Pass the Cyber AB CMMC CMMC-CCP Questions and answers with CertsForce

In the context of a CMMC Level 2 Assessment, assessors must evaluate the "Institutionalization" of practices, which includes the review of Policies. The validity of a policy document depends on the Organization Seeking Certification (OSC)'s internal governance and administrative procedures.

Internal Governance (The "Why"): CMMC does not dictate exactlyhowa company must authorize its policies (e.g., whether a signature must be refreshed immediately upon a personnel change). Instead, the assessor must verify if the document is considered "active" and "authoritative" by the OSC’s own standards.

The Role of the Assessor: As per the CMMC Assessment Process (CAP) and CCP training materials, an assessor cannot unilaterally declare a policy invalid simply because a signatory has left. The assessor must perform "more research" (typically through Interviews or examining Supplemental Documents) to determine the OSC's internal rules for policy management.

If the OSC's "Policy on Policies" states that a signature is tied to the individual, the document may be expired.

If the OSC's rules state that the authority is tied to the role/position (which is common in most corporate governance), the policy remains in effect until it is formally rescinded or updated.

Distinction from other options:

Option A is too restrictive; it assumes a universal rule that doesn't exist in the CMMC framework.

Option C is incorrect because a signatory (or formal approval)isoften what gives a policy its "authoritative" status in an audit; ignoring it would be a failure of the Examine method.

Option D is a common business assumption, but an assessor must verify this via the OSC's own procedures rather than assuming it is true for every company.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Examine" methods and evaluating evidence integrity.

NIST SP 800-171A: Discussion on "Organizational Policies" as assessment objects and the requirement for policies to be "established and maintained."

CMMC Level 2 Assessment Guide: Clarifies that policies must be "formally documented" and "representative of organizational requirements."

The correct answer is B , 30 days. The official CMMC Program rule at 32 CFR Part 170 , Subpart C, requires CMMC ecosystem members to report certain criminal matters to the Accreditation Body within 30 days . The rule specifically includes convictions, guilty pleas, and no contest pleas involving crimes such as fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or similar offenses in civil or criminal legal proceedings. This requirement applies whether or not the offense is directly connected to the individual’s CMMC ecosystem role.

This requirement is important because CMMC ecosystem roles, including Lead Assessors, depend on trustworthiness, professional integrity, impartiality, and reliability. A Lead Assessor participates in activities that may affect whether an OSC receives a CMMC certification, so criminal conduct involving dishonesty or misuse of funds is highly relevant to the integrity of the ecosystem. Option A , 90 days, is incorrect because the reporting window is shorter. Option C , 3 days, and option D , 7 days, are also incorrect because they do not match the official 30-day reporting requirement. Although older training materials may use the term “CMMC-AB,” the current terminology commonly refers to the Accreditation Body or The Cyber AB. The required reporting period remains 30 days .

===========

Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC Assessments

When assessing anOrganization Seeking Certification (OSC)forCMMC compliance, theLead Assessorrelies on various sources of guidance.

Eachpracticein the CMMC model includes:

The Practice Statement– The official requirement the OSC must meet.

Discussion Section– Providesclarifications, interpretations, and guidancefor implementation.

Further Discussion Section– Expands on the practice,offering additional details, best practices, and examples.

These sections arenot mandatory, but they help assessorsinterpret and evaluatewhether an OSC has met the practice requirements.

Why "Provides Additional Information to Facilitate the Assessment" is Correct?

TheDiscussion and Further Discussion sectionsprovidecontext, explanations, and examplesto assist theLead Assessorin understanding how an OSC might demonstrate compliance.

Theyhelp guide the assessment processbut arenot prescriptiveormandatoryfor an OSC.

Theassessor uses these sectionsto verify whether theOSC's implementation meets the intent of the requirement.

Breakdown of Answer Choices

Option

Description

Correct?

A. Is normative for an OSC to follow.

❌Incorrect–The sections areguidance, notnormative (mandatory)requirements.

B. Contains examples that an OSC must implement.

❌Incorrect–Examples aresuggestions, notmandatory implementations.

