Understanding Access Control in CMMC

Access control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

Why the Other Answers Are Incorrect

B. Physical access control

❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)

❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)

❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

CMMC Official References

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

Thus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

What Does the Practice of Professionalism Require in the CMMC Code of Professional Conduct?

TheCMMC Code of Professional Conduct (CoPC)sets ethical and professional standards forCertified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs).Professionalismrequireshonesty and integrity in all CMMC-related activities.

Step-by-Step Breakdown:

✅1. Professionalism Requires Ethical Behavior

TheCoPC states that professionalismincludes:

Acting with integrityin all assessment-related activities.

Providing truthful and objective assessmentsof cybersecurity practices.

Avoiding deceptive or misleading claimsabout assessments or compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Do not copy materials without permission to do so❌

This falls underIntellectual Property (IP) protection, notProfessionalism.

(B) Do not make assertions about assessment outcomes❌

Assessorsmustprovide findings based on evidence. The rule is aboutnot making false or misleading claims, not about avoiding assertions altogether.

(D) Ensure the security of all information discovered or received❌

This falls underConfidentiality, notProfessionalism.

Final Validation from CMMC Documentation:

TheCMMC Code of Professional Conduct (CoPC)definesProfessionalism as requiring honesty and integrityin allCMMC-related activities.

Thus, the correct answer is:

✅C. Refrain from dishonesty in all dealings regarding CMMC.

Understanding the Role of the DoD CIO Office in CMMC

TheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

Why "B. DoD CIO Office" is Correct?

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

Why Other Answers Are Incorrect?

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

Conclusion

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

Understanding the Assessment Results Package Submission

After completing aCMMC Level 2 Assessment, theCertified Third-Party Assessment Organization (C3PAO)mustsubmit the final assessment results packageto theEnterprise Mission Assurance Support Service (eMASS)system.

Key Required Document: Final Report

TheFinal Reportis themandatory documentthatcontains all assessment details, findings, and scoring.

It serves as theofficial record of the assessmentanddetermines certification eligibility.

Why is the Correct Answer "Final Report" (A)?

A. Final Report → Correct

TheFinal Report is requiredin the submission package todocument assessment results officially.

It includes asummary of findings, scoring, and recommendations.

B. Certification rating → Incorrect

The C3PAO does not issue certification ratings—theDoDandCMMC-ABdetermine certification status after reviewing the Final Report.

C. Summary-level findings → Incorrect

While the Final Reportincludessummary findings, astandalone summary-level findings document is not a required upload.

D. All Daily Checkpoint logs → Incorrect

Checkpoint logsare part of the internal assessment process butare not required in the final eMASS submission.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies that theFinal Report must be submitted to eMASSafter a Level 2 assessment.

CMMC-AB Guidelines for C3PAOs

States that theFinal Report is the key document used to determine certification status.

DFARS 252.204-7021 (CMMC Requirements Clause)

Requires the assessment results to be documented in an official report and submitted via eMASS.

Final Answer:

✔A. Final Report

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-Assessment

CMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

Official CMMC 2.0 Documentation References

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

Breakdown of Answer Choices

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Conclusion

Thecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

Reference Documents for Further Reading

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

The core protection principle for OSC-provided assessment information (including PCI/CUI, assessment workpapers/notes, and the assessment results package ) is confidentiality / non-disclosure . The CMMC rules require assessors not to disclose OSC information outside the assessment participants, except as required by law. For example, CMMC assessor requirements include not sharing information about an OSC obtained during pre-assessment and assessment activities with anyone not involved in that specific assessment .

For retention, the authoritative requirement in the CMMC Program rule (32 CFR Part 170) is that assessment-related records are maintained for six (6) years , unless disposition is otherwise authorized by the CMMC PMO. This record set includes assessment materials and working papers generated during Level 2 certification assessments, and it also includes contractual agreements.

Important correction to the multiple-choice options: none of the answers list the official six-year retention period. The best available option is therefore B because it correctly captures the required confidentiality/non-disclosure principle—but the “ 3 years ” duration in the option does not match the official CMMC v2.0 retention requirement (which is 6 years ).

===========

Understanding C3PAO Requirements

ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:

✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.