Cyber AB Certified CMMC Professional (CCP) CMMC-CCP Exam Questions

Page: 1 / 14
Total 221 questions

Want more questions? Get Premium Access.
()

Question 1

A contractor has implemented IA.L2-3.5.3: Multifactor Authentication practice for their privileged users, however, during the assessment it was discovered that the OSC's standard users do not require MFA to access their endpoints and network resources. What would be the BEST finding?

AThe process is running correctly.

BIt is out of scope as this is a new acquisition.

CThe new acquisition is considered Specialized Assets.

DPractice is NOT MET since the objective was not implemented.

Answer : D

Understanding IA.L2-3.5.3: Multifactor Authentication (MFA) Requirement

TheIA.L2-3.5.3practice, derived fromNIST SP 800-171 (Requirement 3.5.3), requires thatmultifactor authentication (MFA) be implemented for both privileged and standard userswhen accessing:

Organizational endpoints(e.g., laptops, desktops, mobile devices).

Network resources(e.g., VPNs, internal systems).

Cloud services containing Controlled Unclassified Information (CUI).

Key Requirement for a 'MET' Rating

For IA.L2-3.5.3 to beMet, the organization must:

Require MFA for all privileged users(e.g., system administrators).

Require MFA for standard users accessing endpoints and network resources.

Implement MFA across all relevant systems.

Sincestandard users do not require MFA in the OSC's current implementation, the practiceis not fully implementedand must be ratedNOT MET.

Why is the Correct Answer 'D' (Practice is NOT MET since the objective was not implemented)?

A . The process is running correctly Incorrect

MFA isonly applied to privileged users, but it isalso required for standard users. The process isnot fully implemented.

B . It is out of scope as this is a new acquisition Incorrect

New acquisitionsmust still meet MFA requirementsif they handle CUI or network access.

C . The new acquisition is considered Specialized Assets Incorrect

Specialized assets (e.g., IoT, legacy systems) may have alternative security controls, but standard users and endpointsmust still comply with MFA.

D . Practice is NOT MET since the objective was not implemented Correct

MFA must be enabled for both privileged and standard usersaccessing endpoints and network resources. Since standard users are excluded, the practice isNOT MET.

CMMC 2.0 Reference Supporting This Answer:

CMMC 2.0 Level 2 (Advanced) Requirements

Specifies thatMFA must be applied to all users accessing CUI and network resources.

NIST SP 800-171 (Requirement 3.5.3 -- MFA Implementation)

Requires MFA forall user types, including privileged and standard users.

CMMC Assessment Process (CAP) Document

States that a practicemust be fully implemented to be considered MET. Partial implementation meansNOT MET.

Question 2

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

AAbility

BEligibility

CCapability

DSuitability

Answer : B

What Happens in Phase 4 of the CMMC Assessment Process?

Phase 4 of theCMMC Assessment Process (CAP)is theFinal Reporting and Decision Phase. During this phase, theLead Assessormust:

Review all assessment findings

Determine the Organization Seeking Certification's (OSC) eligibility for certification

Make a recommendation to the C3PAO (Certified Third-Party Assessment Organization)

Key Responsibilities of the Lead Assessor in Phase 4:

Ensure that the OSC hasmet the required practices and processes.

Confirm that anydeficiencieshave been corrected or appropriately documented.

Recommendwhether the OSC is eligible for certificationbased on assessment results.

Since theLead Assessor must determine and recommend the OSC's eligibilityto the C3PAO, the correct answer isB. Eligibility.

Why the Other Answers Are Incorrect

A . Ability

Incorrect. While assessing an OSC's ability to meet CMMC requirements is part of the process, the final determination in Phase 4 is abouteligibilityfor certification.

C . Capability

Incorrect. Capability refers to an organization'stechnical and operational readiness. The Lead Assessor is making a recommendation oneligibility, not just capability.

D . Suitability

Incorrect. Suitability is not a defined term in theCMMC CAP processfor final assessment recommendations. The correct term iseligibility.

CMMC Official Reference

CMMC Assessment Process (CAP) Document-- Specifies that the Lead Assessor must determine and recommend theeligibilityof the OSC in Phase 4.

CMMC 2.0 Model-- Defines the assessment process, including certification decision-making.

Thus,option B (Eligibility) is the correct answer, as per official CMMC guidance.

Question 3

Which CMMC Levels focus on protecting CUI from exfiltration?

ALevels 1 and 2

BLevels 1 and 3

CLevels 2 and 3

DLevels 1, 2, and 3

Answer : C

Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).

Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.

Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.

Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.

Reference Documents:

CMMC Model v2.0 Overview (DoD, December 2021)

NIST SP 800-171 Rev. 2,Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172,Enhanced Security Requirements for Protecting Controlled Unclassified Information

Question 4

While conducting a CMMC Level 2 Assessment, the Lead Assessor determines that the OSC has badge readers, pin code pads, and keys for various access points as well as documentation to demonstrate meeting the practice. Which CMMC practice has the OSC MET?

APE.L1-3.10.5: Control and manage physical access devices

BMP.L2-3.8.5: Mark media with necessary CUI markings and distribution limitations

CSI.L2-3.14.3: Monitor system security alerts and advisories and take action in response

DPS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

Answer : A

The presence of badge readers, PIN code pads, and keys directly corresponds to controlling and managing physical access devices, which maps to PE.L1-3.10.5 under the Physical Protection (PE) domain. This practice ensures that only authorized individuals have access to physical areas containing information systems.

The other options address unrelated requirements:

MP.L2-3.8.5 addresses marking CUI media,

SI.L2-3.14.3 addresses monitoring security alerts,

PS.L2-3.9.2 addresses protections during personnel changes.

Reference Documents:

CMMC Model v2.0, Level 1--3 Practices

NIST SP 800-171 Rev. 2, Control PE-3

Question 5

Which principles are included in defining the CMMC-AB Code of Professional Conduct?

AObjectivity, classification, and information accuracy

BObjectivity, confidentiality, and information integrity

CResponsibility, classification, and information accuracy

DResponsibility, confidentiality, and information integrity

Answer : D

The Cyber AB (formerly CMMC-AB) Code of Professional Conduct (CoPC) is a mandatory agreement that all CMMC ecosystem members---including Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs)---must adhere to. This code ensures the reliability and trustworthiness of the assessment process.

The fundamental principles that form the foundation of the CoPC include:

Responsibility: This refers to the obligation of the CMMC professional to act in the best interest of the CMMC program, the Department of Defense (DoD), and the public. It includes maintaining professional competence and performing duties with due care.

Confidentiality: Assessors and professionals are granted access to sensitive information, including Controlled Unclassified Information (CUI) and proprietary business data of the Organization Seeking Certification (OSC). They must ensure this information is protected from unauthorized disclosure.

Information Integrity: This principle requires that all data, findings, and reports generated during the assessment are accurate, complete, and have not been tampered with. It ensures that the 'Met' or 'Not Met' determinations are based on honest evidence.

Why other options are incorrect:

Options A and B (Objectivity): While 'Objectivity' is a crucialbehavioralrequirement for an assessor (remaining unbiased), the specific high-level triad often emphasized in the CMMC Professional training and the formal CoPC documentation focuses on the Responsibility-Confidentiality-Integrity framework to align with standard professional ethics and information security pillars.

Options A and C (Classification): 'Classification' is a process used for National Security Information (Classified info), whereas CMMC is primarily focused on unclassified information (CUI and FCI). Classification is not a core principle of the professional code of conduct.

Options A and C (Information Accuracy): While accuracy is vital, it is considered a subset of Information Integrity within the formal definitions provided in the CCP curriculum.

Reference Documents:

CMMC-AB (The Cyber AB) Code of Professional Conduct: The official ethical framework for all credentialed individuals.

CMMC Professional (CCP) Study Guide: Section on 'Ethics and the Code of Professional Conduct.'

CMMC Assessment Process (CAP): Reference the ethical standards required to maintain the integrity of the assessment ecosystem.

Question 6

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1. Guidelines for Media Sanitation?

AClear, purge, destroy

BClear redact, destroy

CClear, overwrite, purge

DClear, overwrite, destroy

Answer : A

Understanding NIST SP 800-88 Rev. 1 and Media Sanitization

TheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Three Categories of Data Disposal in NIST SP 800-88 Rev. 1

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than 'Clear'.

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

Why 'A. Clear, Purge, Destroy' is Correct?

B . Clear, Redact, Destroy (Incorrect)-- 'Redact' is a term used for document sanitization,notdata disposal.

C . Clear, Overwrite, Purge (Incorrect)-- 'Overwrite' is a method within 'Clear,' but it isnot a top-level categoryin NIST SP 800-88.

D . Clear, Overwrite, Destroy (Incorrect)-- 'Overwrite' is a sub-method of 'Clear,' but 'Purge' is missing, making this incorrect.

Conclusion

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.

NIST SP 800-88 Rev. 1 -- Guidelines for Media Sanitization

CMMC 2.0 Security Practices Related to Media Disposal(Aligned with NIST guidance)

Question 7

Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of (he OSC's updated POA&M with any accompanying evidence or scheduled collections?

A90 days

B180 days

C270 days

D360 days

Answer : B

In theCMMC 2.0 Assessment Process, after theAssessment Final Recommended Findings Brief, theLead Assessor and Assessment Team Membersmustreview the accuracy and validity of the Organization Seeking Certification (OSC)'s updated Plan of Action & Milestones (POA&M) and any accompanying evidence or scheduled collectionswithin180 days.

Relevant CMMC 2.0 Reference:

TheCMMC Assessment Process (CAP)outlines that organizations haveup to 180 daysto address identifieddeficienciesafter their initial assessment.

During this time, the OSC can update itsPOA&M with additional evidenceto demonstrate compliance.

Why is the Correct Answer 180 Days (B)?

A . 90 days Incorrect

The CMMC CAP does not impose a90-day limiton POA&M updates; instead,180 daysis the standard timeframe.

B . 180 days Correct

PerCMMC Assessment Process guidelines, theLead Assessor and Teammust review updateswithin 180 days.

C . 270 days Incorrect

No official CMMC documentation mentions a270-dayreview period.

D . 360 days Incorrect

The process must be completedfar sooner than 360 daysto maintain compliance.

CMMC 2.0 Reference Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines the180-day windowfor the OSC to update itsPOA&M and submit evidencefor review.

CMMC 2.0 Official Guidelines

Specifies that organizations are givenup to 180 daysto remediate deficiencies before reassessment.