ACertified CMMC Professional (CCP)advising anOrganization Seeking Certification (OSC)must ensure thatFederal Contract Information (FCI)andControlled Unclassified Information (CUI)are properly documented within required security documents.

Step-by-Step Breakdown:✅1. System Security Plan (SSP)

CMMC Level 2requires anSSPto documenthow CUI is protected, including:

Security controlsimplemented

Asset categorization(CUI Assets, Security Protection Assets, etc.)

Policies and proceduresfor handling CUI

✅2. Asset Inventory

Anasset inventorylistsall relevant IT systems, applications, and hardwarethat store, process, or transmitCUI or FCI.

TheCMMC Scoping Guiderequires OSCs to identifyCUI-relevant assetsas part of their compliance.

✅3. Network Diagram

Anetwork diagramvisually representshow data flows across systems, showing:

WhereCUI is transmitted and stored

Security boundaries protectingCUI Assets

Connectivity betweenCUI Assets and Security Protection Assets

✅4. Why the Other Answer Choices Are Incorrect:

(B) Within the hardware inventory, data flow diagram, and in the network diagram❌

While adata flow diagramis useful,hardware inventory alone is insufficientto document CUI.

(C) Within the asset inventory, in the proposal response, and in the network diagram❌

Aproposal responseis not a required document for CMMC assessments.

(D) In the network diagram, in the SSP, within the base inventory, and in the proposal response❌

Base inventoryis not a specific CMMC documentation requirement.

TheCMMC Assessment Guideconfirms that FCI and CUI must be documented in:

The SSP

The asset inventory

The network diagram

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅A. "In the SSP, within the asset inventory, and in the network diagram."