Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 6

Per the CMMC Assessment Process (CAP), when planning an assessment, the Lead Assessor must coordinate with the Organization Seeking Certification (OSC) to select interview participants who can provide clarity and understanding of their practice activities. The intent is to interview individuals directly involved with and knowledgeable about the processes and practices under review, rather than selecting personnel based solely on rank, clearance, or formal expertise in CMMC.

This ensures the assessment is evidence-based and grounded in how practices are actually performed within the OSC.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

For a practice to beadequately implementedin aCMMC Level 2 assessment, theresponsible personnel must demonstrate knowledge of deployment, maintenance, and operationof security tools such asantivirus programs. Simply having the tool in place isnot sufficient—there must be evidence that it isproperly configured, updated, and monitoredto protect against threats.

Step-by-Step Breakdown:

✅1. Relevant CMMC and NIST SP 800-171 Requirements

CMMC Level 2 aligns with NIST SP 800-171, which includes:

Requirement 3.14.5 (System and Information Integrity - SI-3):

"Employautomatedmechanisms toidentify, report, and correctsystem flaws in a timely manner."

Requirement 3.14.6 (SI-3(2)):

"Employautomated toolsto detect and prevent malware execution."

These requirements imply that theperson responsible for antivirus must understand how it is deployed and maintainedto ensure compliance.

✅2. Why the Team Member’s Knowledge is Insufficient

Antivirus tools requireregular updates,configuration adjustments, andmonitoringto function properly.

The responsible team member must:

Knowhow the antivirus was deployedacross systems.

Be able toconfirm updates, logs, and alerts are monitored.

Understand how torespond to malware detectionsand failures.

If the team member lacks this knowledge, assessors maydetermine the practice is not fully implemented.

✅3. Why the Other Answer Choices Are Incorrect:

(A) Yes, the antivirus program is available, so it is sufficient.❌

Incorrect:Just having antivirus softwareinstalleddoes not prove compliance. It must bemanaged and maintained.

(B) Yes, antivirus programs are automated to run independently.❌

Incorrect:While automation helps, security toolsrequire oversight, updates, and configuration.

(D) No, the team member's interview answers about deployment and maintenance are insufficient.❌

Partially correct but incomplete:Themain issueis that the team membermust have sufficient knowledge, not just that their answers are weak.

Final Validation from CMMC Documentation:

TheCMMC Assessment Guide for SI-3 and SI-3(2)states that personnel mustunderstand the function, deployment, and maintenance of security toolsto ensure proper implementation.

Thus, the correct answer is:

Key References for a Lead Assessor in a CMMC Assessment

ALead Assessorconducting aCMMC assessmentmust rely onofficial CMMC guidance documentsto evaluate whether anOrganization Seeking Certification (OSC)meets the required cybersecurity practices.

Most Relevant Reference: CMMC Assessment Guide

TheCMMC Assessment Guideprovidesdetailed descriptionsof eachpractice and processat the specificCMMC level being assessed.

It defines:

✔Theassessment objectivesfor each practice.

✔Therequired evidencefor compliance.

✔Thescoring criteriato determine if a practice isMET or NOT MET.

Why is the Correct Answer "D. Published CMMC Assessment Guide practice descriptions for the desired certification level"?

A. DoD adequate security checklist for covered defense information → Incorrect

TheDoD adequate security checklistis related toDFARS 252.204-7012 compliance, butCMMC assessmentsfollow theCMMC Assessment Guide.

B. CMMC Model Overview as it provides assessment methods and objects → Incorrect

TheCMMC Model Overviewprovideshigh-level guidance, butdoes not contain specific assessment criteria.

C. Safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment → Incorrect

FAR 52.204-21is relevant toCMMC Level 1 (FCI protection), butCMMC Level 2 follows NIST SP 800-171and requiresCMMC Assessment Guidesfor validation.

D. Published CMMC Assessment Guide practice descriptions for the desired certification level → Correct

TheCMMC Assessment Guideis theofficial documentused to determine if anOSC meets the required security practices for certification.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies thatLead Assessors must use the CMMC Assessment Guidefor official scoring.

CMMC Assessment Guide for Level 1 & Level 2

Providesdetailed descriptions, assessment methods, and scoring criteriafor each practice.

CMMC-AB Guidance for Certified Third-Party Assessment Organizations (C3PAOs)

Confirms thatCMMC assessments must follow the Assessment Guide, not general DoD security policies.

Final Answer:

✔D. Published CMMC Assessment Guide practice descriptions for the desired certification level.

Understanding the Role of Configuration Management (CM) in CMMC 2.0

TheConfiguration Management (CM) domainin CMMC 2.0 ensures that systems aresecurely configured and maintainedto prevent unauthorized or unnecessary changes that could introduce vulnerabilities. One key requirement in CM is torestrict, disable, or prevent the use of nonessential programsto reduce security risks.

