CMMC-CCP Cyber AB Certified CMMC Professional (CCP) Exam Free Practice Exam Questions (2025 Updated)

Who Verifies the Adequacy and Sufficiency of Evidence?In the CMMC assessment process, it is theAssessment Teamthat is responsible for verifying whether thepractices and related componentshave been met for each in-scopeHost Unit, Supporting Organization/Unit, or enclave.

TheCMMC Assessment Teamis composed of certified assessors and led by aCertified CMMC Assessor (CCA). Their primary role is to:

Review evidenceprovided by theOrganization Seeking Certification (OSC).

Determine compliancewith required CMMC practices and processes.

Evaluate the sufficiencyof evidence to confirm that all required practices have been properly implemented.

Document and report findingsto the CMMC Accreditation Body (CMMC-AB).

Breakdown of Answer ChoicesOption

Description

Correct?

A. OSC (Organization Seeking Certification)

The OSC provides documentation and evidence but doesnotverify its adequacy.

❌Incorrect

B. Assessment Team

✅Responsible for verifying the adequacy and sufficiency of evidence.

✅Correct

C. Authorizing Official

Typically refers to an official responsible for system accreditation underNIST RMF, not CMMC.

❌Incorrect

D. Assessment Official

Not a defined role in the CMMC framework.

❌Incorrect

TheCMMC Assessment Process Guide(CAP) outlines theAssessment Team'sresponsibility in verifying evidence.

TheCMMC Assessment Teamevaluates whether theorganization's cybersecurity practices meet CMMC requirements.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Assessment Team, as per CMMC 2.0 documentation and official assessment processes.

Step 1: Understand the Assessor’s Role and Chain of ResponsibilityDuring a CMMC assessment, the assessor ispart of the team organized by a C3PAO (Certified Third-Party Assessment Organization). If the assessor determines thatevidence is insufficient or inadequate, they arenot authorizedto act independently in terms of halting or postponing the assessment.

Source Reference: CMMC Assessment Process (CAP) v1.0 – Section 3.5.4 & 3.5.6

"If the Assessment Team identifies gaps in the sufficiency or adequacy of evidence, they must work with the Lead Assessor and C3PAO to determine the appropriate course of action."

The C3PAO is responsible for overseeing the assessment lifecycle.

If evidence isnot adequate, the assessor mustescalate within their organization(i.e., to the Lead Assessor or C3PAO point of contact) to:

Request clarifications from the OSC,

Determine if additional evidence can be requested,

Decide on continuing, pausing, or modifying the assessment schedule.

✅Step 2: Why Contacting the C3PAO Is the Correct Action

A. Notify the CMMC-AB✘ Incorrect. The Cyber AB (formerly CMMC-AB) isnot involved in operational aspectsof assessments. They do not manage day-to-day assessment decisions.

B. Cancel the assessment✘ Incorrect. An assessorcannot unilaterally cancelan assessment. Only theC3PAO, in consultation with all parties, may take such action.

C. Postpone the assessment✘ Incorrect. Postponements are logistical decisions that must be managed through theC3PAO, not an individual assessor.

❌Why the Other Options Are Incorrect

When an assessor determines that the evidence submitted by an OSC is inadequate or insufficient to meet a CMMC practice, thecorrect and required course of action is to consult with the C3PAO. The C3PAO will provide guidance or coordinate appropriate next steps.

Understanding Multi-Function Device (MFD) Security in CMMCMulti-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.

Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.

VLAN Restrictions Provide Network Segmentation

VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.

Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.

Meets CMMC 2.0 Network Security Controls

Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.

Reducesthe risk of unauthorized access to scanned and printed FCI.

B. Single administrative account→Incorrect

Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.

C. Documentation showing MFD configuration→Incorrect

Documentation helps with compliance butdoes not actively restrict access.

D. Access lists only known to the IT administrator→Incorrect

Access lists should besystem-enforced, not just "known" to the administrator.

CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.

NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.

Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.

NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.

Supporting Extracts from Official Content:

NIST SP 800-88 Rev. 1: “Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy.”

Why Option A is Correct:

“Clear, Purge, Destroy” are the exact three categories named.

Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.

References (Official CMMC v2.0 Content and Source Documents):

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

===========

Understanding the Definition of an Agreement in the CMMC-AB Code of Professional ConductTheCMMC-AB Code of Professional Conductdefines anagreementasany contract between two legal entities. This includes:

✔Contracts between an OSC and a C3PAOfor CMMC assessments.

