CMMC CCP Study Terms | Questions & Answers (100 %Score) Latest Updated 2024/2025
Comprehensive Questions A+ Graded Answers | 100% Pass
AC - ✔✔Access control
AT - ✔✔Awareness and training
AU - ✔✔Audit and accountability
CM - ✔✔Configuration management
IA - ✔✔Identification and authentication
IR - ✔✔Incident response
MA - ✔✔Maintenance
MP - ✔✔Media protection
PS - ✔✔Personnel security
PE - ✔✔Physical protection
RA - ✔✔Risk assessment
CA - ✔✔Security assessment
SC - ✔✔System and communications protection
,SI - ✔✔System and information integrity
What are FCI Assets in L1 Scoping? - ✔✔Federal Contract Information (FCI) Assets process, store, or
transmit FCI as follows:
• Process - FCI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or
printed).
• Store - FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component
memory, or in physical format such as paper documents).
• Transmit - FCI is being transferred from one asset to another asset (e.g., data in transit using physical
or digital transport methods).
FCI Assets are part of the CMMC Self-Assessment Scope and are assessed against applicable CMMC
practices.
What are Out-of-Scope Assets in L1 Scoping? - ✔✔Out-of-Scope Assets do not process, store, or
transmit FCI. Out-of-Scope Assets are outside of the CMMC Self-Assessment Scope and should not be
part of the CMMC self-assessment. These assets are out of scope when evaluating their conformity with
applicable CMMC practices. There are no documentation requirements for Out-of-Scope Assets.
Specialized assets, as discussed in the next section, are out of scope for a Level 1 Self-Assessment.
What are Specialized Assets in L1 Scoping? - ✔✔The following are considered specialized assets for a
CMMC Level 1 self-assessment when properly documented.
•
Internet of Things (IoT) or Industrial Internet of Things (IIoT) are interconnected devices having physical
or virtual representation in the digital world, sensing/actuation capability, and programmability
features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air
conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of
Standards and Technology (NIST) 800-183].
• Government Property is all property owned or leased by the government. Government property
includes both government-furnished and contractor-acquired property. Government property includes
material, equipment, special tooling, special test equipment, and real property. Government property
does not include intellectual property or software [Reference: Federal Acquisition Regulation (FAR)
52.245-1].
Identifying the CMMC Self-Assessment Scope
CMMC Self-Assessment Scope - Level 1 | Version 2.0 2
•
, Operational Technology (OT)1 is used in manufacturing systems, industrial control systems (ICS), or
supervisory control and data acquisition (SCADA) systems. OT may include programmable logic
controllers (PLCs), computerized numerical control (CNC) devices, machine controllers, fabricators,
assemblers, and machining.
•
Restricted Information Systems can include systems (and associated IT components comprising the
system) that are configured based entirely on government requirements (i.e., connected to something
that was required to support a functional requirement) and are used to support a contract (e.g., fielded
systems, obsolete systems, and product deliverable replicas).
• Test Equipment can include hardware and/or associated IT components used in the testing of
products,
What Additional Guidance on Level 1 Scoping Activities need to be reviewed? - ✔✔• People -
Employees, contractors, vendors, and external service provider personnel
• Technology - Servers, client computers, mobile devices, network appliances (e.g., firewalls, switches,
APs, and routers), VoIP devices, applications, virtual machines, and database systems
• Facilities - Physical office locations, satellite offices, server rooms, datacenters, manufacturing plants,
and secured rooms
• External Service Provider (ESP) - External people, technology, or facilities that the organization uses,
including cloud services, co-located data centers, hosting providers, and managed security service
providers.
Assets that process, store, or transmit FCI are considered in the self-assessment scope. Using the asset
types approach allows a contractor to determine and iterate on how they will satisfy the CMMC Level 1
practices. Because FCI is a broad category of information, the contractor will likely focus the self-
assessment on their entire environment.
OSC Assessment Official - ✔✔The most senior representative of an Organization Seeking Certification
who is directly and actively responsible for leading and managing the OSC's engagement in the
Assessment and who possesses decision-making authority for the OSC with regard to the CMMC
Assessment. The OSC Assessment Official must be an employee of the organization that is being
assessed.
OSC Point of Contact (OSC POC) - ✔✔The individual within the OSC who provides daily coordination and
liaison support between the OSC and the Assessment Team. The OSC POC does not necessarily have to
be an employee of the organization that is being assessed, but rather could be a contractor, consultant,
or advisor like a CMMC Registered Practitioner (RP).
