CMMC-CCP Exam Dumps - Cyber AB CMMC Questions and Answers

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Breaking Down the Scenario:Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Understanding the Role of the Lead Assessor in CMMC AssessmentsTheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.

Lead Assessor’s Key Responsibilities (Per CAP Guide)

Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.

Assignappropriate assessment tasksbased on team members’ expertise.

Ensure that theassessment is conducted in accordance with CMMC procedures.

Why Not the Other Options?

A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect

AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.

B. CMMC-AB (CMMC Accreditation Body)→Incorrect

TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.

D. CMMC Marketplace→Incorrect

TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.

CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.

CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.

Why the Correct Answer is "C. Lead Assessor"?Relevant CMMC 2.0 References:Final Justification:Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.

Understanding the CMMC Readiness Review ProcessALead Assessorconducting aCMMC Readiness Reviewevaluates whether anOrganization Seeking Certification (OSC)is prepared for a formal assessment.

After recording theassessment risk statusandoverall assessment feasibility, theminimum remaining criteriato be verified include:

Logistics Planning– Ensuring that the assessment timeline, locations, and necessary resources are in place.

Assessment Team Preparation– Confirming that assessors and required personnel are available and briefed.

Evidence Readiness– Ensuring the OSC has gathered all required artifacts and documentation for review.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Determine the practice pass/fail results.

Happensduringthe formal assessment, not the readiness review.

❌Incorrect

B. Determine the preliminary recommended findings.

Findings are only madeafterthe full assessment.

❌Incorrect

C. Determine the initial model practice ratings and record them.

Ratings are assigned during theassessment, not readiness review.

❌Incorrect

D. Determine the logistics, Assessment Team, and the evidence readiness.

✅Essential readiness criteria that must be confirmedbeforeassessment starts.

✅Correct

TheCMMC Assessment Process Guide (CAP)states that readiness review ensureslogistics, assessment team availability, and evidence readinessare verified.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Determine the logistics, Assessment Team, and the evidence readiness.This aligns withCMMC readiness review requirements.

TheCybersecurity Maturity Model Certification (CMMC) 2.0is primarily based on two key National Institute of Standards and Technology (NIST) Special Publications:

NIST SP 800-171– "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations"

NIST SP 800-172– "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

NIST SP 800-171

This document is thecore foundationof CMMC 2.0 and establishes the security requirements for protectingControlled Unclassified Information (CUI)in non-federal systems.

The 110 security controls fromNIST SP 800-171 Rev. 2are mapped directly toCMMC Level 2.

NIST SP 800-172

This supplement includesenhanced security requirementsfor organizations handlinghigh-value CUIthat faces advanced persistent threats (APTs).

These enhanced requirements apply toCMMC Level 3under the 2.0 model.

B. DFARS, FIPS 100, and NIST SP 800-171→Incorrect

WhileDFARS 252.204-7012mandates compliance withNIST SP 800-171,FIPS 100 does not existas a relevant cybersecurity standard.

C. DFARS, NIST, and Carnegie Mellon University→Incorrect

CMMC is aligned with DFARS and NIST but isnot developed or directly influenced by Carnegie Mellon University.

D. DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University→Incorrect

Again,FIPS 100 is not relevant, andCarnegie Mellon Universityis not a defining entity in the CMMC framework.

CMMC 2.0 Scoping Guide (2023)confirms thatCMMC Level 2 is entirely based on NIST SP 800-171.

CMMC 2.0 Level 3 Draft Documentationexplicitly referencesNIST SP 800-172for enhanced security requirements.

DoD Interim Rule (DFARS 252.204-7021)mandates that organizations meetNIST SP 800-171 for CUI protection.

Reference and Breakdown:Eliminating Incorrect Answer Choices:Official CMMC 2.0 References Supporting the Answer:Final Conclusion:The CMMC 2.0 model is derivedsolely from NIST SP 800-171 and NIST SP 800-172, makingAnswer A the only correct choice.

Understanding the Media Protection (MP) DomainTheMedia Protection (MP) domaininCMMC 2.0focuses on the security requirements needed to handlephysical or digital mediacontainingControlled Unclassified Information (CUI).

This domain includes controls for:

Protecting digital and physical mediathat store CUI.

Sanitizing and destroying mediabefore disposal or reuse.

Restricting access to CUI mediato authorized personnel only.

TheMP domaindirectly addresses the requirements for handlingCUI media, includingencryption, access control, storage, and disposal.

CMMC 2.0Level 2aligns withNIST SP 800-171, which includesMP controlsfor managing media containing CUI.

B. Physical Protection (PE)→Incorrect

PEfocuses onphysical security(e.g., facility access, visitor logs, physical barriers),not the handling of CUI on media.

C. System and Information Integrity (SI)→Incorrect

SIdeals withsystem monitoring, vulnerability management, and incident response, not media protection.

D. System and Communications Protection (SC)→Incorrect

SCcoversnetwork security, encryption, and secure communications, but does not specifically focus on media handling.

CMMC Level 2 Practice MP.3.125– Protects CUI by ensuring proper handling ofmedia containing CUI.

NIST SP 800-171 (MP Family)– Establishes security requirements for handlingdigital and physical mediacontaining CUI.

CMMC Scoping Guide (Nov 2021)– ConfirmsMP controls apply to all media that store, process, or transmit CUI.

Why the Correct Answer is "A. Media Protection (MP)"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceMedia Protection (MP) directly addresses the handling of assets containing CUI, the correct answer isA. Media Protection (MP).

In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.

Who Verifies the Adequacy and Sufficiency of Evidence?In the CMMC assessment process, it is theAssessment Teamthat is responsible for verifying whether thepractices and related componentshave been met for each in-scopeHost Unit, Supporting Organization/Unit, or enclave.

