CMMC Governance and Source Documents for CCP
This page covers the CMMC Governance and Source Documents domain of the CCP certification. Master Cybersecurity offers 20 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which authority leads the CMMC direction, standards, best practices, and knowledge framework for how to map the controls and processes across different Levels that range from basic cyber hygiene to advanced cyber practices?
- A. NIST
- B. DoD CIO office
- C. Federal CIO office
- D. Defense Federal Acquisition Regulation Council
Explanation
The correct answer is: B. DoD CIO office.
Under CMMC 2.0, the DoD Chief Information Officer's office is the Office of Primary Responsibility for the CMMC program — setting direction, standards, best practices, and the knowledge framework that maps controls and processes across the three levels. CMMC oversight transitioned from OUSD A&S (Acquisition and Sustainment) to the DoD CIO during the CMMC 2.0 reorganization announced in late 2021. NIST authors the underlying control catalogs (SP 800-171, SP 800-172) but does not lead CMMC program governance. The Federal CIO's office sets government-wide IT policy but is not specific to DoD's CMMC. The Defense Federal Acquisition Regulation Council issues the DFARS clauses that pull CMMC into DoD contracts but does not own the framework's content. The CMMC framework's substantive direction sits with the DoD CIO.
Question 2
What is DFARS clause 252.204-7012 required for?
- A. All DoD solicitations and contracts
- B. Solicitations and contracts that use FAR part 12 procedures
- C. Procurements solely for the acquisition of commercial off-the-shelf
- D. Commercial off-the-shelf sold in the marketplace without modifications
Explanation
The correct answer is: A. All DoD solicitations and contracts.
DFARS clause 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is required to be included in essentially all DoD solicitations and contracts — including those that use FAR Part 12 commercial-item procedures — with the narrow exception of contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. The clause imposes two main obligations: implement NIST SP 800-171 to safeguard Covered Defense Information (a superset that includes CUI) and report cyber incidents to DoD via DIBNet within 72 hours. The broad applicability is intentional: DoD wants the safeguarding-and-reporting baseline to flow to virtually every supplier touching covered information. The COTS-only carve-out exists because COTS items by definition are sold to the general public unmodified and don't involve the contractor handling government-controlled information. Among the offered options, 'all DoD solicitations and contracts' is the closest characterization of the clause's scope.
Question 3
What is the BEST description of the purpose of FAR clause 52.204-21?
- A. It directs all covered contractors to install the cyber security systems listed in that clause.
- B. It describes all of the safeguards that contractors must take to secure covered contractor IS.
- C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.
- D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.
Explanation
The correct answer is: C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.
FAR 52.204-21, 'Basic Safeguarding of Covered Contractor Information Systems,' establishes a minimum standard of care that contractors must meet to protect Federal Contract Information on their information systems. The clause lists 15 basic safeguarding requirements covering access control, identification, media disposal, physical protection, communications protection, and malicious-code defense. The framing as a 'minimum standard' is deliberate: the clause does not direct contractors to install specific products or list every safeguard required for sensitive information — it sets a floor that all FCI-handling contractors must clear. It also does not mandate CMMC certification (that is the role of DFARS 252.204-7021). And it does not 'describe all of the safeguards' a contractor needs — contractors may need additional protections depending on the information they handle. The clause is the FCI baseline, not a comprehensive prescription.
Question 4
Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?
- A. FAR 52.204-21
- B. 22 CFR 120-130
- C. DFARS 252.204-7011
- D. DFARS 252.204-7021
Explanation
The correct answer is: A. FAR 52.204-21.
FAR 52.204-21, 'Basic Safeguarding of Covered Contractor Information Systems,' is the federal acquisition regulation clause that establishes 15 minimum safeguarding requirements for any contractor handling Federal Contract Information. CMMC Level 1 (Foundational) maps directly to these 15 requirements, and Level 1 is conducted as a self-assessment under the CMMC 2.0 framework. The other options reference different artifacts: 22 CFR 120-130 is the International Traffic in Arms Regulations (ITAR), unrelated to FCI safeguarding; DFARS 252.204-7011 is the Alternative Line Item Structure clause and has nothing to do with cybersecurity; DFARS 252.204-7021 is the CMMC requirement clause that calls out which CMMC level a contract requires — it does not itself contain the basic safeguarding requirements. Only FAR 52.204-21 provides the L1 self-assessment baseline.
Question 5
Which regulation allows for whistleblowers to sue on behalf of the federal government?
- A. NIST SP 800-53
- B. NIST SP 800-171
- C. False Claims Act
- D. Code of Professional Conduct
Explanation
The correct answer is: C. False Claims Act.
The False Claims Act (FCA), codified at 31 U.S.C. §§ 3729-3733, contains the qui tam provisions that allow private citizens (called relators) to file lawsuits on behalf of the United States government against contractors who knowingly submit false claims for federal funds. Successful relators may receive a percentage of the recovered damages. In a CMMC context, an OSC that misrepresents its certification status — for example, falsely attesting to NIST SP 800-171 implementation while bidding on a DoD contract — exposes itself to FCA liability, and a current or former employee with direct knowledge of the misrepresentation could file a qui tam action. NIST SP 800-53 and 800-171 are control catalogs, not statutes that grant private rights of action. The Code of Professional Conduct governs CMMC ecosystem ethics but does not provide a statutory whistleblower mechanism.
Other CCP domains
- CMMC Assessment Process (CAP) (69 questions)
- CMMC Model Construct and Implementation Evaluation (46 questions)
- Scoping (21 questions)