Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
C
Explanation:
Understanding the Concept of Security in CMMC 2.0
CMMC 2.0 aligns with federal cybersecurity standards, particularly FISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.
The question describes security measures that are proportionate to the risk of loss, misuse, unauthorized access, or modification of information. This matches the definition of "Adequate Security."
Analyzing the Given Options
A. Adopted security → Incorrect
The term "adopted security" is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question's definition.
B. Adaptive security → Incorrect
Adaptive security refers to a dynamic cybersecurity model where security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security → Correct
The term "adequate security" is defined in NIST SP 800-171, DFARS 252.204-7012, and FISMA as the level of protection that is proportional to the consequences and likelihood of a security incident. This aligns perfectly with the definition in the question.
D. Advanced security → Incorrect
Advanced security typically refers to highly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
Official Reference Supporting the Correct Answer
FISMA (44 U.S.C. § 3552(b)(3))
Defines adequate security as "protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information." This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Mandates that contractors apply "adequate security" to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)
Requires that organizations apply adequate security measures in accordance with NIST SP 800-171 to meet compliance standards.
Conclusion
The term "adequate security" is the correct answer because it is explicitly defined in federal cybersecurity frameworks as protection proportional to risk and potential consequences. Thus, the verified answer is: C. Adequate security.
A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present
to the OSC. When should the final results be delivered to the OSC?
C
Explanation:
Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment
A CMMC Level 2 Assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to the Organization Seeking Certification (OSC). The reporting process is outlined in the CMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.
Assessment Communication Structure
Daily Checkpoints:
Throughout the assessment, the assessor team holds daily checkpoint meetings with the OSC to provide updates on progress, observations, and preliminary findings.
These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.
Final Results Delivery:
The final assessment results are typically shared during the final daily checkpoint OR in a separately scheduled findings and recommendations review meeting.
This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.
Why Option C is Correct
The CMMC Assessment Process (CAP) Guide, Section 4.5 clearly states that assessment findings should be presented either at the last daily checkpoint or during a separately scheduled final review.
This aligns with best practices for maintaining transparency and ensuring the OSC has clarity on their assessment results before the final report submission.
Option A (End of every day) is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.
Option B (Daily and a separate final review) is misleading, as the CAP Guide allows assessors to choose between the final daily checkpoint OR a separate findings review, not both.
Option D (After C3PAO approval) is incorrect because the C3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first.
Official CMMC Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication
CMMC 2.0 Level 2 Assessment Process Overview
CMMC Assessment Final Report Guidelines
Final Verification
Based on official CMMC 2.0 documentation, the final assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.
Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to
review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI
are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells
the Lead Assessor that all supporting documents fully reflect the performance of the practice and
should be accepted because the evidence is:
B
Explanation:
CMMC Level 1 includes 17 practices derived from FAR 52.204-21. Among them, the Media Protection (MP) practice requires organizations to ensure that media containing FCI is sanitized or destroyed before disposal or release for reuse to prevent unauthorized access.
This requirement ensures that any storage devices, hard drives, USBs, or physical documents containing Federal Contract Information (FCI) are properly disposed of or sanitized to prevent data leakage.
The evidence collected for this practice should demonstrate that an organization has established and followed proper media sanitization or destruction procedures.
Why the Correct Answer is "B. Adequate"?
The CMMC Assessment Process (CAP) Guide outlines that for an assessment to be considered complete, all submitted evidence must meet the standard of adequacy before it is accepted by the Lead Assessor.
Definition of "Adequate" Evidence in CMMC:
Evidence is adequate when it fully demonstrates that a practice has been performed as required by CMMC guidelines.
The Lead Assessor evaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.
If the evidence accurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard of adequacy.
Why Not the Other Options?
A. Official – While the evidence may come from an official source, the CMMC does not require evidence to be "official", only that it be adequate to confirm compliance.
C. Compliant – Compliance is the final result of an assessment, but before compliance is determined, the evidence must first be adequate for evaluation.
D. Subjective – CMMC evidence is objective, meaning it should be based on verifiable documents, policies, logs, and procedures, not opinions or interpretations.
Relevant CMMC 2.0 Reference:
CMMC 2.0 Scoping Guide (Nov 2021) – Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide – Defines adequate evidence as documentation that completely and clearly supports the implementation of a required security practice.
FAR 52.204-21 – The source of the Level 1 requirements, which includes sanitization and destruction of media containing FCI.
Final Justification:
The CCP's statement that the evidence "fully reflects the performance of the practice" aligns with the definition of adequate evidence under CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer is B. Adequate.
