Summer Sale - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 65percent

Welcome To DumpsPedia

CMMC-CCP Sample Questions Answers

Questions 4

When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?

Options:

A.

It is sufficient, and the audit finding can be rated as MET.

B.

It is insufficient, and the audit finding can be rated NOT MET.

C.

It is sufficient, and the Lead Assessor should seek more evidence.

D.

It is insufficient, and the Lead Assessor should seek more evidence.

Buy Now
Questions 5

What is the BEST document to find the objectives of the assessment of each practice?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Buy Now
Questions 6

Which domains are a part of a Level 1 Self-Assessment?

Options:

A.

Access Control (AC), Risk Management < RM), and Media Protection (MP)

B.

Risk Management (RM). Access Control (AC), and Physical Protection (PE)

C.

Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)

D.

Risk Management (RM). Media Protection (MP), and Identification and Authentication (IA)

Buy Now
Questions 7

As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?

Options:

A.

Union

B.

Accord

C.

Alliance

D.

Agreement

Buy Now
Questions 8

When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?

Options:

A.

At the time of award

B.

Upon solicitation submission

C.

Thirty days from the award date

D.

Before the due date of submission

Buy Now
Questions 9

In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?

Options:

A.

loT

B.

Restricted IS

C.

Test equipment

D.

Operational technology

Buy Now
Questions 10

A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?

Options:

A.

Performed in groups for more efficient use of resources

B.

Recorded for inclusion in the Final Recommended Findings report

C.

Confidential and non-attributable so interviewees can speak without fear of reprisal

D.

Mapped to specific CMMC practices to clearly delineate which practice is being evaluated

Buy Now
Questions 11

The Lead Assessor is presenting the Final Findings Presentation to the OSC. During the presentation, the Assessment Sponsor and OSC staff inform the assessor that they do not agree with the assessment results. Who has the final authority for the assessment results?

Options:

A.

C3PAO

B.

CMMC-AB

C.

Assessment Team

D.

Assessment Sponsor

Buy Now
Questions 12

In CMMC High-Level scoping, which definition BEST describes an HQ organization?

Options:

A.

The entity that carries out the tasks under a contract

B.

The unit to which a CMMC Level is applied for each contract

C.

The teams, services, and technologies that provide support to a Host Unit

D.

The entity legally responsible for the delivery of products or services under a contract

Buy Now
Questions 13

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

Options:

A.

FAR 52.204-21

B.

22CFR 120-130

C.

DFARS 252.204-7011

D.

DFARS 252.204-7021

Buy Now
Questions 14

CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Options:

A.

received and transferred.

B.

stored, processed, and transmitted.

C.

entered, edited, manipulated, printed, and viewed.

D.

located on electronic media, on system component memory, and on paper.

Buy Now
Questions 15

A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

Options:

A.

" The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope. "

B.

" The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope. "

C.

" The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope. "

D.

" The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope. "

Buy Now
Questions 16

The evidence needed for each practice and/or process is weight for:

Options:

A.

adequacy and sufficiency.

B.

adequacy and thoroughness.

C.

sufficiency and thoroughness.

D.

sufficiency and appropriateness.

Buy Now
Questions 17

A server is used to store FCI with a cloud provider long-term. What is the server considered?

Options:

A.

In scope, because the cloud provider will be storing the FCI data

B.

Out of scope, because the cloud provider stores the FCI data long-term

C.

In scope, because the cloud provider is required to be CMMC Level 2 certified

D.

Out of scope, because encryption is always used when the cloud provider stores the FCI data

Buy Now
Questions 18

The evidence needed for each practice and/or process is weighed for:

Options:

A.

Adequacy and sufficiency

B.

Adequacy and thoroughness

C.

Sufficiency and thoroughness

D.

Sufficiency and appropriateness

Buy Now
Questions 19

An organization ' s sales representative is tasked with entering FCI data into various fields within a spreadsheet on a company-issued laptop. This laptop is an FCI Asset being used to:

Options:

A.

process and transmit FCI.

B.

process and organize FCI.

C.

store, process, and transmit FCI.

D.

store, process, and organize FCI.

Buy Now
Questions 20

How many cybersecurity levels does the CMMC Model structure contain?

Options:

A.

2 Levels.

B.

3 Levels.

C.

5 Levels.

D.

