CMMC-CCP Exam Dumps - Cyber AB CMMC Questions and Answers

In this scenario, the primary concern is the protection of Controlled Unclassified Information (CUI) in an environment that lacks sufficient physical security controls (specifically, a lack of a locked cabinet or drawer). According to the CMMC Assessment Process (CAP) and NIST SP 800-171 (specifically the Physical Protection (PE) family), CUI must be protected from unauthorized access at all times.

Responsibility of the Assessor: CMMC Professionals (CCPs and CCAs) are bound by the CMMC Code of Professional Conduct and the C3PAO's internal security protocols to ensure that any CUI provided by the Organization Seeking Certification (OSC) is handled securely.

Physical Protection (PE.L2-3.10.1 and PE.L2-3.10.2): These practices require that an organization limit physical access to systems and equipment to authorized users and protect the physical facility. If the provided "hoteling space" does not offer a locked container (like a cabinet) to secure the CUI overnight, leaving it in an unlocked drawer (Option C) or on the desk (Option B) would be a violation of CUI handling requirements and a security risk.

Why Option A is the best "Next" step: In the absence of on-site secure storage, the assessor must maintain positive control of the CUI. Taking the document to a secure location (such as the assessor's hotel room or person) where they can ensure it remains under their control is the only viable way to prevent unauthorized access by janitorial staff or other unauthorized personnel at the client site overnight.

Why other options are incorrect:

Option B and C: Both fail to protect the CUI from unauthorized access in a non-secure, shared environment.

Option D: Taking a picture of CUI on a personal phone is a major security violation (spillage), as personal devices are generally not authorized to store or process CUI.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section regarding "Assessor Responsibilities for CUI and Proprietary Information."

NIST SP 800-171 Rev 2: Physical Protection (PE) family (3.10.1, 3.10.2).

DoD Instruction 5200.48: "Controlled Unclassified Information (CUI)," which specifies that CUI must be protected by at least one physical barrier when not in the direct control of an authorized individual.

Understanding C3PAO Requirements

ACertified Third-Party Assessment Organization (C3PAO)is an entityauthorized by the CMMC Accreditation Body (CMMC-AB)to conductCMMC Level 2 Assessmentsfor organizations handlingControlled Unclassified Information (CUI).

Key Requirements for a C3PAO to Conduct Assessments:

✔Must be authorized by CMMC-AB before conducting assessments.

✔Must meet CMMC-AB and DoD cybersecurity and process requirements.

✔Must comply with ISO/IEC 17020 standards for inspection bodies.

✔Must undergo a rigorous vetting process, including cybersecurity verification.

Why is the Correct Answer "D" (A C3PAO must be authorized by CMMC-AB before being able to conduct assessments)?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements → Incorrect

C3PAOs must comply with CMMC-AB authorization requirementsbefore performing assessments.

While they must align withISO/IEC 17020, they donotnecessarily meet all requirements upfront.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements → Incorrect

C3PAOs are not accredited by DoD; they areauthorized by CMMC-ABto perform assessments.

Accreditation follows full compliance with CMMC-AB and ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments → Incorrect

The DoD does not directly accredit C3PAOs—CMMC-AB is responsible forauthorization and oversight.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments → Correct

CMMC-AB grants authorization to C3PAOs, allowing them to perform assessmentsonly after meeting specific requirements.

CMMC 2.0 References Supporting This Answer:

CMMC-AB Certified Third-Party Assessment Organization (C3PAO) Guidelines

States thatC3PAOs must receive CMMC-AB authorization before conducting assessments.

CMMC 2.0 Assessment Process (CAP) Document

Specifies that onlyC3PAOs authorized by CMMC-AB can conduct official CMMC assessments.

ISO/IEC 17020 Compliance for C3PAOs

Defines theinspection body requirements for C3PAOs, which must be met for accreditation.

The best resource for identifying the category of Controlled Unclassified Information (CUI) is NARA , because NARA is the CUI Executive Agent for the federal CUI Program and maintains the authoritative CUI Registry . The Registry is specifically where the government publishes the approved CUI categories (and related markings and handling guidance) used across the Executive Branch.

NARA’s own CUI FAQs explicitly point users to the CUI Registry as the place that “lists all authorized CUI Categories (basic and specified).” Likewise, NIST’s CUI-related FAQ page also points to the NARA CUI Registry for CUI categories, reinforcing that the Registry is the correct source for determining which category applies to a given type of information.

By contrast, DFARS Part 252 (including clauses like 252.204-7012) addresses contractual safeguarding and cyber reporting requirements, not the authoritative categorization list itself. The CMMC Assessment Guide is about how to assess controls for CMMC levels, not how to determine CUI categories. And the Cyber AB (formerly CMMC-AB) administers the ecosystem and assessment processes, not the federal CUI category taxonomy. Therefore, NARA is the best answer.

According to the CMMC Assessment Process (CAP) and the roles defined within the CMMC Ecosystem, the responsibility for the final determination of assessment findings rests with the C3PAO (Certified Third-Party Assessment Organization).

