Free Cyber AB CMMC-CCP Exam Questions (page: 3)

When executing a remediation review, the Lead Assessor should:

  A. help OSC to complete planned remediation activities.
  B. plan two consecutive remediation reviews for an OSC.
  C. submit a delta assessment remediation package for C3PAO's internal quality review.
  D. validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment.

Answer(s): C

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review is the phase in which deficiencies identified during the initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.

Role of the Lead Assessor in Remediation Reviews:

Validation of Remediation Efforts:
Objective: Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.
Process: The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standard. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.

Delta Assessment Remediation Package Submission:
Definition: A delta assessment evaluates only the components or practices that were previously found non-compliant or deficient.
Responsibility: After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:
  Detailed documentation of the deficiencies identified in the initial assessment.
  Evidence of the corrective actions taken by the OSC.
  Findings from the reassessment of the remediated practices.
Internal Quality Review: This remediation package is then submitted for the C3PAO's internal quality review. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before the certification decision is finalized.

Rationale for Selecting Answer C:
Alignment with the CMMC Assessment Process: Submitting a delta assessment remediation package for internal quality review is a standard step in the CMMC Assessment Process. It ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.

Clarification of Incorrect Options:
Option A: "Help OSC to complete planned remediation activities." The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in implementing or completing remediation activities. Providing such assistance could create a conflict of interest and compromise the objectivity of the assessment.
Option B: "Plan two consecutive remediation reviews for an OSC." The standard process involves a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not typical practice and could indicate a lack of proper remediation planning by the OSC.
Option D: "Validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment." While it is essential to ensure that deficiencies are addressed, the Lead Assessor's primary focus during a remediation review is to validate the implementation of the remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.

Reference:

CMMC Assessment Process v2.0
Cyber AB
CMMC Assessment Guide - Level 2
Defense Innovation Unit
These documents provide detailed guidance on the roles and responsibilities of assessors, the remediation review process, and the procedures for submitting assessment findings for quality review within the CMMC framework.



The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI.
Which asset type is being considered by the IT manager?

  A. ESP
  B. People
  C. Facilities
  D. Technology

Answer(s): D

Explanation:

Understanding Asset Types in CMMC 2.0:
In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection. According to the CMMC Scoping Guidance, there are five primary asset types:
Security Protection Assets (ESP - External Service Providers and security systems)
People (personnel who interact with FCI/CUI)
Facilities (physical locations housing FCI/CUI)
Technology (hardware, software, and networks that store, process, or transmit FCI/CUI)
CUI Assets (for Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct Answer:
The IT manager is evaluating servers, laptops, databases, and applications, all of which are technology assets used to store, process, or transmit FCI. According to the CMMC Scoping Guidance, Technology assets include:
Endpoints (laptops, workstations, mobile devices)
Servers (on-premise or cloud-based)
Networking devices (routers, firewalls, switches)
Applications (software, cloud-based tools)
Databases (storage of FCI or CUI)
Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).

Why the Other Answers Are Incorrect:
A. ESP (Security Protection Assets) - Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.
B. People - Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software, which fall under Technology, not People.
C. Facilities - Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.

CMMC Official Reference:
CMMC Level 1 Scoping Guide (CMMC-AB) - Defines asset categories, including Technology.
CMMC 2.0 Scoping Guidance for Assessors - Provides clarification on FCI assets.
Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.



Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?

  A. Adopted security
  B. Adaptive security
  C. Adequate security
  D. Advanced security

Answer(s): C

Explanation:

Understanding the Concept of Security in CMMC 2.0:
CMMC 2.0 aligns with federal cybersecurity standards, particularly FISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected. The question describes security measures that are proportionate to the risk of loss, misuse, unauthorized access, or modification of information. This matches the definition of "Adequate Security."

Analyzing the Given Options:
A. Adopted security - Incorrect. The term "adopted security" is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question's definition.
B. Adaptive security - Incorrect. Adaptive security refers to a dynamic cybersecurity model in which security measures continuously evolve based on real-time threats. While important, it does not directly match the definition in the question.
C. Adequate security - Correct. The term "adequate security" is defined in NIST SP 800-171, DFARS 252.204-7012, and FISMA as the level of protection that is proportional to the consequences and likelihood of a security incident. This aligns with the definition in the question.
D. Advanced security - Incorrect. Advanced security typically refers to highly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. The term does not relate to the concept of risk-based, proportional security.

Official Reference Supporting the Correct Answer:
FISMA (44 U.S.C. § 3552(b)(3)) - Defines adequate security as "protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information." This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) - Mandates that contractors apply "adequate security" to protect Controlled Unclassified Information (CUI).
NIST SP 800-171 Rev. 2, Requirement 3.1.1 - States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure."
CMMC 2.0 Documentation (Level 1 and Level 2 Requirements) - Requires that organizations apply adequate security measures in accordance with NIST SP 800-171 to meet compliance standards.

Conclusion:
The term "adequate security" is the correct answer because it is explicitly defined in federal cybersecurity frameworks as protection proportional to risk and potential consequences. Thus, the verified answer is C. Adequate security.



A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present to the OSC. When should the final results be delivered to the OSC?

  A. At the end of every day of the assessment
  B. Daily and during a final separately scheduled review
  C. Either at the final Daily Checkpoint, or during a separately scheduled findings and recommendation review
  D. Either after approval from the C3PAO, or during a separately scheduled final recommended findings review

Answer(s): C

Explanation:

Understanding the Reporting Process in a CMMC 2.0 Level 2 Assessment:
A CMMC Level 2 Assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to the Organization Seeking Certification (OSC). The reporting process is outlined in the CMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.

Assessment Communication Structure:
Daily Checkpoints: Throughout the assessment, the assessor team holds daily checkpoint meetings with the OSC to provide updates on progress, observations, and preliminary findings. These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.
Final Results Delivery: The final assessment results are typically shared during the final daily checkpoint OR in a separately scheduled findings and recommendations review meeting. This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.

Why Option C is Correct:
The CMMC Assessment Process (CAP) Guide, Section 4.5, states that assessment findings should be presented either at the last daily checkpoint or during a separately scheduled final review. This aligns with best practices for maintaining transparency and ensuring the OSC has clarity on its assessment results before the final report is submitted.
Option A (end of every day) is incorrect because, while assessors do provide daily updates, they do not deliver the "final results" daily.
Option B (daily and a separate final review) is misleading, as the CAP Guide allows assessors to choose between the final daily checkpoint OR a separate findings review, not both.
Option D (after C3PAO approval) is incorrect because the C3PAO does not approve findings before they are communicated to the OSC. The assessment team presents the results directly first.

Official CMMC Documentation Reference:
CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication
CMMC 2.0 Level 2 Assessment Process Overview
CMMC Assessment Final Report Guidelines

Final Verification:
Based on official CMMC 2.0 documentation, the final assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.



Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

  A. official.
  B. adequate.
  C. compliant.
  D. subjective.

Answer(s): B

Explanation:

CMMC Level 1 includes 17 practices derived from FAR 52.204-21. Among them, the Media Protection (MP) practice requires organizations to ensure that media containing FCI are sanitized or destroyed before disposal or release for reuse, to prevent unauthorized access. This requirement ensures that any storage devices, hard drives, USB drives, or physical documents containing Federal Contract Information (FCI) are properly disposed of or sanitized to prevent data leakage.
The evidence collected for this practice should demonstrate that the organization has established and followed proper media sanitization or destruction procedures.

Why the Correct Answer is "B. Adequate":
The CMMC Assessment Process (CAP) Guide states that, for an assessment to be considered complete, all submitted evidence must meet the standard of adequacy before it is accepted by the Lead Assessor.
Definition of "Adequate" Evidence in CMMC:
Evidence is adequate when it fully demonstrates that a practice has been performed as required by CMMC guidelines.
The Lead Assessor evaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.
If the evidence accurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard of adequacy.

Why Not the Other Options?
A. Official - While the evidence may come from an official source, CMMC does not require evidence to be "official", only that it be adequate to confirm compliance.
C. Compliant - Compliance is the final result of an assessment; before compliance is determined, the evidence must first be adequate for evaluation.
D. Subjective - CMMC evidence is objective, meaning it is based on verifiable documents, policies, logs, and procedures, not on opinions or interpretations.

Relevant CMMC 2.0 Reference:

CMMC 2.0 Scoping Guide (Nov 2021) - Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide - Defines adequate evidence as documentation that completely and clearly supports the implementation of a required security practice.
FAR 52.204-21 - The source of the Level 1 requirements, which include sanitization and destruction of media containing FCI.

Final Justification:
The CCP's statement that the evidence "fully reflects the performance of the practice" aligns with the definition of adequate evidence under CMMC. Since adequacy is the key standard applied before final compliance decisions are made, the correct answer is B. Adequate.



A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed.
What is the BEST way to handle this file?

  A. Review it, print it, and put it in the desk drawer.
  B. Review it, and make notes on the computer provided by the client.
  C. Review it, print it, make notes, and then shred it in a cross-cut shredder in the print room.
  D. Review it, print it, and leave it in a folder on the table together with the other documents.

Answer(s): C

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):
MP.L2-3.8.1 - Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals. (Source: Defense Innovation Unit)
MP.L2-3.8.3 - Media Disposal: Organizations must sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media. (Source: Defense Innovation Unit)

Physical Protection (PE):
PE.L2-3.10.2 - Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and that access is controlled. (Source: Defense Innovation Unit)

Application to the Scenario:
Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and uses a common conference room for the assessment, the following considerations are crucial:
Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or data leakage.
Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area and that the printed documents are retrieved immediately to prevent unauthorized viewing.
Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.
Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality. (Source: totem.tech)

Options A and D are inadequate because they leave sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.



Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

  A. DoD
  B. CISA
  C. NIST
  D. CMMC-AB

Answer(s): A

Explanation:

The U.S. Department of Defense (DoD) is the entity that requires organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to undergo an assessment to determine their required level of cybersecurity maturity under CMMC 2.0. This requirement stems from the DFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

Reference:

DoD CMMC 2.0 Program Overview
DFARS 252.204-7021 (CMMC Requirements)

Step 2: DoD's Cybersecurity Maturity Levels
The DoD determines the required cybersecurity maturity level for a contract based on the sensitivity of the information involved:
CMMC Level 1 - Required for organizations handling FCI (Basic Cyber Hygiene).
CMMC Level 2 - Required for organizations handling CUI (aligned with NIST SP 800-171).
CMMC Level 3 - Required for organizations handling high-value CUI and facing Advanced Persistent Threats (APT) (aligned with a subset of NIST SP 800-172).

Reference:

CMMC 2.0 Model Documentation
NIST SP 800-171 and 800-172 for security controls

Step 3: Why Other Answer Choices Are Incorrect
B. CISA (Incorrect): The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for national cybersecurity but does not mandate CMMC assessments.
C. NIST (Incorrect): The National Institute of Standards and Technology (NIST) provides the security framework (e.g., NIST SP 800-171) but does not enforce CMMC compliance.
D. CMMC-AB (Incorrect): The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and overseeing the CMMC ecosystem, but it does not determine which organizations require assessments.

Final Confirmation of Answer:
The DoD mandates CMMC compliance for organizations handling FCI or CUI.
CMMC requirements are enforced through DFARS clauses in DoD contracts.
Thus, the correct answer is: A. DoD



When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?

  A. NIST SP 800-53
  B. NIST SP 800-88
  C. NIST SP 800-171
  D. NIST SP 800-172

Answer(s): C

Explanation:

CMMC 2.0 Level 2 is directly aligned with NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations." Organizations Seeking Certification (OSCs) at Level 2 must demonstrate compliance with the 110 security requirements specified in NIST SP 800-171, as mandated by DFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protect Controlled Unclassified Information (CUI) in nonfederal systems.
These controls are categorized under 14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments are entirely based on NIST SP 800-171 requirements. Every practice assessed in a Level 2 certification maps directly to a requirement from NIST SP 800-171 Rev. 2.
Provides Guidance for Implementation and Assessment:
The NIST SP 800-171A "Assessment Guide" provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012 requires contractors to implement the NIST SP 800-171 security requirements. The CMMC 2.0 Level 2 model directly incorporates all 110 requirements from NIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations") - This document applies to federal systems, not to nonfederal entities handling CUI. While it is the foundation for other security standards, it is not the basis of CMMC Level 2 assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization") - This document focuses on secure data destruction and media sanitization techniques. While data disposal is important, this standard does not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI") - This document builds on NIST SP 800-171 and applies to systems needing advanced cybersecurity protections (e.g., against Advanced Persistent Threats). It is not required for standard CMMC Level 2 assessments, which only mandate NIST SP 800-171 compliance.

Key Reference for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2 (NIST Official Site)
NIST SP 800-171A (Assessment Guide) (NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide (Cyber AB)

Conclusion:
Since CMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments.
Therefore, the correct answer is:
C. NIST SP 800-171