✔Service agreements between cybersecurity providers and defense contractors.

✔Any formal, legally binding arrangement related to CMMC compliance.

A. Union → Incorrect

Auniontypically refers to anorganization representing workersand is not used to describe acontractual relationship.

B. Accord → Incorrect

While anaccordcan mean an agreement, it isnot the standard legal term for a binding contractin CMMC documentation.

C. Alliance → Incorrect

Analliancerefers to astrategic partnership, but does not necessarily imply alegally binding contract.

D. Agreement → Correct

TheCMMC-AB Code of Professional Conductdefines anagreementas anylegally binding contract between two entities.

Why is the Correct Answer "D. Agreement"?

CMMC-AB Code of Professional Conduct

Defines"Agreement"as alegally binding contract between two parties.

CMMC-AB Licensed Training and Assessment Provider Guidelines

Requires that all engagementsbe governed by a formal agreement (contract) between the parties.

DFARS and CMMC Certification Contracts

States thatOSC-C3PAO relationships must be formalized through a legal agreement.

CMMC 2.0 References Supporting This Answer:

Understanding the Concept of Security in CMMC 2.0CMMC 2.0 aligns with federal cybersecurity standards, particularlyFISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.

The question describes security measures that are proportionate to therisk of loss, misuse, unauthorized access, or modificationof information. This matches the definition of"Adequate Security."

A. Adopted security→ Incorrect

The term"adopted security"is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.

B. Adaptive security→ Incorrect

Adaptive securityrefers to adynamic cybersecurity modelwhere security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.

C. Adequate security→Correct

The term"adequate security"is defined inNIST SP 800-171, DFARS 252.204-7012, and FISMAas the level of protection that isproportional to the consequences and likelihood of a security incident.

This aligns perfectly with the definition in the question.

D. Advanced security→ Incorrect

Advanced securitytypically refers tohighly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.

FISMA (44 U.S.C. § 3552(b)(3))

Definesadequate securityas"protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."

This directly matches the question's wording.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)

Mandates that contractors apply"adequate security"to protect Controlled Unclassified Information (CUI).

NIST SP 800-171 Rev. 2, Requirement 3.1.1

States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."

CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)

Requires that organizationsapply adequate security measures in accordance with NIST SP 800-171to meet compliance standards.

Analyzing the Given OptionsOfficial References Supporting the Correct AnswerConclusionThe term"adequate security"is the correct answer because it is explicitly defined in federal cybersecurity frameworks asprotection proportional to risk and potential consequences. Thus, the verified answer is:

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on companies that knowingly misrepresent compliance in order to receive or retain federal contracts. Penalties include treble damages (three times the government’s losses) plus additional penalties per claim.

Supporting Extracts from Official Content:

False Claims Act: “Any person who knowingly submits false claims to the Government is liable for three times the Government’s damages plus a penalty.”

DOJ Cyber-Fraud Initiative (2021): confirms the FCA is applied to cases of misrepresenting compliance with cybersecurity requirements.

Why Option D is Correct:

The applicable law is the False Claims Act, not a “Cyber Claims Act” (which does not exist).

The FCA specifies treble damages plus penalties, which exactly matches Option D.

References (Official CMMC v2.0 Governance and Source Documents):

False Claims Act (31 U.S.C. §§ 3729–3733).

DOJ Cyber-Fraud Initiative (2021), applied to CMMC-related compliance misrepresentation.

===========

The Certified Third-Party Assessment Organization (C3PAO) enters into a contractual relationship with the OSC. As part of that contract, the C3PAO maintains a non-disclosure agreement (NDA) to protect sensitive and proprietary information reviewed during the assessment.

Supporting Extracts from Official Content:

CAP v2.0, Roles and Responsibilities (§2.8): “The C3PAO maintains a non-disclosure agreement with the OSC to protect all sensitive information disclosed during the assessment.”

Why Option B is Correct:

Only the C3PAO contracts directly with the OSC and is bound to protect assessment data.

NIST, The Cyber AB (formerly CMMC-AB), and OUSD A&S do not enter NDAs directly with OSCs.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Section on OSC–C3PAO agreements.

