Pass the Cyber AB CMMC CMMC-CCP Questions and answers with ValidTests

Who Should Be Interviewed During a CMMC Assessment?During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:

✅Implementsthe practice (directly responsible for executing it).

✅Performsthe practice (carries out day-to-day security operations).

✅Supportsthe practice (provides necessary resources or oversight).

Theassessor needs direct insightsfrom individuals actively involved in the practice.

Funding (Option A)does not providetechnical or operationalinsight into practice execution.

Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.

Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.

Why "Implements, Performs, or Supports That Practice" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Funds that practice.

❌Incorrect–Funding is important but doesnot mean direct involvement.

B. Audits that practice.

❌Incorrect–Auditors check compliance but donot implementpractices.

C. Supports, audits, and performs that practice.

❌Incorrect–Auditing isnot a requirementfor interviewees.

D. Implements, performs, or supports that practice.

✅Correct – The interviewee must have direct involvement in execution.

CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.

Step 1: Understand the “CA” Domain – Security AssessmentTheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA&Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA&Ms.

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

✅Step 2: Review CMMC Levels

A. Level 1✘ No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4✘ These levels build on CA practices but do not represent thestarting point.

❌Why the Other Options Are Incorrect

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

Understanding Evidence Sufficiency in CMMC Level 2 AssessmentsDuring aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Why Option B (Sufficiency) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

Understanding Policy Validation in CMMC AssessmentsDuring a CMMC assessment, policies must be evaluated based on:

Who has the authority to approve and enforce them

Whether they are current and implemented effectively

The validity of a policydoes not solely depend on the signatorybut rather onhow the organization assigns authority for policy creation, approval, and enforcement.

Some organizations assignauthority to a specific person, meaning anew signatory may be requiredwhen leadership changes.

Others assign authority to aposition/title(e.g., CISO, IT Director), in which casea new signature may not be requiredas long as the role remains responsible for policy enforcement.

The assessment teammust review the organization's policy management processto determine if the policy remains valid despite leadership turnover.

Key Considerations in Policy Validation:Thus,the correct answer is B, as additional research is needed to confirm whether the organization's policy is tied to the individual or the position.

A. The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.❌Incorrect. This assumes thatauthority is always tied to a person, which is not always the case. Some organizations delegate authorityto a position, not an individual.

C. The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.❌Incorrect. While implementation is crucial,the authority behind the policy must also be validatedper CMMC documentation requirements.

D. The authority to implement and enforce lies with the position, not the person. As long as that position's authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.❌Incorrect. This assumes thatauthority is always assigned to a position, which is not universally true. More research is required to confirm this.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Outlines the importance of verifying the authority and enforcement of policies.

NIST SP 800-171 (3.12.1 - Security Policies and Procedures)– Requires that policies be maintained and enforced by appropriate personnel.

CMMC Official ReferencesThus,option B (More research on the company policy is needed) is the correct answer, as per official CMMC policy validation guidance.

In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.

Understanding IA.L2-3.5.3: Multifactor Authentication (MFA) RequirementTheIA.L2-3.5.3practice, derived fromNIST SP 800-171 (Requirement 3.5.3), requires thatmultifactor authentication (MFA) be implemented for both privileged and standard userswhen accessing:

✔Organizational endpoints(e.g., laptops, desktops, mobile devices).

✔Network resources(e.g., VPNs, internal systems).

✔Cloud services containing Controlled Unclassified Information (CUI).

Key Requirement for a "MET" RatingFor IA.L2-3.5.3 to beMet, the organization must:

Require MFA for all privileged users(e.g., system administrators).

Require MFA for standard users accessing endpoints and network resources.

Implement MFA across all relevant systems.

Sincestandard users do not require MFA in the OSC’s current implementation, the practiceis not fully implementedand must be ratedNOT MET.

A. The process is running correctly → Incorrect

MFA isonly applied to privileged users, but it isalso required for standard users. The process isnot fully implemented.

B. It is out of scope as this is a new acquisition → Incorrect

New acquisitionsmust still meet MFA requirementsif they handle CUI or network access.

C. The new acquisition is considered Specialized Assets → Incorrect

Specialized assets (e.g., IoT, legacy systems) may have alternative security controls, but standard users and endpointsmust still comply with MFA.

D. Practice is NOT MET since the objective was not implemented → Correct

MFA must be enabled for both privileged and standard usersaccessing endpoints and network resources. Since standard users are excluded, the practice isNOT MET.

Why is the Correct Answer "D" (Practice is NOT MET since the objective was not implemented)?

CMMC 2.0 Level 2 (Advanced) Requirements

Specifies thatMFA must be applied to all users accessing CUI and network resources.

NIST SP 800-171 (Requirement 3.5.3 – MFA Implementation)

Requires MFA forall user types, including privileged and standard users.

CMMC Assessment Process (CAP) Document

States that a practicemust be fully implemented to be considered MET. Partial implementation meansNOT MET.

CMMC 2.0 References Supporting This Answer:

When preparing forCMMC compliance, organizations must ensure that theirnetwork configurations align with required cybersecurity controls. Ifnetwork administratorsdisagree on certain configurations, the mostobjective and accurateway to resolve the disagreement is by referencingofficial CMMC guidanceandNIST SP 800-171 requirements, which form the foundation of CMMC Level 2.

CMMC Assessment Guides as the Primary Reference

TheCMMC Assessment Guides (Level 1 & Level 2)provide clearinterpretationsof security practices.

Theyexplain how each practice should be implemented and assessedduring certification.

NIST SP 800-171 as the Compliance Baseline

CMMC Level 2is based directly onNIST SP 800-171, which outlines the110 security controlsrequired for protectingControlled Unclassified Information (CUI).

Network configurations must complywith NIST-defined security requirements, including:

Access Control (AC) – Ensuring least privilege principles.

Audit and Accountability (AU) – Logging and monitoring network activity.

System and Communications Protection (SC) – Secure network design and encryption.

Why the Other Answer Choices Are Incorrect:

(A) Consult with the CEO of the company:

ACEO is not necessarily a cybersecurity expertand may not be familiar with CMMC technical requirements.

Technical compliance decisions should be based onCMMC and NISTframeworks, not executive opinions.

(C) Go with the network administrator's ideas with the least stringent controls:

Choosingless stringent controls increases security riskand could lead toCMMC non-compliance.

(D) Go with the network administrator's ideas with the most stringent controls:

While security is important,more stringent controlsmay introduceoperational inefficienciesorunnecessary coststhat are not required for compliance.

The correct approach is to implement what is required by CMMC and NIST SP 800-171, no more and no less.

TheCMMC Assessment GuidesandNIST SP 800-171 Rev. 2areofficial sourcesthat provide the most reliable guidance on compliance.

CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.

Step-by-Step Breakdown:Final Validation from CMMC Documentation:Thus, the correct answer is:

B. Consult the CMMC Assessment Guides and NIST SP 800-171.

Understanding Specialized Assets in CMMCASpecialized Assetis defined asa system, device, or infrastructure component that is not a traditional IT system but still plays a role in cybersecurity or business operations.

Types of Specialized Assets (as per CMMC guidance):✔Operational Technology (OT)– Industrial control systems, SCADA systems.

✔Security Operations Centers (SOCs)– Dedicated cybersecurity monitoring and response centers.

✔IoT Devices– Smart sensors, embedded systems.

✔Restricted IT Systems– Systems with highly controlled access.

A. SOCs → Correct

Security Operations Centers (SOCs) are specialized cybersecurity environmentsused forthreat monitoring, detection, and response.

They oftenoperate outside standard IT infrastructureand are classified asspecialized assetsunder CMMC.

B. Hosted VPN services → Incorrect

VPN services are standard IT infrastructureanddo not qualify as specialized assets.

C. Consultants who provide cybersecurity services → Incorrect

Consultants are personnel, not specialized assets. Specialized assets refer tosystems, devices, or infrastructure.

D. All property owned or leased by the government → Incorrect

Government property is not automatically considered a specialized assetunder CMMC. Specialized assets refer tospecific IT or cybersecurity-related infrastructure.

Why is the Correct Answer "SOCs" (A)?

CMMC 2.0 Assessment Process (CAP) Document

DefinesSpecialized Assetsand includesSOCsin its examples.

CMMC-AB Guidelines

Listssecurity infrastructure like SOCsasSpecialized Assetsdue to their unique cybersecurity function.

NIST SP 800-171 & CMMC 2.0 Security Domains

Recognizesdedicated security monitoring environmentsas part of an organization's cybersecurity posture.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔A. SOCs (Security Operations Centers)

Who Do DoD Contractors Report CUI Breaches To?PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).

Key Reporting Requirements✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.

✅Reports must be submitted via theDoD's Cyber Incident Reporting Portal.

✅Contractors mustpreserve forensic evidencefor potential investigation.

The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.

NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.

The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.

Why "DoD Cyber Crime Center" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. FBI

❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.

B. NARA

❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.

C. DoD Cyber Crime Center

✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.

D. Under Secretary of Defense for Intelligence and Security

❌Incorrect–This office doesnothandle cyber incident reports.

DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.

DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.

Official References from CMMC 2.0 and DFARS DocumentationFinal Verification and ConclusionThe correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.

What Does the Practice of Professionalism Require in the CMMC Code of Professional Conduct?TheCMMC Code of Professional Conduct (CoPC)sets ethical and professional standards forCertified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs).Professionalismrequireshonesty and integrity in all CMMC-related activities.

Step-by-Step Breakdown:✅1. Professionalism Requires Ethical Behavior

TheCoPC states that professionalismincludes:

Acting with integrityin all assessment-related activities.

Providing truthful and objective assessmentsof cybersecurity practices.

Avoiding deceptive or misleading claimsabout assessments or compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Do not copy materials without permission to do so❌

This falls underIntellectual Property (IP) protection, notProfessionalism.

(B) Do not make assertions about assessment outcomes❌

Assessorsmustprovide findings based on evidence. The rule is aboutnot making false or misleading claims, not about avoiding assertions altogether.

(D) Ensure the security of all information discovered or received❌

This falls underConfidentiality, notProfessionalism.

TheCMMC Code of Professional Conduct (CoPC)definesProfessionalism as requiring honesty and integrityin allCMMC-related activities.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅C. Refrain from dishonesty in all dealings regarding CMMC.