DOMAIN 3 CMMC Governance & Source Documents | Questions & Answers (100% Score) Latest Updated 2024/2025 Comprehensive Questions A+ Graded Answers | 100% Pass
What does Task 1 include? - ✔✔Demonstrate understanding of Federal Contract Information (FCI) and
Controlled Unclassified Information (CUI) in non-federal unclassified networks.
What does LRP stand for? - ✔✔Legal, Regulatory and Policy Drivers
What are LRP Drivers? - ✔✔The legal foundations and the resulting regulations and policies governing protection of sensitive information. Examples:
- Chapter 1 of Title 48 of the Code of Federal Regulations (the FAR)
- Defense Federal Acquisition Regulation Supplement (DFARS)
What is Chapter 1 of Title 48 of the Code of Federal Regulations also known as? - ✔✔The FAR (Federal Acquisition Regulation), commonly cited as 48 CFR; agency supplements such as the DFARS sit in later chapters of Title 48
What does the FAR provide? - ✔✔Uniform policies and procedures for acquisitions that apply to all Executive Branch departments and agencies
What is the Defense Federal Acquisition Regulation Supplement (DFARS)? - ✔✔- A supplement to the FAR
- Includes policies and procedures that apply only to the DoD
What does the Federal Information Security Management Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, require? - ✔✔Requires federal agencies to protect the sensitive information they hold (such as FCI) and the information systems that process it
What is FAR 52.204-21 (48 CFR § 52.204-21)? - ✔✔- The contract clause "Basic Safeguarding of Covered Contractor Information Systems"
- Explains how contractors must protect FCI on their own systems
What does FAR 52.204-21 cover? - ✔✔- Definitions needed to understand the clause (e.g., FCI, covered contractor information system)
- Responsibilities when delegating work to a subcontractor (flow-down of the clause)
- Requirements and procedures contractors must follow to protect FCI, including the 15 basic safeguarding requirements they must implement (this is the source of the practices for CMMC Level 1)
What did Executive Order 13556, Controlled Unclassified Information (EO 13556), do? - ✔✔- Established the CUI program and standardized the handling of unclassified information that laws, regulations, or government-wide policies require to be protected
- CUI is subject to the laws governing FCI as well as those written specifically for CUI
What does 32 CFR Part 2002 do? - ✔✔- Implements EO 13556 and explains how to comply with it
- Creates the overall requirements, governance, and management of CUI
- Names NARA as the CUI Executive Agent that oversees CUI policy
- NARA delegates that role to its Information Security Oversight Office (ISOO), which publishes CUI Notices (ISOO itself predates 32 CFR Part 2002)
National Archives & Records Administration (NARA) Information Security Oversight Office (ISOO) CUI Notices - ✔✔- CUI Notices are issued by the CUI Executive Agent and are treated as federal policy
- The policies stipulate that CUI held on non-federal systems must be protected in accordance with:
o NIST SP 800-171 (security requirements)
o NIST SP 800-171A (assessment procedures for those requirements)
o NIST SP 800-172 (enhanced requirements for high-value CUI and critical programs)
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting - ✔✔- Requires implementation of NIST SP 800-171, documented in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M)
- Also requires reporting cyber incidents affecting covered defense information to DoD
- Compliance under this clause alone is by self-attestation; no third-party assessment is required