===========

Best Practices for Handling Sensitive Assessment InformationCMMC assessments involve handlingsensitive and potentially CUI-related documents. Assessors must follow strictsecurity policiesto avoid unauthorized access, data leaks, or non-compliance withCMMC 2.0 and NIST SP 800-171 requirements.

Why Logging into the Client VPN on the Client Laptop is the Best Approach:

Ensures Data Protection:The client laptop is likely configured to meet security controls required for handling assessment-related materials.

Prevents Data Spillage:Keeping all assessment-related activities within the client’s secured environment reduces the risk ofdata leakage or unauthorized storage.

Maintains Compliance with CMMC/NIST Guidelines:Using aproperly configured client laptop and secured connectionensures compliance withNIST SP 800-171 controls on secure remote access(Requirement3.13.12).

A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."

Incorrect→Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized systemviolates data handling best practices.

C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."

Incorrect→ Theassessor’s laptop may not be authorizedorsecuredto handle client data. CMMC guidelines emphasizeusing approved, secured systemsfor assessment-related information.

D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."

Incorrect→

Transferring sensitive documents via USBintroduces security risks, including unauthorized data storage and potential malware contamination.

Home office workstationsare unlikely to be authorized for handling CMMC-sensitive data.

Who Has the Final Authority Over Assessment Results?During aCMMC Level 2 assessment, theCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting and finalizing the assessment results.

Key Responsibilities of a C3PAO✅Leads the assessmentand ensures it follows the CMMC Assessment Process (CAP).

✅Validates compliancewith CMMC Level 2 requirements based onNIST SP 800-171controls.

✅Finalizes the assessment resultsand submits them to theCMMC-ABand theDoD.

✅Handles disagreementsfrom the OSC but hasfinal decision-making authorityon results.

The C3PAO has final authority over the assessment resultsafter considering all evidence and findings.

TheCMMC-AB (Option B) does not finalize assessments—it accredits C3PAOs and manages the certification ecosystem.

TheAssessment Team (Option C) supports the C3PAO but does not have final decision authority.

TheAssessment Sponsor (Option D) is a representative from the OSC and does not control the results.

Why "C3PAO" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. C3PAO

✅Correct – C3PAOs finalize and submit assessment results.

B. CMMC-AB

❌Incorrect–The CMMC-AB accredits C3PAOs but doesnot finalize results.

C. Assessment Team

❌Incorrect–They conduct the assessment, but the C3PAO makes final decisions.

D. Assessment Sponsor

❌Incorrect–This is arepresentative of the OSC, not the assessment authority.

CMMC Assessment Process Guide (CAP)– DefinesC3PAO authorityover final assessment results.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isA. C3PAO, as theC3PAO has final decision-making authority over CMMC assessment results.

Understanding C3PAO RequirementsACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.

CMMC 2.0 References Supporting This Answer:

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC AssessmentsWhen assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

Understanding CMMC Assessment MethodsTheCMMC Assessment Process (CAP)definesthree primary assessment methodsused to verify compliance with cybersecurity practices:

Examine– Reviewing documents, policies, configurations, and logs.

Interview– Engaging with subject matter experts (SMEs) to clarify processes and verify implementation.

Test– Observing technical implementations, such as system configurations and security measures.

Since the question asks for a method thatgathers information from SMEs to facilitate understanding and achieve clarification, the correct method isInterview.

Why "Interview" is Correct?✅Interviewsare specifically designed togather information from SMEsto confirm understanding and clarify security processes.

✅TheCMMC Assessment Guiderequires assessors tointerview key personnelresponsible for cybersecurity practices.

✅Examine (Option B)andTest (Option A)are also valid assessment methods, but they donot focus on gathering insights directly from SMEs.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Test

❌Incorrect–This method involvestechnical verification, not gathering SME insights.

B. Examine

❌Incorrect–This method focuses ondocument review, not SME interaction.

C. Interview

✅Correct – The method used to gather information from SMEs and achieve clarification.

D. Assessment

❌Incorrect–This is a general term,not a specific assessment method.

CMMC Assessment Process Guide (CAP)– DefinesInterviewas the method for obtaining information from SMEs.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isC. Interview, as this methodgathers insights from subject matter expertsto verify cybersecurity implementations.