Comprehensive Questions A+ Graded Answers | 100% Pass
AC - ✔✔Access control
AT - ✔✔Awareness and training
AU - ✔✔Audit and accountability
CM - ✔✔Configuration management
IA - ✔✔Identification and authentication
IR - ✔✔Incident response
MA - ✔✔Maintenance
MP - ✔✔Media protection
PS - ✔✔Personnel security
PE - ✔✔Physical protection
RA - ✔✔Risk assessment
CA - ✔✔Security assessment
SC - ✔✔System and communications protection
,SI - ✔✔System and information integrity
What are FCI Assets in L1 Scoping? - ✔✔Federal Contract Information (FCI) Assets process, store, or
transmit FCI as follows:
• Process - FCI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or
printed).
• Store - FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component
memory, or in physical format such as paper documents).
• Transmit - FCI is being transferred from one asset to another asset (e.g., data in transit using physical
or digital transport methods).
FCI Assets are part of the CMMC Self-Assessment Scope and are assessed against applicable CMMC
practices.
What are Out-of-Scope Assets in L1 Scoping? - ✔✔Out-of-Scope Assets do not process, store, or
transmit FCI. Out-of-Scope Assets are outside of the CMMC Self-Assessment Scope and should not be
part of the CMMC self-assessment. These assets are out of scope when evaluating their conformity with
applicable CMMC practices. There are no documentation requirements for Out-of-Scope Assets.
Specialized assets, as discussed in the next section, are out of scope for a Level 1 Self-Assessment.
What are Specialized Assets in L1 Scoping? - ✔✔The following are considered specialized assets for a
CMMC Level 1 self-assessment when properly documented.
•
Internet of Things (IoT) or Industrial Internet of Things (IIoT) are interconnected devices having physical
or virtual representation in the digital world, sensing/actuation capability, and programmability
features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air
conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of
Standards and Technology (NIST) 800-183].
• Government Property is all property owned or leased by the government. Government property
includes both government-furnished and contractor-acquired property. Government property includes
material, equipment, special tooling, special test equipment, and real property. Government property
does not include intellectual property or software [Reference: Federal Acquisition Regulation (FAR)
52.245-1].
Identifying the CMMC Self-Assessment Scope
CMMC Self-Assessment Scope - Level 1 | Version 2.0 2
•
, Operational Technology (OT)1 is used in manufacturing systems, industrial control systems (ICS), or
supervisory control and data acquisition (SCADA) systems. OT may include programmable logic
controllers (PLCs), computerized numerical control (CNC) devices, machine controllers, fabricators,
assemblers, and machining.
•
Restricted Information Systems can include systems (and associated IT components comprising the
system) that are configured based entirely on government requirements (i.e., connected to something
that was required to support a functional requirement) and are used to support a contract (e.g., fielded
systems, obsolete systems, and product deliverable replicas).
• Test Equipment can include hardware and/or associated IT components used in the testing of
products,
What Additional Guidance on Level 1 Scoping Activities need to be reviewed? - ✔✔• People -
Employees, contractors, vendors, and external service provider personnel
• Technology - Servers, client computers, mobile devices, network appliances (e.g., firewalls, switches,
APs, and routers), VoIP devices, applications, virtual machines, and database systems
• Facilities - Physical office locations, satellite offices, server rooms, datacenters, manufacturing plants,
and secured rooms
• External Service Provider (ESP) - External people, technology, or facilities that the organization uses,
including cloud services, co-located data centers, hosting providers, and managed security service
providers.
Assets that process, store, or transmit FCI are considered in the self-assessment scope. Using the asset
types approach allows a contractor to determine and iterate on how they will satisfy the CMMC Level 1
practices. Because FCI is a broad category of information, the contractor will likely focus the self-
assessment on their entire environment.
OSC Assessment Official - ✔✔The most senior representative of an Organization Seeking Certification
who is directly and actively responsible for leading and managing the OSC's engagement in the
Assessment and who possesses decision-making authority for the OSC with regard to the CMMC
Assessment. The OSC Assessment Official must be an employee of the organization that is being
assessed.
OSC Point of Contact (OSC POC) - ✔✔The individual within the OSC who provides daily coordination and
liaison support between the OSC and the Assessment Team. The OSC POC does not necessarily have to
be an employee of the organization that is being assessed, but rather could be a contractor, consultant,
or advisor like a CMMC Registered Practitioner (RP).