TheCMMC Assessment Teamis composed of certified assessors and led by aCertified CMMC Assessor (CCA). Their primary role is to:

Review evidenceprovided by theOrganization Seeking Certification (OSC).

Determine compliancewith required CMMC practices and processes.

Evaluate the sufficiencyof evidence to confirm that all required practices have been properly implemented.

Document and report findingsto the CMMC Accreditation Body (CMMC-AB).

Breakdown of Answer ChoicesOption

Description

Correct?

A. OSC (Organization Seeking Certification)

The OSC provides documentation and evidence but doesnotverify its adequacy.

❌Incorrect

B. Assessment Team

✅Responsible for verifying the adequacy and sufficiency of evidence.

✅Correct

C. Authorizing Official

Typically refers to an official responsible for system accreditation underNIST RMF, not CMMC.

❌Incorrect

D. Assessment Official

Not a defined role in the CMMC framework.

❌Incorrect

TheCMMC Assessment Process Guide(CAP) outlines theAssessment Team'sresponsibility in verifying evidence.

TheCMMC Assessment Teamevaluates whether theorganization's cybersecurity practices meet CMMC requirements.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Assessment Team, as per CMMC 2.0 documentation and official assessment processes.

Understanding the False Claims Act (FCA) and Whistleblower ProtectionsTheFalse Claims Act (FCA)(31 U.S.C. §§ 3729–3733) is aU.S. federal lawthat allowswhistleblowers (also known as "relators")to sue on behalf of the federal government if they believe a company issubmitting fraudulent claimsfor government funds.

The FCA includes a"qui tam" provision, which:

✅Allows private individuals to file lawsuits on behalf of the U.S. government.

✅Provides financial rewards to whistleblowersif the lawsuit results in recovered funds.

✅Protects whistleblowers from employer retaliation.

In the context ofCMMC and cybersecurity compliance, theFCA has been used to hold companies accountableformisrepresenting their cybersecurity compliancewhen working with federal contracts.

For example:

If a companyfalsely claimscompliance withCMMC, NIST SP 800-171, or DFARS 252.204-7012butfails to meet security requirements, it could beliable under the FCA.

TheDepartment of Justice (DOJ)has pursued cases under theCyber-Fraud Initiative, using theFCA against defense contractorsfor cybersecurity noncompliance.

Thus, the correct answer isC. False Claims Actbecause it specifically allows whistleblowers tosue on behalf of the federal government.

A. NIST SP 800-53❌Incorrect.NIST SP 800-53provides security controls for federal agencies butdoes notcontain whistleblower provisions.

B. NIST SP 800-171❌Incorrect.NIST SP 800-171outlines security requirements for protectingCUI, but itdoes not have legal mechanismsfor whistleblower lawsuits.

D. Code of Professional Conduct❌Incorrect. TheCMMC Code of Professional Conductapplies toC3PAOs and assessorsbut doesnot provide a legal basis for whistleblower lawsuits.

Why the Other Answers Are Incorrect

False Claims Act (31 U.S.C. §§ 3729–3733)– Establishes whistleblower protections and qui tam lawsuits.

DOJ Cyber-Fraud Initiative– Uses the FCA to enforce cybersecurity compliance in government contracts.

DFARS 252.204-7012 & CMMC– Require accurate reporting of cybersecurity compliance, which can lead to FCA violations if misrepresented.

CMMC Official ReferencesThus,option C (False Claims Act) is the correct answeras per official legal guidance.

Understanding IA.L1-3.5.1 (Identification and Authentication Requirements)TheCMMC 2.0 Level 1practiceIA.L1-3.5.1aligns withNIST SP 800-171, Requirement 3.5.1, which mandates that organizationsidentify system users, processes acting on behalf of users, and devicesto ensure proper access control.

To comply with this requirement, anOrganization Seeking Certification (OSC)must maintain documentation that demonstrates:

A unique identifier (username) for each system user

Mapping of system accounts to specific individuals

Identification of devices and automated processes that access systems

This documentation directly satisfies IA.L1-3.5.1because it showshow system users are uniquely identified and linked to specific accountswithin the environment.

Alist of users and their assigned accountsconfirms that the organization has a structured method oftracking access and authentication.

It allows auditors to verify thateach user has a distinct identityand that access control mechanisms are properly applied.

A. Procedures for implementing access control lists (Incorrect)

While access control lists (ACLs) are relevant for authorization, they do notidentify users or devicesspecifically, making them insufficient as primary evidence for IA.L1-3.5.1.

B. List of unauthorized users that identifies their identities and roles (Incorrect)

Identifying unauthorized users does not fulfill the requirement of trackingauthorizedusers, devices, and processes.

D. Physical access policy stating "All non-employees must wear a special visitor pass or be escorted" (Incorrect)

This pertains tophysical security, not system-baseduser identification and authentication.

The correct answer isC. User names associated with system accounts assigned to those individuals, as thisdirectly satisfies the identification requirement of IA.L1-3.5.1.

Understanding the CMMC Assessment Process (CAP) PhasesTheCMMC Assessment Process (CAP)consists ofthree primary phases:

Phase 1 - Planning(Pre-assessment activities)

Phase 2 - Conducting the Assessment(Evidence collection and analysis)

Phase 3 - Reporting and Finalizing Results

DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.

Scoring Practices in Phase 3The CAP document specifies that a practice can bescored as METif:

✅The deficiency identified in Phase 2 has been fully corrected before final scoring.

✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.

✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.

Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.

B. POA&M (Plan of Action & Milestones)❌Incorrect. APOA&M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.

C. NOT MET❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.

D. NOT APPLICABLE❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA&M.

CMMC Official ReferencesThus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.