CMMC Level 2 Assessment Methods

CMMC Level 2 assessments focus on verifying compliance with NIST SP 800-171 requirements. The CMMC Assessment Process (CAP) Document specifies that assessments at this level include:

Examination – Reviewing documents, mechanisms, and activities.
Interview – Speaking with personnel to validate implementation.
Testing – Observing and verifying security controls in action.
What Does "Examination" Include?

According to the CMMC Assessment Methodology, examination involves reviewing:

✅ Documents (policies, procedures, security plans)
✅ Mechanisms (security controls, authentication systems)
✅ Activities (backup operations, network monitoring, security training)

Since examination includes reviewing documents, mechanisms, and activities, the correct answer is A.
Why the Other Answers Are Incorrect

B. Specific hardware, software, or firmware safeguards employed within a system. ❌ Incorrect. While safeguards may be examined, CMMC does not limit examination to only hardware, software, or firmware. The definition is broader.
C. Policies, procedures, security plans, penetration tests, and security requirements. ❌ Incorrect. While some of these items are examined, penetration tests are not required in a CMMC Level 2 assessment.
D. Observation of system backup operations, exercising a contingency plan, and monitoring network traffic. ❌ Incorrect. These activities fall under testing and interviews, not just examination.

CMMC Official References

CMMC Assessment Process (CAP) Document – Defines "examination" as reviewing documents, mechanisms, and activities.

Thus, option A (documents, mechanisms, or activities) is the correct answer, as it aligns with CMMC Level 2 assessment methodology.