A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?
C
Explanation:
In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.
Media Protection (MP):
MP.L2-3.8.1 – Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.
MP.L2-3.8.3 – Media Disposal: It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.
Physical Protection (PE):
PE.L2-3.10.2 – Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.
Application to the Scenario:
Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:
Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.
Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.
Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.
Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.
Options A and D are inadequate as they involve leaving sensitive information in unsecured locations,
which violates CMMC physical security requirements. Option B, while secure in terms of digital
handling, does not address the proper disposal of any physical copies that may have been made.
Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all
physical media containing CUI are properly reviewed, securely stored during use, and thoroughly
destroyed when no longer needed.
Which entity requires that organizations handling FCI or CUI be assessed to determine a required
Level of cybersecurity maturity?
A
Explanation:
The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0.
This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Reference:
DoD CMMC 2.0 Program Overview
DFARS 252.204-7021 (CMMC Requirements)
Step 2: DoD's Cybersecurity Maturity Levels
The DoD determines the required cybersecurity maturity level for a contract based on the sensitivity of the information involved:
CMMC Level 1 – Required for organizations handling FCI (Basic Cyber Hygiene).
CMMC Level 2 – Required for organizations handling CUI (Aligned with NIST SP 800-171).
CMMC Level 3 – Required for organizations handling high-value CUI and facing Advanced Persistent Threats (APT) (Aligned with a subset of NIST SP 800-172).
Reference:
CMMC 2.0 Model Documentation
NIST SP 800-171 & 800-172 for security controls
Step 3: Why Other Answer Choices Are Incorrect
B. CISA (Incorrect):
The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for national cybersecurity but does not mandate CMMC assessments.
C. NIST (Incorrect):
The National Institute of Standards and Technology (NIST) provides the security framework (e.g., NIST SP 800-171) but does not enforce CMMC compliance.
D. CMMC-AB (Incorrect):
The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and overseeing the CMMC ecosystem, but it does not determine which organizations require assessments.
Final Confirmation of Correct Answer:
The DoD mandates CMMC compliance for organizations handling FCI or CUI.
CMMC requirements are enforced through DFARS clauses in DoD contracts.
Thus, the correct answer is: A. DoD
When scoping a Level 2 assessment, which document is useful for understanding the process to
successfully implement practices required for the various Levels of CMMC?
C
Explanation:
CMMC 2.0 Level 2 is directly aligned with NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations." Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified in NIST SP 800-171, as mandated by DFARS 252.204-7012.
Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protect Controlled Unclassified Information (CUI) in nonfederal systems.
These controls are categorized under 14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments are entirely based on NIST SP 800-171 requirements.
Every practice assessed in a Level 2 certification maps directly to a requirement from NIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
The NIST SP 800-171A "Assessment Guide" provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 security requirements.
The CMMC 2.0 Level 2 model directly incorporates all 110 requirements from NIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")
This document applies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it is not the basis of CMMC Level 2 assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization")
This document focuses on secure data destruction and media sanitization techniques.
While data disposal is important, this standard does not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")
This document builds on NIST SP 800-171 and applies to systems needing advanced cybersecurity protections (e.g., targeting Advanced Persistent Threats).
It is not required for standard CMMC Level 2 assessments, which only mandate NIST SP 800-171 compliance.
Key Reference for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2 (NIST Official Site)
NIST SP 800-171A (Assessment Guide) (NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide (Cyber AB)
Conclusion:
Since CMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:
✅ C. NIST SP 800-171
A company has a government services division and a commercial services division. The government
services division interacts exclusively with federal clients and regularly receives FCI. The commercial
services division interacts exclusively with non-federal clients and processes only publicly available
information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting
the commercial services division be categorized?
C
Explanation:
Understanding CMMC Asset Categorization
The CMMC 2.0 Scoping Guide defines how assets are categorized based on their involvement with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In this scenario:
The government services division interacts with federal clients and receives FCI, making its assets in-scope for CMMC Level 1.
The commercial services division interacts only with non-federal clients and does not handle FCI; this means its assets are not subject to CMMC Level 1 requirements and should be classified as Out-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per the CMMC Scoping Guide, assets that:
✅ Do not store, process, or transmit FCI/CUI
✅ Do not directly impact the security of in-scope assets
✅ Are completely segregated from the FCI/CUI environment
are classified as Out-of-Scope Assets.
Since the commercial services division only processes publicly available information and has no interaction with FCI, its assets are out-of-scope for CMMC Level 1 assessment.
