Cyber AB CMMC-CCP Exam
Certified CMMC Professional (CCP) (Page 5)

Updated On: 9-Feb-2026

When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?

  A. NIST SP 800-53
  B. NIST SP 800-88
  C. NIST SP 800-171
  D. NIST SP 800-172

Answer(s): C

Explanation:

Why NIST SP 800-171 is Essential for Level 2 Scoping:
CMMC 2.0 Level 2 is directly aligned with NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations." Organizations Seeking Certification (OSCs) at Level 2 must demonstrate compliance with the 110 security requirements specified in NIST SP 800-171, as mandated by DFARS 252.204-7012.
Defines the Security Requirements for Protecting CUI:
NIST SP 800-171 outlines 110 security controls that contractors must implement to protect Controlled Unclassified Information (CUI) in nonfederal systems.
These controls are categorized under 14 families, including access control, incident response, and risk management.
Establishes the Baseline for CMMC Level 2 Compliance:
CMMC 2.0 Level 2 assessments are entirely based on NIST SP 800-171 requirements. Every practice assessed in a Level 2 certification maps directly to a requirement from NIST SP 800-171 Rev. 2.
Provides Guidance for Implementation & Assessment:
The NIST SP 800-171A "Assessment Guide" provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.
It helps define the scope of an assessment by clarifying how each control should be implemented and verified.
Referenced in CMMC and DFARS Regulations:
DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 security requirements. The CMMC 2.0 Level 2 model directly incorporates all 110 requirements from NIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.
Explanation of Incorrect Answers:
A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")
This document applies to federal systems, not nonfederal entities handling CUI.
While it is the foundation for other security standards, it is not the basis of CMMC Level 2 assessments.
B. NIST SP 800-88 ("Guidelines for Media Sanitization")
This document focuses on secure data destruction and media sanitization techniques.
While data disposal is important, this standard does not define security controls for protecting CUI.
D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")
This document builds on NIST SP 800-171 and applies to systems needing advanced cybersecurity protections (e.g., targeting Advanced Persistent Threats).
It is not required for standard CMMC Level 2 assessments, which only mandate NIST SP 800-171 compliance.
Key Reference for CMMC Level 2 Scoping:
NIST SP 800-171 Rev. 2 (NIST Official Site)
NIST SP 800-171A (Assessment Guide) (NIST Official Site)
CMMC 2.0 Level 2 Scoping Guide (Cyber AB)
Conclusion:
Since CMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments.
Therefore, the correct answer is:
C. NIST SP 800-171



A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

  A. FCI Assets
  B. Specialized Assets
  C. Out-of-Scope Assets
  D. Operational Technology Assets

Answer(s): C

Explanation:

Understanding CMMC Asset Categorization
The CMMC 2.0 Scoping Guide defines how assets are categorized based on their involvement with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
In this scenario:
The government services division interacts with federal clients and receives FCI, making its assets in-scope for CMMC Level 1.
The commercial services division interacts only with non-federal clients and does not handle FCI; this means its assets are not subject to CMMC Level 1 requirements and should be classified as Out-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per the CMMC Scoping Guide, assets that:
Do not store, process, or transmit FCI/CUI
Do not directly impact the security of in-scope assets
Are completely segregated from the FCI/CUI environment
are classified as Out-of-Scope Assets.
Since the commercial services division only processes publicly available information and has no interaction with FCI, its assets are out-of-scope for the CMMC Level 1 assessment.

Why the Other Answers Are Incorrect
A. FCI Assets
Incorrect. FCI assets are only those that store, process, or transmit FCI. The commercial services division does not handle FCI, so its assets do not qualify.
B. Specialized Assets
Incorrect. Specialized assets refer to Internet of Things (IoT), Operational Technology (OT), and test equipment. These do not apply to a general commercial services division.
D. Operational Technology Assets
Incorrect. Operational Technology (OT) Assets involve industrial control systems, SCADA, and manufacturing equipment, which are not relevant to this scenario.
CMMC Official Reference
CMMC 2.0 Scoping Guide - Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option C (Out-of-Scope Assets) is the correct answer based on official CMMC scoping guidance.



In performing scoping, what should the assessor ensure that the scope of the assessment covers?

