The CMMC 2.0 model organizes cybersecurity practices into three maturity levels. The Audit and Accountability (AU) domain practices are not required at Level 1, which is based on the 15 basic safeguarding requirements found in FAR 52.204-21. The requirements for creating, protecting, retaining, and reviewing audit records begin at CMMC Level 2. These Level 2 practices are derived directly from the Audit and Accountability control family (3.3) in NIST SP 800-171 Rev 2. While the AU domain also includes practices at Level 3, they are first introduced at Level 2, making 'B' the most accurate answer among the choices.

A. Level 1: This is incorrect. CMMC Level 1 practices are aligned with FAR 52.204-21, which does not include any requirements from the Audit and Accountability domain.

C. Levels 1 and 2: This is incorrect because, as stated, Level 1 does not contain any practices from the Audit and Accountability domain.

D. Levels 1 and 3: This is incorrect because Level 1 has no AU practices. The AU domain has practices in Levels 2 and 3, but not Level 1.

---

1. U.S. Department of Defense (DoD)

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Model v2.0. Page 5

Table 2 "CMMC Model Construct". This table illustrates that CMMC Level 1 is based on FAR 52.204-21

while Level 2 is based on NIST SP 800-171.

2. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-171

Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 3.3

"Audit and Accountability

" pages 21-22. This section details the nine security requirements for this family

which are the basis for the CMMC Level 2 AU practices.

3. U.S. General Services Administration. (2016). Federal Acquisition Regulation (FAR) Case 2011-020

Basic Safeguarding of Covered Contractor Information Systems. FAR 52.204-21. An analysis of the 15 required controls shows no explicit requirement for audit log creation

retention

or review

which are the core of the AU domain.

4. U.S. Department of Defense (DoD)

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC 2.0 Level 2 Assessment Guide. Pages 51-60. This official guide explicitly details the assessment objectives for the nine practices within the Audit and Accountability (AU) domain for a Level 2 assessment.