During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?
Understanding Asset Categorization in CMMC 2.0
In CMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Why 'D. Specialized Asset' Is Correct
The CMMC 2.0 Scoping Guide defines Specialized Assets as assets that do not fit traditional IT classifications but still exist within the organizational environment.
A smart thermostat is an Internet of Things (IoT) device, which falls under Specialized Assets as defined in CMMC.
Why the Other Answers Are Incorrect
A. FCI Asset (Incorrect)
FCI Assets process, store, or transmit Federal Contract Information, which a smart thermostat does not.
B. CUI Asset (Incorrect)
CUI Assets handle Controlled Unclassified Information, and a thermostat does not process CUI.
C. In-scope Asset (Incorrect)
In-scope Assets include FCI and CUI assets, which a smart thermostat does not qualify as.
Conclusion
The correct answer is D. Specialized Asset, as a smart thermostat is an IoT device, which falls into the Specialized Asset category.
CMMC 2.0 Scoping Guide
DoD Cybersecurity Guidelines on IoT Devices
SC.L2-3.13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?
Understanding SC.L2-3.13.14 -- Control and Monitor the Use of VoIP Technologies
The CMMC 2.0 Level 2 requirement SC.L2-3.13.14 comes from NIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations must control and monitor the use of VoIP (Voice over Internet Protocol) technologies if used within their system boundary.
If a system does not use VoIP technology, then this control is Not Applicable (N/A) because there is nothing to assess.
Why Option D is Correct
When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that control within its assessment boundary.
No assessment procedures are needed since there is no VoIP system to evaluate.
Option A (Existing telephone system in scope) is incorrect because traditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14; only VoIP is within scope.
Option B (Error, contact the Lead Assessor) is incorrect because marking SC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.
Option C (VoIP in scope but using FIPS-validated encryption, so it doesn't need to be assessed) is incorrect because even if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.
Official CMMC Documentation Reference
CMMC 2.0 Level 2 Assessment Guide -- SC.L2-3.13.14
NIST SP 800-171, Security Requirement 3.13.14
CMMC Scoping Guidance -- Determining Not Applicable (N/A) Practices
Final Verification
If VoIP is not used within the OSC's system boundary, the control does not require assessment, making Option D the correct answer.
Who has the initial responsibility for identifying and managing conflicts of interest?
Under the CMMC Assessment Process (CAP) v2.0, the C3PAO holds the initial (and ultimate) responsibility to identify and manage conflicts of interest (COI) related to a CMMC Level 2 certification assessment. CAP v2.0 includes an explicit pre-assessment activity titled "Identify and Manage Initial Conflicts of Interest (COI)" and states that C3PAOs are ultimately responsible for managing impartiality and identifying conflicts of interest for the assessment.
CAP v2.0 further clarifies that this responsibility cannot be delegated to the assessment team (including the Lead Assessor/Lead CCA) or to the OSC. In other words, while the Lead Assessor participates in executing the process and the OSC must cooperate (e.g., disclose relationships or prior services that could create COI), CAP places the duty to run the COI identification/mitigation process squarely on the C3PAO as the assessment organization.
This aligns with the intent of impartiality controls in certification programs: the certification body (here, the C3PAO) must ensure objective assessments by identifying conflicts early, applying mitigation (or avoidance), and documenting the resolution before the assessment proceeds. Since the question asks who has the initial responsibility, the CAP's direct assignment of COI management to the C3PAO makes B the correct answer.
===========
The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company's FCI network, should it be assessed as part of the CMMC Level 1 Self-Assessment Scope?
Step 1: Understanding CMMC Level 1 Self-Assessment Scope
CMMC Level 1 applies to systems that handle Federal Contract Information (FCI).
Any system or device that is connected to an FCI-handling network is within the assessment scope because it can introduce vulnerabilities into the environment.
Step 2: Why the Thermostat is in Scope
The Wi-Fi-enabled thermostat is connected to the FCI network, meaning it has potential access to sensitive contract-related data.
Per CMMC Scoping Guidance, this type of device is classified as a Restricted Information System (Restricted IS): a device that does not store, process, or transmit FCI but is connected to networks that do.
Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.
CMMC Level 1 Scoping Guidance
CMMC Assessment Process (CAP) Guide
Step 3: Why Other Answer Choices Are Incorrect
A. No, because it is OT (Incorrect):
Operational Technology (OT) includes industrial control systems but does not exempt a device from assessment if it connects to an FCI network.
B. No, because it is an IoT device (Incorrect):
IoT (Internet of Things) devices that are connected to an FCI network must be assessed to ensure they do not create security vulnerabilities.
D. Yes, because it is government property (Incorrect):
The ownership of the device (government or company) does not determine its inclusion in the CMMC assessment scope; its network connectivity does.
Final Confirmation of Correct Answer:
The thermostat is part of the CMMC Level 1 Self-Assessment Scope as a Restricted IS.
Thus, the correct answer is: C. Yes, because it is a restricted IS
A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?
What is Required in the CMMC Assessment Kickoff and Opening Briefing?
Before starting a CMMC assessment, the Lead Assessor must present an opening briefing to ensure that the Organization Seeking Certification (OSC) understands the assessment process.
Step-by-Step Breakdown:
1. Overview of the Assessment Process
The Lead Assessor must explain the CMMC assessment methodology, including:
The assessment objectives and scope
How the assessment team will review security controls
What to expect during interviews, testing, and document review
This ensures transparency and alignment between the assessors and the OSC.
2. Why the Other Answer Choices Are Incorrect:
(A) Gathering Evidence
Evidence collection is part of the assessment but not the primary topic of the opening briefing.
(B) Review of the OSC's SSP
While the SSP is a key document, reviewing it is part of the assessment, not the kickoff briefing.
(D) Examination of the artifacts for sufficiency
Artifact review happens later in the assessment process, not during the kickoff.
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide states that the opening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.
Thus, the correct answer is:
C. Overview of the assessment process.