The Cyber AB Code of Professional Conduct, in its definitions section, explicitly defines the term "Agreement" as "Any contract between two legal entities." This definition is used throughout the document to establish the scope of contractual and ethical obligations for individuals and organizations certified or accredited by the Cyber AB. The code uses this specific term to ensure clarity and consistent application of its principles regarding professional relationships and commitments.

A. Union: This term is not defined within the Cyber AB Code of Professional Conduct and typically refers to a different type of association, such as a labor union.

B. Accord: This term is not defined in the Code of Professional Conduct; in legal contexts, it usually refers to an agreement to settle a dispute.

C. Alliance: This term is not defined in the Code of Professional Conduct and generally describes a cooperative partnership, which may or may not be a formal contract.

1. The Cyber AB. (2022

June 28). Cyber AB Code of Professional Conduct. Version 2.2. Section 2

"Definitions

" page 3. Retrieved from the official Cyber AB website. (This document defines "Agreement" as "Any contract between two legal entities.")

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is directly aligned with specific National Institute of Standards and Technology (NIST) Special Publications. CMMC Level 2 (Advanced) requirements are identical to the 110 security controls outlined in NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." CMMC Level 3 (Expert) builds upon Level 2 by incorporating a subset of the enhanced security requirements from NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information," which are designed to counter advanced persistent threats (APTs). This structure streamlines compliance for defense contractors by using well-established and widely accepted federal standards as its foundation.

B. This option is incorrect because FIPS 100 is an obsolete standard related to data network interfaces, withdrawn in 1996, and is not relevant to CMMC.

C. This option is too general. "NIST" is an agency, not a specific standard. While Carnegie Mellon University was involved in CMMC 1.0 development, it is not a source standard for CMMC 2.0 requirements.

D. This option is incorrect as it combines the errors from options B and C, including the irrelevant FIPS 100 standard and the improper citation of Carnegie Mellon University as a source document.

1. U.S. Department of Defense

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Model 2.0. "CMMC 2.0 Model" section. The official model documentation states: "Level 2 (Advanced)...is aligned with NIST SP 800-171" and "Level 3 (Expert)...will be based on a subset of NIST SP 800-172 requirements." (Available on the official DoD CMMC website).

2. U.S. Department of Defense. (2023

December 26). Cybersecurity Maturity Model Certification (CMMC) Program. Federal Register

88(245)

89058-89119. Section: "II. Background

" Subsection: "B. CMMC Program Framework." This notice states

"The CMMC Model is aligned with and builds upon the CUI security requirements specified in NIST SP 800-171 Rev 2... and the enhanced security requirements in NIST SP 800-172."

3. National Institute of Standards and Technology (NIST). (2021

February). NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information. Introduction

Page 1. The document's purpose is to provide a supplement to NIST SP 800-171 for systems requiring enhanced security

which directly corresponds to the basis for CMMC Level 3.

The CMMC Assessment Process (CAP) outlines the specific criteria for a readiness review conducted by the Lead Assessor. This review occurs during Phase 1 (Plan and Prepare). The question states that the assessment risk status and overall assessment feasibility have already been determined. According to the CAP, the final minimum criterion to be verified during the readiness review is the determination of logistics, the composition and readiness of the Assessment Team, and the readiness of the evidence provided by the Organization Seeking Certification (OSC). This step ensures all practical and evidentiary prerequisites are met before the assessment begins.

A. Determining practice pass/fail results is an activity performed during Phase 3 (Conduct the Assessment), not the Phase 1 readiness review.

B. Determining preliminary recommended findings occurs after evidence has been reviewed and practices have been scored during the assessment itself (Phase 3/4).

C. Determining and recording initial model practice ratings (e.g., MET, NOT MET) is a core function of conducting the assessment (Phase 3), not preparing for it.

1. Cybersecurity Maturity Model Certification (CMMC) Program

"CMMC Assessment Process (CAP) for CMMC Level 2

" Version 1.0

December 2021. Section 2.1.1

"Conduct Readiness Review

" page 10

states the readiness review includes: "Confirming the assessment scope... Determining the assessment risk status... Determining the overall assessment feasibility... Determining the logistics

Assessment Team

and the evidence readiness." This explicitly lists the components of the readiness review.

2. Carnegie Mellon University

Software Engineering Institute (SEI)

"Preparing for a CMMC Assessment

" Blog Post by Andrew F. Hoover

2021. This resource discusses the preparatory steps for an assessment

emphasizing the importance of having logistics and evidence organized prior to the formal evaluation

aligning with the activities described in the correct answer. (Note: While a blog

SEI is a foundational institution for CMMC

making its guidance highly reputable).

