Free Practice Questions for Cyber AB CMMC-CCP Exam

Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

Step 1: Understand the “CA” Domain – Security AssessmentTheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA&Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA&Ms.

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

✅Step 2: Review CMMC Levels

A. Level 1✘ No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4✘ These levels build on CA practices but do not represent thestarting point.

❌Why the Other Options Are Incorrect

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

Understanding the Role of the DoD CIO Office in CMMCTheDepartment of Defense (DoD) Chief Information Officer (CIO) officeis theprimary authorityresponsible for leading the direction, standards, and best practices of theCybersecurity Maturity Model Certification (CMMC)framework.

The DoD CIO Oversees CMMC Policy and Implementation

TheDoD CIO Office is responsible for the governance and strategic direction of CMMC.

It ensures thatCMMC aligns with DoD cybersecurity policies, such asDoD Instruction 5200.48 (Controlled Unclassified Information)andNIST SP 800-171.

CMMC Development and Evolution

TheDoD CIO played a critical role in launching CMMCto improve cybersecurity across theDefense Industrial Base (DIB).

The CIO office leadspolicy development and updates to the CMMC framework, including the transition fromCMMC 1.0 to CMMC 2.0.

Alignment of CMMC with Federal Cybersecurity Strategy

The DoD CIO ensures that CMMCintegrates with federal cybersecurity policiesandNIST frameworks.

It provides oversight formapping CMMC Levels (1-2-3) to existing cybersecurity standards and controls.

A. NIST (Incorrect)

TheNational Institute of Standards and Technology (NIST)provides thetechnical framework (NIST SP 800-171, SP 800-172), butNIST does not lead the CMMC program.

C. Federal CIO Office (Incorrect)

TheFederal CIO focuses on broader government IT policiesandnot specifically on DoD cybersecurity requirementslike CMMC.

D. Defense Federal Acquisition Regulation Council (Incorrect)

TheDFARS Counciloverseescontracting regulationsrelated to CMMC (e.g.,DFARS 252.204-7012, 7019, 7020, 7021), but it doesnot lead CMMC standards and best practices.

The correct answer isB. DoD CIO Office, as it isthe lead authority guiding the CMMC framework, standards, and implementation across the Defense Industrial Base (DIB).

The correct answer isA. CMMC Assessment Reporting Requirementsbecause this document specifically outlines thestructured processthat Certified Third-Party Assessment Organizations (C3PAOs) must follow when conducting and reporting CMMC assessments.

Understanding the CMMC Assessment Process

TheLead Assessorbriefs the team on theassessment requirementsand theevaluation criteriabefore the assessment begins.

Throughout the assessment,findings summaries, practice ratings, and level recommendationsare documented and reported.

These findings are internally reviewed by theC3PAObefore they are formally submitted forquality review and final rating approval.

Key Document Stipulating Reporting Requirements: CMMC Assessment Reporting Requirements

This documentspecifically details how assessments must be reportedwithin theCMMC ecosystem.

It describes the structured process for assessment submission, internalC3PAO reviews, andquality checks by the CMMC-ABbefore an organization can receive a final certification decision.

It ensures thatresults are consistent, transparent, and aligned with DoD cybersecurity compliance expectations.

Why Other Options Are Incorrect:

B. DFARS 52.204-21 Assessment Reporting Requirements

This clause only specifiesbasic safeguardingof Federal Contract Information (FCI) but doesnotdictate the reporting process for CMMC assessments.

C. NIST SP 800-171 Revision 2 Assessment Reporting Requirements

WhileNIST SP 800-171 Rev. 2outlines security controls, it doesnotdefine how CMMC assessments must be conducted and reported.

D. DFARS Clause 252.204-7012 Assessment Reporting Requirements

This DFARS clause focuses onincident reportingandcyber incident response requirementsbut does not detail theCMMC assessment reporting process.

CMMC Assessment Reporting Requirements, issued byThe Cyber ABandDoD, governs how C3PAOs must report assessment results.

CMMC Assessment Process (CAP)also outlines reporting workflows for certification.

Step-by-Step Breakdown:Official Reference:Thus, theCMMC Assessment Reporting Requirementsdocument is the authoritative source that dictates the reporting procedures for CMMC assessments.

TheCMMC Scoping Guide for Level 2outlines thatCUI assetsinclude systems, applications, and services thatstore, process, or transmitControlled Unclassified Information (CUI). These are the three core functions that defineCUI handlingwithin anOrganization Seeking Certification (OSC).

