequate security measures in accordance with NIST SP 800-171 to meet compliance standards.
Conclusion
The term "adequate security" is the correct answer because it is explicitly defined in federal cybersecurity frameworks as protection proportional to risk and potential consequences. Thus, the verified answer is C. Adequate security.
A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present
to the OSC. When should the final results be delivered to the OSC?
C
Explanation:
Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment
A CMMC Level 2 Assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to the Organization Seeking Certification (OSC). The reporting process is outlined in the CMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.
Assessment Communication Structure
Daily Checkpoints:
Throughout the assessment, the assessor team holds daily checkpoint meetings with the OSC to provide updates on progress, observations, and preliminary findings.
These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.
Final Results Delivery:
The final assessment results are typically shared during the final daily checkpoint OR in a separately scheduled findings and recommendations review meeting.
This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.
Why Option C is Correct
The CMMC Assessment Process (CAP) Guide, Section 4.5 clearly states that assessment findings should be presented either at the last daily checkpoint or during a separately scheduled final review.
This aligns with best practices for maintaining transparency and ensuring the OSC has clarity on their assessment results before the final report submission.
Option A (End of every day) is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.
Option B (Daily and a separate final review) is misleading, as the CAP Guide allows assessors to choose between the final daily checkpoint OR a separate findings review—not both.
Option D (After C3PAO approval) is incorrect because the C3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.
Official CMMC Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication
CMMC 2.0 Level 2 Assessment Process Overview
CMMC Assessment Final Report Guidelines
Final Verification
Based on official CMMC 2.0 documentation, the final assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.
Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to
review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI
are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells
the Lead Assessor that all supporting documents fully reflect the performance of the practice and
should be accepted because the evidence is:
B
Explanation:
CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection
(MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed
before disposal or release for reuseto prevent unauthorized access.
This requirement ensures that any storage devices, hard drives, USBs, or physical documents
containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data
leakage.
The evidence collected for this practice should demonstrate that an organization has established and
followed propermedia sanitization or destruction procedures.
Why the Correct Answer is "B. Adequate"?
The CMMC Assessment Process (CAP) Guide outlines that for an assessment to be considered complete, all submitted evidence must meet the standard of adequacy before it is accepted by the Lead Assessor.
Definition of "Adequate" Evidence in CMMC:
Evidence is adequate when it fully demonstrates that a practice has been performed as required by CMMC guidelines.
The Lead Assessor evaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.
If the evidence accurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard of adequacy.
Why Not the Other Options?
A. Official – While the evidence may come from an official source, the CMMC does not require evidence to be "official", only that it be adequate to confirm compliance.
C. Compliant – Compliance is the final result of an assessment, but before compliance is determined, the evidence must first be adequate for evaluation.
D. Subjective – CMMC evidence is objective, meaning it should be based on verifiable documents, policies, logs, and procedures—not opinions or interpretations.
Relevant CMMC 2.0 Reference:
CMMC 2.0 Scoping Guide (Nov 2021) – Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide – Defines adequate evidence as documentation that completely and clearly supports the implementation of a required security practice.
FAR 52.204-21 – The source of the Level 1 requirements, which includes sanitization and destruction of media containing FCI.
Final Justification:
The CCP's statement that the evidence "fully reflects the performance of the practice" aligns with the definition of adequate evidence under CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer is B. Adequate.
A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The
first-floor conference room is shared with other tenants but has been reserved to conduct the
assessment. The conference room has a desk with a drawer that does not lock. At the end of the day,
an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?
C
Explanation:
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2,
organizations are required to implement stringent controls to protect Controlled Unclassified
Information (CUI). This includes adhering to specific practices related to media protection and
physical security.
Media Protection (MP):
MP.L2-3.8.1 – Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.
MP.L2-3.8.3 – Media Disposal: It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.
Physical Protection (PE):
PE.L2-3.10.2 – Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.
Application to the Scenario:
Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant
building and utilizes a common conference room for assessments, the following considerations are
crucial:
Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.
Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.
Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.
Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.
Options A and D are inadequate as they involve leaving sensitive information in unsecured locations,
which violates CMMC physical security requirements. Option B, while secure in terms of digital
handling, does not address the proper disposal of any physical copies that may have been made.
Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all
physical media containing CUI are properly reviewed, securely stored during use, and thoroughly
destroyed when no longer needed.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required
Level of cybersecurity maturity?
A
Explanation:
The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0.
This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Reference:
DoD CMMC 2.0 Program Overview
DFARS 252.204-7021 (CMMC Requirements)
Step 2: DoD's Cybersecurity Maturity Levels
The DoD determines the required cybersecurity maturity level for a contract based on the sensitivity of the information involved:
CMMC Level 1 – Required for organizations handling FCI (Basic Cyber Hygiene).
CMMC Level 2 – Required for organizations handling CUI (Aligned with NIST SP 800-171).
CMMC Level 3 – Required for organizations handling high-value CUI and facing Advanced Persistent Threats (APT) (Aligned with a subset of NIST SP 800-172).
Reference:
CMMC 2.0 Model Documentation
NIST SP 800-171 & 800-172 for security controls
Step 3: Why Other Answer Choices Are Incorrect
B. CISA (Incorrect):
The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for national cybersecurity but does not mandate CMMC assessments.
C. NIST (Incorrect):
The National Institute of Standards and Technology (NIST) provides the security framework (e.g., NIST SP 800-171) but does not enforce CMMC compliance.
D. CMMC-AB (Incorrect):
The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and overseeing the CMMC ecosystem, but it does not determine which organizations require assessments.
Final Confirmation of Correct Answer:
The DoD mandates CMMC compliance for organizations handling FCI or CUI.
CMMC requirements are enforced through DFARS clauses in DoD contracts.
Thus, the correct answer is: A. DoD