4 Levels.

Buy Now
Questions 21

The practices in CMMC Level 2 consists of the security requirements specified in:

Options:

A.

NISTSP 800-53.

B.

NISTSP 800-171.

C.

48 CFR 52.204-21.

D.

DFARS 252.204-7012.

Buy Now
Questions 22

SC.L2-3 13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC ' s assessment. How does this affect the assessment scope?

Options:

A.

Any existing telephone system is in scope even if it is not using VoIP technology.

B.

An error has been made and the Lead Assessor should be contacted to correct the error.

C.

VoIP technology is within scope, and it uses FlPS-validated encryption, so it does not need to be assessed.

D.

VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.

Buy Now
Questions 23

Ethics is a shared responsibility between:

Options:

A.

DoD and CMMC-AB.

B.

OSC and sponsors.

C.

CMMC-AB and members of the CMMC Ecosystem.

D.

members of the CMMC Ecosystem and Lead Assessors.

Buy Now
Questions 24

A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?

Options:

A.

Identify resources and schedule.

B.

Select Assessment Team members.

C.

Identify and manage assessment risks.

D.

Select and develop the evidence collection approach.

Buy Now
Questions 25

How many domains does the CMMC Model consist of?

Options:

A.

14 domains

B.

43 domains

C.

72 domains

D.

110 domains

Buy Now
Questions 26

The Advanced Level in CMMC will contain Access Control {AC) practices from:

Options:

A.

Level 1.

B.

Level 3.

C.

Levels 1 and 2.

D.

Levels 1,2, and 3.

Buy Now
Questions 27

A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?

Options:

A.

The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.

B.

More research on the company policy of creating, implementing, and enforcing policies is needed. If the company has a policy identifying the authority as with the position or person, then the policy is valid.

C.

The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.

D.

The authority to implement and enforce lies with the position, not the person. As long as that position ' s authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.

Buy Now
Questions 28

According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?

Options:

A.

The NARA CUI Executive Agent

B.

The contractor who generated the information

C.

The DoD agency for whom the contractor is performing the work

D.

The military personnel assigned to the contractor for that purpose

Buy Now
Questions 29

A Lead Assessor is ensuring all actions have been completed to conclude a Level 2 Assessment. The final Assessment Results Package has been properly reviewed and is ready to be uploaded. What other materials is the Lead Assessor responsible for maintaining and protecting?

Options:

A.

Any additional notes and information from the Assessment

B.

A final assessment plan, and a Quality Control report from C3PAO

C.

A final assessment plan, and a letter from the Lead Assessor explaining the process

D.

A final assessment plan, a letter from the Lead Assessor explaining the results, and a Quality Control report from C3PAO

Buy Now
Questions 30

Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?

Options:

A.

Legal agreement

B.

CMMC agreement

C.

Assessment agreement

D.

Non-disclosure agreement

Buy Now
Questions 31

Who is responsible for identifying and verifying Assessment Team Member qualifications?

Options:

A.

C3PAO

B.

CMMC-AB

C.

Lead Assessor

D.

CMMC Marketplace

Buy Now
Questions 32

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Options:

A.

Organizational operations, business assets, and employees

B.

Organizational operations, business processes, and employees

C.

Organizational operations, organizational assets, and individuals

D.

Organizational operations, organizational processes, and individuals

Buy Now
Questions 33

Which term describes assessing the ability of a unit equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary?

Options:

A.

Penetration test

B.

Black hat testing

C.

Red cell assessment

D.

Adversarial assessment

Buy Now
Questions 34

What is DFARS clause 252.204-7012 required for?

Options:

A.

All DoD solicitations and contracts

B.

Solicitations and contracts that use FAR part 12 procedures

C.

Procurements solely for the acquisition of commercial off-the-shelf

D.

Commercial off-the-shelf sold in the marketplace without modifications

Buy Now
Questions 35

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Options:

A.

have a security clearance.

B.

be a senior person in the company.

C.

demonstrate expertise on the CMMC requirements.

D.

provide clarity and understanding of their practice activities.

Buy Now
Questions 36

The results package for a Level 2 Assessment is being submitted. What MUST a Final Report. CMMC Assessment Results include?

Options:

A.

Affirmation for each practice or control

B.

Documented rationale for each failed practice

C.

Suggested improvements for each failed practice

D.

Gaps or deltas due to any reciprocity model are recorded as met

Buy Now
Questions 37

How does the CMMC define a practice?

