In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.
Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.
Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :
Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).
Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.
Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.
Why other options are incorrect :
Option A : While it contains Level 1 practices, it also includes Level 2 practices.
Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.
Option D : The Advanced level does not reach the requirements of Level 3.
Reference Documents :
CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.
32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.
CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.
===========
