Free Practice Questions for Cyber AB CMMC-CCP Exam

In the context of a Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessment, specific practices must be evaluated to ensure compliance with established security requirements. One such practice is AC.L2-3.1.19, which mandates the encryption of Controlled Unclassified Information (CUI) on mobile devices and mobile computing platforms.

Step-by-Step Explanation:

Requirement Overview:

Practice AC.L2-3.1.19 requires organizations to "Encrypt CUI on mobile devices and mobile computing platforms." This ensures that any CUI accessed, stored, or transmitted via mobile devices is protected through encryption, mitigating risks associated with data breaches or unauthorized access.

Assessment of Provided Evidence:

During the assessment, the Organization Seeking Certification (OSC) provided an inventory list encompassing servers, workstations, and network devices. Notably, this list lacks any mention of mobile devices or mobile computing platforms.

Implications of the Omission:

The absence of mobile devices in the inventory suggests that the OSC may not have accounted for all assets that process, store, or transmit CUI. Without a comprehensive inventory that includes mobile devices, it's challenging to verify whether the OSC has implemented the necessary encryption measures for CUI on these platforms.

Assessment Determination:

Given the incomplete inventory, the evidence is insufficient to make a definitive scoring determination for practice AC.L2-3.1.19. The OSC must provide a detailed inventory that encompasses all relevant devices, including mobile devices and computing platforms, to demonstrate compliance with the encryption requirements for CUI.

Understanding Affirmations in a CMMC AssessmentAffirmations are a type ofevidencecollected during aCMMC assessmentto confirm compliance with required practices. Affirmations are typically collected from:

✅Interviews– Conversations with personnel implementing security practices.

✅Demonstrations– Observing the practice in action.

✅Emails and Messaging– Written communications confirming compliance efforts.

✅Presentations– Documents or briefings explaining security implementations.

✅Screenshots–Visual evidenceof system configurations and security measures.

TheCMMC Assessment Process (CAP) Guidestates that assessors may collectaffirmations via various communication methods, including emails, messaging, and presentations.

Screenshotsare an additional valid form ofobjective evidenceto confirm compliance.

Options A and B are incorrectbecause emails and messaging are explicitlyallowedforms of affirmation.

Option C is incompletebecause it does not mention screenshots, which are also considered valid evidence.

Why "Yes, the affirmations collected by the assessor are all appropriate, as are screenshots" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. No, emails are not appropriate affirmations.

❌Incorrect–Emailsarea valid affirmation method.

B. No, messaging is not an appropriate affirmation.

❌Incorrect–Messagingisallowed for collecting affirmations.

C. Yes, the affirmations collected by the assessor are all appropriate.

❌Incorrect–Screenshots should also be considered valid evidence.

D. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.

✅Correct – Screenshots are also a valid form of affirmation.

CMMC Assessment Process Guide (CAP)– Defines allowable evidence collection methods, including affirmations through written communication.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.This aligns withCMMC 2.0 assessment proceduresfor collecting affirmations.

Understanding the CMMC Level 2 Final Report RequirementsFor aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA&M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2 compliance requires an Organization Seeking Certification (OSC) to implement all 110 security practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent upon meeting specific criteria.

According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted values to each of the 110 security requirements, with some controls deemed critical and others non-critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies, provided the minimum score threshold is met. Critical controls, however, must be fully implemented at the time of assessment; they cannot be deferred and included in a POA&M.

MWE

In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently, the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the organization must fully implement and rectify all NOT MET practices before undergoing a subsequent assessment to achieve the necessary compliance level.

This policy ensures that organizations handling Controlled Unclassified Information (CUI) have adequately addressed all critical and non-critical security requirements, thereby maintaining the integrity and security of sensitive information within the Defense Industrial Base.

For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC Assessment Guide – Level 2 and the official CMMC documentation provided by the Department of Defense.

nderstanding Objectivity in CMMC-AB ActivitiesObjectivityin CMMC-AB activities refers to therequirement that assessors and C3PAOs remain impartial, unbiased, and free from conflicts of interestwhile conducting assessments and providing CMMC-related services.

Key Aspects of Objectivity in CMMC Assessments:✔No conflicts of interest—Assessors must not assess organizations they havefinancial, professional, or personal ties to.

✔Unbiased reporting—Findings must bebased solely on evidence, with no external influence.

✔Avoiding even the appearance of a conflict—If there isany perception of bias, it must be addressed.

A. Ensuring full disclosure → Incorrect

Full disclosure is importantbut doesnot define objectivity. Objectivity meansremaining neutral and free from conflicts.

B. Reporting results of CMMC services completely → Incorrect

Whileaccurate reporting is required,objectivity focuses on impartiality, not just completeness.

C. Avoiding the appearance of or actual, conflicts of interest → Correct

Objectivity in CMMC-AB activities is primarily about preventing bias and ensuring fair assessments.

Avoiding conflicts of interest ensures thatassessments are credible and trustworthy.

D. Demonstrating integrity in the use of materials as described in policy → Incorrect

Integrity is important, butobjectivity is specifically about avoiding bias and conflicts of interest.