Relevant CMMC 2.0 Practice:

CM.L2-3.4.1 – Establish and enforce security configuration settings for information technology products employed in organizational systems.

This practicerequires organizations to control system configurations, including the removal or restriction ofnonessential programs, functions, ports, and servicestoreduce attack surfaces.

The goal is tominimize exposure to cyber threatsby ensuring only necessary and approved software is running on the system.

Why is the Correct Answer CM (D)?

A. Access Control (AC) → Incorrect

Access Control (AC) focuses onmanaging user permissions and accessto systems and data, not restricting programs.

B. Media Protection (MP) → Incorrect

Media Protection (MP) deals withprotecting and controlling removable media(e.g., USBs, hard drives) rather than software or system configurations.

C. Asset Management (AM) → Incorrect

Asset Management (AM) is aboutidentifying and tracking IT assets, not configuring or restricting software.

D. Configuration Management (CM) → Correct

CM explicitly coverssecuring system configurationsbyrestricting nonessential programs, ports, services, and functions, making it the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC 2.0 Practice CM.L2-3.4.1(Security Configuration Management)

Requires organizations toenforce security configuration settingsandremove unnecessary programsto protect systems.

NIST SP 800-171 Requirement 3.4.1

Supportssecure configuration settingsandrestricting unauthorized applicationsto prevent security risks.

CMMC 2.0 Level 2 Requirement

This practice is aLevel 2 (Advanced) requirement, meaningorganizations handling Controlled Unclassified Information (CUI)must comply with it.

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Understanding the Phases of the CMMC Assessment Process

TheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Key Activities in Phase 1 – Pre-Assessment Phase

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Why is the Correct Answer "Phase 1" (A)?

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

Best Practices for Handling Sensitive Assessment Information

CMMC assessments involve handlingsensitive and potentially CUI-related documents. Assessors must follow strictsecurity policiesto avoid unauthorized access, data leaks, or non-compliance withCMMC 2.0 and NIST SP 800-171 requirements.

Why Logging into the Client VPN on the Client Laptop is the Best Approach:

Ensures Data Protection:The client laptop is likely configured to meet security controls required for handling assessment-related materials.

Prevents Data Spillage:Keeping all assessment-related activities within the client’s secured environment reduces the risk ofdata leakage or unauthorized storage.

Maintains Compliance with CMMC/NIST Guidelines:Using aproperly configured client laptop and secured connectionensures compliance withNIST SP 800-171 controls on secure remote access(Requirement3.13.12).

Clarification of Incorrect Options:

A. "Log into the secure cloud storage service to save copies of the documents on both the work and client laptops."

Incorrect→Sensitive data should not be duplicated across multiple systems, especially a non-client-approved laptop. Storing it on an unauthorized systemviolates data handling best practices.

C. "Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service."

Incorrect→ Theassessor’s laptop may not be authorizedorsecuredto handle client data. CMMC guidelines emphasizeusing approved, secured systemsfor assessment-related information.

D. "Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick."

Incorrect→

Transferring sensitive documents via USBintroduces security risks, including unauthorized data storage and potential malware contamination.

Home office workstationsare unlikely to be authorized for handling CMMC-sensitive data.

TheRisk Assessment (RA) domainaligns withNIST SP 800-171 control family 3.11 (Risk Assessment)and is designed to help organizationsidentify, assess, and manage cybersecurity risksthat could impact their operations.

TheRA.3.144 practice(which is a CMMC Level 2 requirement) explicitly states:

"Periodically assess therisktoorganizational operations (including mission, functions, image, or reputation), organizational assets, and individualsresulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."

This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:

✅Organizational operations(e.g., mission, business continuity, functions)

✅Organizational assets(e.g., data, IT systems, intellectual property)

✅Individuals(e.g., employees, contractors, customers affected by security risks)

Thus, the correct answer isC. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect

A. Organizational operations, business assets, and employees

❌Incorrect."Business assets"is not the correct terminology used in CMMC/NIST SP 800-171. Instead,"organizational assets"is the proper term.

B. Organizational operations, business processes, and employees

❌Incorrect."Business processes"is not a part of the formal risk assessment requirement. The correct scope includesorganizational assetsandindividuals, not just processes.

D. Organizational operations, organizational processes, and individuals

❌Incorrect. While processes are important,organizational assetsmust be considered in the assessment, not just processes.

CMMC Official References

CMMC 2.0 Model (Level 2 - RA.3.144)– Specifies that risk assessments must coverorganizational operations, organizational assets, and individuals.

NIST SP 800-171 (3.11.1)– Reinforces the same risk assessment scope.

Thus,option C (Organizational operations, organizational assets, and individuals) is the correct answerbased on official CMMC risk assessment requirements.

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0