CMMC Level 1 (Foundational) is focused on the protection of Federal Contract Information (FCI). The 15 security practices required for a Level 1 Self-Assessment are taken directly from the basic safeguarding requirements stipulated in Federal Acquisition Regulation (FAR) clause 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." This FAR clause is the foundational contractual requirement for all federal contractors to protect FCI on their nonfederal information systems. Therefore, it is the specific clause that requires a contractor to meet these basic safeguarding requirements.

B. 22CFR 120-130: This citation refers to the International Traffic in Arms Regulations (ITAR), which governs the export of defense articles and services, not the general safeguarding of FCI.

C. DFARS 252.204-7011: This Defense Federal Acquisition Regulation Supplement (DFARS) clause, "Alternative Line Item Structure," pertains to how contract line items are organized and is unrelated to cybersecurity.

D. DFARS 252.204-7021: This DFARS clause, "Cybersecurity Maturity Model Certification Requirement," is the mechanism that enforces CMMC assessments within DoD contracts but does not originate the FCI safeguarding requirements themselves.

1. U.S. Department of Defense (DoD). (2021). Cybersecurity Maturity Model Certification (CMMC) Model Version 2.0. Page 4

"CMMC Level 1

Foundational

" states

"CMMC Level 1 is equivalent to all of the safeguarding requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21."

2. General Services Administration

DoD

NASA. (2016). Federal Acquisition Regulation; Basic Safeguarding of Covered Contractor Information Systems. 48 C.F.R. § 52.204-21. This document is the primary source text for the 15 basic safeguarding requirements for FCI.

3. Johns Hopkins University Applied Physics Laboratory & DoD. (2023). CMMC Assessment Process (CAP) for CMMC Level 1 Version 2.1. Page 1

Section 1.1

"The CMMC Level 1 assessment scope is focused on FCI assets

which are information systems

system components

or assets that process

store

or transmit FCI. The CMMC Level 1 requirements are from FAR 52.204-21."

The most correct action is to ensure full transparency and follow a documented process for managing potential conflicts of interest (COI). The assessor must immediately inform their C3PAO and the Organization Seeking Certification (OSC) of the prior relationship. This disclosure allows all parties to assess the risk to impartiality. The potential COI and the agreed-upon mitigation actions (e.g., having another assessor conduct that specific interview) must be formally documented in the assessment plan. If the mitigation is accepted by all parties as sufficient to ensure objectivity, the assessment can proceed. This approach upholds the integrity and impartiality of the assessment process as required by the Cyber AB.

A. Hiding a potential COI is a direct violation of the Cyber AB Code of Professional Conduct, which mandates objectivity and disclosure of any potential conflicts.

B. This is an extreme and premature action. The entire process does not need to be restarted if the specific conflict can be effectively mitigated and managed.

C. The assessor cannot unilaterally decide that a potential COI is non-existent. The perception of a conflict can be as damaging as an actual one, and all parties must agree on the path forward.

1. The Cyber AB

Code of Professional Conduct

Version 2.1 (June 28

2022).

Section 3.3

Conflicts of Interest: "Cyber AB Professionals shall proactively disclose any actual or potential conflicts of interest that may arise and take appropriate action to mitigate any such conflict." This directly supports the requirement to inform

document

and mitigate.

2. The Cyber AB

CMMC Assessment Process (CAP) for CMMC Level 2

Version 1.0 (July 21

2022).

Section 2.3.2

Conflict of Interest (COI) and Organizational Independence: This section requires the C3PAO to have a process to "identify

analyze

and document potential COIs arising from relationships" and "demonstrate how it will eliminate or mitigate such threats." This aligns with documenting the conflict and mitigation in the assessment plan.

3. ISO/IEC 17021-1:2015

Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements.

Section 5.2

Impartiality: This international standard

upon which CMMC assessment principles are based

requires certification bodies to "identify

analyse

document and eliminate or minimize threats to its impartiality on an ongoing basis." This reinforces the structured approach of identification

documentation

and mitigation described in the correct answer.

The Assessment Team, operating under a Certified Third-Party Assessor Organization (C3PAO), is formally tasked with conducting the CMMC assessment. A core responsibility during the "Conduct Assessment" phase is to collect, review, and analyze objective evidence to verify its adequacy and sufficiency. Based on this evaluation, the Assessment Team determines whether the Organization Seeking Certification (OSC) has successfully met the CMMC practices and objectives for all in-scope assets. This process is fundamental to the integrity of the assessment and the final recommendation for certification.

