Cyber AB Updated CMMC-CCP Exam Questions and Answers by osian

In Phase 3 (Post-Assessment), the assessor’s responsibility is to archive or dispose of assessment artifacts according to the C3PAO’s policies and retention requirements. By this point, final findings and results have already been delivered, so the only remaining step is ensuring proper handling of assessment materials.

Supporting Extracts from Official Content:

CAP v2.0, Post-Assessment Activities (§3.17): “The assessor must archive or dispose of any assessment artifacts in accordance with the C3PAO’s retention and destruction policy.”

Why Option D is Correct:

Determining practice pass/fail results and level recommendations occurs earlier in Phases 2 and 3.

The final step left for the assessor is the proper archiving or destruction of artifacts.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 3: Post-Assessment (§3.17).

===========

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Understanding Federal Contract Information (FCI)

Federal Contract Information (FCI) is defined by48 CFR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems). FCI refers to information that:

Is NOT intended for public release.

Is provided by or generated for the government under a contract.

Is necessary to develop or deliver a product or service to the government.

Excludes publicly available government information(such as information on public websites).

Excludes simple transactional information(e.g., necessary to process payments).

In the context ofCMMC 2.0, organizations thatprocess, store, or transmit FCImust meetCMMC Level 1 (Foundational), which requires implementing17 basic safeguarding practicesoutlined inFAR 52.204-21.

Why is the Correct Answer FCI (D)?

A. CDI (Controlled Defense Information)→ Incorrect

This term was used inDFARS 252.204-7012but has been replaced byCUI (Controlled Unclassified Information)in CMMC discussions.

B. CTI (Cyber Threat Intelligence)→ Incorrect

This refers to intelligence on cyber threats, tactics, and indicators, not contractual data.

C. CUI (Controlled Unclassified Information)→ Incorrect

CUI is sensitive information requiring additional safeguarding but is a separate category from FCI.

D. FCI (Federal Contract Information)→Correct

The definition of FCI explicitly matches the description given in the question.

CMMC 2.0 References Supporting this Answer:

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Defines FCI and the required safeguards.

Establishes17 cybersecurity practicesfor FCI protection.

CMMC 2.0 Framework

Level 1 (Foundational)is required for contractors handlingFCI.

Ensures compliance withbasic safeguarding requirementsoutlined inFAR 52.204-21.

NIST SP 800-171 and DFARS 252.204-7012

FCI doesnotrequire compliance withNIST SP 800-171, butCUI does.

ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:

✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."