Pass the Cyber AB CMMC CMMC-CCP Questions and answers with ValidTests

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Why the Correct Answer is "D"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

Federal Contract Information (FCI) is defined inFAR 52.204-21as information provided by or generated for the government under contract but not intended for public release. UnderCMMC 2.0, organizations handling FCI must implementFAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection inprocessing, storing, and transmittingFCI.

Analyzing the Given OptionsThe question involves an email system that is used tosendFCI to a subcontractor. Let’s break down the possible answers:

A. Manage FCI→ Incorrect

Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.

B. Process FCI→ Incorrect

Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.

C. Transmit FCI→ Correct

Transmission refers to the act of sending FCI from one entity to another. Since the contractor issendingFCI via email, this falls undertransmittingthe data.

In the context of a Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessment, specific practices must be evaluated to ensure compliance with established security requirements. One such practice is AC.L2-3.1.19, which mandates the encryption of Controlled Unclassified Information (CUI) on mobile devices and mobile computing platforms.

Step-by-Step Explanation:

Requirement Overview:

Practice AC.L2-3.1.19 requires organizations to "Encrypt CUI on mobile devices and mobile computing platforms." This ensures that any CUI accessed, stored, or transmitted via mobile devices is protected through encryption, mitigating risks associated with data breaches or unauthorized access.

Assessment of Provided Evidence:

During the assessment, the Organization Seeking Certification (OSC) provided an inventory list encompassing servers, workstations, and network devices. Notably, this list lacks any mention of mobile devices or mobile computing platforms.

Implications of the Omission:

The absence of mobile devices in the inventory suggests that the OSC may not have accounted for all assets that process, store, or transmit CUI. Without a comprehensive inventory that includes mobile devices, it's challenging to verify whether the OSC has implemented the necessary encryption measures for CUI on these platforms.

Assessment Determination:

Given the incomplete inventory, the evidence is insufficient to make a definitive scoring determination for practice AC.L2-3.1.19. The OSC must provide a detailed inventory that encompasses all relevant devices, including mobile devices and computing platforms, to demonstrate compliance with the encryption requirements for CUI.

Step 1: Define CUI (Controlled Unclassified Information)CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.

✅Step 2: Authority over CUI — NARA’s RoleNARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.

Source:

32 CFR Part 2002 – Controlled Unclassified Information (CUI)

Executive Order 13556 – Controlled Unclassified Information

CUI Registry – https://www.archives.gov/cui

NARA:

Maintains theCUI Registry,

Issuesmarking and handling guidance,

DefinesCUI categoriesand their authority under law or regulation,

Trains and informs Federal agencies and contractors on CUI policy.

B. NIST✘ NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.

C. CMMC-AB (now Cyber AB)✘ The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.

D. Department of Homeland Security (DHS)✘ While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.

❌Why the Other Options Are Incorrect

NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.

AC.L1-3.1.22states:"Control information posted or processed on publicly accessible systems."

This control requires organizations toensure that FCI (Federal Contract Information) is not publicly postedor made accessible in an uncontrolled manner.

FCI must beprotected from unauthorized disclosure, even if it is not classified or CUI.

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC AssessmentDuring aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Step 1: Understand the “CA” Domain – Security AssessmentTheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA&Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA&Ms.

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

✅Step 2: Review CMMC Levels

A. Level 1✘ No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4✘ These levels build on CA practices but do not represent thestarting point.

❌Why the Other Options Are Incorrect

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

The prime contractor (contractor organization)is responsible for ensuring thatits subcontractorshave the requiredCMMC certification levelbefore engaging them inDoD contracts that involve FCI or CUI.

This requirement is enforced throughflow-down clausesinDFARS 252.204-7021, which mandates that subcontractors handlingCUImeet the necessaryCMMC Level 2 or Level 3 requirements.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

Final Validation from CMMC Documentation: