Free Cyber AB CMMC-CCP Exam Questions (page: 2)

A Plan of Action defines the clear goal or objective of the plan.
What information is generally NOT a part of a plan of action?

  A. Completion dates
  B. Milestones to measure progress
  C. Ownership of who is accountable for ensuring plan performance
  D. Budget requirements to implement the plan's remediation actions

Answer(s): D

Explanation:

Under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a Plan of Action (POA) is a critical document that outlines the specific actions a contractor needs to take to remediate cybersecurity deficiencies.
While POAs serve as a roadmap for achieving compliance with required controls, the inclusion of certain elements is standardized.

Key Elements of a Plan of Action (POA)

According to the CMMC guidelines and NIST SP 800-171, which underpins many CMMC requirements, a POA typically includes:

Completion Dates: Identifies target deadlines for resolving deficiencies.
Milestones to Measure Progress: Includes interim steps or markers so that progress is monitored over time.
Ownership or Accountability: Clearly assigns responsibility for each action item to specific personnel or teams.

What is Generally NOT Part of a POA?

Budget requirements to implement the plan's remediation actions (Option D) are generally not included in a POA. While budgeting is critical to the plan's success, it is considered part of the broader project management or resource planning process, not the POA itself. This distinction is intentional: it keeps the POA focused on actionable items rather than resource allocation.

Supporting Reference

NIST SP 800-171A, Appendix D: Provides an overview of POA components, emphasizing the prioritization of corrective actions, responsibility, and measurable outcomes.
CMMC Level 2 Practices (Aligned with NIST SP 800-171): The focus is on actions, timelines, and accountability rather than financial planning.

By excluding budget details, the POA remains a tactical document that supports immediate action and compliance tracking, separate from financial considerations.



During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification.
What additional measures should the OSC perform to fully meet the maintenance requirement?

  A. Connections for nonlocal maintenance sessions should be terminated when maintenance is complete.
  B. Connections for nonlocal maintenance sessions should be unlimited to ensure maintenance is performed properly.
  C. The nonlocal maintenance personnel complain that restrictions slow down their response time and should be removed.
  D. The maintenance policy states multifactor authentication must have at least two factors applied for nonlocal maintenance sessions.

Answer(s): A

Explanation:

Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5.

Key Requirements for Nonlocal Maintenance

Termination of Nonlocal Maintenance Sessions:
To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement, intended to mitigate the risk that lingering remote sessions are exploited by threat actors.

Supporting Reference:
NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):
OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are). While the OSC's use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:
The OSC must also document a maintenance policy and ensure it reflects the need to terminate connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:
B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.
C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.
D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:
The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.



While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate.
What is the MOST correct action to take?

  A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
  B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
  C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
  D. Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.

Answer(s): D

Explanation:

The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs). The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.

CMMC Conflict of Interest Handling Process

1. Inform the OSC and C3PAO of the Potential Conflict of Interest
The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest. Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.

2. Document the Conflict and Mitigation Actions in the Assessment Plan
Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment. The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.

3. Determine If the Mitigation Actions Are Acceptable
If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed. Common mitigation strategies include:
  - Assigning another assessor for interviews with the conflicted individual.
  - Ensuring that decisions regarding the OSC's compliance are reviewed independently.

4. Proceed with the Assessment If Mitigation Is Acceptable
If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.

Why the Other Answers Are Incorrect

A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned. Incorrect. This violates CMMC's integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.
B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member. Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.
C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned. Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.

CMMC Official Reference

CMMC Assessment Process (CAP) Document: Defines COI requirements and mitigation actions.
CMMC Code of Professional Conduct (CoPC): Outlines ethical responsibilities of assessors.
CMMC Accreditation Body (Cyber-AB) Guidance: Provides rules on conflict resolution.

Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.



A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:

  A. manage FCI.
  B. process FCI.
  C. transmit FCI.
  D. generate FCI.

Answer(s): C

Explanation:

Federal Contract Information (FCI) is defined in FAR 52.204-21 as information provided by or generated for the government under contract but not intended for public release. Under CMMC 2.0, organizations handling FCI must implement the FAR 52.204-21 Basic Safeguarding Requirements, ensuring proper protection in processing, storing, and transmitting FCI.

Analyzing the Given Options

The question involves an email system that is used to send FCI to a subcontractor. Let's break down the possible answers:

A. Manage FCI (Incorrect)
Managing FCI involves activities like organizing, storing, and maintaining access to FCI. Sending an email does not fall under management; it is an act of transmission.

B. Process FCI (Incorrect)
Processing refers to actively using FCI for operational or analytical purposes, such as analyzing, modifying, or computing data. Simply sending an email does not constitute processing.

C. Transmit FCI (Correct)
Transmission refers to the act of sending FCI from one entity to another. Since the contractor is sending FCI via email, this falls under transmitting the data.
Reference: NIST SP 800-171 Rev. 2, 3.1.3: "Control CUI (or FCI) by transmitting it using authorized mechanisms."

D. Generate FCI (Incorrect)
Generating FCI means creating new contract-related information. The contractor is not creating FCI in this scenario but merely transmitting it.

Official Reference Supporting the Correct Answer

CMMC 2.0 Level 1 Practices (FAR 52.204-21 Basic Safeguarding Controls), 3.1.3: "Control CUI (or FCI) by transmitting it using authorized mechanisms." This confirms that email transmission falls under "transmitting" FCI, not managing or processing.
NIST SP 800-171 Rev. 2 (Protecting CUI in Non-Federal Systems), Requirement 3.13.8: "Implement cryptographic methods to protect CUI when transmitted." While this applies more to CUI, FCI should also be protected during transmission, confirming that email is a form of transmitting information.

Conclusion

Since the contractor is sending FCI via email, the correct answer is C. Transmit FCI. This aligns with CMMC 2.0 Level 1 practices under FAR 52.204-21 and NIST SP 800-171, which emphasize securing transmitted data.



Which statement BEST describes an assessor's evidence gathering activities?

  A. Use interviews for assessing a Level 2 practice.
  B. Test all practices or objectives for a Level 2 practice.
  C. Test certain assessment objectives to determine findings.
  D. Use examinations, interviews, and tests to gather sufficient evidence.

Answer(s): D

Explanation:

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination: Reviewing documents, records, system configurations, and other artifacts.
Interviews: Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing: Observing system behavior, performing technical validation, and executing controls in real time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance. CMMC 2.0 Level 2 (aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective. Solely relying on one method (like interviews in Option A) is insufficient. Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination. Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation Reference

CMMC Assessment Process (CAP) Guide, Section 3.5, Assessment Methods: Explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171: Require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E, Assessment Procedures: States that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.



A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI.
Which type of asset is this considered?

  A. FCI Assets
  B. Specialized Assets
  C. Out-of-Scope Assets
  D. Government-Issued Assets

Answer(s): C

Explanation:

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.

Asset Categories as per CMMC 2.0:

FCI Assets: These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets: These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets: Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets: Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets: These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.

Why the Correct Answer is C. Out-of-Scope Assets

The question specifies that the identified asset does not process, store, or transmit FCI. According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls. Assets that are physically located within an OSC's facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category. These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.

Relevant CMMC 2.0 Reference:

CMMC Scoping Guide (Nov 2021): Defines out-of-scope assets as those that are within an OSC's environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide: Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide: Identifies the classification of assets in an OSC's environment to determine compliance requirements.

Final Justification:
Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).



There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

  A. The OSC may have 90 days for remediating NOT MET practices.
  B. The OSC is not eligible for an option to remediate NOT MET practices.
  C. The OSC may be eligible for an option to remediate NOT MET practices.
  D. The OSC is not eligible for an option to remediate after the assessment is canceled.

Answer(s): B

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2 compliance requires an Organization Seeking Certification (OSC) to implement all 110 security practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent upon meeting specific criteria.

According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted values to each of the 110 security requirements, with some controls deemed critical and others non-critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies, provided the minimum score threshold is met. Critical controls, however, must be fully implemented at the time of assessment; they cannot be deferred and included in a POA&M.

In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently, the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the organization must fully implement and rectify all NOT MET practices before undergoing a subsequent assessment to achieve the necessary compliance level.

This policy ensures that organizations handling Controlled Unclassified Information (CUI) have adequately addressed all critical and non-critical security requirements, thereby maintaining the integrity and security of sensitive information within the Defense Industrial Base. For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC Assessment Guide, Level 2, and the official CMMC documentation provided by the Department of Defense.



A CCP is providing consulting services to a company that is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

  A. "The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."
  B. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."
  C. "The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."
  D. "The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."

Answer(s): B

Explanation:

Step 1: Role of the OSC in Determining the Scope
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD. The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.

Reference: CMMC Scoping Guidance for Level 2, which outlines asset categorization and scoping considerations.

Step 2: Role of the C3PAO in Scope Validation
Once the OSC has determined its CMMC assessment scope, a CMMC Third-Party Assessment Organization (C3PAO) is responsible for validating the scope during the assessment planning phase. The C3PAO reviews the OSC's scope to ensure it aligns with DoD's scoping guidance, ensuring that all relevant assets, networks, and policies required for CMMC Level 2 certification are correctly identified. If there are discrepancies, the C3PAO works with the OSC to adjust the scope before proceeding with the assessment.

Reference: CMMC Assessment Process (CAP) Guide, which describes the scope validation responsibilities of a C3PAO.

Step 3: Why Other Answer Choices Are Incorrect
Choice A (Incorrect): A CCP (Certified CMMC Professional) does not have the authority to validate the scope. Their role is to guide and consult, but final validation is the C3PAO's responsibility.
Choice C (Incorrect): The CMMC Lead Assessor (part of the C3PAO team) does not determine the scope; instead, the OSC does.
Choice D (Incorrect): The C3PAO validates the scope but does not determine it; this is the OSC's responsibility.

Final Confirmation of Answer(s):
The OSC determines the CMMC Assessment Scope.
The C3PAO validates the CMMC Assessment Scope.
Thus, the correct answer is B. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."


