The director of cybersecurity is considering which company offices and data centers store FCI to ensure an accurate scope for their CMMC Level 1 Self-Assessment . Which asset type is the director considering?
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
The practices in CMMC Level 2 consist of the security requirements specified in:
Who makes the final determination of the assessment method used for each practice?
In CMMC High-Level scoping, which definition BEST describes an HQ organization?
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
The Advanced Level in CMMC will contain Access Control (AC) practices from:
During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?
SI.L2-3.14.7: Identify unauthorized use of organizational systems is being assessed using two assessment objectives. The assessment objectives are to determine if authorized use of the system is defined and to determine if unauthorized use of the system is identified. What is the BEST evidence for this practice?
TESTED 19 Jul 2026