Cyber AB CMMC-CCP Exam
Certified CMMC Professional (CCP) (Page 3)

Updated On: 9-Feb-2026

A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI.
Which type of asset is this considered?

  1. FCI Assets
  2. Specialized Assets
  3. Out-of-Scope Assets
  4. Government-Issued Assets

Answer(s): C

Explanation:

Asset Categories as per CMMC 2.0:
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework categorizes assets based on their interaction with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In a CMMC Level 1 self-assessment, assets are classified based on whether they process, store, or transmit FCI.
FCI Assets: These assets process, store, or transmit FCI and must meet CMMC Level 1 security requirements (17 practices from FAR 52.204-21).
CUI Assets: These assets handle Controlled Unclassified Information (CUI) and are subject to CMMC Level 2 requirements, aligned with NIST SP 800-171.
Specialized Assets: Includes IoT devices, Operational Technology (OT), Government-Furnished Equipment (GFE), and test equipment. These are often categorized separately due to their specific cybersecurity requirements.
Out-of-Scope Assets: Assets that do not process, store, or transmit FCI or CUI. These do not require compliance with CMMC practices.
Government-Issued Assets: These are assets provided by the government for contract-specific purposes, often requiring compliance based on government policies.

Why the Correct Answer is C. Out-of-Scope Assets?
The question specifies that the identified asset does not process, store, or transmit FCI. According to CMMC 2.0 guidelines, only assets that handle FCI or CUI are subject to security controls. Assets that are physically located within an OSC's facility but do not interact with FCI or CUI fall into the "Out-of-Scope Assets" category.
These assets do not require CMMC-specific cybersecurity controls, as they have no impact on the security of FCI or CUI.

Relevant CMMC 2.0 Reference:
CMMC Scoping Guide (Nov 2021): Defines out-of-scope assets as those that are within an OSC's environment but have no interaction with FCI or CUI.
CMMC 2.0 Level 1 Guide: Only requires security controls on FCI assets, meaning assets that do not process, store, or transmit FCI are out of scope.
CMMC Assessment Process (CAP) Guide: Identifies the classification of assets in an OSC's environment to determine compliance requirements.

Final Justification: Since the asset does not process, store, or transmit FCI, it does not fall under "FCI Assets" or "Specialized Assets." It is also not a government-issued asset. Therefore, the correct classification under CMMC 2.0 is Out-of-Scope Assets (C).



There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

  1. The OSC may have 90 days for remediating NOT MET practices.
  2. The OSC is not eligible for an option to remediate NOT MET practices.
  3. The OSC may be eligible for an option to remediate NOT MET practices.
  4. The OSC is not eligible for an option to remediate after the assessment is canceled.

Answer(s): B

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2 compliance requires an Organization Seeking Certification (OSC) to implement all 110 security practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent upon meeting specific criteria.
According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted values to each of the 110 security requirements, with some controls deemed critical and others non-critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies, provided the minimum score threshold is met. Critical controls, however, must be fully implemented at the time of assessment; they cannot be deferred and included in a POA&M.
In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently, the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the organization must fully implement and rectify all NOT MET practices before undergoing a subsequent assessment to achieve the necessary compliance level.
This policy ensures that organizations handling Controlled Unclassified Information (CUI) have adequately addressed all critical and non-critical security requirements, thereby maintaining the integrity and security of sensitive information within the Defense Industrial Base. For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC Assessment Guide - Level 2 and the official CMMC documentation provided by the Department of Defense.



A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

  1. "The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."
  2. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."
  3. "The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."
  4. "The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."

Answer(s): B

Explanation:

Step 1: Role of the OSC in Scope Determination
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.
Reference: CMMC Scoping Guidance for Level 2, which outlines asset categorization and scoping considerations.

Step 2: Role of the C3PAO in Scope Validation
Once the OSC has determined its CMMC assessment scope, a CMMC Third-Party Assessment Organization (C3PAO) is responsible for validating the scope during the assessment planning phase.
The C3PAO reviews the OSC's scope to ensure it aligns with DoD's scoping guidance, ensuring that all relevant assets, networks, and policies required for CMMC Level 2 certification are correctly identified.
If there are discrepancies, the C3PAO works with the OSC to adjust the scope before proceeding with the assessment.
Reference: CMMC Assessment Process (CAP) Guide, which describes the scope validation responsibilities of a C3PAO.

Step 3: Why Other Answer Choices Are Incorrect
Choice A (Incorrect): A CCP (Certified CMMC Professional) does not have the authority to validate the scope. Their role is to guide and consult, but final validation is the C3PAO's responsibility.
Choice C (Incorrect): The CMMC Lead Assessor (part of the C3PAO team) does not determine the scope; instead, the OSC does.
Choice D (Incorrect): The C3PAO validates the scope but does not determine it--this is the OSC's responsibility.

Final Confirmation of Answer(s):
OSC determines the CMMC Assessment Scope.
C3PAO validates the CMMC Assessment Scope.
Thus, the correct answer is B. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."



When executing a remediation review, the Lead Assessor should:

  1. help OSC to complete planned remediation activities.
  2. plan two consecutive remediation reviews for an OSC.
  3. submit a delta assessment remediation package for C3PAO's internal quality review.
  4. validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment.

Answer(s): C

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.
Role of the Lead Assessor in Remediation Reviews:
Validation of Remediation Efforts:
Objective: Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.
Process: The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.
Delta Assessment Remediation Package Submission:
Definition: A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.
Responsibility: After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:
Detailed documentation of the deficiencies identified in the initial assessment.
Evidence of the corrective actions taken by the OSC.
Findings from the reassessment of the remediated practices.
Internal Quality Review: This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.
Rationale for Selecting Answer C:
Alignment with CMMC Assessment Process: The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.
Clarification of Incorrect Options:
Option A: "Help OSC to complete planned remediation activities." The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.
Option B: "Plan two consecutive remediation reviews for an OSC." The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.
Option D: "Validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment." While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.


Reference:

CMMC Assessment Process v2.0
CyberAB
CMMC Assessment Guide - Level 2
Defense Innovation Unit
These documents provide detailed guidelines on the roles and responsibilities of assessors, the remediation review process, and the procedures for submitting assessment findings for quality review within the CMMC framework.



The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI.
Which asset type is being considered by the IT manager?

  1. ESP
  2. People
  3. Facilities
  4. Technology

Answer(s): D

Explanation:

Understanding Asset Types in CMMC 2.0
In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection. According to CMMC Scoping Guidance, there are five primary asset types:
Security Protection Assets (ESP - External Service Providers & Security Systems)
People (Personnel who interact with FCI/CUI)
Facilities (Physical locations housing FCI/CUI)
Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)
CUI Assets (For Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct Answer
The IT manager is evaluating servers, laptops, databases, and applications--all of which are technology assets used to store, process, or transmit FCI. According to CMMC Scoping Guidance, Technology assets include:
Endpoints (Laptops, Workstations, Mobile Devices)
Servers (On-premise or cloud-based)
Networking Devices (Routers, Firewalls, Switches)
Applications (Software, Cloud-based tools)
Databases (Storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).

Why the Other Answers Are Incorrect
A. ESP (Security Protection Assets): Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.
B. People: Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software--which falls under Technology, not People.
C. Facilities: Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.

CMMC Official Reference
CMMC Level 1 Scoping Guide (CMMC-AB): Defines asset categories, including Technology.
CMMC 2.0 Scoping Guidance for Assessors: Provides clarification on FCI assets.
Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.





