CMMC-CCP Exam Dumps - Cyber AB CMMC Questions and Answers

Understanding CMMC Asset CategorizationTheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope AssetsAs per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

A. FCI Assets❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

Why the Other Answers Are Incorrect

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

CMMC Official ReferencesThus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

Federal Contract Information (FCI)is any informationnot intended for public releasethat is provided or generated under aU.S. Government contracttodevelop or deliver a product or service.

Enhanced Security Personnel (ESP)refers to employees, contractors, or third parties whohave access to FCIwithin anOrganization Seeking Certification (OSC).

UnderCMMC 2.0 Scoping Guidance, anypersonnel, system, or asset with access to FCI is considered in scopefor a CMMC Level 1 assessment.

Since theESP employee has access to FCI, theymustbe included in the assessment scope.

Option B (Out of scope)is incorrect because anyone with access to FCI is automatically considered part of theCMMC Level 1 boundary.

Option C (OSC point of contact)is incorrect because thepoint of contactis typically an administrative or compliance representative, not necessarily someone with FCI access.

Option D (Assessment Team Member)is incorrect because anESP employee is not part of the assessment team but rather a subject of the assessment.

CMMC Level 1 Scoping Guide, Section 2 – Defining Scope for FCI

CMMC Assessment Process (CAP) Guide – Roles and Responsibilities

Federal Acquisition Regulation (FAR) 52.204-21(Basic Safeguarding of FCI)

Understanding Scoping in CMMC Level 1 Self-AssessmentsWhy Option A (In scope) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince theESP employee has access to FCI, they are consideredin scopefor the CMMC Level 1 self-assessment, makingOption A the correct answer.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2 compliance requires an Organization Seeking Certification (OSC) to implement all 110 security practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent upon meeting specific criteria.

According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted values to each of the 110 security requirements, with some controls deemed critical and others non-critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies, provided the minimum score threshold is met. Critical controls, however, must be fully implemented at the time of assessment; they cannot be deferred and included in a POA&M.

MWE

In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently, the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the organization must fully implement and rectify all NOT MET practices before undergoing a subsequent assessment to achieve the necessary compliance level.

This policy ensures that organizations handling Controlled Unclassified Information (CUI) have adequately addressed all critical and non-critical security requirements, thereby maintaining the integrity and security of sensitive information within the Defense Industrial Base.

For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC Assessment Guide – Level 2 and the official CMMC documentation provided by the Department of Defense.

When a company usesthird-party IT providersto manage their infrastructure, these organizations are classified asExternal Service Providers (ESPs)underCMMC scoping guidelines.

Step-by-Step Breakdown:✅1. What is an ESP?

External Service Providers (ESPs)arethird-party organizationsthat:

ProvideIT services, cloud hosting, and managed security solutions.

Process, store, or transmit FCI or CUIon behalf of a contractor.

Mustmeet the same security requirementsas the OSC if they handle FCI or CUI.

If a company relies ona hosting provider to manage IT infrastructure, that provider is anESPunderCMMC scoping guidelines.

✅2. Why the Other Answer Choices Are Incorrect:

(B) People❌

Incorrect:ESPs areorganizations, not individual people.

(C) Facilities❌

Incorrect:Facilities refer tophysical locationslike office buildings or data centers, not third-partyservice providers.

(D) Technology❌

Incorrect:While ESPs provide technology services, the correct term forthird-party IT providersunder CMMC isESPs, not just "Technology."

TheCMMC Level 1 Scoping GuidedefinesExternal Service Providers (ESPs)asthird-party organizations that manage IT infrastructure and security services.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅A. ESPs (External Service Providers).

CMMC 2.0 Level 2 is directly aligned withNIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations."Organizations seeking certification (OSC) at Level 2 must demonstrate compliance with the 110 security requirements specified inNIST SP 800-171, as mandated byDFARS 252.204-7012.

Defines the Security Requirements for Protecting CUI:

NIST SP 800-171 outlines 110 security controls that contractors must implement to protectControlled Unclassified Information (CUI)in nonfederal systems.

These controls are categorized under14 families, including access control, incident response, and risk management.

Establishes the Baseline for CMMC Level 2 Compliance:

CMMC 2.0 Level 2 assessments areentirely based on NIST SP 800-171requirements.

Every practice assessed in a Level 2 certification maps directly to a requirement fromNIST SP 800-171 Rev. 2.

Provides Guidance for Implementation & Assessment:

TheNIST SP 800-171A "Assessment Guide"provides detailed assessment objectives that guide OSCs in preparing for CMMC evaluations.