  A. All assets documented in the business plan
  B. All assets regardless if they do or do not process, store, or transmit FCI/CUI
  C. All entities, regardless of the line of business, associated with the organization
  D. All assets processing, storing, or transmitting FCI/CUI and security protection assets

Answer(s): D

Explanation:

Scoping Requirements in CMMC Assessments
The CMMC 2.0 Scoping Guide and CMMC Assessment Process (CAP) Document clearly define what should be included in the scope of an assessment.
The assessment scope must cover:
All assets that process, store, or transmit FCI/CUI
Security Protection Assets (ESP): these assets help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.
Thus, the correct scope includes both:
FCI/CUI Assets (data storage, processing, or transmission assets)
Security Protection Assets (ESP) (firewalls, security tools, etc.)

Why the Other Answers Are Incorrect
A. All assets documented in the business plan
Incorrect. Business plans may include assets unrelated to FCI/CUI, making this scope too broad. Only assets relevant to FCI/CUI should be assessed.
B. All assets regardless if they do or do not process, store, or transmit FCI/CUI
Incorrect. CMMC does not require organizations to include assets that have no connection to FCI/CUI.
C. All entities, regardless of the line of business, associated with the organization
Incorrect. Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (like a non-federal commercial division) are out-of-scope.
CMMC Official Reference
CMMC 2.0 Scoping Guide - Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus, option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answer as per official CMMC assessment scoping requirements.



An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?

  A. Test
  B. Observe
  C. Examine
  D. Interview

Answer(s): C

Explanation:

Understanding Assessment Methods in CMMC 2.0
According to the CMMC Assessment Process (CAP) Guide, assessors use three primary assessment methods to determine compliance with security practices:
Examine - Reviewing documents, policies, configurations, and system records.
Interview - Speaking with personnel to gather insights into security processes.
Test - Performing technical validation of system functions and security controls.
Why Option C (Examine) is Correct
The Assessment Team Member is inspecting Assessment Objects (e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient for AC.L1-3.1.1 (Access Control - Authorized Users).
This activity aligns directly with the Examine method, which involves reviewing artifacts such as:
Access control lists (ACLs)
System user authentication logs
Account management policies
Role-based access control settings
"Observe" (Option B) is incorrect because "observing" is not an official assessment method in CMMC.
"Test" (Option A) is incorrect because the assessment is not actively executing a function but rather reviewing evidence.
"Interview" (Option D) is incorrect because no personnel are being questioned; only documentation is being reviewed.
Official CMMC Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 3.5 - Assessment Methods
CMMC Level 2 Assessment Guide - Access Control Practices (AC.L1-3.1.1)
Final Verification
Since the activity involves reviewing documents and records to verify access control measures, it falls under the Examine method, making Option C the correct answer.



In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI.

What is the ESP employee considered?

  A. In scope
  B. Out of scope
  C. OSC point of contact
  D. Assessment Team Member

Answer(s): A

Explanation:

Understanding Scoping in CMMC Level 1 Self-Assessments
Federal Contract Information (FCI) is any information not intended for public release that is provided or generated under a U.S. Government contract to develop or deliver a product or service.
Enhanced Security Personnel (ESP) refers to employees, contractors, or third parties who have access to FCI within an Organization Seeking Certification (OSC).
Under CMMC 2.0 Scoping Guidance, any personnel, system, or asset with access to FCI is considered in scope for a CMMC Level 1 assessment.
Why Option A (In scope) is Correct
Since the ESP employee has access to FCI, they must be included in the assessment scope.
Option B (Out of scope) is incorrect because anyone with access to FCI is automatically considered part of the CMMC Level 1 boundary.
Option C (OSC point of contact) is incorrect because the point of contact is typically an administrative or compliance representative, not necessarily someone with FCI access.
Option D (Assessment Team Member) is incorrect because an ESP employee is not part of the assessment team but rather a subject of the assessment.
Official CMMC Documentation Reference
CMMC Level 1 Scoping Guide, Section 2 - Defining Scope for FCI
CMMC Assessment Process (CAP) Guide - Roles and Responsibilities
Federal Acquisition Regulation (FAR) 52.204-21 (Basic Safeguarding of FCI)
Final Verification
Since the ESP employee has access to FCI, they are considered in scope for the CMMC Level 1 self-assessment, making Option A the correct answer.


