CMMC-CCP Exam Dumps - Cyber AB CMMC Questions and Answers

Step 1: Understanding Who Specifies CMMC Levels

TheU.S. Department of Defense (DoD)determines the requiredCMMC Levelbased on thesensitivity of the information involved in a contract.

The required CMMC Level isspecified in Requests for Information (RFIs) and Requests for Proposals (RFPs).

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Why NIST SP 800-171 is Essential for Level 2 Scoping:

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

Explanation of Incorrect Answers:

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

Key References for CMMC Level 2 Scoping:

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Conclusion:

SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC Assessments

When assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Breakdown of Answer Choices

Option

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

Official References from CMMC 2.0 Documentation

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Final Verification and Conclusion

The correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

In CMMC scoping terminology, an HQ Organization is the entity legally responsible for contract performance and delivery of products or services.

Supporting Extracts from Official Content:

CMMC Scoping Guide: “HQ Organization is the legal entity responsible for the performance and delivery of contract requirements.”

Why Option D is Correct:

The HQ Org is legally accountable, while Host Units (option A/B) are subordinate entities.

Option C refers to shared services, not the HQ.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, High-Level Scoping Definitions.

===========

In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :

Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect :

Option A : While it contains Level 1 practices, it also includes Level 2 practices.

Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D : The Advanced level does not reach the requirements of Level 3.

Reference Documents :

CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========

TheLimited Practice Deficiency Correction Evaluationprocess occurs when anOrganization Seeking Certification (OSC)has undergone aCMMC Level 2 Assessmentby aCertified Third-Party Assessment Organization (C3PAO)and hasunresolved deficienciesin some security practices.

According toCMMC 2.0 policy and DFARS 252.204-7021, OSCs can still achieveInterim Certificationif they meet theminimum thresholdof security practices while addressing deficiencies through aPlan of Action & Milestones (POA & M).

Minimum Number of Practices Required

TheCMMC 2.0 Interim Rulestates that an OSCmust meet at least 100 out of 110 practicesto qualify for aPOA & M-based remediation.

A maximum of 10 practices can be listed in the POA & Mfor later correction.

Failure to meet at least 100 practices results in failing the assessment outright, requiring a full reassessment after remediation.

Why "C. 100 Practices" is Correct?

The Lead Assessor can recommend POA & M placementonly if the OSC meets at least 100 practices.

Less than 100 practices scored as MET means the OSC does not qualify for a POA & Mand mustretest completely.

DFARS 252.204-7021 and CMMC 2.0 policiesconfirm the100-practice thresholdfor conditional certification.

Why Other Answers Are Incorrect?

A. 80 practices (Incorrect)– Falls well below the 100-practice requirement.

B. 88 practices (Incorrect)– Still below the POA & M eligibility threshold.

D. 110 practices (Incorrect)– While meeting 110 practices would be ideal,CMMC allows a POA & M option at 100 practices.

Conclusion

The correct answer isC. 100 practices, as this meets theminimum threshold for POA & M-based Interim Certification.

Under NIST SP 800-171, Personnel Security (PS) family, requirement PS.L2-3.9.1, organizations must screen individuals prior to granting access to CUI. The screening is intended to evaluate conduct, integrity, and loyalty to ensure that individuals can be trusted with sensitive information.

Supporting Extracts from Official Content:

NIST SP 800-171 Rev. 2, PS.L2-3.9.1: “Screen individuals prior to authorizing access to organizational systems containing CUI… Screening is intended to assess an individual’s conduct, integrity, judgment, loyalty, and reliability.”

CMMC Level 2 Assessment Guide (Personnel Security practices): confirms that screening covers conduct, integrity, and loyalty.

Why Option C is Correct:

The key attributes explicitly listed are conduct, integrity, and loyalty.

Options A and B describe subjective or informal measures, not compliance criteria.

Option D uses terms not aligned with the official requirement.

References (Official CMMC v2.0 Content):

NIST SP 800-171 Rev. 2, Personnel Security controls.

CMMC Assessment Guide, Level 2 – PS.L2-3.9.1.

===========

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

Understanding CMMC Assessment Methods

TheCMMC Assessment Process (CAP)definesthree primary assessment methodsused to verify compliance with cybersecurity practices:

Examine– Reviewing documents, policies, configurations, and logs.

Interview– Engaging with subject matter experts (SMEs) to clarify processes and verify implementation.

Test– Observing technical implementations, such as system configurations and security measures.

Since the question asks for a method thatgathers information from SMEs to facilitate understanding and achieve clarification, the correct method isInterview.

Why "Interview" is Correct?

✅Interviewsare specifically designed togather information from SMEsto confirm understanding and clarify security processes.

✅TheCMMC Assessment Guiderequires assessors tointerview key personnelresponsible for cybersecurity practices.

✅Examine (Option B)andTest (Option A)are also valid assessment methods, but they donot focus on gathering insights directly from SMEs.

Breakdown of Answer Choices

Option

Description

Correct?

A. Test

❌Incorrect–This method involvestechnical verification, not gathering SME insights.

B. Examine

❌Incorrect–This method focuses ondocument review, not SME interaction.

C. Interview

✅Correct – The method used to gather information from SMEs and achieve clarification.

D. Assessment

❌Incorrect–This is a general term,not a specific assessment method.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– DefinesInterviewas the method for obtaining information from SMEs.

Final Verification and Conclusion

The correct answer isC. Interview, as this methodgathers insights from subject matter expertsto verify cybersecurity implementations.

UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.

Key Requirements from DFARS 252.204-7012 (c)(1):

CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.

The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.

The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.

Why is the Correct Answer "FedRAMP Moderate" (B)?

A. FedRAMP Low → Incorrect

FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.

B. FedRAMP Moderate → Correct

FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.

It provides a security baseline for protectingsensitive but unclassified government data.

C. FedRAMP High → Incorrect

FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.

D. FedRAMP Secure → Incorrect

There isno official FedRAMP Secure categoryin FedRAMP guidelines.

CMMC 2.0 References Supporting this Answer:

DFARS 252.204-7012(c)(1)

Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.

CMMC 2.0 Level 2 Requirements

CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.

FedRAMP Security Baselines

FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.