Pass the Cyber AB CMMC CMMC-CCP Questions and answers with CertsForce

Key References for a Lead Assessor in a CMMC AssessmentALead Assessorconducting aCMMC assessmentmust rely onofficial CMMC guidance documentsto evaluate whether anOrganization Seeking Certification (OSC)meets the required cybersecurity practices.

TheCMMC Assessment Guideprovidesdetailed descriptionsof eachpractice and processat the specificCMMC level being assessed.

It defines:✔Theassessment objectivesfor each practice.✔Therequired evidencefor compliance.✔Thescoring criteriato determine if a practice isMET or NOT MET.

Most Relevant Reference: CMMC Assessment Guide

A. DoD adequate security checklist for covered defense information → Incorrect

TheDoD adequate security checklistis related toDFARS 252.204-7012 compliance, butCMMC assessmentsfollow theCMMC Assessment Guide.

B. CMMC Model Overview as it provides assessment methods and objects → Incorrect

TheCMMC Model Overviewprovideshigh-level guidance, butdoes not contain specific assessment criteria.

C. Safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment → Incorrect

FAR 52.204-21is relevant toCMMC Level 1 (FCI protection), butCMMC Level 2 follows NIST SP 800-171and requiresCMMC Assessment Guidesfor validation.

D. Published CMMC Assessment Guide practice descriptions for the desired certification level → Correct

TheCMMC Assessment Guideis theofficial documentused to determine if anOSC meets the required security practices for certification.

Why is the Correct Answer "D. Published CMMC Assessment Guide practice descriptions for the desired certification level"?

CMMC Assessment Process (CAP) Document

Specifies thatLead Assessors must use the CMMC Assessment Guidefor official scoring.

CMMC Assessment Guide for Level 1 & Level 2

Providesdetailed descriptions, assessment methods, and scoring criteriafor each practice.

CMMC-AB Guidance for Certified Third-Party Assessment Organizations (C3PAOs)

Confirms thatCMMC assessments must follow the Assessment Guide, not general DoD security policies.

CMMC 2.0 References Supporting This Answer:

Final Answer:✔D. Published CMMC Assessment Guide practice descriptions for the desired certification level.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, particularly at Level 2, organizations are required to implement stringent controls to protect Controlled Unclassified Information (CUI). This includes adhering to specific practices related to media protection and physical security.

Media Protection (MP):

MP.L2-3.8.1 – Media Protection:Organizations must protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. This ensures that sensitive information is not accessible to unauthorized individuals.

Defense Innovation Unit

MP.L2-3.8.3 – Media Disposal:It is imperative to sanitize or destroy information system media containing CUI before disposal or release for reuse. This practice prevents potential data breaches from discarded or repurposed media.

Defense Innovation Unit

Physical Protection (PE):

PE.L2-3.10.2 – Monitor Facility:Organizations are required to protect and monitor the physical facility and support infrastructure for organizational systems. This includes ensuring that areas where CUI is processed or stored are secure and access is controlled.

Defense Innovation Unit

Application to the Scenario:

Given that the Organization Seeking Certification (OSC) operates within a shared, multi-tenant building and utilizes a common conference room for assessments, the following considerations are crucial:

Reviewing the Evidence File:The evidence file, which contains CUI, should be reviewed on a secure, authorized device to prevent unauthorized access or potential data leakage.

Printing the Evidence File:If printing is necessary, ensure that the printer is located in a secure area, and the printed documents are retrieved immediately to prevent unauthorized viewing.

Making Notes:Any notes derived from the evidence file should be treated with the same level of security as the original document, especially if they contain CUI.

Disposal of Printed Materials:After the assessment, all printed materials and notes containing CUI must be destroyed using a cross-cut shredder. Cross-cut shredding ensures that the information cannot be reconstructed, thereby maintaining confidentiality.

totem.tech

Options A and D are inadequate as they involve leaving sensitive information in unsecured locations, which violates CMMC physical security requirements. Option B, while secure in terms of digital handling, does not address the proper disposal of any physical copies that may have been made. Therefore, Option C is the best practice, aligning with CMMC 2.0 guidelines by ensuring that all physical media containing CUI are properly reviewed, securely stored during use, and thoroughly destroyed when no longer needed.

TheCMMC Assessment Guideis the best source for determining the sources of evidence for a given practice because it provides specific guidance on how organizations should implement and demonstrate compliance with CMMC practices. Each CMMC level has its own assessment guide (e.g.,CMMC Assessment Guide – Level 1, Level 2), detailing expected evidence and assessment procedures.

CMMC Assessment Guide (Primary Source for Evidence)

TheCMMC Assessment Guideexplicitly outlines the evidence required to verify compliance with each practice.

It provides detailed instructions on assessment objectives, clarifying what assessors should look for when determining compliance.

The guide breaks down each practice intoassessment objectives, helping organizations prepare appropriate documentation and artifacts.

Other Documents and Why They Are Not the Best Choice:

NIST SP 800-53 (Option A)

WhileNIST SP 800-53provides a comprehensive catalog of security and privacy controls, it does not focus on CMMC-specific evidence requirements.

It serves as a foundational cybersecurity framework but does not define the specific artifacts required for CMMC assessment.

NIST SP 800-53A (Option B)

NIST SP 800-53Aprovides guidance on assessing security controls but is not tailored to the CMMC framework.

It includes general control assessment procedures, but theCMMC Assessment Guideis more precise in defining the evidence needed for CMMC compliance.

CMMC Assessment Scope (Option C)

TheCMMC Assessment Scopedocument outlines which systems, assets, and processes are subject to assessment.

While important for defining boundaries, it does not provide details on specific evidence requirements for each practice.

CMMC Assessment Guide (Level 2) – Section on "Assessment Objectives"

This document details how evidence is collected and evaluated for each CMMC practice.

Example: ForAC.L2-3.1.1 (Access Control – Limit System Access), the guide specifies that assessors should verify documented policies, system configurations, and audit logs.

CMMC Model Overview (Official DoD Documents)

Emphasizes thatCMMC Assessment Guidesare the official reference for determining sources of evidence.

Detailed Justification:References from Official CMMC Documents:Conclusion:TheCMMC Assessment Guideis the most authoritative source for determining the required evidence for a given practice in CMMC assessments. It provides detailed breakdowns of assessment objectives, required artifacts, and verification steps necessary for compliance.

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding Evidence Sufficiency in CMMC Level 2 AssessmentsDuring aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Why Option B (Sufficiency) is CorrectOfficial CMMC Documentation ReferencesFinal VerificationSince theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

In the context of the Cybersecurity Maturity Model Certification (CMMC) 2.0, achieving Level 2 compliance requires an Organization Seeking Certification (OSC) to implement all 110 security practices outlined in NIST SP 800-171 Revision 2. The CMMC framework allows for a limited use of Plans of Action and Milestones (POA&Ms) to address certain deficiencies; however, this is contingent upon meeting specific criteria.

According to the final CMMC rule, to obtain a Conditional Level 2 status, an OSC must achieve a minimum score of 88 out of 110 points during the assessment. This scoring system assigns weighted values to each of the 110 security requirements, with some controls deemed critical and others non-critical. The POA&M mechanism permits OSCs to temporarily address non-critical deficiencies, provided the minimum score threshold is met. Critical controls, however, must be fully implemented at the time of assessment; they cannot be deferred and included in a POA&M.

MWE

In the scenario where 15 practices are NOT MET, the OSC's score would fall below the required 88-point threshold, rendering the organization ineligible for Conditional Level 2 status. Consequently, the OSC would not have the option to remediate these deficiencies through a POA&M. Instead, the organization must fully implement and rectify all NOT MET practices before undergoing a subsequent assessment to achieve the necessary compliance level.

