Which statement BEST describes an assessor's evidence gathering activities?
Use interviews for assessing a Level 2 practice.
Test all practices or objectives for a Level 2 practice
Test certain assessment objectives to determine findings.
Use examinations, interviews, and tests to gather sufficient evidence.
The Answer Is:
D
Explanation:
Under the CMMC Assessment Process (CAP) and CMMC 2.0 guidelines, assessors must gather objective evidence to validate that an organization meets the required security practices and processes. This evidence collection is performed through three primary assessment methods:
Examination – Reviewing documents, records, system configurations, and other artifacts.
Interviews – Speaking with personnel to verify processes, responsibilities, and understanding of security controls.
Testing – Observing system behavior, performing technical validation, and executing controls in real time to verify effectiveness.
Why Option D is Correct
The CMMC Assessment Process (CAP) states that an assessor must use a combination of evidence-gathering methods (examinations, interviews, and tests) to determine compliance.
CMMC 2.0 Level 2 (aligned with NIST SP 800-171) requires assessors to verify not only that policies and procedures exist but also that they are implemented and effective.
Relying solely on one method (like interviews in Option A) is insufficient.
Testing all practices or objectives (Option B) is unnecessary, as assessors follow scoping guidance to determine which objectives need deeper examination.
Testing only "certain" objectives (Option C) does not fully align with the requirement of gathering sufficient evidence from multiple methods.
CMMC 2.0 and Official Documentation References
CMMC Assessment Process (CAP) Guide, Section 3.5 – Assessment Methods explicitly defines the use of examinations, interviews, and tests as the foundation of an effective assessment.
CMMC 2.0 Level 2 Practices and NIST SP 800-171 require assessors to validate the presence, implementation, and effectiveness of security controls.
CMMC Appendix E: Assessment Procedures states that an assessor should use multiple sources of evidence to determine compliance.
Final Verification
To ensure compliance with CMMC 2.0 guidelines and official documentation, an assessor must use examinations, interviews, and tests to gather evidence effectively, making Option D the correct answer.
Which principles are included in defining the CMMC-AB Code of Professional Conduct?
Objectivity, classification, and information accuracy
Objectivity, confidentiality, and information integrity
Responsibility, classification, and information accuracy
Responsibility, confidentiality, and information integrity
The Answer Is:
B
Explanation:
Understanding the CMMC-AB Code of Professional Conduct
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), now referred to as The Cyber AB, establishes a Code of Professional Conduct (CoPC) for all individuals involved in CMMC assessments, including Certified Assessors (CAs), Certified Professionals (CPs), and C3PAOs (Certified Third-Party Assessment Organizations).
The core principles outlined in the CMMC-AB Code of Professional Conduct include:
Responsibility
CMMC professionals must take full accountability for their actions, ensuring that assessments are conducted with integrity and professionalism.
They must adhere to all ethical and regulatory requirements established by The Cyber AB and the DoD.
Confidentiality
CMMC professionals must protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
They are required to adhere to non-disclosure agreements (NDAs) and avoid improper information sharing.
Information Integrity
All reports, findings, and recommendations in CMMC assessments must be accurate, unbiased, and truthful.
Assessors must avoid conflicts of interest and ensure that all data provided in an assessment is verifiable and free from misrepresentation.
Answer A (Incorrect): "Classification" is not a primary principle of the CMMC-AB CoPC. The focus is on protecting CUI and FCI, not on classification procedures.
Answer B (Incorrect): "Objectivity" is important, but it is not explicitly listed as one of the three core principles in the CMMC-AB Code of Professional Conduct.
Answer C (Incorrect): "Classification" is not a guiding principle in the CoPC.
Answer D (Correct): The Code of Professional Conduct explicitly emphasizes responsibility, confidentiality, and information integrity.
The correct answer is D. Responsibility, Confidentiality, and Information Integrity.
These principles ensure that all CMMC professionals maintain ethical standards and uphold the integrity of the certification process.
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Conduct a penetration test
Interview the intrusion detection system's supplier.
Upload known malicious code and observe the system response.
Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
The Answer Is:
D
Explanation:
Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practice SI.L2-3.14.6 from NIST SP 800-171 (aligned with CMMC Level 2) requires an organization to monitor organizational communications for indicators of attack. This typically includes:
✅ Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
✅ Log analysis and network monitoring
✅ Incident response planning for detected threats
As part of a CMMC Level 2 assessment, the Certified CMMC Assessor (CCA) must ensure that the OSC (Organization Seeking Certification) has properly implemented and documented its monitoring capabilities.
Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct
The CCA must collect sufficient objective evidence to determine compliance.
Reviewing an artifact (such as system configurations, IDS/IPS logs, or security policies) helps validate that intrusion detection is properly implemented.
Configuration settings provide direct evidence of whether monitoring for attacks is effectively applied.
Breakdown of Answer Choices
A. Conduct a penetration test
❌ Incorrect – Penetration testing is not required for CMMC Level 2 assessments and falls outside an assessor's responsibilities.
B. Interview the intrusion detection system's supplier.
❌ Incorrect – The supplier does not determine compliance; the assessor needs evidence from the OSC's implementation.
C. Upload known malicious code and observe the system response.
❌ Incorrect – This would be invasive testing, which is not part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
✅ Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official References from CMMC 2.0 and NIST SP 800-171 Documentation
NIST SP 800-171 SI.L2-3.14.6 – Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP) – Describes artifact review as an essential assessment method.
Final Verification and Conclusion
The correct answer is D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
This aligns with CMMC 2.0 Level 2 assessment requirements and SI.L2-3.14.6 compliance verification.
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
When under the control of the DoD
When the document is considered secret
When a document is being shared outside of the organization
When a derivative document's original information is not CUI
The Answer Is:
C
Explanation:
Background on Legacy Markings and CUI
Legacy markings refer to classification labels used before the implementation of the Controlled Unclassified Information (CUI) Program under DoD Instruction 5200.48.
Documents with legacy markings (such as "For Official Use Only" (FOUO) or "Sensitive But Unclassified" (SBU)) must be reviewed for re-marking or redaction to align with CUI requirements.
When Must Legacy Markings Be Updated?
If the document is retained internally (Answer A - Incorrect): Documents under DoD control do not require immediate re-marking unless they are being shared externally.
If the document is classified as Secret (Answer B - Incorrect): This question is about CUI, not classified information. Secret-level documents follow different marking rules under DoD Manual 5200.01.
If a document is being shared externally (Answer C - Correct):
According to DoD Instruction 5200.48, Section 3.6(a), organizations must review legacy markings before sharing documents outside the organization.
The document must be re-marked in compliance with the CUI Program before dissemination.
If the original document does not contain CUI (Answer D - Incorrect): The original source document's status does not affect the requirement to re-mark a derivative document if it contains CUI.
Conclusion
The correct answer is C: Documents with legacy markings must be re-marked or redacted when being shared outside the organization to comply with DoD CUI guidelines.
DoD Instruction 5200.48 (Controlled Unclassified Information)
CUI Marking Handbook by NARA (National Archives and Records Administration)
CMMC 2.0 Scoping Guide for CUI Environments
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.
The Answer Is:
D
Explanation:
The Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) outlines strict guidelines regarding conflicts of interest (COI) to ensure the integrity and impartiality of assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Certified Assessors (CAs).
The scenario presented involves a potential conflict of interest due to a prior relationship (former college roommate) between the certified assessor and an individual at the Organization Seeking Certification (OSC). While this prior relationship does not automatically disqualify the assessor, it must be disclosed, documented, and mitigated appropriately.
CMMC Conflict of Interest Handling Process
Inform the OSC and C3PAO of the Potential Conflict of Interest
The CMMC Code of Professional Conduct (CoPC) requires assessors to disclose any potential conflicts of interest.
Transparency ensures that all parties, including the OSC and C3PAO, are aware of the situation.
Document the Conflict and Mitigation Actions in the Assessment Plan
Per CMMC CAP documentation, potential conflicts should be assessed based on their material impact on the objectivity of the assessment.
The conflict and proposed mitigation strategies must be formally recorded in the assessment plan to provide an audit trail.
Determine If the Mitigation Actions Are Acceptable
If the OSC and C3PAO determine that the mitigation actions adequately eliminate or reduce the risk of bias, the assessment may proceed.
Common mitigation strategies include:
Assigning another assessor for interviews with the conflicted individual.
Ensuring that decisions regarding the OSC's compliance are reviewed independently.
Proceed with the Assessment If Mitigation Is Acceptable
If the mitigation actions sufficiently address the conflict, the assessment may continue under strict adherence to documented procedures.
Why the Other Answers Are Incorrect
A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned. ❌ Incorrect. This violates CMMC's integrity requirements and could result in disciplinary actions against the assessor or invalidation of the assessment. Transparency is mandatory.
B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member. ❌ Incorrect. The CAP does not mandate immediate reassignment unless the conflict is unresolvable. Instead, mitigation strategies should be considered first.
C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned. ❌ Incorrect. The passage of time alone does not automatically eliminate a conflict of interest. Proper documentation and mitigation are still required.
CMMC Official References
CMMC Assessment Process (CAP) Document – Defines COI requirements and mitigation actions.
CMMC Code of Professional Conduct (CoPC) – Outlines ethical responsibilities of assessors.
CMMC Accreditation Body (Cyber-AB) Guidance – Provides rules on conflict resolution.
Thus, option D is the most correct choice, as it aligns with the official CMMC conflict of interest procedures.
Which example represents a Specialized Asset?
SOCs
Hosted VPN services
Consultants who provide cybersecurity services
All property owned or leased by the government
The Answer Is:
D
Explanation:
Understanding Specialized Assets in CMMC
A Specialized Asset is defined as a system, device, or infrastructure component that is not a traditional IT system but still plays a role in cybersecurity or business operations.
Types of Specialized Assets (as per CMMC guidance):
✔ Operational Technology (OT) – Industrial control systems, SCADA systems.
✔ Security Operations Centers (SOCs) – Dedicated cybersecurity monitoring and response centers.
✔ IoT Devices – Smart sensors, embedded systems.
✔ Restricted IT Systems – Systems with highly controlled access.
Why is the Correct Answer "SOCs" (A)?
A. SOCs → Correct
Security Operations Centers (SOCs) are specialized cybersecurity environments used for threat monitoring, detection, and response.
They often operate outside standard IT infrastructure and are classified as specialized assets under CMMC.
B. Hosted VPN services → Incorrect
VPN services are standard IT infrastructure and do not qualify as specialized assets.
C. Consultants who provide cybersecurity services → Incorrect
Consultants are personnel, not specialized assets. Specialized assets refer to systems, devices, or infrastructure.
D. All property owned or leased by the government → Incorrect
Government property is not automatically considered a specialized asset under CMMC. Specialized assets refer to specific IT or cybersecurity-related infrastructure.
CMMC 2.0 References Supporting This Answer:
CMMC 2.0 Assessment Process (CAP) Document
Defines Specialized Assets and includes SOCs in its examples.
CMMC-AB Guidelines
Lists security infrastructure like SOCs as Specialized Assets due to their unique cybersecurity function.
NIST SP 800-171 & CMMC 2.0 Security Domains
Recognizes dedicated security monitoring environments as part of an organization's cybersecurity posture.
Final Answer: ✔ A. SOCs (Security Operations Centers)
An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message. Which organization's website should the OSC go to identify what this marking means?
NARA
CMMC-AB
DoD Contractors FAQ page
DoD 239.7601 Definitions page
The Answer Is:
A
Explanation:
What Does "CUI//SP-PRVCY//FED Only" Mean?
The email contains Controlled Unclassified Information (CUI) with specific categories and dissemination controls.
CUI//SP-PRVCY//FED Only breaks down as follows:
CUI → Controlled Unclassified Information designation.
SP-PRVCY → Specified category for Privacy Information (SP stands for "Specified").
FED Only → Restriction for Federal Government use only (not for contractors or the public).
Who Maintains the Official CUI Registry?
The National Archives and Records Administration (NARA) oversees the CUI Program and maintains the official CUI Registry (https://www.archives.gov/cui).
The CUI Registry provides definitions, marking guidance, and categories for all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."
Why NARA is the Correct Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI should refer to the NARA CUI Registry for official marking interpretations.
DoD contractors and other organizations must comply with NARA guidelines when handling, marking, and disseminating CUI.
B. CMMC-AB – The CMMC Accreditation Body manages certification assessments but does not define or interpret CUI markings.
C. DoD Contractors FAQ Page – The DoD may provide general contractor guidance, but CUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page – This refers to general DoD acquisition definitions, but CUI categories and markings fall under NARA's authority.
Which words summarize the categories of data disposal described in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
Clear, purge, destroy
Clear, redact, destroy
Clear, overwrite, purge
Clear, overwrite, destroy
The Answer Is:
A
Explanation:
Understanding NIST SP 800-88 Rev. 1 and Media Sanitization
The NIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance on secure disposal of data from various types of storage media to prevent unauthorized access or recovery.
Clear
Uses logical techniques to remove data from media, making it difficult to recover using standard system functions.
Example: Overwriting all data with binary zeros or ones on a hard drive.
Applies to: Magnetic media, solid-state drives (SSD), and non-volatile memory when the media is reused within the same security environment.
Purge
Uses advanced techniques to make data recovery infeasible, even with forensic tools.
Example: Degaussing a magnetic hard drive or cryptographic erasure (deleting encryption keys).
Applies to: Media that is leaving organizational control or requires a higher level of assurance than "Clear".
Destroy
Physically damages the media so that data recovery is impossible.
Example: Shredding, incinerating, pulverizing, or disintegrating storage devices.
Applies to: Highly sensitive data that must be permanently eliminated.
B. Clear, Redact, Destroy (Incorrect) – "Redact" is a term used for document sanitization, not data disposal.
C. Clear, Overwrite, Purge (Incorrect) – "Overwrite" is a method within "Clear," but it is not a top-level category in NIST SP 800-88.
D. Clear, Overwrite, Destroy (Incorrect) – "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.
The correct answer is A. Clear, Purge, Destroy, as these are the three official categories of data disposal in NIST SP 800-88 Revision 1.
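To make the three categories concrete, here is an added Python model; it is not from NIST SP 800-88 and not from this page. It constructs an in-memory `Medium` and a self-encrypting `CryptoMedium` whose toy HMAC-SHA256 counter-mode keystream stands in for a real drive's AES engine (an assumption), gives one routine per category, and uses a `plaintext_recoverable` check that plays the role of a forensic lab reading the raw cells.

```python
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (assumption: stands in
    for the AES engine a real self-encrypting drive would use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Medium:
    """Constructed stand-in for a storage device. forensic_read() models what a
    lab could pull from the raw cells, bypassing the normal file system."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.cells = bytearray(capacity)
        self.destroyed = False

    def write(self, offset: int, data: bytes) -> None:
        if self.destroyed:
            raise RuntimeError("medium has been physically destroyed")
        self.cells[offset:offset + len(data)] = data

    def forensic_read(self) -> Optional[bytes]:
        # None models a device that no longer exists.
        return None if self.destroyed else bytes(self.cells)

    def logical_read(self) -> bytes:
        # What the host sees through the normal interface.
        return bytes(self.cells)


class CryptoMedium(Medium):
    """Self-encrypting medium: the cells only ever hold ciphertext; the media
    encryption key (MEK) lives in a separate key store."""

    def __init__(self, capacity: int) -> None:
        super().__init__(capacity)
        self.mek: Optional[bytes] = os.urandom(32)
        self.nonce = os.urandom(16)

    def _ks(self, offset: int, length: int) -> bytes:
        if self.mek is None:
            raise RuntimeError("media encryption key has been erased")
        return _keystream(self.mek, self.nonce, self.capacity)[offset:offset + length]

    def write(self, offset: int, data: bytes) -> None:
        ct = bytes(a ^ b for a, b in zip(data, self._ks(offset, len(data))))
        super().write(offset, ct)

    def logical_read(self) -> bytes:
        return bytes(a ^ b for a, b in zip(self.cells, self._ks(0, self.capacity)))


# --- one routine per NIST SP 800-88 Rev. 1 category ---

def clear_overwrite(m: Medium, passes: int = 1) -> None:
    """Clear: overwrite every addressable location with a fixed pattern
    through the device's normal write path."""
    for _ in range(passes):
        m.write(0, bytes(m.capacity))


def purge_crypto_erase(m: CryptoMedium) -> None:
    """Purge by cryptographic erase: the ciphertext stays on the cells, but the
    key needed to turn it back into data is gone."""
    m.mek = None


def destroy(m: Medium) -> None:
    """Destroy: the medium is physically gone; there is nothing left to read."""
    m.destroyed = True


def plaintext_recoverable(m: Medium, secret: bytes) -> bool:
    """Lab's view: does the secret show up in the raw cells, or, if the key
    still exists, in the decrypted image?"""
    raw = m.forensic_read()
    if raw is None:
        return False
    if secret in raw:
        return True
    try:
        return secret in m.logical_read()
    except RuntimeError:  # key erased: a logical read is no longer possible
        return False
```

The model shows why the categories are ordered by assurance: Clear leaves the outcome dependent on the write path reaching every cell (on flash media, wear levelling and over-provisioned blocks can keep copies the host cannot address), Purge by cryptographic erase leaves the ciphertext in place but removes any route back to the data, and Destroy removes the question entirely.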
A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?
An updated Assessment Plan
Recorded and final updated Daily Checkpoint
Fully executed CMMC Assessment contract between the C3PAO and the OSC
Review documentation for the CMMC Quality Assurance Professional (CQAP)
The Answer Is:
D
Explanation:
A C3PAO (Certified Third-Party Assessment Organization) is responsible for conducting CMMC Level 2 assessments.
After completing the assessment, the C3PAO generates the Final Recommended Assessment Results, which include key documentation reviewed by the CMMC Quality Assurance Professional (CQAP) for quality control.
Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?
Level 1
Level 2
Level 3
All levels
The Answer Is:
B
Explanation:
Understanding Training Requirements in CMMC
The requirement for ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities first appears in CMMC Level 2 as part of NIST SP 800-171 control AT.L2-3.2.1.
Key Details on the Training Requirement:
✔ AT.L2-3.2.1: "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."
✔ This control is derived from NIST SP 800-171 and applies to CMMC Level 2 (Advanced).
✔ It ensures that employees handling Controlled Unclassified Information (CUI) understand their cybersecurity responsibilities.
Why is the Correct Answer "B. Level 2"?
A. Level 1 → Incorrect
CMMC Level 1 does not include this training requirement. Level 1 focuses on basic safeguarding of Federal Contract Information (FCI) but does not require formal cybersecurity training.
B. Level 2 → Correct
The training requirement (AT.L2-3.2.1) first appears in CMMC Level 2, which aligns with NIST SP 800-171.
C. Level 3 → Incorrect
The training requirement already exists in Level 2. Level 3 builds on Level 2 with additional risk management and advanced cybersecurity controls, but training is introduced at Level 2.
D. All levels → Incorrect
CMMC Level 1 does not include this requirement; it is first introduced in Level 2.
CMMC 2.0 References Supporting This Answer:
NIST SP 800-171 (Requirement 3.2.1)
Defines the mandatory training requirement for personnel handling CUI.
CMMC Assessment Guide for Level 2
Lists AT.L2-3.2.1 as a required practice under Level 2.
CMMC 2.0 Model Overview
Confirms that CMMC Level 2 aligns with NIST SP 800-171, which includes security training requirements.