Why is the Correct Answer "C. Avoiding the appearance of or actual, conflicts of interest"?

CMMC-AB Code of Professional Conduct

Requiresassessors and C3PAOs to avoid conflicts of interestand maintainimpartiality.

CMMC Assessment Process (CAP) Document

Emphasizes that assessments must befree from external influence and conflicts of interest.

ISO/IEC 17020 Requirements for Inspection Bodies

Definesobjectivity as avoiding conflicts of interest in the assessment process.

CMMC 2.0 References Supporting This Answer:

Understanding FCI and Asset CategorizationFederal Contract Information (FCI)is any informationnot intended for public releasethat is provided by or generated for thegovernmentunder aDoD contract.

Acompany-issued laptopused by a sales representative to enter FCI into aspreadsheetis considered anFCI assetbecause it:

✅Stores FCI– The spreadsheet contains sensitive information.

✅Processes FCI– The representative is entering data into the spreadsheet.

✅Organizes FCI– The spreadsheet helps structure and manage FCI data.

Processing (Option B and C)is occurring, but since the laptop is primarily being used toorganize data,Option D is the most comprehensive.

Transmission (Option A and C)is not explicitly mentioned, soOption D is the best fit.

Why "Store, Process, and Organize FCI" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Process and transmit FCI.

❌Incorrect–No indication oftransmissionis provided.

B. Process and organize FCI.

❌Incorrect–Storage is also a key function of the laptop.

C. Store, process, and transmit FCI.

❌Incorrect–Transmission is not confirmed in the scenario.

D. Store, process, and organize FCI.

✅Correct – The laptop is used to store, process, and organize FCI in a spreadsheet.

CMMC Asset Categorization Guidelines– DefinesFCI assetsbased onstorage, processing, and organization functions.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Store, process, and organize FCI, as the laptop is used tostore information, enter (process) data, and structure (organize) FCI within a spreadsheet.

Understanding Access Control in CMMCAccess control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

B. Physical access control❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

Why the Other Answers Are Incorrect

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

CMMC Official ReferencesThus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.

Understanding CMMC 2.0 Incident Response PracticesTheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

Who is Responsible for Marking CUI?According toDoDI 5200.48 (Controlled Unclassified Information (CUI)), the responsibility for marking CUI falls on theauthorized holder of the information.

Definition of an Authorized Holder

PerDoDI 5200.48, Section 3.4, anauthorized holderis anyone who has beengranted accessto CUI and is responsible for handling, safeguarding, and marking it according toDoD CUI policy.

The authorized holder may be:

ADoD employee

Acontractorhandling CUI

Anyorganization or individual authorizedto access and manage CUI

DoD Guidance on CUI Marking Responsibilities

DoDI 5200.48, Section 4.2:

The individual creating or handling CUImust apply the appropriate markings as per the DoD CUI Registry guidelines.

DoDI 5200.48, Section 5.2:

Themarking responsibility is NOT limited to a specific positionlike an Information Disclosure Official or a high-level DoD office.

Instead, it is theresponsibility of the person or entity generating, handling, or disseminatingthe CUI.

Why the Other Answer Choices Are Incorrect:

(A) DoD OUSD (Office of the Under Secretary of Defense):

The OUSD plays apolicy-setting rolebut doesnot directly mark CUI.

(C) Information Disclosure Official:

This role is responsible forpublic release of information, but marking CUI is the duty of theauthorized holdermanaging the data.

(D) Presidential authorized Original Classification Authority (OCA):

OCAs classifynational security information (Confidential, Secret, Top Secret), not CUI, which isnot classified information.

Step-by-Step Breakdown:Final Validation from DoDI 5200.48:PerDoDI 5200.48, authorized holders are explicitly responsible for marking CUI, making this the correct answer.

During aCMMC readiness review, anOrganization Seeking Certification (OSC)may argue that a specificenclave (network segment or system) is out of scopefor assessment. TheLead Assessor is responsible for verifying and approving this request.

Certified CMMC Professional (CCP)

A CCP supports OSCs inpreparing for assessmentsbutdoes not make final scope determinations.

Certified Third-Party Assessment Organization (C3PAO)

The C3PAOoversees the assessmentbut doesnot personally verify scope exclusions—that falls under theLead Assessor’s role.

Lead Assessor (Correct Answer)

TheLead Assessor has the authorityto determine if anenclave is out of scopebased on OSC-provided evidence.

The Lead Assessor followsCMMC Assessment Process (CAP) guidelinesto ensure proper scoping.

Advisory Board

TheCMMC-AB (Advisory Board) does not make scope determinations. It focuses onprogram oversightandcertification processes.

CMMC Assessment Process (CAP) v1.0

TheLead Assessor is responsible for confirming the assessment scopeand determining enclave applicability.

CMMC Scoping Guidance for Level 2 Assessments

Requires theLead Assessor to review and approve any enclave exclusionsbefore finalizing the assessment scope.

Roles and Responsibilities in CMMC Assessments:Official References Supporting the Correct Answer:Conclusion:TheLead Assessoris the correct answer because they have the authority to verify scope determinations during the assessment.

✅Correct Answer: C. Lead Assessor