Options:

A.

A business transaction

B.

A condition arrived at by experience or exercise

C.

A series of changes taking place in a defined manner

D.

An activity or activities performed to meet defined CMMC objectives

Buy Now
Questions 38

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

Options:

A.

Conduct a penetration test

B.

Interview the intrusion detection system ' s supplier.

C.

Upload known malicious code and observe the system response.

D.

Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Buy Now
Questions 39

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

Options:

A.

Phase 1: Plan and Prepare Assessment

B.

Phase 2: Conduct Assessment

C.

Phase 3: Report Recommended Assessment Results

D.

Phase 4: Remediation of Outstanding Assessment Issues

Buy Now
Questions 40

What activities are conducted while developing an assessment plan?

Options:

A.

The C3PAO decides the Assessment Team members and notifies the Lead Assessor.

B.

The Lead Assessor and the OSC’s sponsor determine the assessment resources and schedule.

C.

The C3PAO’s project manager is responsible for handling potential conflicts of interest.

D.

The evidence collection approach can be finalized when the Lead Assessor conducts an onsite assessment.

Buy Now
Questions 41

What technical means can an OSC have in place to limit individuals who are authorized to post or process information on publicly accessible systems?

Options:

A.

Enable cookies to track who has accessed certain websites.

B.

Ensure procedural documentation is in place on how to access website consoles.

C.

Ensure marketing team trainings are required so that any changes to the website go through proper review.

D.

Enable administrative access roles to those that need them so that only those people can post items to the website.

Buy Now
Questions 42

Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:

Options:

A.

The contract value plus a penalty as stated in the Cyber Claims Act

B.

The contract value plus a penalty as stated in the False Claims Act

C.

Three times the contract value plus a penalty as stated in the Cyber Claims Act

D.

Three times the contract value plus a penalty as stated in the False Claims Act

Buy Now
Questions 43

A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company ' s CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

Options:

A.

FCI Assets

B.

Specialized Assets

C.

Out-of-Scope Assets

D.

Operational Technology Assets

Buy Now
Questions 44

Within what amount of time MUST convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not connected with activities that relate to carrying out a Lead Assessor role, be reported to the CMMC Accreditation Body?

Options:

A.

90 days.

B.

30 days.

C.

3 days.

D.

7 days.

Buy Now
Questions 45

The practices in CMMC Level 2 consist of the security requirements specified in:

Options:

A.

NIST SP 800-53

B.

NIST SP 800-171

C.

48 CFR 52.204-21

D.

DFARS 252.204-7012

Buy Now
Questions 46

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

Options:

A.

CDI

B.

CTI

C.

CUI

D.

FCI

Buy Now
Questions 47

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

Options:

A.

DoD

B.

CISA

C.

NIST

D.

CMMC-AB

Buy Now
Questions 48

A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?

Options:

A.

The C3PAO submits the results to the CMMC-AB.

B.

The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.

C.

The C3PAO submits the results to Enterprise Mission Assurance Support Service.

D.

The Lead Assessor submits the results to the CMMC-AB.

Buy Now
Questions 49

What is the MOST common purpose of assessment procedures?

Options:

A.

Obtain evidence.

B.

Define level of effort.

C.

Determine information flow.

D.

Determine value of hardware and software.

Buy Now
Questions 50

Which statement BEST describes the requirements for a C3PA0?

Options:

A.

An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements.

B.

An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements.

C.

AC3PAO must be accredited by DoD before being able to conduct assessments.

D.

A C3PAO must be authorized by CMMC-AB before being able to conduct assessments.

Buy Now
Questions 51

Which domain references the requirements needed to handle physical or digital assets containing CUI?

Options:

A.

Media Protection (MP)

B.

Physical Protection (PE)

C.

System and Information Integrity (SI)

D.

System and Communications Protection (SC)

Buy Now
Questions 52

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

Options:

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Buy Now
Questions 53

For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?

Options:

A.

C3PAO and OSC

B.

OSC and CMMC-AB

C.

CMMC-AB and C3PAO

D.

Lead Assessor and Assessment Team Members

Buy Now
Questions 54

An OSC needs to be assessed on RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. What is in scope for a Level 2 assessment of RA.L2-3.11.1?

Options:

A.

IT systems

B.

Enterprise systems

C.

CUI Marking processes

D.

Processes, people, physical entities, and IT systems in which CUI processed, stored, or transmitted

Buy Now
Questions 55

Recording evidence as adequate is defined as the criteria needed to:

Options:

A.

verify, based on an assessment and organizational scope.

B.

verify, based on an assessment and organizational practice.

C.

determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.

D.

determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

Buy Now
Questions 56

While conducting a CMMC Level 2 Assessment, the Lead Assessor determines that the OSC has badge readers, pin code pads, and keys for various access points as well as documentation to demonstrate meeting the practice. Which CMMC practice has the OSC MET?

Options:

A.

PE.L1-3.10.5: Control and manage physical access devices

B.

MP.L2-3.8.5: Mark media with necessary CUI markings and distribution limitations

C.

SI.L2-3.14.3: Monitor system security alerts and advisories and take action in response

D.

PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

Buy Now
Questions 57

A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC ' s Configuration Management (CM) domain. The CCP ' s first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP ' s interview focus on?

Options:

A.

Controlled and monitored

B.

Removed from the system

C.

Scanned for malicious code

D.

Limited to mission-essential use only

Buy Now
Questions 58

A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?

Options:

A.

It is storing FCI.

B.

It is testing FCI.

C.

It is distributing FCI.

D.

It is properly marked as FCI.

Buy Now
Questions 59

A Lead Assessor and an OSC ' s Assessment Official have agreed to have the Assessment results presented during the final Daily Checkpoint of the OSC ' s CMMC Level 2 Assessment. Which document MUST the Lead Assessor use to present assessment findings to the OSC?

Options:

A.

CMMC POA & M Brief

B.

CMMC Findings Brief

C.

CMMC Assessment Tracker Tool

D.

CMMC Recommended Findings template

Buy Now
Questions 60

Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit. Supporting Organization/Unit, or enclave has been met?

Options:

A.

OSC

B.

Assessment Team

C.

Authorizing official

D.

Assessment official

Buy Now
Questions 61

A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor ' s business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?

Options:

A.

loT

B.

Restricted IS

C.

Test equipment

D.

Government property

Buy Now
Questions 62

What is objectivity as it applies to activities with the CMMC-AB?

Options:

A.

Ensuring full disclosure

B.

Reporting results of CMMC services completely

C.

Avoiding the appearance of or actual, conflicts of interest

D.

Demonstrating integrity in the use of materials as described in policy

Buy Now
Questions 63

Which method facilitates understanding by analyzing gathered artifacts as evidence?

Options:

A.

Test

B.

Examine

C.

Behavior

D.

Interview

Buy Now
Questions 64

In the CMMC Model, how many practices are included in Level 2?

Options:

A.

17 practices

B.

72 practices

C.

110 practices

D.

180 practices

Buy Now
Questions 65

In the CMMC Model, how many practices are included in Level 1?

Options:

A.

15 practices

B.

17 practices

C.

72 practices

D.

110 practices

Buy Now
Questions 66

Which statement is NOT a requirement for a Licensed Partner Publisher?

Options:

A.

Must have at least two years of history in publishing

B.

Must possess a Dun and Bradstreet number and background check

C.

Must receive CMMC Level 3 certification

D.

Must be approved by CMMC-AB or authorized organization

Buy Now
Questions 67

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?

Options:

A.

Clear, purge, destroy

B.

Clear, redact, destroy

C.

Clear, overwrite, purge

D.

Clear, overwrite, destroy

Buy Now
Questions 68

The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?

Options:

A.

FBI CUI Introduction to Marking

B.

NARA CUI Introduction to Marking

C.

C3PAO CUI Introduction to Marking

D.

CMMC-AB CUI Introduction to Marking

Buy Now
Questions 69

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?

Options:

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Buy Now
Questions 70

The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company ' s FCI network, should it be assessed as part of the CMMC Level 1 Self-Assessment Scope?

Options:

A.

No, because it is OT

B.

No, because it is an loT device

C.

Yes. because it is a restricted IS

D.

Yes, because it is government property

Buy Now
Exam Code: CMMC-CCP
Exam Name: Certified CMMC Professional (CCP) Exam
Last Update: Jul 13, 2026
Questions: 236

PDF + Testing Engine

$59.99 $171.4

Testing Engine

$44.99 $128.55

PDF (Q&A)

$49.99 $142.82