C. Is mandatory and aligns with FAR Clause 52.204-21.

❌Incorrect–The "Discussion" sections arenot mandatoryand arenot tied directlyto FAR 52.204-21.

D. Provides additional information to facilitate the assessment of the practice.

✅Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.

Official References from CMMC 2.0 Documentation

TheCMMC Assessment Guidestates that theDiscussion and Further Discussion sections provide clarificationsto help both assessors and OSCs.

These sections arenot bindingbut serve asinterpretive guidanceto assist in assessments.

Final Verification and Conclusion

The correct answer isD. Provides additional information to facilitate the assessment of the practice.This aligns withCMMC 2.0 documentation and assessment guidelines.

Understanding CMMC 2.0 Incident Response Practices

TheIncident Response (IR) domaininCMMC 2.0 Level 2aligns withNIST SP 800-171, Section 3.6, which defines requirements forestablishing and maintaining an incident response capability.

Why "A. IR.L2-3.6.1: Incident Handling" is Correct?

The documentation provideddescribes an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities.

IR.L2-3.6.1specifically requires organizations toestablish an incident handling processcovering:

Preparation

Detection & Analysis

Containment

Eradication & Recovery

Post-Incident Response

Why Other Answers Are Incorrect?

B. IR.L2-3.6.2: Incident Reporting (Incorrect)

Incident reporting focuses on reporting incidents to external parties (e.g., DoD, DIBNet),which isnot what the provided documentation describes.

C. IR.L2-3.6.3: Incident Response Testing (Incorrect)

Incident response testing ensures that the response process is regularly tested and evaluated,which isnot the primary focus of the documentation provided.

D. IR.L2-3.6.4: Incident Spillage (Incorrect)

Incident spillage specifically refers to CUI exposure or handling unauthorized CUI incidents,which isnot the scenario described.

Conclusion

The correct answer isA. IR.L2-3.6.1: Incident Handling, as the documentationattests to the establishment of an incident response capability.

TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.

Analysis of the Given Options:

A. Level 1→Incorrect

CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.

B. Level 2→Correct

TheAU domain is required at Level 2, which aligns withNIST SP 800-171.

CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.

C. Levels 1 and 2→Incorrect

Level 1 does not requireaudit and accountability practices.

D. Levels 1 and 3→Incorrect

CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.

Official References Supporting the Correct Answer:

NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)

TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.

CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)

AU practices (Audit and Accountability) are only required at Level 2.

Conclusion:

TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:

✅B. Level 2.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

Understanding the CMMC Level 2 Final Report Requirements

For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

Why "B. Documented rationale for each failed practice" is Correct?

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA & M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

Why Other Answers Are Incorrect?

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

Conclusion

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

During aCMMC readiness review, anOrganization Seeking Certification (OSC)may argue that a specificenclave (network segment or system) is out of scopefor assessment. TheLead Assessor is responsible for verifying and approving this request.

Roles and Responsibilities in CMMC Assessments:

Certified CMMC Professional (CCP)

A CCP supports OSCs inpreparing for assessmentsbutdoes not make final scope determinations.

Certified Third-Party Assessment Organization (C3PAO)

The C3PAOoversees the assessmentbut doesnot personally verify scope exclusions—that falls under theLead Assessor’s role.

Lead Assessor (Correct Answer)

TheLead Assessor has the authorityto determine if anenclave is out of scopebased on OSC-provided evidence.

The Lead Assessor followsCMMC Assessment Process (CAP) guidelinesto ensure proper scoping.

Advisory Board

TheCMMC-AB (Advisory Board) does not make scope determinations. It focuses onprogram oversightandcertification processes.

Official References Supporting the Correct Answer:

CMMC Assessment Process (CAP) v1.0

TheLead Assessor is responsible for confirming the assessment scopeand determining enclave applicability.

CMMC Scoping Guidance for Level 2 Assessments

Requires theLead Assessor to review and approve any enclave exclusionsbefore finalizing the assessment scope.

Conclusion:

TheLead Assessoris the correct answer because they have the authority to verify scope determinations during the assessment.

✅Correct Answer: C. Lead Assessor

Understanding Asset Types in CMMC 2.0

In CMMC 2.0, assets are categorized based on their role in handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The Cybersecurity Maturity Model Certification (CMMC) Scoping Guidance for Level 1 and Level 2 provides asset definitions to help organizations identify what needs protection.

According to CMMC Scoping Guidance, there are five primary asset types:

Security Protection Assets (ESP - External Service Providers & Security Systems)

People (Personnel who interact with FCI/CUI)

Facilities (Physical locations housing FCI/CUI)

Technology (Hardware, software, and networks that store, process, or transmit FCI/CUI)

CUI Assets (For Level 2 assessments, assets specifically storing CUI)

Why "Technology" Is the Correct Answer

The IT manager is evaluating servers, laptops, databases, and applications—all of which are technology assets used to store, process, or transmit FCI.

According to CMMC Scoping Guidance, Technology assets include:

✅Endpoints (Laptops, Workstations, Mobile Devices)

✅Servers (On-premise or cloud-based)

✅Networking Devices (Routers, Firewalls, Switches)

✅Applications (Software, Cloud-based tools)

✅Databases (Storage of FCI or CUI)

Since the IT manager is focusing on these components, the correct asset category is Technology (Option D).

Why the Other Answers Are Incorrect

A. ESP (Security Protection Assets)

❌Incorrect. ESPs refer to security-related assets (e.g., firewalls, monitoring tools, managed security services) that help protect FCI/CUI but do not store, process, or transmit it directly.

B. People

❌Incorrect. While employees play a role in handling FCI, the question focuses on hardware and software—which falls under Technology, not People.

C. Facilities

❌Incorrect. Facilities refer to physical buildings or secured areas where FCI/CUI is stored or processed. The question explicitly mentions servers, laptops, and applications, which are not physical facilities.

CMMC Official References

CMMC Level 1 Scoping Guide (CMMC-AB) – Defines asset categories, including Technology.

CMMC 2.0 Scoping Guidance for Assessors – Provides clarification on FCI assets.

Thus, option D (Technology) is the most correct choice as per official CMMC 2.0 guidance.

This question pertains to theminimum evidence requirementsneeded by a CMMCAssessment Teamto score a practice asMETduring aLevel 2 Assessment.

The CMMC Level 2 assessment must align withNIST SP 800-171and follow the procedures outlined in theCMMC Assessment Process (CAP) Guide v1.0, particularly aroundevidence collection and scoring methodology.

✅Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0

CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices

“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”

This meansat least two typesof the following evidence are required:

Examine(documentation/artifacts),

Interview(affirmation from personnel),

Test(demonstration of implementation).

✅Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET

The CAP explicitly states:

“A practice can only be scored MET when a minimum oftwo types of evidencefrom the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”

Theevidence types must come from two different categories, for example:

An artifact(Examine)+ an interview affirmation(Interview),

A demonstration(Test)+ an interview(Interview),

Etc.

This cross-validation ensures that the control isimplemented, documented, and understoodby personnel — a core principle in assessing effective cybersecurity implementation.

❌Why the Other Options Are Incorrect

A. All three types of evidence are documented for every control

✘Incorrect:While collecting all three types (E-I-T) strengthens the assessment, theminimum requirementis onlytwo. Collecting all three isnot requiredfor a practice to be scoredMET.

B. Examine and accept evidence from one of the three evidence types

✘Incorrect:This fails to meet theminimum two-evidence-type requirementset by the CAP. Single-source evidence is not sufficient to score a practice as MET.

C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation

✘Incorrect:Even if two artifacts are examined,this is still only one type of evidence(Examine). The CAP requires twotypes— not two instances of the same type.

✅Why D is Correct

D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

✔This directly reflects theCAP’s requirement for collecting two different types of objective evidenceto determine a practice is MET.

BLUF (Bottom Line Up Front):

To score a CMMC Level 2 practice asMET, the Assessment Team must collecta minimum of two distinct types of evidence— from theExamine, Interview, Test (E-I-T)categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.