ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Your company will process Controlled Unclassified Information (CUI) for a low-priority Department of Defense contract that is subject to CMMC 2.0 Level 2. Given current DoD policy, which approach to meeting the requirement is appropriate?

  • Adopt ISO/IEC 27001 controls and obtain ISO certification; this is accepted as an alternative path to satisfy CMMC Level 2 requirements.

  • Implement all NIST SP 800-171 controls and obtain a triennial C3PAO certification because every Level 2 environment must undergo third-party assessment.

  • Implement all NIST SP 800-171 controls and complete an annual self-assessment because third-party certification is required only for prioritized Level 2 contracts.

  • Implement only the 15 basic FAR 52.204-21 safeguarding practices and file a self-assessment; Level 2 permits the same baseline as Level 1.
