The CMMC 2.0 model organizes cybersecurity practices into three maturity levels. The Audit and Accountability (AU) domain practices are not required at Level 1, which is based on the 15 basic safeguarding requirements found in FAR 52.204-21. The requirements for creating, protecting, retaining, and reviewing audit records begin at CMMC Level 2. These Level 2 practices are derived directly from the Audit and Accountability control family (3.3) in NIST SP 800-171 Rev 2. While the AU domain also includes practices at Level 3, they are first introduced at Level 2, making 'B' the most accurate answer among the choices.

A. Level 1: This is incorrect. CMMC Level 1 practices are aligned with FAR 52.204-21, which does not include any requirements from the Audit and Accountability domain.

C. Levels 1 and 2: This is incorrect because, as stated, Level 1 does not contain any practices from the Audit and Accountability domain.

D. Levels 1 and 3: This is incorrect because Level 1 has no AU practices. The AU domain has practices in Levels 2 and 3, but not Level 1.

---

1. U.S. Department of Defense (DoD)

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Model v2.0. Page 5

Table 2 "CMMC Model Construct". This table illustrates that CMMC Level 1 is based on FAR 52.204-21

while Level 2 is based on NIST SP 800-171.

2. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-171

Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 3.3

"Audit and Accountability

" pages 21-22. This section details the nine security requirements for this family

which are the basis for the CMMC Level 2 AU practices.

3. U.S. General Services Administration. (2016). Federal Acquisition Regulation (FAR) Case 2011-020

Basic Safeguarding of Covered Contractor Information Systems. FAR 52.204-21. An analysis of the 15 required controls shows no explicit requirement for audit log creation

retention

or review

which are the core of the AU domain.

4. U.S. Department of Defense (DoD)

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC 2.0 Level 2 Assessment Guide. Pages 51-60. This official guide explicitly details the assessment objectives for the nine practices within the Audit and Accountability (AU) domain for a Level 2 assessment.

The CMMC assessment process includes daily checkpoints for status updates and a final out-briefing to present the comprehensive results. According to the official CMMC Assessment Process (CAP), the assessment team has the flexibility to deliver these final, preliminary findings to the Organization Seeking Certification (OSC) in one of two ways: either by using the last scheduled daily checkpoint of the assessment period for this purpose or by scheduling a separate, formal out-briefing meeting dedicated to reviewing all findings and recommendations.

A. This is incorrect because daily checkpoints are for providing progress updates and discussing the next day's activities, not for delivering the consolidated final results of the entire assessment.

B. This is incorrect because final results are presented once at the conclusion of the evidence-gathering phase, not on a daily basis throughout the assessment.

D. This is incorrect because the out-briefing to the OSC presents the assessment team's preliminary findings. The formal C3PAO quality review and approval occur after the out-brief, as part of preparing the final assessment package for submission.

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 1.0

Department of Defense

December 2021.

Section 4.4.1

Daily Checkpoints (Page 13): "The Assessment Team Lead will conduct daily checkpoints with the OSC POC... The final daily checkpoint may serve as the out-briefing for the assessment."

Section 4.4.2

Out-briefing (Page 13): "The Assessment Team will conduct an out-briefing with the OSC to present the preliminary findings of the assessment... The out-briefing may be conducted as the final daily checkpoint or as a separate meeting." This directly confirms that both scenarios in option C are valid.

The scope of a CMMC assessment for an organization within the Defense Industrial Base (DIB) applies to nonfederal systems. According to NIST SP 800-171, which forms the basis for CMMC Level 2, the requirements are applicable to all components of nonfederal systems that either directly handle Controlled Unclassified Information (CUI) or provide security protection for those components. The CMMC Scoping Guide further clarifies this by defining asset categories, including "CUI Assets" (those that process, store, or transmit CUI) and "Security Protection Assets" (e.g., firewalls, SIEMs), both of which are within the assessment scope. Therefore, the scope must encompass both types of system components.

A. This is incorrect because CMMC applies to nonfederal contractor systems, not federal systems. It also omits security protection components.

B. This is incorrect because it is incomplete. The scope also includes the systems and components that provide security protection for the CUI assets.

C. This is incorrect because CMMC is a framework designed for the nonfederal organizations that make up the Defense Industrial Base (DIB).

1. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 2.2

"APPLICABILITY

" Page 5. Available at: https://doi.org/10.6028/NIST.SP.800-171r2

Quote: "The requirements apply to all components of nonfederal systems that process

store

or transmit CUI

or that provide security protection for such components."

2. Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Scoping Guide

Level 2

Version 2.0. Section 2.1

"Asset Categories

" Page 2.

Content: This section defines "CUI Assets" and "Security Protection Assets

" clarifying that both are part of the CMMC Assessment Scope. Security Protection Assets are defined as those that "provide security functions or services to the CMMC Assessment Scope."

A Plan of Action and Milestones (POA&M) is a formal document used to track and manage the remediation of identified security weaknesses. According to foundational standards like NIST SP 800-53, which heavily influences CMMC, a POA&M's essential components include a description of the weakness, the responsible individual or office (ownership), key milestones, and scheduled completion dates. While the plan may identify the resources required (e.g., personnel, technology), it does not typically contain detailed, line-item budget requirements. Budgeting is a related but separate organizational financial planning process that enables the remediation actions described in the POA&M.

A. Completion dates: These are a fundamental component of a POA&M, establishing a clear timeline for when a security weakness will be fully remediated.

B. Milestones to measure progress: The "M" in POA&M stands for Milestones; they are critical for tracking incremental progress toward the final completion date.

C. Ownership of who is accountable for ensuring plan performance: Assigning a responsible individual or office is essential for accountability and ensuring the plan is executed.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). U.S. Department of Commerce.

Reference: Appendix J

"Plan of Action and Milestones

" provides a template and description of the essential elements. The template includes fields for "Scheduled Completion Date

" "Milestones with Completion Dates

" and "Responsible Office

" but does not include a field for "Budget." It lists "Resources Required

" which is a broader category than specific budget figures.

2. National Institute of Standards and Technology (NIST). (2020). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication 800-171

Revision 2). U.S. Department of Commerce.

Reference: Section 3.12.2 requires organizations to "develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." The focus is on the corrective actions

timelines

and responsibilities

not the financial accounting for them within the plan itself.

3. Office of Management and Budget (OMB). (2002). Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones (M-02-01).

Reference: This foundational memorandum outlines the required contents for a POA&M for federal agencies. It specifies fields such as weakness

responsible official

resources required

scheduled completion date

and milestones

but does not mandate the inclusion of specific budget costs within the POA&M document.

During the planning phase, the Lead Assessor establishes the assessment plan, which outlines the methods and evidence required to verify each CMMC practice. The core objective is to ensure that the evidence collected will be sufficient to support a conclusive finding. Sufficiency of evidence refers to the measure of the quantity and quality of evidence gathered. The assessor is pre-determining what types and amount of objective evidence (e.g., from interviews, tests, and examinations of documents) will be necessary to make a credible and defensible judgment on whether a practice is met.

A. Adequacy: This term refers to the effectiveness and suitability of an implemented security control or practice itself, not the evidence used to prove its existence.

C. Process mapping: This is a specific technique or artifact that can be used as a piece of evidence, not the overarching principle of verifying the right amount of evidence.

D. Assessment scope: This defines the people, technology, facilities, and information that are the subject of the assessment, not the criteria for the evidence itself.

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 2.1 (December 2023). Section 3.3

"Conduct Assessment

" states

"The Assessment Team must collect and document sufficient objective evidence to support the determination of whether a practice is MET or NOT MET." (Page 13).

2. CMMC Level 2 Assessment Guide

Version 2.1 (December 2023). Section 1.4

"Assessment Conduct

" specifies

"The C3PAO assessment team must collect sufficient evidence to support the final score for each CMMC practice." (Page 8).

3. NIST Special Publication 800-171A

Assessing Security Requirements for Controlled Unclassified Information. Section 2.2

"Assessment Procedures

" notes that the use of assessment procedures is intended to "produce sufficient evidence to determine the disposition of the security requirements." This foundational document for CMMC Level 2 assessments emphasizes the principle of sufficiency.

The scenario involves handling a sensitive evidence file, which should be treated as Controlled Unclassified Information (CUI), in a physically non-secure, shared environment. The primary responsibility is to protect this information from unauthorized disclosure. Reviewing the document, making necessary notes, and then immediately destroying the physical copy via a cross-cut shredder is the only option that ensures the CUI is not left unattended or stored in an insecure location (unlocked drawer, open table) overnight. This action directly aligns with the CMMC principles of media protection, which mandate the secure handling and sanitization or destruction of media containing sensitive information when no longer needed for the immediate task.

