Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Cyber AB
  5. CMMC-CCP

Cyber AB CMMC-CCP Exam
Certified CMMC Professional (CCP) (Page 4 )

Updated On: 9-Feb-2026
Page 4 of 36
PDF with 171 Questions

Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to. or modification of information"?

  1. Adopted security
  2. Adaptive security
  3. Adequate security
  4. Advanced security

Answer(s): C

Explanation:

Understanding the Concept of Security in CMMC 2.0CMMC 2.0 aligns with federal cybersecurity standards, particularlyFISMA (Federal Information Security Modernization Act), NIST SP 800-171, and FAR 52.204-21. One key principle in these frameworks is the implementation of security measures that are appropriate for the risk level associated with the data being protected. The question describes security measures that are proportionate to therisk of loss, misuse, unauthorized access, or modificationof information. This matches the definition of"Adequate Security."
A . Adopted security Incorrect
The term"adopted security"is not officially recognized in CMMC, NIST, or FISMA. Organizations adopt security policies, but the concept does not directly align with the question's definition.
B . Adaptive security Incorrect
Adaptive securityrefers to adynamic cybersecurity modelwhere security measures continuously evolve based on real-time threats.
While important, it does not directly match the definition in the question.
C . Adequate securityCorrect
The term"adequate security"is defined inNIST SP 800-171, DFARS 252.204-7012, and FISMAas the level of protection that isproportional to the consequences and likelihood of a security incident.

This aligns perfectly with the definition in the question.
D . Advanced security Incorrect
Advanced securitytypically refers tohighly sophisticated cybersecurity mechanisms, such as AI-driven threat detection. However, the term does not explicitly relate to the concept of risk-based proportional security.
FISMA (44 U.S.C. § 3552(b)(3))
Definesadequate securityas"protective measures commensurate with the risk and potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of information." This directly matches the question's wording.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) Mandates that contractors apply"adequate security"to protect Controlled Unclassified Information (CUI).

NIST SP 800-171 Rev. 2, Requirement 3.1.1
States that organizations must "limit system access to authorized users and implement adequate security protections to prevent unauthorized disclosure." CMMC 2.0 Documentation (Level 1 and Level 2 Requirements) Requires that organizationsapply adequate security measures in accordance with NIST SP 800-171to meet compliance standards.
Analyzing the Given OptionsOfficial Reference Supporting the Correct AnswerConclusionThe term"adequate security"is the correct answer because it is explicitly defined in federal cybersecurity frameworks asprotection proportional to risk and potential consequences. Thus, the verified answer is:



A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present to the OSC. When should the final results be delivered to the OSC?

  1. At the end of every day of the assessment
  2. Daily and during a final separately scheduled review
  3. Either at the final Daily Checkpoint, or during a separately scheduled findings and recommendation review
  4. Either after approval from the C3PAO. or during a separately scheduled final recommended findings review

Answer(s): C

Explanation:

Understanding the Reporting Process in a CMMC 2.0 Level 2 AssessmentACMMC Level 2 Assessmentconducted by aCertified Third-Party Assessor Organization (C3PAO)follows a structured approach to gathering evidence, evaluating compliance, and reporting findings to theOrganization Seeking Certification (OSC). The reporting process is outlined in theCMMC Assessment Process (CAP) Guide, which specifies how findings should be communicated.
Daily Checkpoints:
Throughout the assessment, the assessor team holdsdaily checkpoint meetingswith the OSC to provide updates on progress, observations, and preliminary findings. These checkpoints help ensure transparency and allow the OSC to address minor issues as they arise.
Final Results Delivery:
Thefinal assessment resultsare typically shared during thefinal daily checkpointOR in aseparately scheduled findings and recommendations reviewmeeting.
This ensures that the OSC receives a structured and complete summary of the assessment findings before the official report is submitted.
TheCMMC Assessment Process (CAP) Guide, Section 4.5clearly states that assessment findings should be presentedeither at the last daily checkpoint or during a separately scheduled final review. This aligns with best practices formaintaining transparency and ensuring the OSC has clarity on their assessment resultsbefore the final report submission.
Option A (End of every day)is incorrect because while assessors do provide updates, they do not deliver the "final results" daily.
Option B (Daily and a separate final review)is misleading, as the CAP Guide allows assessors tochoosebetween the final daily checkpoint OR a separate findings review--not both. Option D (After C3PAO approval)is incorrect because theC3PAO does not approve findings before they are communicated to the OSC. The assessment team directly presents the results first. CMMC Assessment Process (CAP) Guide, Section 4.5: Reporting and Findings Communication CMMC 2.0 Level 2 Assessment Process Overview
CMMC Assessment Final Report Guidelines
Assessment Communication StructureWhy Option C is CorrectOfficial CMMC Documentation ReferenceFinal VerificationBased on officialCMMC 2.0 documentation, thefinal assessment results should be presented to the OSC either at the last daily checkpoint or in a separately scheduled review session, making Option C the correct answer.



Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

  1. official.
  2. adequate.
  3. compliant.
  4. subjective.

Answer(s): B

Explanation:

CMMC Level 1 includes 17 practices derived fromFAR 52.204-21. Among them, theMedia Protection (MP) practicerequires organizations to ensure thatmedia containing FCI is sanitized or destroyed before disposal or release for reuseto prevent unauthorized access. This requirement ensures that any storage devices, hard drives, USBs, or physical documents containingFederal Contract Information (FCI)areproperly disposed of or sanitizedto prevent data leakage.
The evidence collected for this practice should demonstrate that an organization has established and followed propermedia sanitization or destruction procedures.
Why the Correct Answer is "B. Adequate"?TheCMMC Assessment Process (CAP) Guideoutlines that for an assessment to be considered complete, all submitted evidence must meet the standard ofadequacybefore it is accepted by the Lead Assessor.
Definition of "Adequate" Evidence in CMMC:
Evidence isadequatewhen itfully demonstrates that a practice has been performed as requiredby CMMC guidelines.
TheLead Assessorevaluates whether the submitted documentation meets the CMMC 2.0 Level 1 requirements.

If the evidenceaccurately and completely demonstrates the sanitization or destruction of media containing FCI, then it meets the standard ofadequacy.
Why Not the Other Options?
A . Official­ While the evidence may come from an official source, the CMMCdoes not require evidence to be "official", only that it beadequateto confirm compliance. C . Compliant­ Compliance is the final result of an assessment, but before compliance is determined, the evidence must first beadequatefor evaluation.
D . Subjective­ CMMC evidence isobjective, meaning it should be based on verifiable documents, policies, logs, and procedures--not opinions or interpretations. CMMC 2.0 Scoping Guide (Nov 2021)­ Specifies that Media Protection (MP) at Level 1 applies only to assets that process, store, or transmit FCI.
CMMC Assessment Process (CAP) Guide­ Definesadequate evidenceas documentation that completely and clearly supports the implementation of a required security practice. FAR 52.204-21­ The source of the Level 1 requirements, which includessanitization and destruction of media containing FCI.
Relevant CMMC 2.0


Reference:

Final Justification:The CCP's statement that the evidence"fully reflects the performance of the practice"aligns with the definition ofadequate evidenceunder CMMC. Since adequacy is the key standard used before final compliance decisions are made, the correct answer isB. Adequate.



A CMMC Assessment is being conducted at an OSC's HQ. which is a shared workspace in a multi- tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed.
What is the BEST way to handle this file?

  1. Review it. print it, and put it in the desk drawer.
  2. Review it, and make notes on the computer provided by the client.
  3. Review it, print it, make notes, and then shred it in cross-cut shredder in the print room.
  4. Review it. print it, and leave it in a folder on the table together with the other documents.

Answer(s): C

Explanation:

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.
Media Protection (MP):
MP.L2-3.8.1 ­ Media Protection:Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.
Defense Innovation Unit

MP.L2-3.8.3 ­ Media Disposal:It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.
Defense Innovation Unit
Physical Protection (PE):
PE.L2-3.10.2 ­ Monitor Facility:Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.
Defense Innovation Unit
Application to the Scenario:
Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:
Reviewing the Evidence File:The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage. Printing the Evidence File:If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing. Making Notes:Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI. Disposal of Printed Materials:After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.
totem.tech
Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.



Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

  1. DoD
  2. CISA
  3. NIST
  4. CMMC-AB

Answer(s): A

Explanation:

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0. This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.


Reference:

DoD CMMC 2.0 Program Overview
DFARS 252.204-7021 (CMMC Requirements)
Step 2: DoD's Cybersecurity Maturity LevelsTheDoD determinestherequired cybersecurity maturity levelfor a contract based on the sensitivity of the information involved:
CMMC Level 1­ Required for organizations handlingFCI(Basic Cyber Hygiene). CMMC Level 2­ Required for organizations handlingCUI(Aligned with NIST SP 800-171). CMMC Level 3­ Required for organizations handlinghigh-value CUIand facingAdvanced Persistent Threats (APT)(Aligned with a subset ofNIST SP 800-172).


CMMC 2.0 Model Documentation
NIST SP 800-171 & 800-172for security controls
Step 3: Why Other Answer Choices Are IncorrectB. CISA (Incorrect):
TheCybersecurity and Infrastructure Security Agency (CISA)is responsible fornational cybersecuritybut does not mandate CMMC assessments.
C . NIST (Incorrect):
TheNational Institute of Standards and Technology (NIST)provides the security framework (e.g.,NIST SP 800-171) but does not enforce CMMC compliance.
D . CMMC-AB (Incorrect):
TheCyber AB (formerly CMMC-AB)is responsible for accreditingC3PAOsand overseeing theCMMC ecosystem, but it does not determine which organizations require assessments. Final Confirmation of Answer(s); The DoD mandates CMMC compliance for organizations handling FCI or CUI.
CMMC requirements are enforced through DFARS clauses in DoD contracts.
Thus, the correct answer is:A. DoD






Post your Comments and Discuss Cyber AB CMMC-CCP exam prep with other Community members:

Join the CMMC-CCP Discussion