Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 3

Interview Selection in CMMC AssessmentsDuring aCMMC assessment, theLead Assessormust work with theOrganization Seeking Certification (OSC)to select personnel for interviews. The goal is to:

✅Verify that personnel understand andperform security-related practices.

✅Ensure that individuals canexplain how they implement CMMC requirements.

✅Gain insight intoactual cybersecurity operationsrather than just documented policies.

The best interviewees are those whodirectly engage with security practicesand canclearly explain how they perform their duties.

CMMC assessmentsrely on interviewsto validate that security practices areimplemented effectively.

Themost valuable intervieweesare those who canexplainhow security measures are appliedin day-to-day operations.

CMMC Assessment Process (CAP)emphasizes that assessors should speak tothose actively involved in security practicesrather than just senior management or policy owners.

Why "Providing Clarity and Understanding" Is KeyThus,option D is the correct choicebecause the Lead Assessor should prioritizeinterviewing personnel who can clearly explain how CMMC practices are implemented.

A. Have a security clearance.❌Incorrect.Security clearance is not a requirementfor CMMC assessments. The focus is onpractical implementation of security controls, not classified work.

B. Be a senior person in the company.❌Incorrect. Senior executives may not be involved in theactual implementation of security controls. The best interviewees are those whoperform the work, not just oversee it.

C. Demonstrate expertise on the CMMC requirements.❌Incorrect. Whileunderstanding CMMC is important, expertise alonedoes not guarantee practical knowledgeof security controls. The key is thatinterviewees must provide clarity on how they perform security tasks.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Guides interview selection based on personnel who perform security functions.

NIST SP 800-171 & CMMC 2.0– Emphasize that cybersecurity controls must beactively implemented, not just documented.

CMMC Official ReferencesThus,option D (Provide clarity and understanding of their practice activities) is the correct answeras per official CMMC assessment guidelines.

CMMC Level 2is designed to alignfullywithNIST SP 800-171, which consists of110 security controls (practices).

This meansall 110 practicesfrom NIST SP 800-171 are required for aCMMC Level 2 certification.

How Many Practices Are Included in CMMC Level 2?Breakdown of Practices in CMMC 2.0CMMC Level

Number of Practices

Level 1

17 practices(Basic Cyber Hygiene)

Level 2

110 practices(Aligned with NIST SP 800-171)

Level 3

Not yet finalized but expected to exceed 110

Since CMMC Level 2 mandatesall 110 NIST SP 800-171 practices, the correct answer isC. 110 practices.

A. 17 practices❌Incorrect.17 practicesapply only toCMMC Level 1, not Level 2.

B. 72 practices❌Incorrect. There is no CMMC level with72 practices.

D. 180 practices❌Incorrect. CMMC Level 2only requires 110 practices, not 180.

Why the Other Answers Are Incorrect

CMMC 2.0 Model– Confirms thatLevel 2 includes 110 practicesaligned withNIST SP 800-171.

NIST SP 800-171 Rev. 2– Outlines the110 security controlsrequired for handlingControlled Unclassified Information (CUI).

CMMC Official ReferencesThus,option C (110 practices) is the correct answer, as per official CMMC guidance.

Understanding the CMMC-AB Code of Professional ConductTheCybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), now referred to asThe Cyber AB, establishes aCode of Professional Conduct (CoPC)for all individuals involved in CMMC assessments, includingCertified Assessors (CAs), Certified Professionals (CPs), and C3PAOs (Certified Third-Party Assessment Organizations).

Thecore principlesoutlined in theCMMC-AB Code of Professional Conductinclude:

Responsibility

CMMC professionals must takefull accountabilityfor their actions, ensuring that assessments are conducted withintegrity and professionalism.

They mustadhere to all ethical and regulatory requirementsestablished by The Cyber AB and the DoD.

Confidentiality

CMMC professionals mustprotect sensitive information, includingControlled Unclassified Information (CUI)andFederal Contract Information (FCI).

They are required toadhere to non-disclosure agreements (NDAs)and avoid improper information sharing.

Information Integrity

All reports, findings, and recommendations in CMMC assessments must beaccurate, unbiased, and truthful.

Assessors mustavoid conflicts of interestand ensure that all data provided in an assessment isverifiable and free from misrepresentation.

Answer A (Incorrect): "Classification" is not a primary principle of the CMMC-AB CoPC. The focus is on protectingCUI and FCI, not on classification procedures.

Answer B (Incorrect): "Objectivity" is important, but it is not explicitly listed as one of the three core principles in theCMMC-AB Code of Professional Conduct.

Answer C (Incorrect): "Classification" is not a guiding principle in the CoPC.

Answer D (Correct):The Code of Professional Conduct explicitly emphasizes responsibility, confidentiality, and information integrity.

The correct answer isD. Responsibility, Confidentiality, and Information Integrity.

These principlesensure that all CMMC professionals maintain ethical standards and uphold the integrity of the certification process.

Understanding Policy Validation in CMMC AssessmentsDuring a CMMC assessment, policies must be evaluated based on:

Who has the authority to approve and enforce them

Whether they are current and implemented effectively

The validity of a policydoes not solely depend on the signatorybut rather onhow the organization assigns authority for policy creation, approval, and enforcement.

Some organizations assignauthority to a specific person, meaning anew signatory may be requiredwhen leadership changes.

Others assign authority to aposition/title(e.g., CISO, IT Director), in which casea new signature may not be requiredas long as the role remains responsible for policy enforcement.

