CMMC-CCP Sample Questions Answers

A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?

Which principles are included in defining the CMMC-AB Code of Professional Conduct?

Which domains are a part of a Level 1 Self-Assessment?

A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

Where can a listing of all federal agencies' CUI indices and categories be found?

When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

As part of CMMC 2.0, the change to Level 1 Self-Assessments supports "reduced assessment costs" allows all companies at Level 1 (Foundational) to:

There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit. Supporting Organization/Unit, or enclave has been met?

A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?

Which statement BEST describes the requirements for a C3PA0?

How are the Final Recommended Assessment Findings BEST presented?

CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?

A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

Who is responsible for identifying and verifying Assessment Team Member qualifications?

A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC's Configuration Management (CM) domain. The CCP's first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP's interview focus on?

In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?

Which regulation allows for whistleblowers to sue on behalf of the federal government?

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

What service is the MOST comprehensive that the RPO provides?

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to theassessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

What is a PRIMARY activity that is performed while conducting an assessment?

A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?

Which example represents a Specialized Asset?

Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?

Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?

An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?

An assessor needs to get the most accurate answers from an OSC's team members. What is the BEST method to ensure that the OSC's team members are able to describe team member responsibilities?

A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

A Lead Assessor is planning an assessment and scheduling the test activities. Who MUST perform tests to obtain evidence?

An organization's sales representative is tasked with entering FCI data into various fields within a spreadsheet on a company-issued laptop. This laptop is an FCI Asset being used to:

An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

During the assessment process, who is the final interpretation authority for recommended findings?

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC's external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:

When executing a remediation review, the Lead Assessor should:

How many domains does the CMMC Model consist of?