A. OSC: The Organization Seeking Certification (OSC) is the entity being assessed; it provides evidence but does not have the authority to verify its own sufficiency for certification.

C. Authorizing official: This term is specific to other frameworks like the Risk Management Framework (RMF) and is not a defined role within the CMMC assessment process for verifying evidence.

D. Assessment official: This is a generic and imprecise term. The official CMMC documentation specifically designates the "Assessment Team" as the responsible party for conducting the assessment activities.

1. U.S. Department of Defense. (2023

July). CMMC Assessment Process (CAP) for CMMC Level 2

Version 1.0. Section 3.3

"Conduct Assessment

" Page 10. This section explicitly states

"During this phase

the Assessment Team collects and analyzes evidence to determine if the OSC has met the CMMC requirements included in the assessment scope."

2. U.S. Department of Defense. (2021

November). Cybersecurity Maturity Model Certification (CMMC) Model Overview

Version 2.0. Page 5. This document outlines the CMMC ecosystem

noting that C3PAOs and the certified assessors that comprise their assessment teams are responsible for conducting CMMC assessments.

The CMMC assessment is a point-in-time evaluation based on objective evidence presented. The assessment takes place in late September, by which time the first, second, and third quarters have passed. The organization's procedure mandates quarterly security control assessments. To satisfy the practice CA.L2-3.12.1, the organization must provide sufficient evidence that assessments are conducted periodically (quarterly). Presenting only the first quarter's report is insufficient to demonstrate adherence to this required frequency. The promise of providing the second quarter's report later is not considered valid evidence at the time of assessment. Therefore, the Lead Assessor must find the evidence insufficient and rate the practice as NOT MET.

A. sufficient, and rate the audit finding as MET

This is incorrect because one report does not provide sufficient evidence to verify a recurring quarterly process has been followed for the elapsed time.

C. sufficient, and re-rate the audit finding after a quarter two assessment report is examined.

This is incorrect because the evidence is insufficient, not sufficient. Findings are based on the evidence available, not on promises of future evidence.

D. insufficient, and re-rate the audit finding after a quarter two assessment report is examined.

This is incorrect because while the evidence is insufficient, the definitive finding at that moment must be NOT MET. An assessor cannot leave a finding open based on a promise.

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 2.0

The Cyber AB

December 2021.

Section 3.3.3

Analyze and Score Assessment Findings

Page 15: "The Assessment Team makes a MET or NOT MET determination for each practice based on the sufficiency of the objective evidence collected during the assessment." This establishes that a finding is based on the sufficiency of evidence collected

not promised.

Section 3.3.2

Collect Objective Evidence

Page 14: "The Assessment Team collects objective evidence for each practice in the assessment scope... If the OSC does not provide sufficient evidence to support a practice

the Assessment Team cannot award a MET for that practice." This directly supports the conclusion that insufficient evidence leads to a NOT MET finding.

2. CMMC Model v2.0

Level 2 Assessment Guide

Department of Defense

December 2021.

CA.L2-3.12.1 Assessment Objectives

Page 178: The objectives are to determine if "[a] the security controls in organizational systems are assessed periodically" and "[b] the effectiveness of the controls in their application is determined." Providing only one report when more were required by policy fails to demonstrate the "periodically" objective

making the evidence insufficient.

In the context of the CMMC Assessment Process, a "Supporting Organization/Unit" refers to an external entity that provides people, processes, or technology to the Organization Seeking Certification (OSC). These supporting elements are included within the assessment scope because they handle, process, or protect Controlled Unclassified Information (CUI) on behalf of the OSC. However, the supporting organization itself does not receive a CMMC certification from the OSC's assessment. Its compliance is evaluated solely in relation to the services it provides to the OSC. This is a common scenario with External Service Providers (ESPs) like cloud vendors or managed service providers.

A. Host Unit: This is not a defined term within the CMMC framework or its associated assessment process documentation.

B. Organization: This term is too general. The question asks for the specific term describing an external entity that supports the primary organization being assessed.

C. Coordinating Unit: This is not an official CMMC term used to describe an external entity that is part of the assessment scope.

1. U.S. Department of Defense (DoD)

CMMC Level 2 Scoping Guide

Version 2.0

December 2

2022.

