Which standard and regulation requirements are the CMMC Model 2.0 based on?
Correct Answer: A
Reference and Breakdown:

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is primarily based on two key National Institute of Standards and Technology (NIST) Special Publications:

NIST SP 800-171 - "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations"
NIST SP 800-172 - "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

NIST SP 800-171
This document is the core foundation of CMMC 2.0 and establishes the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. The 110 security controls from NIST SP 800-171 Rev. 2 are mapped directly to CMMC Level 2.

NIST SP 800-172
This supplement includes enhanced security requirements for organizations handling high-value CUI that faces advanced persistent threats (APTs). These enhanced requirements apply to CMMC Level 3 under the 2.0 model.

Eliminating Incorrect Answer Choices:

B). DFARS, FIPS 100, and NIST SP 800-171: Incorrect
While DFARS 252.204-7012 mandates compliance with NIST SP 800-171, FIPS 100 does not exist as a relevant cybersecurity standard.

C). DFARS, NIST, and Carnegie Mellon University: Incorrect
CMMC is aligned with DFARS and NIST but is not developed or directly influenced by Carnegie Mellon University.

D). DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University: Incorrect
Again, FIPS 100 is not relevant, and Carnegie Mellon University is not a defining entity in the CMMC framework.

Official CMMC 2.0 References Supporting the Answer:

CMMC 2.0 Scoping Guide (2023) confirms that CMMC Level 2 is entirely based on NIST SP 800-171.
CMMC 2.0 Level 3 Draft Documentation explicitly references NIST SP 800-172 for enhanced security requirements.
DoD Interim Rule (DFARS 252.204-7021) mandates that organizations meet NIST SP 800-171 for CUI protection.

Final Conclusion:
The CMMC 2.0 model is derived solely from NIST SP 800-171 and NIST SP 800-172, making Answer A the only correct choice.