Why the Other Answers Are Incorrect
❌ A. FCI Assets – Incorrect. FCI assets are only those that store, process, or transmit FCI. The commercial services division does not handle FCI, so its assets do not qualify.
❌ B. Specialized Assets – Incorrect. Specialized assets refer to Internet of Things (IoT), Operational Technology (OT), and test equipment. These do not apply to a general commercial services division.
❌ D. Operational Technology Assets – Incorrect. Operational Technology (OT) Assets involve industrial control systems, SCADA, and manufacturing equipment, which are not relevant to this scenario.
CMMC Official Reference
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option C (Out-of-Scope Assets) is the correct answer based on official CMMC scoping guidance.
In performing scoping, what should the assessor ensure that the scope of the assessment covers?
D
Explanation:
Scoping Requirements in CMMC Assessments
The CMMC 2.0 Scoping Guide and CMMC Assessment Process (CAP) Document clearly define what should be included in the scope of an assessment.
The assessment scope must cover:
All assets that process, store, or transmit FCI/CUI
Security Protection Assets (ESP) – these assets help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.
Thus, the correct scope includes both:
✅ FCI/CUI Assets (Data storage, processing, or transmission assets)
✅ Security Protection Assets (ESP) (Firewalls, security tools, etc.)
Why the Other Answers Are Incorrect
❌ A. All assets documented in the business plan – Incorrect. Business plans may include assets unrelated to FCI/CUI, making this scope too broad. Only assets relevant to FCI/CUI should be assessed.
❌ B. All assets regardless if they do or do not process, store, or transmit FCI/CUI – Incorrect. CMMC does not require organizations to include assets that have no connection to FCI/CUI.
❌ C. All entities, regardless of the line of business, associated with the organization – Incorrect. Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (like a non-federal commercial division) are out-of-scope.
CMMC Official Reference
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answer as per official CMMC assessment scoping requirements.
An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the
process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to
authorized users, processes acting on behalf of authorized users, or devices (including other
information systems) to determine the adequacy of evidence provided by the OSC. Which
Assessment Method does this activity fall under?
C
Explanation:
Understanding Assessment Methods in CMMC 2.0
According to the CMMC Assessment Process (CAP) Guide, assessors use three primary assessment methods to determine compliance with security practices:
Examine – Reviewing documents, policies, configurations, and system records.
Interview – Speaking with personnel to gather insights into security processes.
Test – Performing technical validation of system functions and security controls.
Why Option C (Examine) is Correct
The Assessment Team Member is inspecting Assessment Objects (e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient for AC.L1-3.1.1 (Access Control – Authorized Users).
This activity aligns directly with the Examine method, which involves reviewing artifacts such as:
Access control lists (ACLs)
System user authentication logs
Account management policies
Role-based access control settings
"Observe" (Option B) is incorrect because "observing" is not an official assessment method in CMMC.
"Test" (Option A) is incorrect because the assessment is not actively executing a function but rather reviewing evidence.
"Interview" (Option D) is incorrect because no personnel are being questioned; only documentation is being reviewed.
Official CMMC Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods
CMMC Level 2 Assessment Guide – Access Control Practices (AC.L1-3.1.1)
Final Verification
Since the activity involves reviewing documents and records to verify access control measures, it falls under the Examine method, making Option C the correct answer.
In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI.
What is the ESP employee considered?
A
Explanation:
Understanding Scoping in CMMC Level 1 Self-Assessments
Federal Contract Information (FCI) is any information not intended for public release that is provided or generated under a U.S. Government contract to develop or deliver a product or service.
Enhanced Security Personnel (ESP) refers to employees, contractors, or third parties who have access to FCI within an Organization Seeking Certification (OSC).
Why Option A (In scope) is Correct
Under CMMC 2.0 Scoping Guidance, any personnel, system, or asset with access to FCI is considered in scope for a CMMC Level 1 assessment.
Since the ESP employee has access to FCI, they must be included in the assessment scope.
Option B (Out of scope) is incorrect because anyone with access to FCI is automatically considered part of the CMMC Level 1 boundary.
Option C (OSC point of contact) is incorrect because the point of contact is typically an administrative or compliance representative, not necessarily someone with FCI access.
Option D (Assessment Team Member) is incorrect because an ESP employee is not part of the assessment team but rather a subject of the assessment.
Official CMMC Documentation Reference
CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI
CMMC Assessment Process (CAP) Guide – Roles and Responsibilities
Federal Acquisition Regulation (FAR) 52.204-21 (Basic Safeguarding of FCI)
Final Verification
Since the ESP employee has access to FCI, they are considered in scope for the CMMC Level 1 self-assessment, making Option A the correct answer.