Cyber AB CMMC-CCP Exam
Certified CMMC Professional (CCP) (Page 11)

Updated On: 9-Feb-2026

How many domains does the CMMC Model consist of?

  1. 14 domains
  2. 43 domains
  3. 72 domains
  4. 110 domains

Answer(s): A

Explanation:

The CMMC Model consists of 14 domains, which are based on the NIST SP 800-171 control families with additional cybersecurity practices.
Each domain contains practices and processes that define cybersecurity requirements for organizations seeking CMMC certification.


Reference:

CMMC 2.0 Model Documentation
NIST SP 800-171 Framework
Step 2: List of 14 CMMC Domains

Access Control (AC)
Asset Management (AM) (Introduced in CMMC 2.0 for scoping guidance)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Management (RM)
Security Assessment (CA)
System and Communications Protection (SC)

Step 3: Why Other Answer Choices Are Incorrect

B. 43 domains (Incorrect): The CMMC model does not have 43 domains; this number is incorrect.
C. 72 domains (Incorrect): There are 72 practices in CMMC Level 2, but not 72 domains.
D. 110 domains (Incorrect): 110 refers to the number of security controls in NIST SP 800-171, which aligns with CMMC Level 2, but these are controls, not domains.

Final Confirmation of Answer: The CMMC Model consists of 14 domains based on NIST SP 800-171 control families.
Thus, the correct answer is: A. 14 domains



During the assessment process, who is the final interpretation authority for recommended findings?

  1. C3PAO
  2. CMMC-AB
  3. OSC sponsor
  4. Assessment Team Members

Answer(s): B

Explanation:

Final Interpretation Authority in the CMMC Assessment Process

During a CMMC Level 2 assessment, several entities are involved in the process, including the Organization Seeking Certification (OSC), Certified Third-Party Assessment Organization (C3PAO), Assessment Team Members, and the CMMC Accreditation Body (CMMC-AB).

Role of the C3PAO and Assessment Team:
The Certified Third-Party Assessment Organization (C3PAO) is responsible for conducting the assessment and making initial recommended findings based on NIST SP 800-171 security requirements.
Assessment Team Members (Lead Assessor and support staff) conduct evaluations and submit their recommendations to the C3PAO.

Final Interpretation Authority - CMMC-AB:
The CMMC Accreditation Body (CMMC-AB) is responsible for ensuring consistency and accuracy in assessments.
If there is any dispute or need for clarification regarding findings, CMMC-AB provides the final interpretation and guidance.
This ensures uniformity in certification decisions across different C3PAOs.

Why CMMC-AB is the Answer:
CMMC-AB has the ultimate authority over the quality assurance process for assessments.
It reviews remediation requests, challenges, or disputes from the OSC or C3PAO and makes final determinations.
The CMMC-AB maintains oversight to ensure assessments align with CMMC 2.0 policies and DFARS 252.204-7021 requirements.

Why the Other Answer Choices Are Incorrect:
A. C3PAO - The C3PAO conducts the assessment and submits findings, but it does not have the final interpretation authority. Findings must pass through the CMMC-AB quality assurance process.
C. OSC Sponsor - The OSC (Organization Seeking Certification) cannot interpret findings; they can only respond to identified deficiencies and appeal assessments through CMMC-AB channels.
D. Assessment Team Members - The assessment team recommends findings but does not make final interpretations. Their role is limited to conducting evaluations, collecting evidence, and submitting reports to the C3PAO.


Reference:

CMMC Assessment Process Guide (CAP v2.0) - Cyber AB
DFARS 252.204-7021 (DoD Regulation on CMMC Requirements)
CMMC 2.0 Model Overview (DoD CIO Site)

Final Answer: B. CMMC-AB



An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message. Which organization's website should the OSC go to in order to identify what this marking means?

  1. NARA
  2. CMMC-AB
  3. DoD Contractors FAQ page
  4. DoD 239.7601 Definitions page

Answer(s): A

Explanation:

What Does "CUI//SP-PRVCY//FED Only" Mean?