It helps define the scope of an assessment by clarifying how each control should be implemented and verified.

Referenced in CMMC and DFARS Regulations:

DFARS 252.204-7012requires contractors to implementNIST SP 800-171security requirements.

TheCMMC 2.0 Level 2modeldirectly incorporates all 110 requirementsfromNIST SP 800-171, ensuring consistency with DoD cybersecurity expectations.

A. NIST SP 800-53 ("Security and Privacy Controls for Federal Information Systems and Organizations")

This documentapplies to federal systems, not nonfederal entities handling CUI.

While it is the foundation for other security standards, it isnot the basis of CMMC Level 2assessments.

B. NIST SP 800-88 ("Guidelines for Media Sanitization")

This documentfocuses on secure data destructionand media sanitization techniques.

While data disposal is important, this standarddoes not define security controls for protecting CUI.

D. NIST SP 800-172 ("Enhanced Security Requirements for Protecting CUI")

This documentbuilds on NIST SP 800-171and applies to systems needingadvanced cybersecurity protections(e.g., targeting Advanced Persistent Threats).

It isnot required for standard CMMC Level 2 assessments, which only mandateNIST SP 800-171 compliance.

NIST SP 800-171 Rev. 2(NIST Official Site)

NIST SP 800-171A (Assessment Guide)(NIST Official Site)

CMMC 2.0 Level 2 Scoping Guide(Cyber AB)

Why NIST SP 800-171 is Essential for Level 2 Scoping:Explanation of Incorrect Answers:Key References for CMMC Level 2 Scoping:Conclusion:SinceCMMC 2.0 Level 2 assessments are based entirely on NIST SP 800-171, this document is the most relevant resource for scoping Level 2 assessments. Therefore, the correct answer is:

✅C. NIST SP 800-171

Understanding the Role of NIST SP 800-171 in CMMCNIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.

This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.

Breakdown of Answer ChoicesNIST SP

Title

Relevance to CMMC

NIST SP 800-37

Risk Management Framework (RMF)

Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.

NIST SP 800-53

Security and Privacy Controls for Federal Systems

Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.

NIST SP 800-88

Guidelines for Media Sanitization

Covers secure data destruction and disposal, not overall CUI protection.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

✅Correct Answer – Directly addresses CUI protection in contractor systems.

Key Requirements from NIST SP 800-171The document outlines110 security controlsgrouped into14 families, including:

Access Control (AC)– Restrict access to authorized users.

Audit and Accountability (AU)– Maintain system logs and monitor activity.

Incident Response (IR)– Establish an incident response plan.

System and Communications Protection (SC)– Encrypt CUI in transit and at rest.

These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.

CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.

DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.

TheCMMC 2.0 framework applies to nonfederal systemsthat process, store, or transmitCUI.

Scoping determineswhich system components must comply with CMMC practices.

If a systemprocesses, stores, or transmits CUI, orprovides security for those systems, itmust be included in the assessment scope.

CMMC Applies to Contractors, Not Federal Systems

CMMC isdesigned for Department of Defense (DoD) contractors, notfederal systems.

Federal systems arealready governed by NIST SP 800-53and other regulations.

Scope Includes Systems That Process CUI AND Those That Protect Them

Systemsprocessing, storing, or transmitting CUIare in scope.

Systems thatprovide protection for CUI systems(e.g., firewalls, monitoring tools, security appliances) arealso in scope.

A. Federal systems that process, store, or transmit CUI.→Incorrect

CMMCdoes not apply to federal systems.

B. Nonfederal systems that process, store, or transmit CUI.→Partially correct but incomplete

Itexcludes security systemsthat protect CUI assets, whichare also in scope.

C. Federal systems that process, store, or transmit CUI, or that provide protection for the system components.→Incorrect

CMMConly applies to nonfederal systems.

CMMC Scoping Guide (Nov 2021)– Confirms that CMMCapplies to nonfederal systemsprocessingCUI.

NIST SP 800-171 Rev. 2– Specifies security requirements fornonfederal systemshandling CUI.

DFARS 252.204-7012– Requires DoD contractors to implementNIST SP 800-171onnonfederal systemshandling CUI.

Understanding Scoping in CMMC 2.0Why the Correct Answer is "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:SinceCMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer isD. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.

Understanding the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists offour phases, each with specific tasks and objectives.

Phase 1: Plan and Prepare Assessment– Planning, scheduling, and preparing for the assessment.

Phase 2: Conduct Assessment–Gathering and verifying evidence, conducting interviews, and evaluating compliance.

Phase 3: Report Recommended Assessment Results– Documenting findings and reporting results.

