Free Cyber AB CMMC-CCP Practice Exam with Questions & Answers | Set: 7

Understanding Asset Categorization in CMMC 2.0

InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Why "D. Specialized Asset" is Correct?

TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.

Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.

Why Other Answers Are Incorrect?

A. FCI Asset (Incorrect)

FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.

B. CUI Asset (Incorrect)

CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.

C. In-scope Asset (Incorrect)

In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.

Conclusion

The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.

CMMC Level 2 Readiness and Certification Requirements

CMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171's 110 security controls.

Key Readiness Indicators for a Level 2 Assessment:

The OSC must have implemented all 110 security practices from NIST SP 800-171.

Documented and validated cybersecurity policies and procedures must exist.

The OSC must be prepared to provide objective evidence (artifacts) proving compliance.

Why the OSC in the Question is Not Ready:

They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.

They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).

Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).

Clarification of Incorrect Options:

A. "Ready because there is no need to certify this company until after they win a DoD contract."

Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.

B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."

Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.

D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."

Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.

Step 1: Define Roles – CCP and CCA

CCP (Certified CMMC Professional):

Entry-level certification in the CMMC ecosystem.

Supports assessment activities under the supervision of a CCA.

May assist in consulting roles outside of formal assessments.

CCA (Certified CMMC Assessor):

Certified tolead assessmentsunder the CMMC model.

Requiredfor conductingLevel 2 formal assessments.

Can be part of a C3PAO assessment team or lead it.

Source: CMMC Assessment Process (CAP) v1.0, Section 2.3 – Assessment Team Composition

“Level 2 assessments must be led by a Certified CMMC Assessor (CCA), who may be supported by one or more CCPs.”

✅Step 2: Citizenship Requirements

CAP v1.0 – Appendix B: Team Composition and Clearance Requirements

“All team members performing Level 2 assessments must be U.S. citizens when handling CUI, regardless of role.”

But forsupporting team members who do not handle CUIor inFCI-only scoping, there is no automatic exclusion based on citizenship.

So:

TheCCA leadsthe team.

CCPs can be team membersregardless of citizenship,unless restricted by contract or CUI handling needs.

❌Why the Other Options Are Incorrect

A. The CCP leads the Level 2 Assessment Team…

✘Incorrect. CCPscannot leadLevel 2 assessments.

B. The CCA leads… includes 3 CCP with US Citizenship.

✘Incorrect. Citizenship is requiredonly when handling CUI, not a universal requirement.

D. The CCP leads…

✘Again, CCPs donot have the authority to leadformal CMMC assessments.

Only aCertified CMMC Assessor (CCA)may lead aLevel 2 Assessment Team, and theymay include CCPs, evennon-U.S. citizens, if citizenship is not a requirement based on contractual or data sensitivity scope.

The correct document is a Non-Disclosure Agreement (NDA) , because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0 , NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.

CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that “A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.).”

This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP’s NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.

While an “assessment agreement” or generic “legal agreement” might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer—consistent with CMMC v2.0 official process documentation—is D (Non-disclosure agreement) .

1. Understanding CMMC 2.0 Levels and CUI Handling Requirements

UnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.

CMMC 2.0 Levels:

Level 1 (Foundational) – 17 Practices

Covers onlyFederal Contract Information (FCI)security.

Does NOT meet CUI handling requirements.

Level 2 (Advanced) – 110 Practices✅

REQUIRED for handling CUI.

Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.

Contractorsmust achieve Level 2for contracts requiring CUI protection.

Level 3 (Expert) – 110+ Practices

Required for contracts involvinghigh-value CUIandcritical national security information.

Includesadditionalprotections fromNIST SP 800-172.

2. Official CMMC 2.0 References Confirming Level 2 for CUI

TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.

DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.

TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.

3. Why the Other Options Are Incorrect

A. Level 1❌

Only covers FCI, not CUI.

Does notmeet DoD requirements for protectingCUI.

C. Level 3❌

While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.

Level 2 is the minimumneeded to handle CUI.

D. Any level❌

OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.

Level 1 doesnotmeet CUI security standards.

1. Understanding the Validation of Findings in CMMC Assessments

Validation of findings is an essential part of theCMMC assessment process, ensuring that observations and preliminary conclusions drawn by the assessment team are accurate, fair, and based on complete evidence. This process occurs iteratively during theDaily Checkpointsand is fundamental in determining the overall compliance status of theOrganization Seeking Certification (OSC).

2. The Role of Preliminary Findings in the Assessment Process

Preliminary findings arenot finalbut rather a mechanism for ensuring transparency, accuracy, and fairness. These findings serve several key purposes:

Allows for OSC Input & Clarification: The OSC has an opportunity to review andprovide additional evidencethat may address deficiencies identified by the assessment team.

Prevents Misinterpretations: By allowing the OSC to comment, the assessment team can refine or correct their understanding of the OSC's implementation of CMMC practices.

Supports Fair and Informed Ratings: Before finalizing MET or NOT MET determinations, the assessment team ensures they have considered all relevant evidence.

Encourages a Collaborative Assessment Process: This validation activity fosters open communication between assessors and the OSC, reducing disputes and misunderstandings.

3. Why Answer Choice "A" is Correct

The primary purpose of preliminary findings is to allow theOSC to comment and provide additional evidencebefore final determinations are made.

This aligns withCMMC Assessment Process guidance, which emphasizes iterative validation of findings throughDaily Checkpoints and Final Outbriefdiscussions.

The validation of findings ensures thatOSC responses and supplementary evidence are considered, making the assessment process more accurate and fair.

4. Why Other Answer Choices Are Incorrect

Option

Reason for Elimination

B. It determines whether the OSC will be rated MET or NOT MET on their assessment.

Incorrect: Preliminary findings do not directly determine the final rating. The assessment team reviews all collected evidence before making a final decision.

C. It confirms that the Assessment Team's findings are right and cannot be changed.

Incorrect: Findings arenot finalat the preliminary stage. The OSC has the opportunity to challenge findings by providing new or clarifying evidence.

D. It corroborates the Assessment Team's understanding of the CMMC practices and controls.

Partially Correct but Not the Best Answer: While validation helps refine understanding, itsprimary function is to allow OSC input, making optionA the most accurate choice.

5. Official CMMC References Supporting This Answer

CMMC Assessment Process (CAP) Document:

Section 5.3 – Validation of Findings: "The OSC is given the opportunity to provide additional evidence and comments to clarify or supplement preliminary assessment results."

Section 5.4 – Daily Checkpoints: "The assessment team discusses preliminary findings with the OSC, allowing the organization to address concerns in real time."

CMMC 2.0 Level 2 Scoping & Assessment Guide:

Confirms that the assessment process includes continuous dialogue with the OSC before final determinations are made.

6. Conclusion

Preliminary findings are acrucial validation stepin CMMC assessments, ensuring that organizations have the opportunity toprovide additional evidence and clarify potential misunderstandings. This iterative process improves accuracy and fairness in determining compliance with CMMC requirements. Therefore, the correct answer is:

A. It allows the OSC to comment and provide additional evidence.

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).

Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.

Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.

Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.

Reference Documents:

CMMC Model v2.0 Overview (DoD, December 2021)

NIST SP 800-171 Rev. 2,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172,Enhanced Security Requirements for Protecting Controlled Unclassified Information