Question 2 - Cyber AB CMMC-CCP Real Exam Questions [March 2026 Update]

Q: 2

Which standard and regulation requirements are the CMMC Model 2.0 based on?

Options

Correct Answer:

Explanation

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is directly aligned with specific National Institute of Standards and Technology (NIST) Special Publications. CMMC Level 2 (Advanced) requirements are identical to the 110 security controls outlined in NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." CMMC Level 3 (Expert) builds upon Level 2 by incorporating a subset of the enhanced security requirements from NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information," which are designed to counter advanced persistent threats (APTs). This structure streamlines compliance for defense contractors by using well-established and widely accepted federal standards as its foundation.

Why Incorrect

B. This option is incorrect because FIPS 100 is an obsolete standard related to data network interfaces, withdrawn in 1996, and is not relevant to CMMC.

C. This option is too general. "NIST" is an agency, not a specific standard. While Carnegie Mellon University was involved in CMMC 1.0 development, it is not a source standard for CMMC 2.0 requirements.

D. This option is incorrect as it combines the errors from options B and C, including the irrelevant FIPS 100 standard and the improper citation of Carnegie Mellon University as a source document.

References

1. U.S. Department of Defense

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Model 2.0. "CMMC 2.0 Model" section. The official model documentation states: "Level 2 (Advanced)...is aligned with NIST SP 800-171" and "Level 3 (Expert)...will be based on a subset of NIST SP 800-172 requirements." (Available on the official DoD CMMC website).

2. U.S. Department of Defense. (2023

December 26). Cybersecurity Maturity Model Certification (CMMC) Program. Federal Register

88(245)

89058-89119. Section: "II. Background

" Subsection: "B. CMMC Program Framework." This notice states

"The CMMC Model is aligned with and builds upon the CUI security requirements specified in NIST SP 800-171 Rev 2... and the enhanced security requirements in NIST SP 800-172."

3. National Institute of Standards and Technology (NIST). (2021

February). NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information. Introduction

Page 1. The document's purpose is to provide a supplement to NIST SP 800-171 for systems requiring enhanced security

which directly corresponds to the basis for CMMC Level 3.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE