Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 3

Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:

Examination – Reviewing documents, records, system configurations, and other artifacts.

Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing – Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

Why Option D is Correct

The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2 (Aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying on one method (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.

Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.

CMMC 2.0 and Official Documentation References

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.

Final Verification

To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.

CMMC Assessment Process (CAP) and CMMC Code of Professional Conduct emphasize that conflicts of interest (COI) must be disclosed and managed transparently. A Certified CMMC Professional (CCP) is required to:

Inform their organization,

Disclose the COI to the affected stakeholders, and

Take reasonable steps to minimize the impact.

What they must NOT do is conceal it from the Assessment Team Lead or others. Concealing a COI violates the CMMC Code of Professional Conduct and compromises the integrity of the assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

CMMC Code of Professional Conduct, CMMC-AB

The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.

Supporting Extracts from Official Content:

CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”

Why Option B is Correct:

Examine = analyzing artifacts.

Interview = discussions with personnel.

Test = executing technical checks.

Behavior is not an assessment method.

References (Official CMMC v2.0 Content):

CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).

===========

CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.

Breakdown of CMMC Level 1 Practices

The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:

Access Control (AC)– 4 practices

AC.L1-3.1.1: Limit system access to authorized users

AC.L1-3.1.2: Limit user access to authorized transactions and functions

AC.L1-3.1.20: Verify and control connections to external systems

AC.L1-3.1.22: Control information posted or processed on publicly accessible systems

Identification and Authentication (IA)– 2 practices

IA.L1-3.5.1: Identify and authenticate system users

IA.L1-3.5.2: Use multifactor authentication for local and network access

Media Protection (MP)– 1 practice

MP.L1-3.8.3: Sanitize media before disposal or reuse

Physical Protection (PE)– 4 practices

PE.L1-3.10.1: Limit physical access to systems containing FCI

PE.L1-3.10.3: Escort visitors and monitor visitor activity

PE.L1-3.10.4: Maintain audit logs of physical access

PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)– 2 practices

SC.L1-3.13.1: Monitor and control communications at system boundaries

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components

System and Information Integrity (SI)– 4 practices

SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner

SI.L1-3.14.2: Provide protection from malicious code at designated locations

SI.L1-3.14.4: Update malicious code protection mechanisms periodically

SI.L1-3.14.5: Perform scans of system components and real-time file scans

Official Reference from CMMC 2.0 Documentation

The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.

???? CMMC 2.0 Level 1 Summary:

Focus:Basic safeguarding of FCI

Total Practices:17

Derived From:FAR 52.204-21

Assessment Type:Self-assessment (annual)

Final Verification and Conclusion

The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.

Step 1: Understanding AC.L1-3.1.22

AC.L1-3.1.22states:"Control information posted or processed on publicly accessible systems."

This control requires organizations toensure that FCI (Federal Contract Information) is not publicly postedor made accessible in an uncontrolled manner.

FCI must beprotected from unauthorized disclosure, even if it is not classified or CUI.

In a CMMC Level 2 Assessment, an assessor must achieve a high level of confidence that a practice is both implemented and institutionalized. This is determined through the Examine, Interview, and Test (E-I-T) methods as outlined in NIST SP 800-171A and the CMMC Assessment Process (CAP).

Conflict of Evidence: The scenario presents a direct conflict between the three pillars of evidence. The Policy/Documentation (Examine) states the practice occurs monthly. The Logs/Artifacts (Examine/Test) show it occurs quarterly. The Interviews claim it happens monthly but is only recorded quarterly.

The "Not Met" Determination: Under the CAP, if the evidence collected does not consistently support the assessment objective, the practice cannot be marked as "Met." Specifically:

Adequacy and Sufficiency: The logs (the primary proof of performance) are insufficient to prove the monthly requirement stated in the documentation.

Inconsistency: Assessors look for "corroboration." When interviews contradict the physical artifacts (the logs), the objective evidence (the logs) carries significant weight. If a practice is required monthly but only recorded quarterly, the assessor cannot verify that it was actually performed during the missing months.

Why other options are incorrect:

Option B: The practice isnotbeing done as documented because the documentation says "monthly" and the logs only show "quarterly."

Option C: This is a common misconception. Not all three methods (E, I, and T) are required foreverysingle practice (the Assessment Guide specifies which are required), but allusedmethods must yield consistent "Met" results.

Option D: Interviews alone are almost never sufficient to pass a practice that requires technical or administrative artifacts (logs).

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section 3.4 (Collect and Verify Evidence) and Section 3.5 (Determine Findings).

CMMC Level 2 Assessment Guide: Introduction to Assessment Methods, emphasizing that findings must be supported by the "preponderance of evidence."

NIST SP 800-171A: Chapter 2, "Assessment Procedures," regarding the necessity of artifacts to prove implementation over time.

Understanding the “Verify Evidence and Record Gaps” Activity in a CMMC Assessment

During aCMMC Level 2 Assessment, theAssessment Teamfollows a structured methodology toverify evidenceand determine whether theOrganization Seeking Certification (OSC)has met all required practices. One of the key activities in this process is"Verify Evidence and Record Gaps", which ensures that the assessment findings accurately reflect any missing or inadequate compliance evidence.

Step-by-Step Breakdown:

✅1. Primary Intent: Identifying Gaps Between Required and Collected Evidence

TheAssessment Teamcompares the evidence provided by the OSC against theCMMC practice requirements.

If evidence ismissing, insufficient, or inconsistent, assessors mustdocument the gapand describe what is lacking.

This ensures that compliance deficiencies are clearly identified, allowing the OSC to understand what must be corrected.

✅2. How This Process Works in a CMMC Assessment

Assessorsreview collected documentation, system configurations, policies, and interview responses.

They verify that the evidencematches the expected implementationof a practice.

If gaps exist, they arerecordedfor discussion and potential remediation before assessment completion.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Map test and demonstration responses to CMMC practices.❌

Incorrect:While mapping evidence to CMMC practices is part of the assessment, theprimary intentof the "Verify Evidence and Record Gaps" step is toidentify deficiencies, not just mapping responses.

(B) Conduct interviews to test process implementation knowledge.❌

Incorrect:Interviews are a method used during evidence collection, but they arenot the primary focusof the verification and gap analysis step.

(C) Determine the one-to-one relationship between a practice and an assessment object.❌

Incorrect:The assessment teamreviews multiple sources of evidencefor each practice, and some practices require multiple assessment objects. The goal isnot a strict one-to-one mappingbut rathera holistic validation of compliance.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates that"Verify Evidence and Record Gaps"is the step where assessorscompare expected evidence against what has been provided and document discrepancies. This ensurestransparent assessment findings and remediation planning.

Thus, the correct answer is:

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)

TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

Why "C. User names associated with system accounts assigned to those individuals" is Correct?

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

Why Other Answers Are Incorrect?

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

Conclusion

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

Contractors that handle Covered Defense Information (CDI) are required to report cyber incidents to the Department of Defense within 72 hours of discovery.

Supporting Extracts from Official Content:

DFARS 252.204-7012(c)(1): “When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall conduct a review… and rapidly report the cyber incident to DoD within 72 hours of discovery.”

Why Option C is Correct:

The regulation explicitly specifies 72 hours.

Options A (24 hrs), B (48 hrs), and D (96 hrs) do not align with DFARS requirements.

References (Official CMMC v2.0 Content and Source Documents):

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

CMMC v2.0 Governance – Source Documents list includes DFARS 252.204-7012.

===========

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.