Pass the Cyber AB CMMC CMMC-CCP Questions and answers with CertsForce

According to the CMMC Assessment Process (CAP), the Lead Assessor must use the CMMC Findings Brief to formally present assessment results to the Organization Seeking Certification (OSC). The Findings Brief ensures consistency across assessments and provides the OSC with an official, standardized presentation of results, including observed strengths, weaknesses, and any non-conformities.

Other options are incorrect because:

POA & M Brief is not part of the official CAP presentation.

CMMC Assessment Tracker Tool is an internal tool used by assessors, not for presentation to the OSC.

Recommended Findings template is not a recognized deliverable in CAP.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

The CMMC Code of Professional Conduct applies to all CMMC assessors, practitioners, and ecosystem participants. Its guiding principles are: Objectivity, Information Integrity, and Higher Accountability.

Supporting Extracts from Official Content:

CMMC Code of Professional Conduct: “Guiding principles… include Objectivity, Information Integrity, and Higher Accountability.”

Why Option A is Correct:

These three principles are the official guiding values documented in the Code of Professional Conduct.

Options B, C, and D insert terms (“proper use of methods”) that are not part of the official guiding principles.

References (Official CMMC v2.0 Content):

CMMC Code of Professional Conduct.

===========

Who Should Be Interviewed During a CMMC Assessment?

During assessment planning, theOrganization Seeking Certification (OSC)may suggest personnel for interviews. However, the person interviewedmustbe someone who:

✅Implementsthe practice (directly responsible for executing it).

✅Performsthe practice (carries out day-to-day security operations).

✅Supportsthe practice (provides necessary resources or oversight).

Why "Implements, Performs, or Supports That Practice" is Correct?

Theassessor needs direct insightsfrom individuals actively involved in the practice.

Funding (Option A)does not providetechnical or operationalinsight into practice execution.

Auditing (Option B)focuses on compliance checks, but auditorsdo not implementthe practice.

Supporting, auditing, and performing (Option C)includesauditors, who arenot necessarily the right interviewees.

Breakdown of Answer Choices

Option

Description

Correct?

A. Funds that practice.

❌Incorrect–Funding is important but doesnot mean direct involvement.

B. Audits that practice.

❌Incorrect–Auditors check compliance but donot implementpractices.

C. Supports, audits, and performs that practice.

❌Incorrect–Auditing isnot a requirementfor interviewees.

D. Implements, performs, or supports that practice.

✅Correct – The interviewee must have direct involvement in execution.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Requires that interviewees bedirectly responsiblefor implementing, performing, or supporting the practice.

Final Verification and Conclusion

The correct answer isD. Implements, performs, or supports that practice, as the interviewee mustactively contribute to the execution of the practice.

Understanding the Role of Configuration Management (CM) in CMMC 2.0

TheConfiguration Management (CM) domainin CMMC 2.0 ensures that systems aresecurely configured and maintainedto prevent unauthorized or unnecessary changes that could introduce vulnerabilities. One key requirement in CM is torestrict, disable, or prevent the use of nonessential programsto reduce security risks.

Relevant CMMC 2.0 Practice:

CM.L2-3.4.1 – Establish and enforce security configuration settings for information technology products employed in organizational systems.

This practicerequires organizations to control system configurations, including the removal or restriction ofnonessential programs, functions, ports, and servicestoreduce attack surfaces.

The goal is tominimize exposure to cyber threatsby ensuring only necessary and approved software is running on the system.

Why is the Correct Answer CM (D)?

A. Access Control (AC) → Incorrect

Access Control (AC) focuses onmanaging user permissions and accessto systems and data, not restricting programs.

B. Media Protection (MP) → Incorrect

Media Protection (MP) deals withprotecting and controlling removable media(e.g., USBs, hard drives) rather than software or system configurations.

C. Asset Management (AM) → Incorrect

Asset Management (AM) is aboutidentifying and tracking IT assets, not configuring or restricting software.

D. Configuration Management (CM) → Correct

CM explicitly coverssecuring system configurationsbyrestricting nonessential programs, ports, services, and functions, making it the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC 2.0 Practice CM.L2-3.4.1(Security Configuration Management)

Requires organizations toenforce security configuration settingsandremove unnecessary programsto protect systems.

NIST SP 800-171 Requirement 3.4.1

Supportssecure configuration settingsandrestricting unauthorized applicationsto prevent security risks.

CMMC 2.0 Level 2 Requirement

This practice is aLevel 2 (Advanced) requirement, meaningorganizations handling Controlled Unclassified Information (CUI)must comply with it.

According to the CMMC Scoping Guidance, Level 1, the fundamental definition of an FCI Asset is any asset that performs at least one of three primary functions with Federal Contract Information (FCI). These functions are consistently defined across both Level 1 and Level 2 documentation as Processing, Storing, or Transmitting.

Process: In this scenario, the sales representative is "entering FCI data into various fields." The act of inputting, manipulating, or editing data within an application (the spreadsheet) is the definition of processing.

