Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 18 Topic 2 Discussion

CMMC-CCP Exam Topic 2 Question 18 Discussion:

Question #: 18

Topic #: 2

Which domains are a part of a Level 1 Self-Assessment?

Access Control (AC), Risk Management

Risk Management (RM). Access Control (AC), and Physical Protection (PE)

Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)

Risk Management (RM). Media Protection (MP), and Identification and Authentication (IA)

Get Premium CMMC-CCP Questions

Explanation

CMMCLevel 1focuses onbasic cyber hygieneand includes17 practicesderived fromNIST SP 800-171 Rev. 2butonly covers the protection of Federal Contract Information (FCI)—not Controlled Unclassified Information (CUI).

UnlikeLevel 2, which aligns fully withNIST SP 800-171,Level 1 does not require third-party certificationand can beself-assessedby the organization.

Domains Covered in a Level 1 Self-AssessmentCMMC Level 1 practices fall underthree specific domains:

Access Control (AC)– Ensures that only authorized individuals can access FCI.

Physical Protection (PE)– Protects physical access to systems and facilities storing FCI.

Identification and Authentication (IA)– Verifies the identity of users accessing systems containing FCI.

These domains focus on foundational security controls necessary toprotect FCI from unauthorized access.

CMMC Model v2.0states thatLevel 1 includes only 17 practicesmapped toNIST SP 800-171requirements specific toAccess Control (AC), Physical Protection (PE), and Identification and Authentication (IA).

CMMC Assessment Guide, Level 1confirms thatRisk Management (RM) and Media Protection (MP) are not included in Level 1, as they pertain to more advanced security measures needed for handlingCUI (Level 2).

A. Access Control (AC), Risk Management (RM), and Media Protection (MP)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)→ Incorrect.Risk Management (RM) is not part of Level 1.

C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)→Correct.These are thethree domains covered in CMMC Level 1 self-assessments.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)→ Incorrect.Risk Management (RM) and Media Protection (MP) are Level 2 domains.

Official CMMC 2.0 Documentation ReferencesBreakdown of Answer ChoicesConclusionThecorrect answer is C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA), as these are theonly three domains included in a CMMC Level 1 Self-Assessmentaccording toCMMC 2.0 documentation and NIST SP 800-171 mapping.

CMMC 2.0 Model Overview – DoD Official Documentation

CMMC Assessment Guide, Level 1

NIST SP 800-171 Rev. 2 (Basic Security Requirements for FCI)

Reference Documents for Further Reading

Actual exam question for Cyber AB CMMC-CCP exam by Kai1971 at Aug 28, 2025, 2:37:39 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

New Year Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 18 Topic 2 Discussion

Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 18 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

New Year Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 18 Topic 2 Discussion

Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 18 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval