Understanding Configuration Management (CM) in CMMC Level 2

In CMMC Level 2, the Configuration Management (CM) domain is critical for ensuring that systems are securely configured, maintained, and monitored to prevent unauthorized changes. One key aspect of CM is managing user-installed software, which can introduce security risks if not properly controlled.
The correct approach to managing user-installed software aligns with CM.3.068 from NIST SP 800-171, which requires organizations to:
✅ Establish and enforce configuration settings to ensure security.
✅ Monitor and control user-installed software to prevent unauthorized or insecure applications from running on organizational systems.
Why Is "Controlled and Monitored" Correct?

The CCP (Certified CMMC Professional) conducting the interview should focus on whether the user-installed software is controlled and monitored to align with CMMC Level 2 requirements. This means verifying:
Approval processes for user-installed software.
Monitoring mechanisms (e.g., system logs, audits) to track software changes.
Policies that restrict unauthorized installations to prevent security risks.
Breakdown of Answer Choices

| Option | Description | Correct? |
|---|---|---|
| A. Controlled and monitored | ✅ Ensures compliance with CM.3.068, verifying that user-installed software is managed securely. | ✅ Correct |
| B. Removed from the system | Software is not always removed; only unauthorized or risky software should be. | ❌ Incorrect |
| C. Scanned for malicious code | While scanning is important (covered in SI.3.218), it is not the primary focus of Configuration Management. | ❌ Incorrect |
| D. Limited to mission-essential use only | While limiting software is useful, monitoring and controlling is the key security measure. | ❌ Incorrect |
Official Reference from CMMC 2.0 Documentation

NIST SP 800-171, CM.3.068 – "Control and monitor user-installed software."
CMMC 2.0 Level 2 Requirements – Directly aligned with NIST SP 800-171 security controls.

Final Verification and Conclusion

The correct answer is A. Controlled and monitored, as per CM.3.068 in NIST SP 800-171 and CMMC 2.0 documentation.