This policy ensures that organizations handling Controlled Unclassified Information (CUI) have adequately addressed all critical and non-critical security requirements, thereby maintaining the integrity and security of sensitive information within the Defense Industrial Base.

For detailed guidance on assessment criteria and the use of POA&Ms, refer to the CMMC Assessment Guide – Level 2 and the official CMMC documentation provided by the Department of Defense.

Theprimary goal of CMMC assessment proceduresis to determine whether anOrganization Seeking Certification (OSC)complies with the cybersecurity controls required for its certification level. Themost common purpose of assessment procedures is to obtain evidencethat verifies an organization has properly implemented security practices.

CMMC Assessments Require Evidence Collection

TheCMMC Assessment Process (CAP) Guideoutlines that assessors must use three methods to verify compliance:

Examine– Reviewing documentation, policies, and system configurations.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Validating controls through operational or technical tests.

All these methods involve obtaining evidenceto support whether a security requirement has been met.

Alignment with NIST SP 800-171A

CMMC Level 2 assessments follow NIST SP 800-171A, which is designed for evidence-based verification.

Assessors rely on documented artifacts, system logs, configurations, and personnel testimony as evidence of compliance.

B. Define level of effort (Incorrect)

Thelevel of effortrefers to the time and resources needed for an assessment, but this is aplanningactivity, not the primary goal of an assessment.

C. Determine information flow (Incorrect)

While understandinginformation flowis important for security controls likedata protection and access control, themain purpose of an assessment is to gather evidence—not to determine information flow itself.

D. Determine value of hardware and software (Incorrect)

Asset valuation may be part of an organization’s risk management process, but CMMC assessmentsdo not focus on determining hardware or software value.

The correct answer isA. Obtain evidence, as theCMMC assessment process is evidence-drivento verify compliance with security controls.

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-AssessmentCMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Official CMMC 2.0 Documentation ReferencesBreakdown of Answer ChoicesConclusionThecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

Reference Documents for Further Reading

Understanding the CMMC Assessment Process (CAP) PhasesTheCMMC Assessment Process (CAP)consists ofthree primary phases:

Phase 1 - Planning(Pre-assessment activities)

Phase 2 - Conducting the Assessment(Evidence collection and analysis)

Phase 3 - Reporting and Finalizing Results

DuringPhase 3, the Assessment Teamreviews evidenceto confirm if anyLimited Practice Deficiency Correctionshave been successfully implemented.

Scoring Practices in Phase 3The CAP document specifies that a practice can bescored as METif:

✅The deficiency identified in Phase 2 has been fully corrected before final scoring.

✅Sufficient evidence is provided to demonstrate compliance with the CMMC requirement.

✅The correction is notmerely plannedbutfully implemented and validatedby the assessors.

Since the evidence shows thatdeficiencies have been corrected, the correct score isMET.

B. POA&M (Plan of Action & Milestones)❌Incorrect. APOA&M (Plan of Action and Milestones)is usedonly when a deficiency remains unresolved. Since the deficiency is already corrected, this option does not apply.

C. NOT MET❌Incorrect. A practice is scoredNOT METonly if the deficiency hasnotbeen corrected by the end of the assessment.

D. NOT APPLICABLE❌Incorrect. A practice is markedNOT APPLICABLE (N/A)only if it doesnot apply to the organization’s environment, which is not the case here.

Why the Other Answers Are Incorrect

CMMC Assessment Process (CAP) Document– Defines scoring criteria for MET, NOT MET, and POA&M.

CMMC Official ReferencesThus,option A (MET) is the correct answer, as the deficiencies have been corrected before final scoring.

Understanding NIST SP 800-88 Rev. 1 and Media SanitizationTheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.

Clear

Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.

Example:Overwriting all datawith binary zeros or ones on a hard drive.

Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.

Purge

Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.

Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).

Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".

Destroy

Physicallydamages the mediaso that data recovery isimpossible.

Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.

Applies to:Highly sensitive data that must be permanently eliminated.

B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.

C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.

D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.

The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.