Store: Because the spreadsheet is on the laptop, the data resides on the laptop's hard drive or memory. This constitutes storing.

Transmit: While the prompt focuses on the data entry, a laptop is an endpoint designed to move data across a network (email, cloud uploads, or server saves). In the context of CMMC scoping, assets that handle protected information are categorized by their capability and role in the data lifecycle, which includes transmitting.

Why other options are incorrect:

Options B and D: These include the word "organize." While organizing data is a task a human performs, it is not a formal technical term used in the CMMC or NIST SP 800-171/FAR 52.204-21 definitions to categorize asset functions.

Option A: This option omits "store." Since the spreadsheet exists on the laptop, storage is a primary function being utilized.

Reference Documents:

CMMC Scoping Guidance, Level 1 (Version 2.0): Section 2.0, which defines FCI Assets as assets that "process, store, or transmit FCI."

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): The regulatory source for Level 1, which applies to systems that "process, store, or transmit" federal contract information.

CMMC Assessment Guide, Level 1: Introduction and Scoping sections, reinforcing the triad of data handling functions.

Step 1: Understanding CMMC Assessment Scope Determination

In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.

Understanding the Role of a CCP in CMMC Assessments

ACertified CMMC Professional (CCP)is responsible for assistingCertified CMMC Assessors (CCA)in evaluating anOrganization Seeking Certification (OSC)during a CMMC assessment. One key aspect of this process isconducting interviewswith Subject Matter Experts (SMEs) to verify security practices.

Ensuring that interviewees canspeak freely without fear of retaliationiscriticalto obtainingaccurate and unbiased informationabout the implementation of security controls.

Step-by-Step Breakdown:

CMMC Assessment Process and the Role of Interviews

TheCMMC Assessment Guide (Level 2)outlines that interviews are conducted to confirm that security practices are effectively implemented.

Interviewees mustfeel comfortable sharing candid responseswithout concern that their statements will lead tonegative consequenceswithin the organization.

Ensuring Confidentiality and Non-Attribution

DoD Assessment Methodologyspecifies that interviews should be conductedconfidentiallytoprotect the identity of interviewees.

TheCMMC Code of Professional Conduct (CoPC)for assessors and professionals reinforces the requirement to maintain theconfidentialityof assessment participants.

Non-attributionensures that responses are used for evaluation purposeswithout linking statements to specific individuals.

Why the Other Answer Choices Are Incorrect:

(A) Performed in groups for more efficient use of resources:

Group interviews may prevent individuals from speaking openly.

Employees might be hesitant to contradict leadership or peers.

(B) Recorded for inclusion in the Final Recommended Findings report:

Interviews arenot directly recorded or attributedin assessment reports.

Instead, findings are documentedwithout identifying specific individuals.

(D) Mapped to specific CMMC practices to clearly delineate which practice is being evaluated:

While responsesinformwhich practices are being assessed, theprimary goalof an interview is to ensure accurate,unbiased information gathering.

Final Validation from CMMC Documentation:

According to theCMMC Assessment Guide and DoD Assessment Methodology, interview confidentiality iscrucialto gatheringaccurateandunbiasedresponses. This makesconfidentiality and non-attributionthe correct answer.

Thus, the correct answer is:

C. Confidential and non-attributable so interviewees can speak without fear of reprisal.

Understanding Who Must Perform Tests in a CMMC Assessment

During aCMMC Level 2 Assessment, assessorsmust observe operational activities and security practicesto verify compliance. This process involves:

✔Testing security controls and proceduresas part of the assessment.

✔Observation of standard work practicesto ensure controls are properly implemented.

✔Using operational personnel (OSC employees) who regularly perform the taskto ensure realistic assessment conditions.

Who Performs Tests?

Operational personnel (OSC employees) must conduct the actual work while assessors observe.

Certified CMMC Professionals (CCPs) or Lead Assessorsoversee and document the testing process.

Why is the Correct Answer "A" (OSC personnel who normally perform that work as the CCP observes)?

A. OSC personnel who normally perform that work as the CCP observes → Correct

CMMC assessments require actual users (OSC personnel) to perform their regular duties while assessors observeto verify security practices.

B. Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s) → Incorrect

Military personnel are not responsible for testing contractor security controls.

Assessors observe and evaluate but do not perform testing themselves.

C. Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI → Incorrect

Military personnel do not perform the testing.

The contractor (OSC) is responsible for implementing and demonstrating security controls.

D. OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s) → Incorrect

Personnel unfamiliar with the job should not be used for testing.

Theassessment must reflect real-world conditions, so theactual employees who perform the work must demonstrate the process.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies thatassessments must observe real operational activities to determine compliance.

CMMC-AB Assessment Methodology

Requirestesting of security controls in a realistic operational environment, meaning actual OSC personnel must perform the tasks.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Specifies thatinterviews and observations should be conducted with personnel who regularly perform the work.

Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.