Which CMMC Levels focus on protecting CUI from exfiltration?
Answer : C
Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).
Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.
Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.
Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.
Reference Documents:
CMMC Model v2.0 Overview (DoD, December 2021)
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
Answer : A
NIST SP 800-88 Rev. 1 is the authoritative guide for media sanitization. It defines three categories of data disposal: Clear, Purge, and Destroy.
Supporting Extracts from Official Content:
NIST SP 800-88 Rev. 1: "Media sanitization techniques are divided into three categories: Clear, Purge, and Destroy."
Why Option A is Correct:
"Clear, Purge, Destroy" are the exact three categories named.
Redact and Overwrite are not categories; Overwriting is a technique that may fall under Clear.
Reference (Official CMMC v2.0 Content and Source Documents):
NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.
An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?
Answer : C
Understanding Assessment Methods in CMMC 2.0
According to the CMMC Assessment Process (CAP) Guide, assessors use three primary assessment methods to determine compliance with security practices:
Examine -- Reviewing documents, policies, configurations, and system records.
Interview -- Speaking with personnel to gather insights into security processes.
Test -- Performing technical validation of system functions and security controls.
Why Option C (Examine) is Correct
The Assessment Team Member is inspecting Assessment Objects (e.g., system configurations, user access control settings, policies) to determine if the OSC's evidence is sufficient for AC.L1-3.1.1 (Access Control -- Authorized Users).
This activity aligns directly with the Examine method, which involves reviewing artifacts such as:
Access control lists (ACLs)
System user authentication logs
Account management policies
Role-based access control settings
'Observe' (Option B) is incorrect because 'observing' is not an official assessment method in CMMC.
'Test' (Option A) is incorrect because the assessment is not actively executing a function but rather reviewing evidence.
'Interview' (Option D) is incorrect because no personnel are being questioned; only documentation is being reviewed.
Official CMMC Documentation Reference
CMMC Assessment Process (CAP) Guide, Section 3.5 -- Assessment Methods
CMMC Level 2 Assessment Guide -- Access Control Practices (AC.L1-3.1.1)
Final Verification
Since the activity involves reviewing documents and records to verify access control measures, it falls under the Examine method, making Option C the correct answer.
In the CMMC Model, how many practices are included in Level 1?
Answer : B
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protect Federal Contract Information (FCI) and consists of 17 foundational cybersecurity practices. These practices are directly derived from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.
Breakdown of CMMC Level 1 Practices
The 17 practices in Level 1 focus on basic cybersecurity hygiene and fall under the following 6 domains:
Access Control (AC) -- 4 practices
AC.L1-3.1.1: Limit system access to authorized users
AC.L1-3.1.2: Limit user access to authorized transactions and functions
AC.L1-3.1.20: Verify and control connections to external systems
AC.L1-3.1.22: Control information posted or processed on publicly accessible systems
Identification and Authentication (IA) -- 2 practices
IA.L1-3.5.1: Identify and authenticate system users
IA.L1-3.5.2: Use multifactor authentication for local and network access
Media Protection (MP) -- 1 practice
MP.L1-3.8.3: Sanitize media before disposal or reuse
Physical Protection (PE) -- 4 practices
PE.L1-3.10.1: Limit physical access to systems containing FCI
PE.L1-3.10.3: Escort visitors and monitor visitor activity
PE.L1-3.10.4: Maintain audit logs of physical access
PE.L1-3.10.5: Control and manage physical access devices
System and Communications Protection (SC) -- 2 practices
SC.L1-3.13.1: Monitor and control communications at system boundaries
SC.L1-3.13.5: Implement subnetworks for publicly accessible system components
System and Information Integrity (SI) -- 4 practices
SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner
SI.L1-3.14.2: Provide protection from malicious code at designated locations
SI.L1-3.14.4: Update malicious code protection mechanisms periodically
SI.L1-3.14.5: Perform scans of system components and real-time file scans
Official Reference from CMMC 2.0 Documentation
The 17 practices for CMMC Level 1 are explicitly listed in the CMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in the FAR 52.204-21 requirements. These practices represent basic safeguarding measures that all DoD contractors handling FCI must implement.
CMMC 2.0 Level 1 Summary:
Focus: Basic safeguarding of FCI
Total Practices: 17
Derived From: FAR 52.204-21
Assessment Type: Self-assessment (annual)
Final Verification and Conclusion
The correct answer is B. 17 practices, as verified from the CMMC 2.0 official documents and FAR 52.204-21 requirements.
Which are guiding principles in the CMMC Code of Professional Conduct?
Answer : A
The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.
Supporting Extracts from Official Content:
CMMC Code of Professional Conduct: "Guiding principles... include Objectivity, Information Integrity, and Higher Accountability."
Why Option A is Correct:
These three principles are the official guiding values documented in the Code of Professional Conduct.
Options B, C, and D insert terms ("proper use of methods") that are not part of the official guiding principles.
Reference (Official CMMC v2.0 Content):
CMMC Code of Professional Conduct.
During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:
Answer : D
Who Should Be Interviewed During a CMMC Assessment?
During assessment planning, the Organization Seeking Certification (OSC) may suggest personnel for interviews. However, the person interviewed must be someone who:
Implements the practice (directly responsible for executing it).
Performs the practice (carries out day-to-day security operations).
Supports the practice (provides necessary resources or oversight).
Why 'Implements, Performs, or Supports That Practice' is Correct
The assessor needs direct insights from individuals actively involved in the practice.
Funding (Option A) does not provide technical or operational insight into practice execution.
Auditing (Option B) focuses on compliance checks, but auditors do not implement the practice.
Supporting, auditing, and performing (Option C) includes auditors, who are not necessarily the right interviewees.
Breakdown of Answer Choices
Option A -- Funds that practice. Incorrect: funding is important but does not mean direct involvement.
Option B -- Audits that practice. Incorrect: auditors check compliance but do not implement practices.
Option C -- Supports, audits, and performs that practice. Incorrect: auditing is not a requirement for interviewees.
Option D -- Implements, performs, or supports that practice. Correct: the interviewee must have direct involvement in execution.
Official Reference from CMMC 2.0 Documentation
CMMC Assessment Process Guide (CAP) -- Requires that interviewees be directly responsible for implementing, performing, or supporting the practice.
Final Verification and Conclusion
The correct answer is D. Implements, performs, or supports that practice, as the interviewee must actively contribute to the execution of the practice.
Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?
Answer : D
The correct document is a Non-Disclosure Agreement (NDA), because its specific purpose is to restrict a receiving party from disclosing sensitive or confidential information to unauthorized parties. In the official CMMC Assessment Process (CAP) v2.0, NDAs are called out directly as a required element of the contracting relationship for a Level 2 certification assessment.
CAP v2.0 states that the C3PAO and the OSC must execute a written contractual agreement for the assessment and then specifies that "A mutual non-disclosure agreement (NDA) between the parties shall be incorporated into the contractual agreement or negotiated and executed in a separate document (e.g., stand-alone NDA, master services agreement, etc.)."
This is important because CMMC assessments can involve access to highly sensitive organizational information, including details about system architectures, security implementations, and potentially CUI handling processes. The CAP's NDA requirement supports controlling dissemination of that information and reinforces the broader confidentiality expectations placed on assessment participants.
While an "assessment agreement" or generic "legal agreement" might contain confidentiality clauses, CAP v2.0 explicitly identifies the NDA instrument (either embedded or standalone) as the mechanism to protect information exchanged during the assessment engagement. Therefore, the best answer, consistent with CMMC v2.0 official process documentation, is D (Non-disclosure agreement).