Understanding the Concept of Security in CMMC 2.0CMMC 2.0 aligns with federal cybersecurity standards, particularlyFISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected.
The question describes security measures that are proportionate to therisk of loss, misuse, unauthorized access, or modificationof information. This matches the definition of"Adequate Security."
A. Adopted security→ Incorrect
The term"adopted security"is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question’s definition.
B. Adaptive security→ Incorrect
Adaptive securityrefers to adynamic cybersecurity modelwhere security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security→Correct
The term"adequate security"is defined inNIST SP 800-171, DFARS 252.204-7012, and FISMAas the level of protection that isproportional to the consequences and likelihood of a security incident.
This aligns perfectly with the definition in the question.
D. Advanced security→ Incorrect
Advanced securitytypically refers tohighly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
FISMA (44 U.S.C. § 3552(b)(3))
Definesadequate securityas"protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information."
This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Mandates that contractors apply"adequate security"to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements)
Requires that organizationsapply adequate security measures in accordance with NIST SP 800-171to meet compliance standards.
Analyzing the Given OptionsOfficial References Supporting the Correct AnswerConclusionThe term"adequate security"is the correct answer because it is explicitly defined in federal cybersecurity frameworks asprotection proportional to risk and potential consequences. Thus, the verified answer is:
