Pass the Cyber AB CMMC CMMC-CCP Questions and answers with CertsForce

UnderCMMC 2.0 Level 2, which aligns with the requirements ofNIST SP 800-171, maintaining robust control overnonlocal maintenance sessionsis critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined inControl 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connectionsmust be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference:NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must includeat least two factors(e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document amaintenance policyand ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections:Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions:Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details:While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement toterminate nonlocal maintenance sessions after maintenance is complete(Option A) is critical for compliance withCMMC 2.0 Level 2andNIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.

Understanding SI.L2-3.14.6: Monitor Communications for AttacksThe practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Official References from CMMC 2.0 and NIST SP 800-171 DocumentationFinal Verification and ConclusionThe correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.

Understanding Access Control (AC) in CMMC Advanced (Level 3)TheCMMC Advanced Level (Level 3)is designed for organizations handlinghigh-value Controlled Unclassified Information (CUI)and aligns with a subset ofNIST SP 800-172for advanced cybersecurity protections.

Access Control (AC) Practices in CMMC Level 3✅CMMC Level 1 includesbasic AC practices fromFAR 52.204-21(e.g., restricting access to authorized users).

✅CMMC Level 2 includesallAccess Control (AC) practices from NIST SP 800-171(e.g., managing privileged access).

✅CMMC Level 3 expands on Levels 1 and 2, incorporatingadditional protections from NIST SP 800-172, such as enhanced monitoring and adversary deception techniques.

CMMC Level 3 builds upon all previous levels, includingAccess Control (AC) practices from Levels 1 and 2.

Options A, B, and C are incorrectbecause Level 3 includesallprevious AC practices fromLevels 1 and 2, plus additional ones.

Why "Levels 1, 2, and 3" is Correct?Breakdown of Answer ChoicesOption

Description

Correct?

A. Level 1

❌Incorrect–Level 3 includes AC practices fromLevels 1 and 2, not just Level 1.

B. Level 3

❌Incorrect – Level 3 builds onLevels 1 and 2, not just Level 3 practices.

C. Levels 1 and 2

❌Incorrect–Level 3 containsadditionalAC practices beyond Levels 1 and 2.

D. Levels 1, 2, and 3

✅Correct – Level 3 contains all AC practices from Levels 1 and 2, plus additional ones.

CMMC Model Framework– Outlines howLevel 3 builds upon Level 1 and 2 practices.

NIST SP 800-172– Definesadvanced cybersecurity controlsrequired inCMMC Level 3.

Official References from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. Levels 1, 2, and 3, as CMMC Level 3 includesAccess Control (AC) practices from all previous levels plus additional enhancements.

Step 1: Understand the Assessment Phases (CAP v1.0)TheCMMC Assessment Process (CAP)outlines a structured lifecycle for assessments, including:

Plan and Prepare Phase– Develop the assessment plan (before the assessment starts).

Conduct Assessment Phase– Execute the actual assessment activities.

Report Results Phase– Finalize and deliver the assessment outcomes.

CAP v1.0 – Section 3.5 (Conduct Assessment):

“The assessment team collects, examines, and evaluates evidence to determine if practices are MET or NOT MET.”

During the“Conduct Assessment” phase, the main activity is to:

Collect evidence(documentation, interviews, testing),

Validate adequacy and sufficiency,

Score practicesas MET/NOT MET.

✅Step 2: Why “Collect and Examine Evidence” Is the Primary ActivityThis is thecore responsibilityof assessorswhile conductingan assessment.

A. Develop assessment plan✘ This occurs in thePlan and Preparephasebeforeconducting the assessment.

C. Verify readiness to conduct assessment✘ Readiness verification is part ofpre-assessment activities, not during the assessment itself.

D. Deliver recommended assessment results✘ This is done during theReport Resultsphase after the assessment has been conducted.

❌Why the Other Options Are Incorrect

Theprimary activity performed during the actual executionof a CMMC assessment iscollecting and examining evidenceto determine compliance with practices.

Anorganization seeking helpto address security gaps—such asphysical access control deficiencies—needs acertified professional who can provide implementation supportwithoutbeing involved in the actual CMMC assessment.

A Registered Practitioner (RP)is a CMMC-certified individualwho provides consulting and implementation supportto organizations butdoes not perform assessments.

RPs work independently from C3PAOsand canassist in fixing gapsin security controlsbeforeorafteran assessment.

Since RPs are not assessors, they can provide direct remediation supportwithout any conflict of interest.

The OSC needs assistance in implementing security controls(not assessment).

An RP is trained and authorized to provide remediation and advisory services.

Conflict of interest rules prevent the assessing C3PAO from providing implementation support.

A. CCA of the C3PAO performing the assessment (Incorrect)

ACertified CMMC Assessor (CCA)is responsible for conducting the assessmentonly.

TheC3PAO performing the assessment cannot also provide remediationdue to aconflict of interest.

C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)

The assessmentLead Technical Practitioner (LTP)cannot provide remediation support for an OSC they are assessing.

D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)

DoD Contract Officialsoversee contract compliance butdo not provide cybersecurity implementation support.

The correct answer isB. RP of an organization not part of the assessment, asonly independent RPs can assist with remediation and implementation support.

A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.

Supporting Extracts from Official Content:

CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”

Why Option B is Correct:

The Windows 95 system is an example of a restricted IS, so it can be scoped out.

Option A is incorrect — the asset is not handling CUI in this case.

Option C is incorrect — government property designation does not define scope.

Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.

References (Official CMMC v2.0 Content):

CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.

===========

Understanding CMMC Assessment ProceduresACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Why the Correct Answer is "C"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

CMMC Assessment Process (CAP) and CMMC Code of Professional Conduct emphasize that conflicts of interest (COI) must be disclosed and managed transparently. A Certified CMMC Professional (CCP) is required to:

Inform their organization,

Disclose the COI to the affected stakeholders, and

Take reasonable steps to minimize the impact.

What they must NOT do is conceal it from the Assessment Team Lead or others. Concealing a COI violates the CMMC Code of Professional Conduct and compromises the integrity of the assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

CMMC Code of Professional Conduct, CMMC-AB

Understanding the Phases of the CMMC Assessment ProcessTheCMMC Assessment Process (CAP)consists of multiple phases, with each phase focusing on a different aspect of the assessment.Developing the assessment planoccurs inPhase 1, which is thePre-Assessment Phase.

Engagement Agreement: TheOSC (Organization Seeking Certification)and theCertified Third-Party Assessment Organization (C3PAO)formalize the assessment contract.

Developing the Assessment Plan: TheLead Assessorand the assessment team create anAssessment Plan, which outlines:

Scope of the assessment

CMMC Level requirements

Assessment methodology

Timeline and logistics

Initial Data Collection: Review of system documentation, policies, and relevant security controls.

Key Activities in Phase 1 – Pre-Assessment Phase

A. Phase 1 → Correct

Phase 1 is where the assessment plan is developed.

It ensuresclarity on scope, methodology, and logistics before the assessment begins.

B. Phase 2 → Incorrect

Phase 2 is theAssessment Conduct Phase, where assessorsexecutethe plan by examining evidence and interviewing personnel.

C. Phase 3 → Incorrect

Phase 3 is thePost-Assessment Phase, which involvesfinalizing findings and submitting reports, not developing the plan.

D. Phase (Incomplete Answer) → Incorrect

The question requires a specific phase, and the correct one isPhase 1.

Why is the Correct Answer "Phase 1" (A)?

CMMC Assessment Process (CAP) Document

DefinesPhase 1as the stage where the assessment plan is developed.

CMMC Accreditation Body (CMMC-AB) Guidelines

Specifies thatplanning and pre-assessment activities occur in Phase 1.

CMMC 2.0 Certification Workflow

Outlines the assessment planning process as part of theinitial engagementbetween theC3PAO and the OSC.

CMMC 2.0 References Supporting this Answer: