Cyber AB CMMC-CCA Exam - Topic 1 Question 2 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam

Question #: 2
Topic #: 1

You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?

ADefer the decision on non-duplication credit until the DoD publishes official non-duplication policies.

BVerify the validity and authenticity of the OSC's ISO 27001 certification against the requirements outlined in the CMMC Assessment Process (CAP) before considering granting any non-duplication credit.

CInform the OSC that alternative cybersecurity certifications like ISO 27001 do not automatically bestow any status or credit towards CMMC certification.

DGrant the OSC credit towards their CMMC certification based on their ISO 27001 certification, as both standards cover similar cybersecurity requirements.

Show Suggested Answer

Suggested Answer: C

Comprehensive and Detailed in Depth

The CAP explicitly states that other certifications like ISO 27001 do not grant automatic CMMC credit unless DoD policy allows (Option C). Options A, B, and D suggest potential credit without basis.

Extract from Official Document (CAP v1.0):

Section 1.1 -- Purpose (pg. 7):'Alternative cybersecurity certifications do not automatically bestow any status or credit towards CMMC certification unless DoD publishes non-duplication policies.'

CMMC Assessment Process (CAP) v1.0, Section 1.1.

by Justine at Oct 06, 2025, 09:34 PM

Limited Time Offer

25%

Off

Get Premium CMMC-CCA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Elvera

5 days ago

Option A could delay things too much. We need a clear answer now.

upvoted 0 times

...

Stefanie

10 days ago

True, but there is overlap. Still, we should stick to the rules.

upvoted 0 times

...

Meaghan

16 days ago

I feel like option D is too lenient. CMMC has specific requirements.

upvoted 0 times

...

Hollis

21 days ago

Deferring the decision sounds like the safest bet.

upvoted 0 times

...

Rolland

26 days ago

Surprised they even asked for credit, it’s a different standard!

upvoted 0 times

...

Maricela

1 month ago

No way they should get automatic credit for that!

upvoted 0 times

...

Cristy

1 month ago

I think we should verify their ISO 27001 first.

upvoted 0 times

...

Pete

1 month ago

I recall that granting credit based on ISO 27001 could be risky without proper validation. It might be best to stick to the CMMC requirements.

upvoted 0 times

...

Eric

2 months ago

I'm a bit uncertain about the non-duplication credit. I feel like it might be better to inform them that ISO 27001 doesn't automatically count for CMMC.

upvoted 0 times

...

France

2 months ago

I think we practiced a question like this in class, and the answer was to verify the ISO certification first. That seems like a safe approach.

upvoted 0 times

...

Taryn

2 months ago

I remember discussing how ISO 27001 and CMMC have some overlapping controls, but I'm not sure if that means we can grant credit.

upvoted 0 times

...

Dorcas

2 months ago

I agree, but option C makes sense too. Just because they have ISO 27001 doesn’t mean they get credit.

upvoted 0 times

...

Detra

2 months ago

ISO 27001 and CMMC do overlap, but they’re not the same.

upvoted 0 times

...

Daniel

2 months ago

I wonder if the OSC has a secret handshake to get CMMC credit. C) is the clear answer here.

upvoted 0 times

...

Rosalind

3 months ago

I think option B is the best. We need to verify their ISO 27001 first.

upvoted 0 times

...

Norah

3 months ago

B) Definitely need to validate that ISO 27001 cert first before making any decisions.

upvoted 0 times

...

Miss

3 months ago

Haha, I bet the OSC was hoping for a free pass on CMMC. Nice try, but C) is the way to go.

upvoted 0 times

...

Chandra

4 months ago

C) Yep, that's the right call. CMMC and ISO 27001 are different standards, so no automatic credit.

upvoted 0 times

...

Moon

4 months ago

B) Seems like the safest option to verify the ISO 27001 certification before considering any credit.

upvoted 0 times

...

Ty

4 months ago

I think the best answer here is B. We can't just take their word for it that the ISO 27001 certification covers the CMMC requirements. Gotta do our due diligence and check it against the CMMC Assessment Process before considering any credit.

upvoted 0 times

...

Becky

4 months ago

Hmm, this is a good question. I'm leaning towards B - verifying the ISO 27001 certification first seems like the safest approach before making any decisions about non-duplication credit. We need to be thorough in our assessment.

upvoted 0 times

...

Dusti

4 months ago

I'm pretty confident on this one. The correct answer is C - we have to inform the OSC that their ISO 27001 certification doesn't automatically translate to CMMC credit. The standards are different, so we need to evaluate them individually.

upvoted 0 times

...

Glory

4 months ago

Okay, this is a tricky one. I think the key is to verify the OSC's ISO 27001 certification first before considering any credit. The CMMC requirements may not fully overlap with ISO 27001, so we can't just assume they'll get credit.

upvoted 0 times

...

Lea

5 months ago

I'm not sure about this one. The question seems to be testing our understanding of how CMMC and ISO 27001 certifications relate. I'll need to review the CMMC Assessment Process to see what it says about non-duplication credit.

upvoted 0 times

Marjory

3 months ago

Definitely! We can't just assume they overlap without checking.

upvoted 0 times

...