Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers

Understanding the CMMC Level 2 Final Report RequirementsFor aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA&M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

TheU.S. Department of Defense (DoD)is the entity thatrequiresorganizations handlingFederal Contract Information (FCI)orControlled Unclassified Information (CUI)to undergo an assessment to determine their required level ofcybersecurity maturityunderCMMC 2.0.

This requirement stems from theDFARS 252.204-7021 clause, which mandates CMMC certification for contractors handling FCI or CUI.

Understanding the Definition of an Agreement in the CMMC-AB Code of Professional ConductTheCMMC-AB Code of Professional Conductdefines anagreementasany contract between two legal entities. This includes:

✔Contracts between an OSC and a C3PAOfor CMMC assessments.

✔Service agreements between cybersecurity providers and defense contractors.

✔Any formal, legally binding arrangement related to CMMC compliance.

A. Union → Incorrect

Auniontypically refers to anorganization representing workersand is not used to describe acontractual relationship.

B. Accord → Incorrect

While anaccordcan mean an agreement, it isnot the standard legal term for a binding contractin CMMC documentation.

C. Alliance → Incorrect

Analliancerefers to astrategic partnership, but does not necessarily imply alegally binding contract.

D. Agreement → Correct

TheCMMC-AB Code of Professional Conductdefines anagreementas anylegally binding contract between two entities.

Why is the Correct Answer "D. Agreement"?

CMMC-AB Code of Professional Conduct

Defines"Agreement"as alegally binding contract between two parties.

CMMC-AB Licensed Training and Assessment Provider Guidelines

Requires that all engagementsbe governed by a formal agreement (contract) between the parties.

DFARS and CMMC Certification Contracts

States thatOSC-C3PAO relationships must be formalized through a legal agreement.

CMMC 2.0 References Supporting This Answer:

Understanding the CMMC Readiness Review ProcessALead Assessorconducting aCMMC Readiness Reviewevaluates whether anOrganization Seeking Certification (OSC)is prepared for a formal assessment.

After recording theassessment risk statusandoverall assessment feasibility, theminimum remaining criteriato be verified include:

Logistics Planning– Ensuring that the assessment timeline, locations, and necessary resources are in place.

Assessment Team Preparation– Confirming that assessors and required personnel are available and briefed.

Evidence Readiness– Ensuring the OSC has gathered all required artifacts and documentation for review.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Determine the practice pass/fail results.

Happensduringthe formal assessment, not the readiness review.

❌Incorrect

B. Determine the preliminary recommended findings.

Findings are only madeafterthe full assessment.

❌Incorrect

C. Determine the initial model practice ratings and record them.

Ratings are assigned during theassessment, not readiness review.

❌Incorrect

D. Determine the logistics, Assessment Team, and the evidence readiness.

✅Essential readiness criteria that must be confirmedbeforeassessment starts.

✅Correct

TheCMMC Assessment Process Guide (CAP)states that readiness review ensureslogistics, assessment team availability, and evidence readinessare verified.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Determine the logistics, Assessment Team, and the evidence readiness.This aligns withCMMC readiness review requirements.

Understanding CMMC 2.0 Incident Response PracticesTheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

Understanding Restricted Information Systems (IS) in CMMC ScopingInCMMC 2.0,Specialized Assetsrefer to assets that do not fit traditional IT system categories but still play a role inprocessing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The four categories ofSpecialized Assetsin theCMMC Scoping Guideinclude:

Internet of Things (IoT) Devices– Smart or network-connected devices.

Restricted Information Systems (Restricted IS)– Systems that arecontractually requiredto beconfigured to government specifications.

Test Equipment– Devices used for specialized testing or measurement.

Government Property– Equipment owned by theU.S. Governmentbut used by contractors.

The contractor-owned systems in question areconfigured based on government requirementsandused to support a DoD contract.

Restricted ISassets arecontractually requiredto meet government security requirements andhandle DoD-related information.

These systemsdo not fall under general IT assets but instead require special handling, making them a Restricted ISper theCMMC Scoping Guide.

A. IoT (Incorrect)

IoT devices includesmart devices, sensors, and embedded systems, but the contractor's business systems are not classified as IoT.

C. Test Equipment (Incorrect)

The contractor’s systems areused for handling FCI, not for testing or measurement.

D. Government Property (Incorrect)

The systems arecontractor-owned, not owned by theU.S. Government, so they do not qualify asGovernment Property.

The correct answer isB. Restricted IS, as the systems arecontractor-owned but must follow DoD security requirements.

During aCMMC Level 2 assessment, assessors requireobjective evidencethat security controls are implementedin the actual operating environmentwhereControlled Unclassified Information (CUI)is handled.

This means thattests or demonstrations must be conducted in the production environment, where the organization’s real systems and security controls are in use.

Assessment teams need to validate security controls in the actual environment where they are applied, ensuring that security measures are in effect in thereal-world operating conditions.

Option A (Client)is incorrect because "Client" is not a defined assessment environment.

Option C (Development)is incorrect because testing in a development environmentdoes not accurately represent the production security posture.

Option D (Demonstration)is incorrect becausedemonstrations in a separate test environment do not provide valid evidence for CMMC assessments—actual security implementations must be verified in production.

CMMC Assessment Process (CAP) Guide – Section 3.5 (Assessment Methods)

NIST SP 800-171 Assessment Procedures(Verification must occur in the actual system where CUI resides.)

Understanding the Assessment Environment RequirementWhy Option B (Production) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSinceCMMC assessments require security controls to be validated in the actual production environment, the correct answer isOption B: Production.

Understanding Affirmations in a CMMC AssessmentAffirmations are a type ofevidencecollected during aCMMC assessmentto confirm compliance with required practices. Affirmations are typically collected from:

✅Interviews– Conversations with personnel implementing security practices.

✅Demonstrations– Observing the practice in action.

✅Emails and Messaging– Written communications confirming compliance efforts.

✅Presentations– Documents or briefings explaining security implementations.

✅Screenshots–Visual evidenceof system configurations and security measures.

TheCMMC Assessment Process (CAP) Guidestates that assessors may collectaffirmations via various communication methods, including emails, messaging, and presentations.

Screenshotsare an additional valid form ofobjective evidenceto confirm compliance.

Options A and B are incorrectbecause emails and messaging are explicitlyallowedforms of affirmation.

Option C is incompletebecause it does not mention screenshots, which are also considered valid evidence.

Why "Yes, the affirmations collected by the assessor are all appropriate, as are screenshots" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. No, emails are not appropriate affirmations.

❌Incorrect–Emailsarea valid affirmation method.

B. No, messaging is not an appropriate affirmation.

❌Incorrect–Messagingisallowed for collecting affirmations.

C. Yes, the affirmations collected by the assessor are all appropriate.

❌Incorrect–Screenshots should also be considered valid evidence.

D. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.

✅Correct – Screenshots are also a valid form of affirmation.

CMMC Assessment Process Guide (CAP)– Defines allowable evidence collection methods, including affirmations through written communication.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.This aligns withCMMC 2.0 assessment proceduresfor collecting affirmations.

Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

The Cybersecurity Maturity Model Certification (CMMC) Level 2 is designed to ensure that organizations can adequately protect Controlled Unclassified Information (CUI). To achieve this, CMMC Level 2 incorporates specific security requirements.

Step-by-Step Explanation:

Alignment with NIST SP 800-171:

CMMC Level 2 aligns directly with the security requirements outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). This publication, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," provides a comprehensive framework for safeguarding CUI.

Incorporation of Security Requirements:

The practices required for CMMC Level 2 certification encompass all 110 security requirements specified in NIST SP 800-171. These requirements are organized into 14 families, each addressing different aspects of cybersecurity, such as access control, incident response, and risk assessment.

Purpose of Alignment:

By integrating the NIST SP 800-171 requirements, CMMC Level 2 aims to standardize the implementation of cybersecurity practices across organizations handling CUI, ensuring a consistent and robust approach to protecting sensitive information.