Step 1: Understand the “CA” Domain – Security Assessment
The CA (Security Assessment) domain includes practices related to:
Planning security assessments,
Performing periodic reviews,
Managing plans of action and milestones (POA&Ms).
These practices derive from NIST SP 800-171, specifically:
CA.2.157 – Develop, document, and periodically update system security plans,
CA.2.158 – Periodically assess security controls,
CA.2.159 – Develop and implement POA&Ms.
✅ Step 2: Review CMMC Levels
Level 1 (Foundational):
Implements only the 17 practices from FAR 52.204-21
Does not include the CA domain
Level 2 (Advanced):
Implements the 110 practices from NIST SP 800-171, including CA.2.157–CA.2.159
First level where Security Assessment (CA) practices are required
Level 3:
Not yet finalized, but intended to include selected controls from NIST SP 800-172
❌ Why the Other Options Are Incorrect
A. Level 1 ✘ No CA domain practices are present at Level 1.
C. Level 3 / D. Level 4 ✘ These levels include and build on the CA practices, but they are not the starting point; the practices are already required one level lower.
The Security Assessment (CA) domain practices begin at CMMC Level 2, as part of the implementation of NIST SP 800-171.