Last updated: May 15, 2026
Example Training Quiz: CMMC/NIST Compliant Enclave
For Training Administrators
This is an example quiz designed for institutions running a secure research enclave that handles Controlled Unclassified Information (CUI). These questions can be imported into your institution's LMS or CMS (Canvas, Blackboard, Moodle, etc.) for formal security awareness training. Adapt questions to reflect your organization's specific policies, CUI categories, and enclave configuration.
Compliance context: Under NIST SP 800-171 Rev 2 (controls 3.2.1 through 3.2.3) and CMMC Level 2 (practices AT.L2-3.2.1 through AT.L2-3.2.3), organizations handling CUI must deliver documented security awareness training, verify comprehension, and provide insider threat recognition training. A graded quiz with timestamps satisfies the comprehension verification requirement that CMMC assessors will request.
Governing references:
NIST SP 800-171 Rev 2: Protecting CUI in Nonfederal Systems
DoDI 5200.48: Controlled Unclassified Information
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
32 CFR Part 2002: CUI Federal Regulation
Question 1
What is Controlled Unclassified Information (CUI)?
Question 2
Which marking is required at the top and bottom of every page of a document containing CUI?
Question 3
Who is responsible for applying CUI markings and dissemination instructions to a document?
Question 4
You receive a dataset from a collaborator that was generated under a DoD-funded project. It has no CUI marking. What should you do?
Question 5
What level of confidentiality impact is required for systems that process CUI?
Question 6
NIST SP 800-171 Control 3.5.3 requires multi-factor authentication. Which of the following is a valid multi-factor combination?
Question 7
NIST SP 800-171 Control 3.1.10 requires session locks after a period of inactivity. What is the best practice when you finish working in a CUI enclave?
Question 8
NIST SP 800-171 Control 3.1.3 requires controlling the flow of CUI. Which of the following is an approved method for transferring CUI into a secure enclave?
Question 9
Before sharing CUI with another user, what must you verify to comply with NIST SP 800-171 Control 3.1.2?
Question 10
NIST SP 800-171 Control 3.4.1 requires organizations to maintain baseline configurations. How does this apply to virtual machines in a CUI enclave?
Question 11
Which of the following is a potential indicator of an insider threat under NIST SP 800-171 Control 3.2.3?
Question 12
You receive an email that appears to be from your system administrator asking you to send your credentials 'for a required system upgrade.' What should you do?
Question 13
Under DFARS 252.204-7012, how quickly must a cyber incident involving covered defense information be reported to the Department of Defense?
Question 14
What constitutes a reportable security incident under NIST SP 800-171 and DFARS 252.204-7012?
Question 15
Which of the following best describes your personal responsibility for protecting CUI in a CMMC Level 2 compliant environment?
Pass: Strong understanding of CUI handling and enclave security.
11 to 13 correct: Conditional pass. Review the questions you missed and retake within 30 days.
10 or fewer: Retake required. Complete the training modules and retake the quiz.
Integrating This Quiz Into Your LMS
Import these questions into your institution's LMS (Canvas, Blackboard, Moodle, etc.) to track completion and generate compliance evidence. During a CMMC Level 2 assessment, assessors will verify that:
Training was delivered to all personnel with CUI access (AT.L2-3.2.1, AT.L2-3.2.2)
Comprehension was verified through testing. A graded quiz with timestamps satisfies this requirement.
Insider threat awareness was specifically covered (AT.L2-3.2.3)
Recommended cadence: Administer upon initial onboarding, annually thereafter, and whenever there is a significant change to enclave policies or CUI handling procedures.
Customization guidance: Add questions specific to your CUI categories (for example, ITAR, CTI, or Export Controlled) and your organization's incident reporting chain.