The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0.
This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.
Reference:
DoD CMMC 2.0 Program Overview
DFARS 252.204-7021 (CMMC Requirements)

Step 2: DoD's Cybersecurity Maturity Levels

The DoD determines the required cybersecurity maturity level for a contract based on the sensitivity of the information involved:

CMMC Level 1 – Required for organizations handling FCI (Basic Cyber Hygiene).
CMMC Level 2 – Required for organizations handling CUI (Aligned with NIST SP 800-171).
CMMC Level 3 – Required for organizations handling high-value CUI and facing Advanced Persistent Threats (APT) (Aligned with a subset of NIST SP 800-172).

Reference:
CMMC 2.0 Model Documentation
NIST SP 800-171 & 800-172 for security controls

Step 3: Why Other Answer Choices Are Incorrect

B. CISA (Incorrect): The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for national cybersecurity but does not mandate CMMC assessments.
C. NIST (Incorrect): The National Institute of Standards and Technology (NIST) provides the security framework (e.g., NIST SP 800-171) but does not enforce CMMC compliance.
D. CMMC-AB (Incorrect): The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and overseeing the CMMC ecosystem, but it does not determine which organizations require assessments.

Final Confirmation of Correct Answer:

The DoD mandates CMMC compliance for organizations handling FCI or CUI.
CMMC requirements are enforced through DFARS clauses in DoD contracts.

Thus, the correct answer is: A. DoD