While the Assessment Team (Lead Assessor and Assessor) performs the legwork—conducting interviews, examining documents, and testing mechanisms—the C3PAO is the legal entity contracted by the OSC (Organization Seeking Certification) to conduct the assessment and issue the recommendation for certification.

Role of the C3PAO: The C3PAO provides the quality assurance and oversight. Once the Assessment Team completes the draft findings, the C3PAO performs a quality or "peer" review to ensure the findings are consistent with CMMC requirements. They hold the final authority over the Recommended Finding (Met, Not Met, or N/A) before it is uploaded to the eMASS (Enterprise Mission Assurance Support Service) or the designated DoD database.

Role of the Cyber AB (formerly CMMC-AB): The Board provides the accreditation for the C3PAOs and manages the ecosystem, but they do not participate in individual assessments or overrule specific technical findings of an assessment unless there is a formal appeal or ethics complaint.

Role of the Assessment Team Members: They collect evidence and make initial determinations, but their findings are subject to the C3PAO’s internal quality management system (QMS) review.

Role of the OSC Sponsor: The OSC is the entity being assessed; they have no authority over the interpretation of findings, though they may provide additional evidence during the remediation period.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Phase 3: Conduct Assessment" and "Phase 4: Reporting Results," which details the C3PAO’s responsibility for the final package.

C3PAO Authorization Requirements: Outlines the requirement for a quality management review of all assessment findings by the C3PAO before submission to the DoD.

CMMC Level 2 Readiness and Certification Requirements

CMMCLevel 2is required forOrganizations Seeking Certification (OSCs) that handle Controlled Unclassified Information (CUI)and aligns withNIST SP 800-171's 110 security controls.

Key Readiness Indicators for a Level 2 Assessment:

The OSC must have implemented all 110 security practices from NIST SP 800-171.

Documented and validated cybersecurity policies and procedures must exist.

The OSC must be prepared to provide objective evidence (artifacts) proving compliance.

Why the OSC in the Question is Not Ready:

They have not won a DoD contract yet→ This means they do not yet have a contractually definedCUI environment, which is the foundation for defining their security scope.

They have only provided FCI-related artifacts(e.g., visitor logs, workstation policies, FedRAMP configurations).

Lack of full documentation of CMMC Level 2 controls→ The assessment requiresevidence for all 110 security practices(e.g., system security plans, incident response records, security awareness training documentation).

Clarification of Incorrect Options:

A. "Ready because there is no need to certify this company until after they win a DoD contract."

Incorrect→ Some organizationsseek certification proactivelybefore winning contracts. However, readiness depends on implementingall 110 required controls, not contract status alone.

B. "Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract."

Incorrect→ CMMC Level 2focuses on CUI, not just FCI. While FCI protection is important, the assessment’s focus is onCUI security requirements, which arenot fully addressed by the provided artifacts.

D. "Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification."

Incorrect→ While it is commendable that the OSC is being proactive,readiness is based on full compliance with NIST SP 800-171, not just intent.

During aCMMC assessment, assessors rely on interviews to validate the implementation of cybersecurity practices within anOrganization Seeking Certification (OSC). Ensuringconfidentiality and non-attributionallows employees to speak freely without fear of retaliation or bias, leading to more accurate and candid responses.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide(Level 2) states thatinterviews are a key methodto verify compliance with security controls.

Employees may hesitate to provide truthful information if they fear negative consequences.

To obtain accurate information, assessors must create an environment where team members feel safe.

Ensuring Non-Attribution for Accurate Responses

DoD Assessment Methodologyhighlights thatinterviewees should remain anonymousin reports.

Non-attribution reduces the risk of OSC leadership influencing responses or retaliating against employees.

Employees are more likely to provideaccurateandhonestdescriptions of their responsibilities when confidentiality is guaranteed.

Why the Other Answer Choices Are Incorrect:

(A) Interview groups of people to get collective answers:

Group interviews may limit honest responses due topeer pressure or management presence.

Employees mayhesitate to contradictsupervisors or peers in a group setting.

(B) Understand that testing is more important than interviews:

While testing (e.g., reviewing logs, configurations, and security settings) is crucial, interviews providecontexton how security practices are implemented and followed.

Interviewscomplementtesting rather than being less important.

(D) Let team members know the questions prior to the assessment:

Advanced notice may allow employees toprepare rehearsed answers, which might not reflect actual practices.

This couldreduce the effectivenessof the interview process.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guideand DoDAssessment Methodologyemphasize the importance of confidentiality in interviews to ensure accuracy.Non-attribution protects employees and ensures assessors get honest, unfiltered answers.

Thus, the correct answer is:

C. Ensure confidentiality and non-attribution of team members.

Understanding CMMC 2.0 Incident Response Practices

TheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

Why "A. IR.L2-3.6.1: Incident Handling" is Correct?

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

Why Other Answers Are Incorrect?

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

Conclusion

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 1 is designed to protectFederal Contract Information (FCI)and consists of17 foundational cybersecurity practices. These practices are directly derived fromFAR 52.204-21(Basic Safeguarding of Covered Contractor Information Systems), which outlines minimum security requirements for contractors handling FCI.

Breakdown of CMMC Level 1 Practices

The17 practicesin Level 1 focus on basic cybersecurity hygiene and fall under the following6 domains:

Access Control (AC)– 4 practices

AC.L1-3.1.1: Limit system access to authorized users

AC.L1-3.1.2: Limit user access to authorized transactions and functions

AC.L1-3.1.20: Verify and control connections to external systems

AC.L1-3.1.22: Control information posted or processed on publicly accessible systems

Identification and Authentication (IA)– 2 practices

IA.L1-3.5.1: Identify and authenticate system users

IA.L1-3.5.2: Use multifactor authentication for local and network access

Media Protection (MP)– 1 practice

MP.L1-3.8.3: Sanitize media before disposal or reuse

Physical Protection (PE)– 4 practices

PE.L1-3.10.1: Limit physical access to systems containing FCI

PE.L1-3.10.3: Escort visitors and monitor visitor activity

PE.L1-3.10.4: Maintain audit logs of physical access

PE.L1-3.10.5: Control and manage physical access devices

System and Communications Protection (SC)– 2 practices

SC.L1-3.13.1: Monitor and control communications at system boundaries

SC.L1-3.13.5: Implement subnetworks for publicly accessible system components

System and Information Integrity (SI)– 4 practices

SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner

SI.L1-3.14.2: Provide protection from malicious code at designated locations

SI.L1-3.14.4: Update malicious code protection mechanisms periodically

SI.L1-3.14.5: Perform scans of system components and real-time file scans

Official Reference from CMMC 2.0 Documentation

The 17 practices forCMMC Level 1are explicitly listed in theCMMC 2.0 Appendices and Assessment Guide for Level 1, as well as in theFAR 52.204-21 requirements. These practices representbasic safeguarding measuresthat all DoD contractors handlingFCImust implement.

???? CMMC 2.0 Level 1 Summary:

Focus:Basic safeguarding of FCI

Total Practices:17

Derived From:FAR 52.204-21

Assessment Type:Self-assessment (annual)

Final Verification and Conclusion

The correct answer isB. 17 practicesas verified from theCMMC 2.0 official documentsandFAR 52.204-21 requirements.

ACertified Third-Party Assessor Organization (C3PAO)is responsible for conductingCMMC Level 2 Assessments. Before the assessment begins, the C3PAO must develop anAssessment Plan, which includes several key elements.

The part of the plan that captures:

✅Names of interviewees

✅Facilities to be utilized

✅Estimated costs

✅Assessment schedule

falls under the"Identify Resources and Schedule"section of the plan.

Step-by-Step Breakdown:

✅1. Identify Resources and Schedule

This section of theCMMC Assessment Planoutlines:

Thepersonnelinvolved (e.g., interviewees, assessors).

Thelocationswhere the assessment will take place.

Thetimeline and scheduling details.

Theestimated costsassociated with the assessment.

This ensures that all necessaryresourcesare allocated and that the assessment proceeds as planned.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Select Assessment Team Members❌

This section focuses onchoosing the assessorswho will conduct the evaluation, not listing interviewees and facilities.

(C) Identify and Manage Assessment Risks❌

This part of the plandocuments risks(e.g., scheduling conflicts, data access issues), but it doesnot outline names, facilities, or costs.

(D) Select and Develop the Evidence Collection Approach❌

This step defineshowevidence will be gathered (e.g., document reviews, interviews, system testing) but doesnot focus on logistics.

Final Validation from CMMC Documentation:

TheCMMC Assessment Process Guidestates thatresource identification and schedulingare essential for organizing the assessment. Since this sectioncaptures interviewees, facilities, costs, and the schedule, the correct answer is:

✅A. Identify resources and schedule.

During aCMMC readiness review, anOrganization Seeking Certification (OSC)may argue that a specificenclave (network segment or system) is out of scopefor assessment. TheLead Assessor is responsible for verifying and approving this request.

Roles and Responsibilities in CMMC Assessments:

Certified CMMC Professional (CCP)

A CCP supports OSCs inpreparing for assessmentsbutdoes not make final scope determinations.

Certified Third-Party Assessment Organization (C3PAO)

The C3PAOoversees the assessmentbut doesnot personally verify scope exclusions—that falls under theLead Assessor’s role.

Lead Assessor (Correct Answer)

TheLead Assessor has the authorityto determine if anenclave is out of scopebased on OSC-provided evidence.

The Lead Assessor followsCMMC Assessment Process (CAP) guidelinesto ensure proper scoping.

Advisory Board

TheCMMC-AB (Advisory Board) does not make scope determinations. It focuses onprogram oversightandcertification processes.

Official References Supporting the Correct Answer:

CMMC Assessment Process (CAP) v1.0

TheLead Assessor is responsible for confirming the assessment scopeand determining enclave applicability.

CMMC Scoping Guidance for Level 2 Assessments

Requires theLead Assessor to review and approve any enclave exclusionsbefore finalizing the assessment scope.

Conclusion:

TheLead Assessoris the correct answer because they have the authority to verify scope determinations during the assessment.

✅Correct Answer: C. Lead Assessor