Cyber AB Updated CMMC-CCP Exam Questions and Answers by alessandro

Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A & S directly manages subcontractor certification.

Supporting Extracts from Official Content:

DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”

Why Option D is Correct:

Compliance responsibility flows through the contractor supply chain.

CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.

OUSD A & S sets policy, not enforcement at contract level.

DoD agencies only require compliance at award/contract oversight level.

References (Official CMMC v2.0 Content):

DFARS 252.204-7021.

CMMC Model v2.0 governance guidance.

===========

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-Assessment

CMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

Official CMMC 2.0 Documentation References

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

Breakdown of Answer Choices

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Conclusion

Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

Reference Documents for Further Reading

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

Understanding FAR Clause 52.204-21

TheFederal Acquisition Regulation (FAR) Clause 52.204-21is titled"Basic Safeguarding of Covered Contractor Information Systems."This clause establishesminimum cybersecurity requirementsforfederal contractorsthat handleFederal Contract Information (FCI).

Key Purpose of FAR Clause 52.204-21

Theprimary objectiveof FAR 52.204-21 is to ensure that contractors applybasic cybersecurity protectionsto theirinformation systemsthat process, store, or transmitFCI. Theseminimum safeguarding requirementsserve as abaseline security standardfor contractors doing business with theU.S. government.

Why "Minimum Standard of Care" is Correct?

FAR 52.204-21 doesnotrequire contractors to install specific cybersecurity tools (eliminating option A).

Itoutlines only the minimum safeguards, notallcybersecurity controls needed for complete security (eliminating option B).

CMMC certification isnotmandated by this clause alone (eliminating option D).

Instead, it establishesa baseline "standard of care"that all federal contractorsmust followto protectFCI(making option C correct).

Breakdown of Answer Choices

Option

Description

Correct?

A. It directs all covered contractors to install the cybersecurity systems listed in that clause.

❌Incorrect–The clause doesnotspecify tools or require specific cybersecurity systems.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS.

❌Incorrect–It only setsminimumrequirements, notall possiblesecurity measures.

C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.

✅Correct – The clause defines basic safeguards as a minimum security standard.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

❌Incorrect–FAR 52.204-21 doesnot mandateCMMC certification; that requirement comes from DFARS 252.204-7012 and 7021.

Minimum Safeguarding Requirements Under FAR 52.204-21

The clause defines15 basic security controls, which align withCMMC Level 1. Some examples include:

✅Access Control– Limit access to authorized users.

✅Identification & Authentication– Authenticate system users.

✅Media Protection– Sanitize media before disposal.

✅System & Communications Protection– Monitor and control network connections.

Official References from CMMC 2.0 and FAR Documentation

FAR 52.204-21– Establishes thebasic safeguarding requirementsfor FCI.

CMMC 2.0 Level 1– Directly aligns withFAR 52.204-21 controls.

Final Verification and Conclusion

The correct answer isC. It describes the minimum standard of care that contractors must take to secure covered contractor IS.This aligns withFAR 52.204-21 requirementsas abaseline security standard for FCI.

According to the CMMC Assessment Process (CAP), specifically during the Phase 3: Conduct Assessment (Evidence Collection and Verification), the Assessment Team must evaluate all collected artifacts, interview notes, and test results against two primary dimensions: Adequacy and Sufficiency.

Adequacy (The "Right" Evidence): This criterion focuses on the quality, relevance, and validity of the evidence. It addresses whether the evidence actually maps to the specific CMMC practice being assessed and whether it is authoritative (e.g., signed, current, and from a trusted source). If an assessor asks, "Is this therightpiece of information to prove this practice is met?" they are testing for Adequacy.

Sufficiency (The "Enough" Evidence): This criterion focuses on the quantity and scope of the evidence. It addresses whether the Assessment Team has collected enough data points (across the required number of assets and using the required methods of Examine, Interview, and Test) to reach a confident conclusion. If an assessor asks, "Do I haveenoughexamples of this practice in action across the entire enclave?" they are testing for Sufficiency.

Why other options are incorrect:

B and D (Objectivity/Subjectivity): While assessors must remain objective, these are not the formal "criteria" used to categorize the evidence collection quality within the CAP framework.

C (Sufficiency): As noted above, Sufficiency is about theamountof evidence, not whether it is thecorrect type(the "right" evidence).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4, "Collect and Verify Evidence," which explicitly defines the requirement for evidence to be both adequate and sufficient.

CMMC Level 2 Assessment Guide: Guidance on the application of the Examine, Interview, and Test (E-I-T) methods to ensure evidence quality.

NIST SP 800-171A: The foundation for CMMC assessment procedures, which emphasizes the need for relevant (adequate) evidence to support findings.