Section 3.3

"External Service Provider (ESP) Considerations" (Page 10): This section details how external organizations that provide services to the OSC are handled within the assessment scope. It states

"The OSC is responsible for CUI protection when leveraging external services... The C3PAO assesses the OSC’s implementation of CMMC practices that apply to the services provided by the ESP." This describes the function of a "Supporting Organization/Unit."

2. U.S. Department of Defense (DoD)

CMMC Assessment Process (CAP) for CMMC Level 2

Version 2.0

December 2

2022.

Section 2.2

"Assessment Planning" (Page 13): This section outlines the planning activities

which include defining the assessment scope. The identification of all external dependencies and supporting entities that handle CUI is a critical part of this phase

reinforcing the concept of evaluating supporting organizations as part of the OSC's assessment.

Virtual LANs (VLANs) are a technical control used to logically segment a physical network into separate broadcast domains. By placing multi-function devices (MFDs) on a dedicated, restricted VLAN, an organization can enforce strict access control. Network policies and Access Control Lists (ACLs) can then be applied to the router or layer-3 switch managing inter-VLAN traffic, ensuring that only explicitly authorized systems or subnets can communicate with the MFDs. This method directly addresses the requirement to limit MFD access to only authorized systems, thereby protecting the Federal Contract Information (FCI) they process.

B. Single administrative account: This is a poor administrative practice that violates the principles of individual accountability and non-repudiation; it does not control system-level network access.

C. Documentation showing MFD configuration: Documentation is an administrative control, not a technical one. It describes the security posture but does not actively enforce any access restrictions.

D. Access lists only known to the IT administrator: While access lists are a valid technical control, this option suggests security through obscurity, which is not a robust security principle. VLANs provide a more structured and comprehensive segmentation framework.

---

1. National Institute of Standards and Technology (NIST) Special Publication 800-171

Revision 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Reference: Control 3.1.3

"Control the flow of CUI in accordance with approved authorizations." The discussion section states

"Flow control restrictions include... separating CUI into separate physical domains or logical domains (e.g.

subnets)." VLANs are a primary technology for implementing logical domains/subnets to control information flow. (Page 17)

2. Cybersecurity and Infrastructure Security Agency (CISA)

Network Segmentation Cheat Sheet.

Reference: The document outlines network segmentation as a key defensive strategy. It states

"Virtual Local Area Networks (VLANs) are the most common method of network segmentation... VLANs allow network administrators to partition their switched network based on functional requirements... regardless of the users’ physical location." This supports using VLANs to isolate devices like MFDs. (Page 1)

3. Carnegie Mellon University

Software Engineering Institute (SEI)

Network Segmentation and Segregation for Information System Protection

CMU/SEI-2016-TN-017.

Reference: Section 3.2

"Virtual Local Area Networks (VLANs)." This section describes VLANs as a fundamental technology for logical network segmentation to create security zones and control traffic between them using access control lists

directly aligning with the scenario. (Page 7)

During Phase 4 (Closeout) of the CMMC assessment, the Lead Assessor, on behalf of the C3PAO, finalizes the assessment results. This involves confirming that the Organization Seeking Certification (OSC) has met all applicable CMMC practices and objectives for the target level. The final recommendation submitted to the C3PAO is a formal attestation of whether the OSC has met the stringent, predefined criteria of the CMMC standard. This determination of meeting all requirements is fundamentally a conclusion on the OSC's eligibility for certification.

A. Ability: This term is too general. The assessment verifies the actual implementation of controls, not just the potential or general ability to be secure.

C. Capability: While the assessment evaluates the OSC's cybersecurity capabilities, the final recommendation is a formal judgment on qualification, which is more precisely termed eligibility.

D. Suitability: This implies a subjective judgment of appropriateness. The CMMC assessment is an objective verification against a standard to determine if the OSC qualifies, making eligibility the correct term.

---

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 2.1

Section 4.4

"Closeout" (p. 16). This section describes the final reporting and recommendation activities. The C3PAO's "certification recommendation" is the direct output

which is predicated on the Lead Assessor's determination that the OSC has met all requirements

thus establishing its eligibility for certification.

2. Cyber AB

CMMC Code of Professional Conduct (CoPC)

Version 2.1

Section 3

"Responsibility to the Profession" (p. 4). This document requires assessors to "Provide diligent and competent services" and "Maintain objectivity." This objective evaluation against the CMMC standard is the process of determining an OSC's eligibility for certification

not its general ability or suitability.