CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.
Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.
These controls are categorized under14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.
Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.
TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")
This documentapplies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization")
This documentfocuses on secure data destructionand media sanitization techniques.
While data disposal is important, this standarddoes not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")
This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).
It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.
Key References for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2(NIST Official Site)
NIST SP 800-171A (Assessment Guide)(NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide(Cyber AB)
Conclusion:
SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:
✅C. NIST SP 800-171
Submit