Per the CMMC Assessment Process (CAP), the Assessment Team is responsible for determining the adequacy and sufficiency of evidence collected during the assessment. The team validates whether practices and components for each in-scope Host Unit, Supporting Organization, or enclave meet the target CMMC level. The OSC (Organization Seeking Certification) provides evidence, but only the Assessment Team makes the verification and scoring determination.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Interview Selection in CMMC AssessmentsDuring aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:

✅Verify that personnel understand andperform security-related practices.

✅Ensure that individuals canexplain how they implement CMMC requirements.

✅Gain insight intoactual cybersecurity operationsrather than just documented policies.

The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.

CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.

Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.

CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.

Why "Providing Clarity and Understanding" Is KeyThus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.

A. Have a security clearance.❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.

B. Be a senior person in the company.❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.

C. Demonstrate expertise on the CMMC requirements.❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.

NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.

CMMC Official ReferencesThus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.

UnderCMMC Level 2, contractors are required toidentify, document, and categorize assetsinvolved in handlingControlled Unclassified Information (CUI). This is part of thescoping process, which ensures that all security-relevant assets are properly protected and accounted for in the System Security Plan (SSP), asset inventory, and network diagram.

CMMC Scoping Requirements for Level 2 Assessments:

TheCMMC Scoping Guide(CMMC v2.0) identifies four asset categories:

CUI Assets:Systems that store, process, or transmit CUI.

Security Protection Assets (SPA):Systems providing security functions for CUI Assets (e.g., firewalls, SIEMs).

Contractor Risk Managed Assets (CRMA):Assets that interact with CUI but arenot directly controlledby the organization (e.g., personal devices).

Specialized Assets:These include IoT devices, OT systems, and Government Furnished Equipment (GFE) thatmay require specific security controls.

Where Documentation is Required:

The contractor mustdocument all assets (except out-of-scope assets)in:

The System Security Plan (SSP):A key document detailing security controls and asset categorization.

An asset inventory:Lists all in-scope assets (CUI Assets, SPAs, CRMA, and Specialized Assets).

The network diagram:Provides a visual representation of system connectivity and security boundaries.

Why Out-of-Scope Assets Are Excluded:

TheCMMC Scoping Guidespecifically states that Out-of-Scope Assets arenot required to be documentedin these compliance artifacts because they haveno direct or indirect interaction with CUI.

These assets do not require CMMC controls because they are completely isolated from CUI handling environments.

Why the Other Answer Choices Are Incorrect:

(A) GUI Assets:There is no specific "GUI Asset" category in CMMC scoping.

(B) CUI and Security Protection Asset categories:While these are included, this answerexcludesContractor Risk Managed and Specialized Assets, which are also required.

(D) Contractor Risk Managed Assets and Specialized Assets:These assetsare included in scopingbut this answer excludes CUI Assets and Security Protection Assets, making it incomplete.

Step-by-Step Breakdown:Final Validation from CMMC Documentation:According to theCMMC Assessment Scope Level 2 Guide, allin-scope assetsmust be documented in the SSP, inventory, and network diagram.The only assets excluded are Out-of-Scope Assets.

Thus, the correct answer is:

C. All asset categories except for the Out-of-Scope Assets.

Understanding the False Claims Act (FCA) and Whistleblower ProtectionsTheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

A. NIST SP 800-53❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

Why the Other Answers Are Incorrect

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

CMMC Official ReferencesThus,option C (False Claims Act) is the correct answeras per official legal guidance.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.

FCI Assets– These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).

CUI Assets– These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.

Specialized Assets– Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.

Out-of-Scope Assets– Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.

Government-Issued Assets– These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.

The question specifies that the identified assetdoes not process, store, or transmit FCI.

According to CMMC 2.0 guidelines,only assets that handle FCI or CUI are subject to security controls.

Assets that are physically located within an OSC’s facility but do not interact with FCI or CUI fall into the"Out-of-Scope Assets"category.

These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.

CMMC Scoping Guide (Nov 2021)– Definesout-of-scope assetsas those that are within an OSC’s environment but have no interaction with FCI or CUI.

CMMC 2.0 Level 1 Guide– Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.

CMMC Assessment Process (CAP) Guide– Identifies the classification of assets in an OSC’s environment to determine compliance requirements.

Asset Categories as per CMMC 2.0:Why the Correct Answer is C. Out-of-Scope Assets?Relevant CMMC 2.0 References:Final Justification:Since the assetdoes not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 isOut-of-Scope Assets (C).