The correct document is a Non-Disclosure Agreement (NDA), because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0, NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.
CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”
This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.
While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer, consistent with CMMC v2.0 official process documentation, is D (Non-disclosure agreement).