Understanding Access Control (AC) in CMMC Advanced (Level 3)TheCMMC Advanced Level (Level 3)is designed for organizations handlinghigh-value Controlled Unclassified Information (CUI)and aligns with a subset ofNIST SP 800-172for advanced cybersecurity protections.
Access Control (AC) Practices in CMMC Level 3✅CMMC Level 1 includesbasic AC practices fromFAR 52.204-21(e.g., restricting access to authorized users).
✅CMMC Level 2 includesallAccess Control (AC) practices from NIST SP 800-171(e.g., managing privileged access).
✅CMMC Level 3 expands on Levels 1 and 2, incorporatingadditional protections from NIST SP 800-172, such as enhanced monitoring and adversary deception techniques.
CMMC Level 3 builds upon all previous levels, includingAccess Control (AC) practices from Levels 1 and 2.
Options A, B, and C are incorrectbecause Level 3 includesallprevious AC practices fromLevels 1 and 2, plus additional ones.
Why "Levels 1, 2, and 3" is Correct?Breakdown of Answer ChoicesOption
Description
Correct?
A. Level 1
❌Incorrect–Level 3 includes AC practices fromLevels 1 and 2, not just Level 1.
B. Level 3
❌Incorrect – Level 3 builds onLevels 1 and 2, not just Level 3 practices.
C. Levels 1 and 2
❌Incorrect–Level 3 containsadditionalAC practices beyond Levels 1 and 2.
D. Levels 1, 2, and 3
✅Correct – Level 3 contains all AC practices from Levels 1 and 2, plus additional ones.
CMMC Model Framework– Outlines howLevel 3 builds upon Level 1 and 2 practices.
NIST SP 800-172– Definesadvanced cybersecurity controlsrequired inCMMC Level 3.
Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Levels 1, 2, and 3, as CMMC Level 3 includesAccess Control (AC) practices from all previous levels plus additional enhancements.
Submit