Phase 4: Remediation of Outstanding Assessment Issues– Allowing the organization to address any deficiencies.

Why "Phase 2: Conduct Assessment" is Correct?DuringPhase 2: Conduct Assessment, theAssessment Teamperforms key activities, including:

✅Identifying required evidencefor compliance verification.

✅Obtaining and reviewing artifacts(e.g., security policies, configurations, logs).

✅Verifying the sufficiency of evidenceagainst CMMC practice requirements.

✅Interviewing key personneland observing cybersecurity implementations.

Since the question specifically mentions"identify, obtain inventory, and verify evidence,"this task directly falls underPhase 2: Conduct Assessment.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Phase 1: Plan and Prepare Assessment

❌Incorrect–This phase focuses onscheduling, logistics, and planning, not evidence collection.

B. Phase 2: Conduct Assessment

✅Correct – This phase involves gathering, verifying, and reviewing evidence.

C. Phase 3: Report Recommended Assessment Results

❌Incorrect–This phasedocumentsresults but doesnotcollect evidence.

D. Phase 4: Remediation of Outstanding Assessment Issues

❌Incorrect–This phase focuses oncorrective actions, not evidence collection.

CMMC Assessment Process Guide (CAP)–Phase 2: Conduct Assessmentexplicitly includes tasks such asgathering and verifying evidence.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isB. Phase 2: Conduct Assessment, as this phase includesidentifying, obtaining, and verifying evidence, which is critical for determining CMMC compliance.

1. Understanding the Validation of Findings in CMMC AssessmentsValidation of findings is an essential part of theCMMC assessment process, ensuring that observations and preliminary conclusions drawn by the assessment team are accurate, fair, and based on complete evidence. This process occurs iteratively during theDaily Checkpointsand is fundamental in determining the overall compliance status of theOrganization Seeking Certification (OSC).

2. The Role of Preliminary Findings in the Assessment ProcessPreliminary findings arenot finalbut rather a mechanism for ensuring transparency, accuracy, and fairness. These findings serve several key purposes:

Allows for OSC Input & Clarification: The OSC has an opportunity to review andprovide additional evidencethat may address deficiencies identified by the assessment team.

Prevents Misinterpretations: By allowing the OSC to comment, the assessment team can refine or correct their understanding of the OSC's implementation of CMMC practices.

Supports Fair and Informed Ratings: Before finalizing MET or NOT MET determinations, the assessment team ensures they have considered all relevant evidence.

Encourages a Collaborative Assessment Process: This validation activity fosters open communication between assessors and the OSC, reducing disputes and misunderstandings.

The primary purpose of preliminary findings is to allow theOSC to comment and provide additional evidencebefore final determinations are made.

This aligns withCMMC Assessment Process guidance, which emphasizes iterative validation of findings throughDaily Checkpoints and Final Outbriefdiscussions.

The validation of findings ensures thatOSC responses and supplementary evidence are considered, making the assessment process more accurate and fair.

3. Why Answer Choice "A" is Correct4. Why Other Answer Choices Are IncorrectOption

Reason for Elimination

B. It determines whether the OSC will be rated MET or NOT MET on their assessment.

Incorrect: Preliminary findings do not directly determine the final rating. The assessment team reviews all collected evidence before making a final decision.

C. It confirms that the Assessment Team's findings are right and cannot be changed.

Incorrect: Findings arenot finalat the preliminary stage. The OSC has the opportunity to challenge findings by providing new or clarifying evidence.

D. It corroborates the Assessment Team's understanding of the CMMC practices and controls.

Partially Correct but Not the Best Answer: While validation helps refine understanding, itsprimary function is to allow OSC input, making optionA the most accurate choice.

CMMC Assessment Process (CAP) Document:

Section 5.3 – Validation of Findings: "The OSC is given the opportunity to provide additional evidence and comments to clarify or supplement preliminary assessment results."

Section 5.4 – Daily Checkpoints: "The assessment team discusses preliminary findings with the OSC, allowing the organization to address concerns in real time."

CMMC 2.0 Level 2 Scoping & Assessment Guide:

Confirms that the assessment process includes continuous dialogue with the OSC before final determinations are made.

5. Official CMMC References Supporting This Answer6. ConclusionPreliminary findings are acrucial validation stepin CMMC assessments, ensuring that organizations have the opportunity toprovide additional evidence and clarify potential misunderstandings. This iterative process improves accuracy and fairness in determining compliance with CMMC requirements. Therefore, the correct answer is:

A. It allows the OSC to comment and provide additional evidence.

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.