Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers

Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.

Supporting Extracts from Official Content:

CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”

CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.

Why Option A is Correct:

The server stores FCI, making it automatically in scope.

Option B is incorrect because long-term storage does not make an asset out of scope.

Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.

Option D is incorrect because encryption does not remove scope requirements.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1.

CMMC Model v2.0, Scoping and Implementation guidance.

===========

According to the CMMC Assessment Process (CAP) v2.0, assessors are required to conduct Daily Checkpoint Meetings at the end of each day to summarize progress with the OSC (Organization Seeking Certification). The final Daily Checkpoint is where preliminary practice ratings are shared, before the quality assurance review and Out-Brief. The Out-Brief is reserved for the presentation of final results. Additionally, Department of Defense regulations (32 CFR §170.17(c)(2)) provide a 10-business-day re-evaluation window for requirements marked NOT MET before the final report is delivered, which necessitates that the OSC see preliminary ratings during the assessment process itself.

Supporting Extracts from Official Content:

CAP v2.0, §2.23: “The assessment team shall host a Daily Checkpoint Meeting with the OSC at the end of each assessment day to summarize progress.”

CAP v2.0, §3.7: “The C3PAO shall conduct the quality assurance review… prior to the conduct of the Out-Brief Meeting.”

CAP v2.0, §3.10: “The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC.”

32 CFR §170.17(c)(2): “A security requirement assessed as NOT MET may be re-evaluated… for 10 business days… if the CMMC Assessment Findings Report has not been delivered.”

Why Option A is Correct:

The CAP specifies that Daily Checkpoint Meetings are the formal, structured mechanism for assessors to communicate progress and preliminary findings to the OSC.

The final Daily Checkpoint provides the OSC with visibility into the preliminary practice ratings before they are finalized, ensuring transparency and alignment.

The Out-Brief is explicitly for conveying the final assessment results after the C3PAO has completed QA.

Federal regulation (32 CFR §170.17(c)(2)) requires the OSC to have access to preliminary results so they can provide additional evidence for re-evaluation before the report is locked, further confirming that this exchange must occur at the final Daily Checkpoint.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0: Sections 2.23 (Daily Checkpoints), 3.7–3.10 (QA and Out-Brief).

32 CFR §170.17(c)(2): Security Requirement Re-evaluation Window.

DoD CMMC Assessment Guide – Level 2 (v2.13): Guidance on MET/NOT MET determinations and findings.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):

MP.L2-3.8.1 – Media Protection: Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.

Defense Innovation Unit

MP.L2-3.8.3 – Media Disposal: It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.

Defense Innovation Unit

Physical Protection (PE):

PE.L2-3.10.2 – Monitor Facility: Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.

Defense Innovation Unit

Application to the Scenario:

Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:

Reviewing the Evidence File: The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.

Printing the Evidence File: If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.

Making Notes: Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.

Disposal of Printed Materials: After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.

totem.tech

Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1–3 Practices

NIST SP 800-171 Rev. 2, Control PE-3

For SI.L2-3.14.7 (Identify Unauthorized Use) , the assessment objectives focus on two outcomes: (a) the organization has defined authorized use of the system, and (b) the organization identifies unauthorized use when it occurs. The strongest evidence is therefore evidence that the organization actively monitors systems and can detect and recognize activity outside the defined authorized-use baseline.

In the DoD CMMC Assessment Guide – Level 2 (v2.13) , the “Potential Assessment Methods and Objects” for SI.L2-3.14.7 emphasize artifacts that are directly tied to monitoring and detection—such as a continuous monitoring strategy , system and information integrity policy , procedures addressing system monitoring tools and techniques , and technical monitoring capabilities (e.g., tools/techniques like IDS/IPS , audit record monitoring , and network monitoring ).

These artifacts are exactly what demonstrate that unauthorized use is being identified in practice (alerts, logs, correlation, and review processes) and that authorized use is defined (policies/standards that establish what “authorized” looks like so “unauthorized” can be recognized).

By contrast, risk assessment/response and incident response may be related program elements, but they are not the primary evidence that the organization is continuously detecting unauthorized use. The assessment guide’s focus on monitoring artifacts makes System monitoring the best evidence.

Understanding Multi-Function Device (MFD) Security in CMMC

Multi-function devices (MFDs), such asscanners, printers, and copiers,process, store, and transmit FCI, making them apotential attack surfacefor unauthorized access.

Thebest technical controlto limit MFD access to only authorized systems isVirtual LAN (VLAN) restrictions, whichsegment and isolate network traffic.

Why the Correct Answer is "A. Virtual LAN (VLAN) Restrictions"?

VLAN Restrictions Provide Network Segmentation

VLANsisolate the MFDfrom unauthorized systems, ensuringonly approved devicescan communicate with it.

Prevents unauthorized network access bylimiting connectionsto specific IPs or subnets.

Meets CMMC 2.0 Network Security Controls

Aligns withCMMC System and Communications Protection (SC) Practicesfor network segmentation and access control.

Reducesthe risk of unauthorized access to scanned and printed FCI.

Why Not the Other Options?

B. Single administrative account→Incorrect

Asingle admin accountdoes not restrict accessbetween devices, only controlswho can configurethe MFD.

C. Documentation showing MFD configuration→Incorrect

Documentation helps with compliance butdoes not actively restrict access.

D. Access lists only known to the IT administrator→Incorrect

Access lists should besystem-enforced, not just "known" to the administrator.

Relevant CMMC 2.0 References:

CMMC Practice SC.3.192 (Network Segmentation)– Requires restricting access usingnetwork segmentation techniques such as VLANs.

NIST SP 800-171 (SC Family)– Supportsisolation of sensitive devicesusing VLANs and other segmentation controls.

Final Justification:

SinceVirtual LAN (VLAN) restrictions enforce access control at the network level, the correct answer isA. Virtual LAN (VLAN) restrictions.

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Why the Correct Answer is "D"?

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

Why Not the Other Options?

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Final Justification:

Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

CMMC Level 2 requires full implementation of the 110 security requirements specified in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. These practices form the foundation for safeguarding CUI across defense contractor systems.

NIST SP 800-53 is a broader catalog of security controls for federal systems, not specific to CUI in the defense contractor environment.

48 CFR 52.204-21 establishes basic safeguarding requirements for Federal Contract Information (FCI) and corresponds to CMMC Level 1.

DFARS 252.204-7012 defines safeguarding and incident reporting obligations but does not enumerate the specific security practices required.

Thus, Level 2 practices are aligned to NIST SP 800-171.

Reference Documents:

CMMC Model v2.0 Overview, December 2021

NIST SP 800-171 Rev. 2

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A & S directly manages subcontractor certification.

Supporting Extracts from Official Content:

DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”

Why Option D is Correct:

Compliance responsibility flows through the contractor supply chain.

CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.

OUSD A & S sets policy, not enforcement at contract level.

DoD agencies only require compliance at award/contract oversight level.

References (Official CMMC v2.0 Content):

DFARS 252.204-7021.

CMMC Model v2.0 governance guidance.

===========