Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 4

Step 1: Understand the Assessment Phases (CAP v1.0)TheCMMC Assessment Process (CAP)outlines a structured lifecycle for assessments, including:

Plan and Prepare Phase– Develop the assessment plan (before the assessment starts).

Conduct Assessment Phase– Execute the actual assessment activities.

Report Results Phase– Finalize and deliver the assessment outcomes.

CAP v1.0 – Section 3.5 (Conduct Assessment):

“The assessment team collects, examines, and evaluates evidence to determine if practices are MET or NOT MET.”

During the“Conduct Assessment” phase, the main activity is to:

Collect evidence(documentation, interviews, testing),

Validate adequacy and sufficiency,

Score practicesas MET/NOT MET.

✅Step 2: Why “Collect and Examine Evidence” Is the Primary ActivityThis is thecore responsibilityof assessorswhile conductingan assessment.

A. Develop assessment plan✘ This occurs in thePlan and Preparephasebeforeconducting the assessment.

C. Verify readiness to conduct assessment✘ Readiness verification is part ofpre-assessment activities, not during the assessment itself.

D. Deliver recommended assessment results✘ This is done during theReport Resultsphase after the assessment has been conducted.

❌Why the Other Options Are Incorrect

Theprimary activity performed during the actual executionof a CMMC assessment iscollecting and examining evidenceto determine compliance with practices.

TheCybersecurity Maturity Model Certification (CMMC) 2.0is primarily based on two key National Institute of Standards and Technology (NIST) Special Publications:

NIST SP 800-171– "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations"

NIST SP 800-172– "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

NIST SP 800-171

This document is thecore foundationof CMMC 2.0 and establishes the security requirements for protectingControlled Unclassified Information (CUI)in non-federal systems.

The 110 security controls fromNIST SP 800-171 Rev. 2are mapped directly toCMMC Level 2.

NIST SP 800-172

This supplement includesenhanced security requirementsfor organizations handlinghigh-value CUIthat faces advanced persistent threats (APTs).

These enhanced requirements apply toCMMC Level 3under the 2.0 model.

B. DFARS, FIPS 100, and NIST SP 800-171→Incorrect

WhileDFARS 252.204-7012mandates compliance withNIST SP 800-171,FIPS 100 does not existas a relevant cybersecurity standard.

C. DFARS, NIST, and Carnegie Mellon University→Incorrect

CMMC is aligned with DFARS and NIST but isnot developed or directly influenced by Carnegie Mellon University.

D. DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University→Incorrect

Again,FIPS 100 is not relevant, andCarnegie Mellon Universityis not a defining entity in the CMMC framework.

CMMC 2.0 Scoping Guide (2023)confirms thatCMMC Level 2 is entirely based on NIST SP 800-171.

CMMC 2.0 Level 3 Draft Documentationexplicitly referencesNIST SP 800-172for enhanced security requirements.

DoD Interim Rule (DFARS 252.204-7021)mandates that organizations meetNIST SP 800-171 for CUI protection.

Reference and Breakdown:Eliminating Incorrect Answer Choices:Official CMMC 2.0 References Supporting the Answer:Final Conclusion:The CMMC 2.0 model is derivedsolely from NIST SP 800-171 and NIST SP 800-172, makingAnswer A the only correct choice.

Understanding Ethical Responsibility in the CMMC EcosystemEthics in theCMMC ecosystemis ashared responsibilitybetween theCMMC Accreditation Body (CMMC-AB)and itsmembers. TheCMMC-AB Code of Professional Conductoutlines ethical obligations forassessors, consultants, and other ecosystem participantsto ensure integrity, fairness, and professionalism.

CMMC-AB ensures the accreditation process remains fair, unbiased, and ethical.

CMMC ecosystem members (assessors, consultants, and organizations) are responsible for upholding ethical practices in assessments and implementations.

Ethical violations can result indisciplinary actions, revocation of certification, or legal consequences.

Key Ethical Responsibilities Include:

A. DoD and CMMC-AB → Incorrect

TheDoD oversees CMMC implementation, butit is not responsible for the ethical conduct of CMMC assessments.

B. OSC and Sponsors → Incorrect

TheOrganization Seeking Certification (OSC)is responsible for compliance but doesnot oversee ethics in the CMMC ecosystem.

C. CMMC-AB and Members of the CMMC Ecosystem → Correct

Ethics is explicitly stated as ajoint responsibility of the CMMC-AB and its ecosystem membersin official CMMC guidance.

D. Members of the CMMC Ecosystem and Lead Assessors → Incorrect

Lead Assessors are part of theCMMC ecosystem, butCMMC-AB is the governing body responsible for ethical oversight.

Why is the Correct Answer "CMMC-AB and Members of the CMMC Ecosystem" (C)?

CMMC-AB Code of Professional Conduct

Defines ethical responsibilities forassessors, consultants, and ecosystem members.

CMMC Ecosystem Governance Policies

Ethics isjointly managed by CMMC-AB and its accredited ecosystem members.

CMMC Assessment Process (CAP) Document

Outlines ethical expectations forassessors and consultantsduring certification assessments.

CMMC 2.0 References Supporting this Answer:

Understanding the CMMC Assessment Process (CAP) PhasesTheCMMC Assessment Process (CAP)consists ofthree primary phases:

Phase 1 - Planning(Pre-assessment activities)

Phase 2 - Conducting the Assessment(Evidence collection and analysis)

Phase 3 - Reporting and Finalizing Results

DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.

Scoring Practices in Phase 3The CAP document specifies that a practice can bescored as METif:

✅The deficiency identified in Phase 2 has been fully corrected before final scoring.

✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.

✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.

Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.

B. POA&M (Plan of Action & Milestones)❌Incorrect. APOA&M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.

C. NOT MET❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.

D. NOT APPLICABLE❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA&M.

CMMC Official ReferencesThus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.

Understanding RA.L2-3.11.1 Risk Assessment Scope in CMMC Level 2TheCMMC Level 2 control RA.L2-3.11.1aligns withNIST SP 800-171, Requirement 3.11.1, which mandates that organizationsperiodically assess risks to operations, assets, and individuals arising from the processing, storage, or transmission of CUI.

What is Required for Compliance?

The organization must performrisk assessments on all assets and entities involved in handling CUI.

Risk assessments mustevaluate potential threats, vulnerabilities, and impacts on CUI security.

The scopemust include people, processes, physical locations, and IT systemsto ensure comprehensive risk management.

Why the Correct Answer is "Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted":

CUIcan be exposed to risk in multiple ways—not just IT systems but also human error, physical security gaps, and process weaknesses.

Risk assessmentsmust evaluate all areas that could impact CUI security, including:

Personnel security risks(e.g., insider threats, phishing attacks).

Process vulnerabilities(e.g., mishandling of CUI, policy weaknesses).

Physical security risks(e.g., unauthorized access to servers, storage rooms).

IT systems(e.g., networks, servers, cloud environments processing CUI).

A. "IT systems"→Too narrow.Risk assessmentmust cover more than just IT systems, includingpeople, physical assets, and processesaffecting CUI.

B. "Enterprise systems"→Too broad.While enterprise systems might be assessed, thefocus is specifically on areas handling CUI, not all enterprise operations.

C. "CUI Marking processes"→Incorrect focus.While marking CUI correctly is important,RA.L2-3.11.1 pertains to risk assessments, not data classification.

TheCMMC Model consists of 14 domains, which are based on theNIST SP 800-171 control familieswith additional cybersecurity practices.

Eachdomaincontainspractices and processesthat define cybersecurity requirements for organizations seeking CMMC certification.

Understanding NIST SP 800-88 Rev. 1 and Media SanitizationTheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

Understanding CMMC 2.0 Levels and Their DescriptionsTheCybersecurity Maturity Model Certification (CMMC) 2.0consists ofthree levels, each representing increasing cybersecurity maturity:

Level 1 – Foundational

Focuses onbasic cyber hygiene

Implements17 practicesaligned withFAR 52.204-21

Primarily protectsFederal Contract Information (FCI)

Level 2 – Advanced(Correct Answer)

Focuses onprotecting Controlled Unclassified Information (CUI)

Implements110 practicesaligned withNIST SP 800-171

Requirestriennial third-party assessments for critical programs

Level 3 – Expert

Focuses onadvanced cybersecurityagainstAPT (Advanced Persistent Threats)

ImplementsNIST SP 800-171 and additional NIST SP 800-172 controls

Requirestriennial government-led assessments

TheCMMC 2.0 framework explicitly describes Level 2 as "Advanced."

Italigns with NIST SP 800-171to ensure robustCUI protection.

A. Expert (Incorrect)– This describesLevel 3, not Level 2.

C. Optimizing (Incorrect)– Not a defined CMMC level description.

D. Continuously Improved (Incorrect)– CMMC does not use this terminology.

The correct answer isB. Advanced, which accurately describesCMMC Level 2.

During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:

Adequacy– Does the evidence meet the intent of the security requirement?

Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?

These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.

Step-by-Step Breakdown:✅1. Adequacy – Does the evidence fully meet the requirement?

Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.

Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.

✅2. Sufficiency – Is there enough evidence to support the claim?

Sufficiencymeans that there isenough supporting evidenceto prove compliance.

Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.

(B) Adequacy and Thoroughness❌

Thoroughnessis not a defined metric in CMMC evidence evaluation.

The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).

(C) Sufficiency and Thoroughness❌

Thoroughnessis not a recognized term in CMMC compliance validation.

Evidence must beadequate and sufficient, not just thorough.

(D) Sufficiency and Appropriateness❌

Appropriatenessis not a CMMC-defined criterion.

Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).

Why the Other Answer Choices Are Incorrect:

CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.

Final Validation from CMMC Documentation:

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1–3 Practices

NIST SP 800-171 Rev. 2, Control PE-3