Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers

Understanding NIST SP 800-88 Rev. 1 and Media Sanitization

TheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Three Categories of Data Disposal in NIST SP 800-88 Rev. 1

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

Why "A. Clear, Purge, Destroy" is Correct?

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

Conclusion

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)

TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

Why "C. User names associated with system accounts assigned to those individuals" is Correct?

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

Why Other Answers Are Incorrect?

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

Conclusion

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :

Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect :

Option A : While it contains Level 1 practices, it also includes Level 2 practices.

Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D : The Advanced level does not reach the requirements of Level 3.

Reference Documents :

CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========

Understanding C3PAO Requirements

ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:

✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:

✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

Final Validation from CMMC Documentation:

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

The best match is Penetration test team because penetration testing is an authorized, structured security evaluation intended to find vulnerabilities in systems or networks and produce results that enable remediation/mitigation .

Authoritatively, NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) is a primary federal reference for technical security testing. It describes the purpose of technical testing as helping organizations plan and conduct tests , analyze findings , and develop mitigation strategies —which aligns directly with “vulnerability evaluations” and “providing mitigation techniques.” The DoD also points its Components to NIST SP 800-115 as guidance for penetration testing activities.

By contrast, a Red Team is typically framed as an “ethical adversary” that emulates attackers to test detection/response and overall readiness; it is often broader, scenario-driven, and focused on demonstrating what a capable adversary can accomplish rather than performing a scoped vulnerability evaluation with remediation-oriented outputs. A Blue Team is primarily defensive operations (monitoring, detection, response), not the group defined by conducting vulnerability evaluations for customers. “ White hat hackers ” is a general label for ethical hackers, but it is less specific than the established service construct of a penetration test team .

Because the question emphasizes operational network vulnerability evaluations plus mitigation techniques , the most precise and standard term is D: Penetration test team , supported by NIST’s testing-and-mitigation framing.

Planning and preparing for aCMMC assessmentinvolves collaboration between theassessorand theOrganization Seeking Certification (OSC)to determine scope, required evidence, and logistics. This planning process isdynamicand must adapt as new information emerges.

Why the Correct Answer is "D"?

Assessment Scope and Requirements May Change

As assessors gather evidence and analyze the environment,new details about assets, networks, and security controlsmay require adjustments to the assessment plan.

TheCMMC Assessment Process (CAP) Guideemphasizes that assessmentrequirements and scope should be continuously reviewed and updatedto reflect real-time findings.

Assessors Follow an Adaptive Approach

DuringCMMC assessments, organizations may discover additionalFCI or CUI assets, which can change the required security practices to be evaluated.

Assessors shouldrevise the assessment approach accordinglyrather than strictly following an initial, unchangeable plan.

Why Not the Other Options?

A. Scoping an assessment is easy and worry-free→Incorrect

Scoping is acritical and complex processthat requires careful evaluation of the OSC’s information systems and assets.

CMMC Scoping Guidestates thatidentifying in-scope assets is crucial and requires significant effort.

B. The initial plan cannot be changed once agreed upon→Incorrect

Theinitial assessment plan is a starting point, butit must be flexiblebased on real-time findings.

CMMC CAP Guideemphasizescontinuous refinementduring the assessment process.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude→Incorrect

While there aretimelines, the key focus is ensuring thatall necessary evidence is gathered accuratelyrather than rushing to meet a strict deadline.

Relevant CMMC 2.0 References:

CMMC Assessment Process (CAP) Guide– States that assessment requirements and planning should be updated as additional information is gathered.

CMMC Scoping Guide (Nov 2021)– Explains that assessors must continually refinein-scope assets and requirementsthroughout the process.

Final Justification:

Assessment planning is a dynamic process.Assessors must continuously review and update the requirements and planas new information emerges, makingDthe correct answer.

According to the CMMC Assessment Process (CAP) and the CMMC Level 2 Assessment Guide, the assessment methodology is derived directly from NIST SP 800-171A. The framework defines three fundamental assessment methods used by a C3PAO (Certified Third-Party Assessment Organization) to determine if a practice is "Met." These are:

Examine: This involves reviewing, inspecting, or analyzing assessment objects. As per the CCP curriculum, these objects include documents (policies, procedures, plans), mechanisms (hardware, software, or firmware safeguards), or activities (logs, system configurations).

Interview: This involves holding discussions with personnel within the Organization Seeking Certification (OSC) to facilitate understanding or obtain evidence.

Test: This involves exercising assessment objects (mechanisms or activities) under specific conditions to compare actual behavior with expected behavior.

Detailed Breakdown of the Options:

Option A is correct because "documents, mechanisms, or activities" are the specific categories of assessment objects defined in the CMMC/NIST 171A methodology that are subjected to the Examine method.

Option B refers to specific technical components, which are types of mechanisms but do not represent the full scope of the assessment methods.

Option C lists specific examples of evidence, but is not the formal definition of the "Examine" method components.

Option D describes specific "Test" or "Interview" activities rather than the categorical objects of the "Examine" method.

Reference Documents:

CMMC Assessment Guide, Level 2: Section on "Assessment Methods" (derived from NIST SP 800-171A).

CMMC Assessment Process (CAP): Defines the evidence collection phase and the application of Examine, Interview, and Test (E-I-T).

NIST SP 800-171A: The source document defining the "Assessment Objects" as specifications (documents), mechanisms, and activities.

CMMC Assessment Process (CAP) and CMMC Code of Professional Conduct emphasize that conflicts of interest (COI) must be disclosed and managed transparently. A Certified CMMC Professional (CCP) is required to:

Inform their organization,

Disclose the COI to the affected stakeholders, and

Take reasonable steps to minimize the impact.

What they must NOT do is conceal it from the Assessment Team Lead or others. Concealing a COI violates the CMMC Code of Professional Conduct and compromises the integrity of the assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

CMMC Code of Professional Conduct, CMMC-AB

Step 1: Understanding CMMC Assessment Scope Determination

In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.