Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 6

Under theCMMC Assessment Process (CAP)andCMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed throughthree primary assessment methods:

Examination– Reviewing documents, records, system configurations, and other artifacts.

Interviews– Speaking with personnel to verify processes, responsibilities, and understanding of security controls.

Testing– Observing system behavior, performing technical validation, and executing controls in real-time to verify effectiveness.

TheCMMC Assessment Process (CAP)states that an assessor must use acombinationof evidence-gathering methods (examinations, interviews, and tests) to determine compliance.

CMMC 2.0 Level 2(Aligned withNIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.

Solely relying ononemethod (like interviews in Option A) is insufficient.

Testing all practices or objectives (Option B)is unnecessary, as assessors followscoping guidanceto determine which objectives need deeper examination.

Testing only "certain" objectives (Option C)does not fully align with the requirement of gatheringsufficient evidencefrom multiple methods.

CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methodsexplicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.

CMMC 2.0 Level 2 Practices and NIST SP 800-171require assessors to validate the presence, implementation, and effectiveness of security controls.

CMMC Appendix E: Assessment Proceduresstates that an assessor should use multiple sources of evidence to determine compliance.

Why Option D is CorrectCMMC 2.0 and Official Documentation ReferencesFinal VerificationTo ensure compliance withCMMC 2.0 guidelines and official documentation, an assessor must useexaminations, interviews, and teststo gather evidence effectively, makingOption D the correct answer.

Understanding SI.L2-3.14.6: Monitor Communications for AttacksThe practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Official References from CMMC 2.0 and NIST SP 800-171 DocumentationFinal Verification and ConclusionThe correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

Understanding the Definition of a "Practice" in CMMC 2.0In CMMC 2.0, the term"practice"refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.

Definition from CMMC Documentation:

According to theCMMC Model Overview, apracticeis defined as:

Step-by-Step Breakdown:"An activity or activities performed to meet defined CMMC objectives."

This means that practices are theactions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

How Practices Fit into CMMC 2.0:

CMMC 2.0 Level 1 consists of17 practices, which align withFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

CMMC 2.0 Level 2 consists of110 practices, aligned directly withNIST SP 800-171 Rev. 2.

Each practice has anobjectivethat must be met to demonstrate compliance.

Official CMMC 2.0 References:

TheCMMC 2.0 Model Documentationdefines practices as "the fundamental cybersecurity activities necessary to achieve security objectives."

TheCMMC Assessment Process (CAP) Guideoutlines how assessors verify the implementation of these practices during an assessment.

TheNIST SP 800-171A Guideprovidesassessment objectivesfor each practice to ensure they are implemented effectively.

Comparison with Other Answer Choices:

A. A business transaction→ Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.

B. A condition arrived at by experience or exercise→ Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.

C. A series of changes taking place in a defined manner→ Incorrect. A practice is a set of security actions, not just a process of change.

Conclusion:ACMMC practicerefers to specificcybersecurity activities performed to meet defined CMMC objectives. This makesOption Dthe correct answer.

Under DFARS and CMMC requirements, the prime contractor is responsible for ensuring its subcontractors meet the required CMMC level. Neither the DoD, The Cyber AB, nor OUSD A&S directly manages subcontractor certification.

Supporting Extracts from Official Content:

DFARS 252.204-7021: “The contractor shall ensure that its subcontractors have the appropriate CMMC level certification for the information they will handle.”

Why Option D is Correct:

Compliance responsibility flows through the contractor supply chain.

CMMC-AB (The Cyber AB) accredits assessors but does not police subcontractors.

OUSD A&S sets policy, not enforcement at contract level.

DoD agencies only require compliance at award/contract oversight level.

References (Official CMMC v2.0 Content):

DFARS 252.204-7021.

CMMC Model v2.0 governance guidance.

===========

TheLimited Practice Deficiency Correction Evaluationprocess occurs when anOrganization Seeking Certification (OSC)has undergone aCMMC Level 2 Assessmentby aCertified Third-Party Assessment Organization (C3PAO)and hasunresolved deficienciesin some security practices.

According toCMMC 2.0 policy and DFARS 252.204-7021, OSCs can still achieveInterim Certificationif they meet theminimum thresholdof security practices while addressing deficiencies through aPlan of Action & Milestones (POA&M).

TheCMMC 2.0 Interim Rulestates that an OSCmust meet at least 100 out of 110 practicesto qualify for aPOA&M-based remediation.

A maximum of 10 practices can be listed in the POA&Mfor later correction.

Failure to meet at least 100 practices results in failing the assessment outright, requiring a full reassessment after remediation.

The Lead Assessor can recommend POA&M placementonly if the OSC meets at least 100 practices.

Less than 100 practices scored as MET means the OSC does not qualify for a POA&Mand mustretest completely.

DFARS 252.204-7021 and CMMC 2.0 policiesconfirm the100-practice thresholdfor conditional certification.

A. 80 practices (Incorrect)– Falls well below the 100-practice requirement.

B. 88 practices (Incorrect)– Still below the POA&M eligibility threshold.

D. 110 practices (Incorrect)– While meeting 110 practices would be ideal,CMMC allows a POA&M option at 100 practices.

The correct answer isC. 100 practices, as this meets theminimum threshold for POA&M-based Interim Certification.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

Per the CMMC Assessment Process (CAP), the Assessment Team is responsible for determining the adequacy and sufficiency of evidence collected during the assessment. The team validates whether practices and components for each in-scope Host Unit, Supporting Organization, or enclave meet the target CMMC level. The OSC (Organization Seeking Certification) provides evidence, but only the Assessment Team makes the verification and scoring determination.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

The CMMC Assessment Process uses three methods: Examine, Interview, and Test. The method that involves analyzing artifacts (documents, system configurations, records, logs, etc.) is Examine.

Supporting Extracts from Official Content:

CMMC Assessment Guide: “Examine consists of reviewing, inspecting, or analyzing assessment objects such as documents, system configurations, or other artifacts to evaluate compliance.”

Why Option B is Correct:

Examine = analyzing artifacts.

Interview = discussions with personnel.

Test = executing technical checks.

Behavior is not an assessment method.

References (Official CMMC v2.0 Content):

CMMC Assessment Guide, Levels 1 and 2 — Assessment Methods (Examine, Interview, Test).

===========

TheU.S. Department of Defense (DoD)determines the requiredCMMC Levelbased on thesensitivity of the information involved in a contract.

The required CMMC Level isspecified in Requests for Information (RFIs) and Requests for Proposals (RFPs).

In the CMMC assessment process, conflicts of interest must be identified early to ensure an impartial and objective evaluation of an organization's compliance with CMMC 2.0 requirements. The appropriate phase for identifying conflicts of interest is during the"Verify Readiness to Conduct Assessment"phase.

Assessment Planning & Conflict of Interest Consideration

Before an assessment begins, theC3PAO (Certified Third-Party Assessment Organization)or theDIBCAC (Defense Industrial Base Cybersecurity Assessment Center) for DOD-led assessmentsmust confirm that there are no conflicts of interest between assessors and the organization being assessed.

A conflict of interest may arise if an assessor haspreviously worked for, consulted with, or provided direct assistance tothe organization under review.

CMMC Assessment Process and PhasesThe CMMC assessment process involves multiple steps, and the verification of readiness is acritical early phaseto ensure that the assessment is unbiased:

Analyze Requirements:This phase focuses on defining the assessment scope, but it does not include conflict of interest verification.

Develop Assessment Plan:This phase focuses on structuring the assessment methodology, not on identifying conflicts.

Verify Readiness to Conduct Assessment (Correct Answer):

At this stage, theC3PAO or assessment team must review potential conflicts of interest.

TheDefense Industrial Base Cybersecurity Assessment Center (DIBCAC)also ensures assessors do not have any prior relationships that could compromise the objectivity of the evaluation.

Generate Final Recommended Assessment Results:This phase occurs at the end of the process, after the assessment is complete, so conflict of interest identification is too late by this stage.

Official CMMC Documentation & References

CMMC Assessment Process (CAP) Guide– The CAP details procedures assessors must follow, including conflict of interest verification.

CMMC 2.0 Scoping and Assessment Guides– Published by the Cyber AB and DoD, these guides reinforce the need for impartiality and independence in assessments.

DoD Instruction 5200.48 (Controlled Unclassified Information Program)– Outlines requirements for ensuring objective cybersecurity assessments.

Step-by-Step Explanation:By ensuring conflicts of interest are identified in the"Verify Readiness to Conduct Assessment"phase, the integrity of the CMMC certification process is maintained, ensuring that assessments are conductedfairly, independently, and in accordance with DoD cybersecurity policies.