A. Placing the document in an unlocked desk drawer in a shared conference room fails to meet the requirement to physically protect and securely store media containing CUI.

B. Creating notes on a client-provided computer introduces a new digital artifact that may not be properly secured or controlled by the assessor, creating a potential data spillage.

D. Leaving a sensitive document on a table in a shared space is a direct violation of physical and media protection controls, as it allows for potential unauthorized access.

1. NIST SP 800-171 Rev. 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Section 3.8.3 (MP.L2-3.8.3): "Protect system media containing CUI

both paper and digital." The discussion notes state that this includes secure storage. An unlocked drawer or an open table in a shared space does not constitute secure storage.

Section 3.8.1 (MP.L1-3.8.1): "Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse." This principle extends to CUI

and shredding is a recognized method of destruction for paper media.

2. NIST SP 800-88 Rev. 1

Guidelines for Media Sanitization.

Section 4.5

Destruction: "After the media is sanitized

it is no longer usable as originally intended... For paper

destruction can be accomplished by a variety of methods

including... shredding using a cross-cut shredder."

Table A-1

"Media/Sanitization Decision Matrix": Lists "Shred (Cross Cut)" as a valid "Destroy" technique for paper media.

3. CMMC Model Version 2.0

CMMC Practices.

Practice MP.L2-3.8.3 (from NIST SP 800-171 3.8.3): "Protect system media containing CUI

both paper and digital." This practice requires implementing physical controls to prevent unauthorized access to CUI

which options A and D fail to do. Option C fulfills this by eliminating the physical media after use.

In the context of CMMC scoping, assets are categorized to identify the assessment boundary. The question lists servers, laptops, databases, and applications, which are all forms of hardware and software used to store, process, or transmit Federal Contract Information (FCI). According to official CMMC scoping guidance, these items are classified under the "Technology" asset category. The IT manager is correctly identifying the technological components that make up the CMMC assessment scope for the Level 1 Self-Assessment.

A. ESP: This refers to External Service Providers, which are third-party entities providing services, not the internal hardware or software assets themselves.

B. People: This asset category includes the personnel (e.g., employees, contractors) who interact with FCI and the systems, not the systems themselves.

C. Facilities: This category refers to the physical locations, such as buildings or data centers, where the technology assets are located and operated.

1. U.S. Department of Defense

"CMMC Scoping Guidance Level 1

" Version 2.0

December 2021.

Page 3

Section 2

"Scoping CMMC Level 1": This section explicitly defines the asset categories for scoping: "Assets are categorized as: People

Technology

Facilities

and External Service Providers (ESPs)." The items listed in the question (servers

laptops

databases

applications) are quintessential examples of the "Technology" category.

2. U.S. Department of Defense

"CMMC Scoping Guidance Level 2

" Version 2.0

December 2021.

Page 4

Section 2.1

"Asset Categories": This guide provides further clarification

stating

"Technology includes all information systems

system components

and other information technology or operational technology assets..." This definition directly encompasses the assets mentioned in the question.

The scenario describes a failure in visitor management. The CMMC Assessment Team, as external personnel, are considered visitors. The receptionist did not check their credentials, did not provide visitor identification, and most critically, did not escort them or ensure they were monitored. This is a direct violation of practice PE.L1-3.10.3, which explicitly requires organizations to "Escort visitors and monitor visitor activity." This control is fundamental to physical security, ensuring that non-authorized individuals do not gain unsupervised access to facilities where Controlled Unclassified Information (CUI) may be present or accessible. The receptionist's actions created a security gap by allowing unescorted individuals into the facility.

B. This practice concerns the management of items like keys, locks, and electronic card readers, which were not mentioned as the point of failure in the scenario.

C. This practice relates to formal screening processes like background checks before granting individuals long-term, authorized access to systems, not the immediate handling of daily visitors.

D. This practice is about securing systems during personnel changes like employee terminations or transfers, which is irrelevant to the visitor check-in process described.

1. U.S. Department of Defense (DoD). (2021

December). CMMC Model v2.0.

Page 27

Practice PE.L1-3.10.3: The document lists the practice as "Escort visitors and monitor visitor activity." This is a direct match to the failure described.

Page 26

Practice PS.L2-3.9.1 & PS.L2-3.9.2: These practices are clearly defined under the Personnel Security domain

focusing on screening and personnel actions

respectively

distinguishing them from the physical visitor control issue.

2. National Institute of Standards and Technology (NIST). (2020

February). NIST Special Publication 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Page 27

Section 3.10.3: This is the source requirement for the CMMC practice in question. It states

"Escort visitors and monitor visitor activity." The discussion section clarifies this is to control physical access by individuals without a need-to-know.

Page 27

Section 3.10.5: This requirement is detailed as "Control and manage physical access devices

" clearly separating it from visitor procedures.

Page 26

Section 3.9.1 & 3.9.2: These requirements detail personnel screening and termination/transfer actions

confirming they are distinct from the physical escorting of visitors.

The scenario describes systems that are contractor-owned, configured based on specific government requirements, and used to support a particular contract. According to the official CMMC Level 2 Scoping Guide, this is the precise definition of a "Restricted Information System." This category is a type of Specialized Asset, which may have limited CMMC assessment requirements if it cannot be fully configured to meet all CMMC practices. The key identifiers are the government-mandated configuration and its dedicated use for a contract, distinguishing it from general corporate IT assets.

A. IoT: These are non-traditional computing devices (e.g., sensors, smart appliances). The systems described are used for business network transactions, which implies more traditional IT infrastructure.

C. Test equipment: This category is for systems used to test products or components. The systems in the question are used to perform the actual contract work, not for testing purposes.

D. Government property: This refers to assets owned by and furnished by the government for contract performance. The question explicitly states the systems are "contractor-owned."

---

1. Cybersecurity Maturity Model Certification (CMMC) Scoping Guide

Level 2

Version 2.0

December 2021.

Page 8

Section 2.3

"Specialized Assets": Lists "Restricted Information Systems" as one of the five categories of Specialized Assets.

Page 9

Section 2.3

"Specialized Assets": Defines Restricted Information Systems as "systems that are configured based on government requirements (e.g.

security or privacy) and are used to support a contract." This directly matches the question's scenario.

2. Carnegie Mellon University

Software Engineering Institute (SEI). "CMMC 2.0: What’s New and What’s the Same?" (Webcast

December 2021).

The webcast and associated materials discuss the asset categories for scoping in CMMC 2.0

reinforcing the definitions provided in the official DoD guides. The concept of Specialized Assets

including Restricted Information Systems

is explained as a key change for more flexible and logical scoping. (Reference to the general content of the official SEI training materials on CMMC 2.0).

The primary intent of the "verify evidence and record gaps" activity is to perform a comparative analysis. The Assessment Team systematically evaluates the objective evidence collected from the Organization Seeking Certification (OSC) against the explicit requirements defined by the CMMC practices and their associated assessment objectives. This verification process is designed to identify any discrepancies, deficiencies, or "gaps" where the provided evidence is insufficient to prove that a requirement has been met. Documenting these differences is crucial for determining the final assessment score and providing the OSC with a clear understanding of areas needing remediation.

A. Mapping evidence to practices is an organizational task that typically precedes or occurs concurrently with evidence analysis, not the primary intent of gap identification.

B. Conducting interviews is a method for collecting evidence, which happens before the activity of verifying that evidence and recording gaps.

C. Determining the relationship between a practice and an assessment object is a foundational part of the assessment methodology, established during the planning phase.

1. U.S. Department of Defense

Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Assessment Process (CAP) for CMMC Level 2

Version 1.0. Section 4.3.4

"Make and Document Determination

" page 16. This section states

"If the Assessment Team determines that the evidence is insufficient to satisfy an assessment objective

the Assessment Team documents the deficiency..." This directly describes the process of identifying and recording differences (gaps) between required standards and collected evidence.

2. U.S. Department of Defense. (2021). CMMC Model Version 2.0

Assessment Guide

Level 2. Introduction

page 1. The guide explains that its purpose is to provide assessment procedures for CMMC practices. The assessment process inherently involves using these procedures to "verify that the required CMMC practices and processes are in place

" which necessitates identifying where they are not—i.e.

finding the gaps.