Step-by-Step Breakdown:✅1. CUI Assets Defined in CMMC

Stored:CUI is saved on hard drives, cloud storage, or databases.

Processed:CUI is actively used, modified, or analyzed by applications and users.

Transmitted:CUI is sent between systems via email, file transfers, or network communication.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Received and transferred❌

Whilereceiving and transferring CUIis part of handling CUI, it does not fully cover all CUI asset responsibilities.

(C) Entered, edited, manipulated, printed, and viewed❌

These arespecific actionswithinprocessingbut do not coverstorage or transmission, which are also required for CMMC scoping.

(D) Located on electronic media, on system component memory, and on paper❌

While CUI can exist inelectronic and physical forms, CMMC scoping focuses onhow CUI is actively managed (stored, processed, transmitted)rather than where it physically resides.

TheCMMC Level 2 Scoping Guideconfirms thatCUI Assets are categorized based on their role in storing, processing, or transmitting CUI.

NIST SP 800-171also defines these three functions as key components of CUI protection.

Final Validation from CMMC Documentation:

The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.

The other options are delineated as follows:

CMMC-AB:The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.

DoD Contractors FAQ:While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.

OSC's privacy policies:An Organization Seeking Certification's internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.

Therefore, for authoritative information on CUI data classifications, the NARA's CUI Registry is the appropriate resource.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, the remediation review process is a critical phase where identified deficiencies from an initial assessment are addressed. The Lead Assessor, representing a Certified Third-Party Assessment Organization (C3PAO), plays a pivotal role in this process.

Role of the Lead Assessor in Remediation Reviews:

Validation of Remediation Efforts:

Objective:Ensure that the Organization Seeking Certification (OSC) has effectively addressed and corrected all deficiencies identified during the initial assessment.

Process:The Lead Assessor reviews the evidence provided by the OSC to confirm that each previously unmet practice now meets the required standards. This involves examining updated policies, procedures, system configurations, and other relevant artifacts.

Delta Assessment Remediation Package Submission:

Definition:A delta assessment focuses on evaluating only the components or practices that were previously found non-compliant or deficient.

Responsibility:After validating the remediation efforts, the Lead Assessor compiles a remediation package that includes:

Detailed documentation of the deficiencies identified in the initial assessment.

Evidence of the corrective actions taken by the OSC.

Findings from the reassessment of the remediated practices.

Internal Quality Review:This remediation package is then submitted for the C3PAO's internal quality review process. The purpose of this review is to ensure the accuracy, completeness, and consistency of the assessment findings before finalizing the certification decision.

Rationale for Selecting Answer C:

Alignment with CMMC Assessment Process:The submission of a delta assessment remediation package for internal quality review is a standard procedure outlined in the CMMC Assessment Process. This step ensures that all remediated items are thoroughly evaluated and validated, maintaining the integrity of the certification process.

Clarification of Incorrect Options:

Option A:"Help OSC to complete planned remediation activities."

Explanation:The Lead Assessor's role is to assess and validate the OSC's compliance, not to assist in the implementation or completion of remediation activities. Providing such assistance could lead to a conflict of interest and compromise the objectivity of the assessment.

Option B:"Plan two consecutive remediation reviews for an OSC."

Explanation:The standard process involves conducting a single remediation review after the OSC has addressed the identified deficiencies. Planning multiple consecutive remediation reviews is not a typical practice and could indicate a lack of proper remediation planning by the OSC.

Option D:"Validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment."

Explanation:While it's essential to ensure that deficiencies are addressed, the primary focus of the Lead Assessor during a remediation review is to validate the implementation of remediated practices. Updating the Risk Assessment is the responsibility of the OSC's internal risk management team, not the Lead Assessor.

Understanding the Final Review Process in a CMMC AssessmentDuring aCMMC Level 2 Assessment, theAssessment Teamand theOrganization Seeking Certification (OSC)holddaily checkpoint meetingsto discuss progress, review evidence, and ensure transparency.

At theend of the assessment, afinal review meetingis conducted, during which theLead Assessor presents the results. Therecorded Daily Checkpoint logserves as theofficial document summarizing:

Theattendee list

Time, date, and locationof the final review

Final MET or NOT MET ratingsfor all practices

Discussion points, resulting actions, and due datesfor both the OSC and Assessment Team

TheCMMC Assessment Process (CAP) Guidespecifies that all assessment findings and discussions must bedocumented throughout the assessment in daily checkpoint logs.

TheFinal and Recorded Daily Checkpoint Logincludes all necessary details, such as attendee lists, discussion topics, and action items.

This document isused to ensure all discussed topics and agreed-upon actions are properly tracked and recordedbefore submission.

A. Final log report (Incorrect)

There isno specific "Final Log Report"required in CMMC assessments.

B. Final CMMC report (Incorrect)

TheFinal CMMC Reportdocuments the overall assessment results butdoes not serve as the official meeting logfor the final review discussion.

C. Final and recorded OSC CMMC report (Incorrect)

This documentdoes not include detailed discussion points from the daily checkpoint meetings.

The correct answer isD. Final and recorded Daily Checkpoint log, as this is the official document that captures thefinal meeting details, discussions, and action items.

Final Interpretation Authority in the CMMC Assessment ProcessDuring aCMMC Level 2 assessment, several entities are involved in the process, including theOrganization Seeking Certification (OSC), Certified Third-Party Assessment Organization (C3PAO), Assessment Team Members, and the CMMC Accreditation Body (CMMC-AB).

Role of the C3PAO and Assessment Team:

TheCertified Third-Party Assessment Organization (C3PAO)is responsible for conducting the assessment and makinginitial recommended findingsbased on NIST SP 800-171 security requirements.

Assessment Team Members(Lead Assessor and support staff) conduct evaluations and submit theirrecommendationsto the C3PAO.

Final Interpretation Authority – CMMC-AB:

TheCMMC Accreditation Body (CMMC-AB)is responsible for ensuring consistency and accuracy in assessments.

If there is any dispute or need for clarification regarding findings, CMMC-AB provides the final interpretation and guidance.

This ensures uniformity in certification decisions across different C3PAOs.

Why CMMC-AB is the Correct Answer:

CMMC-AB has the ultimate authority over thequality assurance processfor assessments.

It reviewsremediation requests, challenges, or disputesfrom the OSC or C3PAO and makes final determinations.

The CMMC-AB maintains oversight to ensure assessmentsalign with CMMC 2.0 policies and DFARS 252.204-7021 requirements.

A. C3PAO– The C3PAO conducts the assessment and submits findings, butit does not have the final interpretation authority. Findings must pass through theCMMC-AB quality assurance process.

C. OSC Sponsor– The OSC (Organization Seeking Certification)cannot interpret findings; they can only respond to identified deficiencies and appeal assessments through CMMC-AB channels.

D. Assessment Team Members– The assessment teamrecommends findingsbut does not make final interpretations. Their role is limited to conducting evaluations, collecting evidence, and submitting reports to the C3PAO.

Understanding the Definition of a "Practice" in CMMC 2.0In CMMC 2.0, the term"practice"refers to specific cybersecurity activities that organizations must implement to achieve compliance with defined security objectives.

Definition from CMMC Documentation:

According to theCMMC Model Overview, apracticeis defined as:

Step-by-Step Breakdown:"An activity or activities performed to meet defined CMMC objectives."

This means that practices are theactions and implementations required to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

How Practices Fit into CMMC 2.0:

CMMC 2.0 Level 1 consists of17 practices, which align withFAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).

CMMC 2.0 Level 2 consists of110 practices, aligned directly withNIST SP 800-171 Rev. 2.

Each practice has anobjectivethat must be met to demonstrate compliance.

Official CMMC 2.0 References:

TheCMMC 2.0 Model Documentationdefines practices as "the fundamental cybersecurity activities necessary to achieve security objectives."

TheCMMC Assessment Process (CAP) Guideoutlines how assessors verify the implementation of these practices during an assessment.

TheNIST SP 800-171A Guideprovidesassessment objectivesfor each practice to ensure they are implemented effectively.

Comparison with Other Answer Choices:

A. A business transaction→ Incorrect. CMMC practices focus on cybersecurity activities, not financial or operational transactions.

B. A condition arrived at by experience or exercise→ Incorrect. While practices evolve over time, they are defined activities, not just experience-based conditions.

C. A series of changes taking place in a defined manner→ Incorrect. A practice is a set of security actions, not just a process of change.

Conclusion:ACMMC practicerefers to specificcybersecurity activities performed to meet defined CMMC objectives. This makesOption Dthe correct answer.