
Cyber AB CMMC-CCA Exam - Topic 1 Question 2 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 2
Topic #: 1

You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?

Suggested Answer: C

Comprehensive and detailed in-depth explanation:

The CAP explicitly states that other certifications like ISO 27001 do not grant automatic CMMC credit unless DoD policy allows (Option C). Options A, B, and D suggest potential credit without basis.

Extract from Official Document (CAP v1.0):

Section 1.1 -- Purpose (pg. 7): 'Alternative cybersecurity certifications do not automatically bestow any status or credit towards CMMC certification unless DoD publishes non-duplication policies.'

CMMC Assessment Process (CAP) v1.0, Section 1.1.

Contribute your Thoughts:

Mollie
27 days ago
Yeah, but waiting for official policies might be wise. Better safe than sorry.
upvoted 0 times

Elvera
2 months ago
Option A could delay things too much. We need a clear answer now.
upvoted 0 times

Stefanie
2 months ago
True, but there is overlap. Still, we should stick to the rules.
upvoted 0 times

Meaghan
2 months ago
I feel like option D is too lenient. CMMC has specific requirements.
upvoted 0 times

Hollis
2 months ago
Deferring the decision sounds like the safest bet.
upvoted 0 times

Rolland
2 months ago
Surprised they even asked for credit, it's a different standard!
upvoted 0 times

Maricela
3 months ago
No way they should get automatic credit for that!
upvoted 0 times

Cristy
3 months ago
I think we should verify their ISO 27001 first.
upvoted 0 times

Pete
3 months ago
I recall that granting credit based on ISO 27001 could be risky without proper validation. It might be best to stick to the CMMC requirements.
upvoted 0 times

Eric
3 months ago
I'm a bit uncertain about the non-duplication credit. I feel like it might be better to inform them that ISO 27001 doesn't automatically count for CMMC.
upvoted 0 times

France
3 months ago
I think we practiced a question like this in class, and the answer was to verify the ISO certification first. That seems like a safe approach.
upvoted 0 times

Taryn
3 months ago
I remember discussing how ISO 27001 and CMMC have some overlapping controls, but I'm not sure if that means we can grant credit.
upvoted 0 times

Dorcas
4 months ago
I agree, but option C makes sense too. Just because they have ISO 27001 doesn't mean they get credit.
upvoted 0 times

Detra
4 months ago
ISO 27001 and CMMC do overlap, but they're not the same.
upvoted 0 times

Daniel
4 months ago
I wonder if the OSC has a secret handshake to get CMMC credit. C) is the clear answer here.
upvoted 0 times

Rosalind
4 months ago
I think option B is the best. We need to verify their ISO 27001 first.
upvoted 0 times

Norah
5 months ago
B) Definitely need to validate that ISO 27001 cert first before making any decisions.
upvoted 0 times

Miss
5 months ago
Haha, I bet the OSC was hoping for a free pass on CMMC. Nice try, but C) is the way to go.
upvoted 0 times

Chandra
5 months ago
C) Yep, that's the right call. CMMC and ISO 27001 are different standards, so no automatic credit.
upvoted 0 times

Moon
5 months ago
B) Seems like the safest option to verify the ISO 27001 certification before considering any credit.
upvoted 0 times

Ty
5 months ago
I think the best answer here is B. We can't just take their word for it that the ISO 27001 certification covers the CMMC requirements. Gotta do our due diligence and check it against the CMMC Assessment Process before considering any credit.
upvoted 0 times

Becky
6 months ago
Hmm, this is a good question. I'm leaning towards B - verifying the ISO 27001 certification first seems like the safest approach before making any decisions about non-duplication credit. We need to be thorough in our assessment.
upvoted 0 times

Dusti
6 months ago
I'm pretty confident on this one. The correct answer is C - we have to inform the OSC that their ISO 27001 certification doesn't automatically translate to CMMC credit. The standards are different, so we need to evaluate them individually.
upvoted 0 times

Glory
6 months ago
Okay, this is a tricky one. I think the key is to verify the OSC's ISO 27001 certification first before considering any credit. The CMMC requirements may not fully overlap with ISO 27001, so we can't just assume they'll get credit.
upvoted 0 times

Lea
6 months ago
I'm not sure about this one. The question seems to be testing our understanding of how CMMC and ISO 27001 certifications relate. I'll need to review the CMMC Assessment Process to see what it says about non-duplication credit.
upvoted 0 times

Trinidad
11 days ago
But if they have valid certification, why not consider it?
upvoted 0 times

Alexia
17 days ago
I lean towards option C. No automatic credit for ISO 27001.
upvoted 0 times

Annelle
22 days ago
I think verifying the ISO 27001 certification is crucial first.
upvoted 0 times

Marjory
4 months ago
Definitely! We can't just assume they overlap without checking.
upvoted 0 times