The email contains Controlled Unclassified Information (CUI) with specific categories and dissemination controls.
CUI//SP-PRVCY//FED Only breaks down as follows:
CUI: Controlled Unclassified Information designation.
SP-PRVCY: Specified category for Privacy Information (SP stands for "Specified").
FED Only: Restriction for Federal Government use only (not for contractors or the public).

Who Maintains the Official CUI Registry?

The National Archives and Records Administration (NARA) oversees the CUI Program and maintains the official CUI Registry (https://www.archives.gov/cui). The CUI Registry provides definitions, marking guidance, and categories for all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."

Why NARA is the Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI should refer to the NARA CUI Registry for official marking interpretations.
DoD contractors and other organizations must comply with NARA guidelines when handling, marking, and disseminating CUI.

Why the Other Answer Choices Are Incorrect:
B. CMMC-AB - The CMMC Accreditation Body manages certification assessments but does not define or interpret CUI markings.
C. DoD Contractors FAQ Page - The DoD may provide general contractor guidance, but CUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page - This refers to general DoD acquisition definitions, but CUI categories and markings fall under NARA's authority.


Reference:

NARA CUI Registry (https://www.archives.gov/cui)
DoD CUI Program Guidance (DoD CIO Site)
CMMC 2.0 Level 2 Compliance Requirements (Cyber AB)

Final Answer: A. NARA



Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

  1. Organizational operations, business assets, and employees
  2. Organizational operations, business processes, and employees
  3. Organizational operations, organizational assets, and individuals
  4. Organizational operations, organizational processes, and individuals

Answer(s): C

Explanation:

The Risk Assessment (RA) domain aligns with NIST SP 800-171 control family 3.11 (Risk Assessment) and is designed to help organizations identify, assess, and manage cybersecurity risks that could impact their operations.
The RA.3.144 practice (which is a CMMC Level 2 requirement) explicitly states:
"Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
Organizational operations (e.g., mission, business continuity, functions)
Organizational assets (e.g., data, IT systems, intellectual property)
Individuals (e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer is C. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect

A. Organizational operations, business assets, and employees - Incorrect. "Business assets" is not the correct terminology used in CMMC/NIST SP 800-171. Instead, "organizational assets" is the proper term.
B. Organizational operations, business processes, and employees - Incorrect. "Business processes" is not a part of the formal risk assessment requirement. The correct scope includes organizational assets and individuals, not just processes.
D. Organizational operations, organizational processes, and individuals - Incorrect. While processes are important, organizational assets must be considered in the assessment, not just processes.

CMMC Official Reference

CMMC 2.0 Model (Level 2 - RA.3.144) - Specifies that risk assessments must cover organizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1) - Reinforces the same risk assessment scope.

Thus, option C (Organizational operations, organizational assets, and individuals) is the correct answer based on official CMMC risk assessment requirements.



In the CMMC Model, how many practices are included in Level 2?

  1. 17 practices
  2. 72 practices
  3. 110 practices
  4. 180 practices

Answer(s): C

Explanation:

CMMC Level 2 is designed to align fully with NIST SP 800-171, which consists of 110 security controls (practices).
This means all 110 practices from NIST SP 800-171 are required for a CMMC Level 2 certification.

How Many Practices Are Included in CMMC Level 2? Breakdown of Practices in CMMC 2.0

CMMC Level   Number of Practices
Level 1      17 practices (Basic Cyber Hygiene)
Level 2      110 practices (Aligned with NIST SP 800-171)
Level 3      Not yet finalized but expected to exceed 110

Since CMMC Level 2 mandates all 110 NIST SP 800-171 practices, the correct answer is C. 110 practices.

Why the Other Answers Are Incorrect

A. 17 practices - Incorrect. 17 practices apply only to CMMC Level 1, not Level 2.
B. 72 practices - Incorrect. There is no CMMC level with 72 practices.
D. 180 practices - Incorrect. CMMC Level 2 only requires 110 practices, not 180.

CMMC Official Reference

CMMC 2.0 Model - Confirms that Level 2 includes 110 practices aligned with NIST SP 800-171.
NIST SP 800-171 Rev. 2 - Outlines the 110 security controls required for handling Controlled Unclassified Information (CUI).

Thus, option C (110 practices) is the correct answer, as per official CMMC guidance.