The assessment teammust review the organization's policy management processto determine if the policy remains valid despite leadership turnover.

Key Considerations in Policy Validation:Thus,the correct answer is B, as additional research is needed to confirm whether the organization's policy is tied to the individual or the position.

A. The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.❌Incorrect. This assumes thatauthority is always tied to a person, which is not always the case. Some organizations delegate authorityto a position, not an individual.

C. The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.❌Incorrect. While implementation is crucial,the authority behind the policy must also be validatedper CMMC documentation requirements.

D. The authority to implement and enforce lies with the position, not the person. As long as that position's authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.❌Incorrect. This assumes thatauthority is always assigned to a position, which is not universally true. More research is required to confirm this.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Outlines the importance of verifying the authority and enforcement of policies.

NIST SP 800-171 (3.12.1 - Security Policies and Procedures)– Requires that policies be maintained and enforced by appropriate personnel.

CMMC Official ReferencesThus,option B (More research on the company policy is needed) is the correct answer, as per official CMMC policy validation guidance.

Which NIST SP Defines the Assessment Procedures for CMMC?CMMC Level 2 isdirectly based on NIST SP 800-171, and the assessment procedures used in CMMC assessments are derived fromNIST SP 800-171A.

Step-by-Step Breakdown:✅1. NIST SP 800-171A Defines Assessment Procedures

NIST SP 800-171Ais titled"Assessing Security Requirements for Controlled Unclassified Information (CUI)".

It providesdetailed assessment objectives and test proceduresfor evaluating compliance withNIST SP 800-171 security requirements, whichCMMC Level 2 is fully aligned with.

CMMC Assessors use 800-171Aas abaseline for assessing the effectiveness of security controls.

✅2. Why the Other Answer Choices Are Incorrect:

(A) NIST SP 800-53❌

800-53 defines security controlsfor federal information systems, but it doesnot provide assessment procedures specific to CMMC.

(B) NIST SP 800-53A❌

800-53A provides assessment procedures for 800-53 controls, butCMMC is based on NIST SP 800-171, not 800-53.

(C) NIST SP 800-171❌

800-171 defines security requirements, butit does not provide assessment procedures. Theassessment proceduresare in800-171A.

TheCMMC Assessment Guide (Level 2)explicitly states that assessment procedures are derived fromNIST SP 800-171A.

Final Validation from CMMC Documentation:Thus, the correct answer is:

Step 1: Understand the Definitions of Evidence Evaluation CriteriaTheCMMC Assessment Process (CAP)introduces two key criteria for evaluating evidence:

Adequacy– Does the evidencealign with the practice?

Sufficiency– Is the evidencecomprehensive enoughin terms ofcoverage across systems, users, and scope?

CAP v1.0 – Section 3.5.4:

“Evidence must be evaluated for bothadequacy(is it the right evidence?) andsufficiency(is there enough of it across all in-scope assets and areas?) to score a practice as MET.”

✅Step 2: Applying to the ScenarioIn the question, the Lead Assessor is asking the team toverify that evidence is sufficient across:

Domains

Practices

Host Units

Supporting Organizations

Enclaves

➡️ This is adirect reference to sufficiency, which evaluates whether thebreadth and depthof evidence is enough to make an informed judgment that the control is truly implemented across theentire assessed environment.

A. Adequacy✘ Adequacy refers to therelevanceof the evidence to the specific practice — not itscoverageacross scope.

B. Capability✘ Not a term used in evidence validation within CMMC CAP documentation.

D. Objectivity✘ While objectivity is important, it refers to theunbiased nature of assessment activities, not to theextent of evidence coverage.

❌Why the Other Options Are Incorrect

When an assessor evaluates whether the evidence is broad enough across all necessary systems, units, and enclaves to score a practice as MET, they are evaluatingsufficiency— one of the two core criteria for evidence validity in a CMMC assessment.

The Controlled Unclassified Information (CUI) Program, established by Executive Order 13556, standardizes the handling and marking of unclassified information that requires safeguarding or dissemination controls across federal agencies and their contractors. The National Archives and Records Administration (NARA) serves as the Executive Agent responsible for implementing the CUI Program.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to protect CUI by adhering to the security requirements outlined in NIST Special Publication 800-171. This includes proper marking of CUI to ensure that all personnel recognize and handle such information appropriately.

The NARA CUI Introduction to Marking provides comprehensive guidance on the correct procedures for marking documents and communications containing CUI. This resource is essential for training purposes, as it offers detailed instructions and examples to help personnel understand and implement proper CUI markings. By referring the sales team to the NARA CUI Introduction to Marking, the director of sales ensures that the team receives authoritative and standardized training on how to appropriately mark emails and other documents containing CUI, thereby maintaining compliance with federal regulations and CMMC requirements.

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-AssessmentCMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Official CMMC 2.0 Documentation ReferencesBreakdown of Answer ChoicesConclusionThecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

Reference Documents for Further Reading

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

Final Validation from CMMC Documentation:

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)’s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collectionswithin180 days.

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA&M with additional evidenceto demonstrate compliance.

Relevant CMMC 2.0 Reference:

A. 90 days → Incorrect

The CMMC CAP does not impose a90-day limiton POA&M updates; instead,180 daysis the standard timeframe.

B. 180 days → Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C. 270 days → Incorrect

No official CMMC documentation mentions a270-dayreview period.

D. 360 days → Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

Why is the Correct Answer 180 Days (B)?

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA&M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.

CMMC 2.0 References Supporting this Answer: