Cyber AB CMMC-CCP - Certified CMMC Professional (CCP) Exam

Understanding CMMC Assessment ProceduresACMMC assessment procedureconsists of:

Assessment Objective– Defines what is being evaluated and the expected outcome.

Assessment Methods– Specifies how the evaluation is conducted (e.g.,examination, interviews, testing).

Assessment Objects– Identifies what is being evaluated, such as policies, systems, or people.

Assessment Objectivesincludedetermination statementsthat describe the expected outcome for each CMMC security practice.

These statements define whether a practice has beenadequately implementedbased ondocumented evidence and assessment findings.

TheCMMC Assessment Process (CAP) GuideandNIST SP 800-171Aspecify that each practice has a determination statement guiding assessment decisions.

A. Specifications and mechanisms→Incorrect

These belong toassessment objects, which refer to the systems, policies, and mechanisms being evaluated.

B. Examination, interviews, and testing→Incorrect

These areassessment methods, which describe how assessorsverifycompliance (e.g., through interviews or testing).

D. Exercising assessment objects under specified conditions→Incorrect

This refers toassessment testing, which is a method, not an assessment objective.

CMMC Assessment Process (CAP) Guide– Describes determination statements as the core of assessment objectives.

NIST SP 800-171A– Defines determination statements as a key element of evaluating security controls.

Why the Correct Answer is "C"?Why Not the Other Options?Relevant CMMC 2.0 References:Final Justification:Since anassessment objectiveincludes adetermination statementthat describes whether a practice is implemented properly, the correct answer isC.

The term that describes"the prevention of damage to, protection of, and restoration of computers and electronic communication systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation"isCybersecurity.

Step-by-Step Breakdown:✅1. Cybersecurity Defined

Cybersecurityfocuses onprotecting networks, systems, and datafrom cyber threats.

It includes measures to ensure:

Availability(data is accessible when needed).

Integrity(data is accurate and unaltered).

Authentication(verifying users' identities).

Confidentiality(ensuring only authorized access).

Non-repudiation(preventing denial of actions).

The definition in the questionaligns directly with cybersecurity principles, making it the best answer.

✅2. Why the Other Answer Choices Are Incorrect:

(B) Data Security❌

Data securityfocusesspecificallyon protectingstored information(e.g., encryption, access controls), but cybersecurity is broader—it includesnetworks, systems, and communication services.

(C) Network Security❌

Network securityis asubset of cybersecuritythat focuses on protectingnetwork infrastructure(e.g., firewalls, intrusion detection systems).

The definition in the question includesmore than just networks, so cybersecurity is the better choice.

(D) Information Security❌

Information security (InfoSec)is related but broader than cybersecurity.

InfoSeccoversphysical and organizational security(e.g., policies, procedures) in addition todigital protections.

CMMC and NIST SP 800-171 define cybersecurityas the protection ofsystems, networks, and data from cyber threats.

DoD Cybersecurity Definitions(aligned with NIST) confirm that cybersecurity is the term thatbest fits the definition in the question.

Final Validation from CMMC Documentation:

Understanding Configuration Management (CM) in CMMC Level 2InCMMC Level 2, theConfiguration Management (CM) domainis critical for ensuring that systems aresecurely configured, maintained, and monitoredto prevent unauthorized changes. One key aspect of CM is managinguser-installed software, which can introducesecurity risksif not properly controlled.

The correct approach to managinguser-installed softwarealigns withCM.3.068fromNIST SP 800-171, which requires organizations to:

✅Establish and enforce configuration settingsto ensure security.

✅Monitor and control user-installed softwareto prevent unauthorized or insecure applications from running on organizational systems.

Why "Controlled and Monitored" is Correct?The CCP (Certified CMMC Professional) conducting theinterviewshould focus on whether theuser-installed softwareiscontrolled and monitoredto align withCMMC Level 2 requirements. This means verifying:

Approval processesfor user-installed software.

Monitoring mechanisms(e.g., system logs, audits) to track software changes.

Policies that restrict unauthorized installationsto prevent security risks.

Breakdown of Answer ChoicesOption

Description

Correct?

A. Controlled and monitored

✅Ensures compliance with CM.3.068, verifying that user-installed software ismanaged securely.

✅Correct

B. Removed from the system

Software isnot always removed—only unauthorized or risky software should be.

❌Incorrect

C. Scanned for malicious code

While scanning isimportant(covered in SI.3.218), it isnot the primary focusof Configuration Management.

❌Incorrect

D. Limited to mission-essential use only

While limiting software is useful,monitoring and controllingis the key security measure.

❌Incorrect

NIST SP 800-171, CM.3.068– "Control and monitor user-installed software."

CMMC 2.0 Level 2 Requirements– Directly aligned withNIST SP 800-171 security controls.

Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isA. Controlled and monitored, as perCM.3.068inNIST SP 800-171andCMMC 2.0documentation.

Level 1 only addresses the protection of Federal Contract Information (FCI) and does not include requirements for safeguarding Controlled Unclassified Information (CUI).

Level 2 is explicitly designed to protect Controlled Unclassified Information (CUI). It requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, which directly support the safeguarding of CUI and help prevent its unauthorized disclosure or exfiltration.

Level 3 builds on Level 2 by including a subset of requirements from NIST SP 800-172. These additional practices are designed to enhance the protection of CUI against advanced persistent threats (APTs), further strengthening defenses against exfiltration.

Therefore, the levels that focus on protecting CUI from exfiltration are Levels 2 and 3.

Reference Documents:

CMMC Model v2.0 Overview (DoD, December 2021)

NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information

Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.

Reference Documents:

Title 44, U.S. Code, Chapter 33: Records Management

NARA Records Management Directive

Understanding Asset Categorization in CMMC 2.0InCMMC 2.0, assets are categorized into different types based on their function, connectivity, and whether they process, store, or transmitFederal Contract Information (FCI) or Controlled Unclassified Information (CUI).

TheCMMC 2.0 Scoping GuidedefinesSpecialized Assetsas assetsthat do not fit traditional IT classificationsbut still exist within the organizational environment.

Asmart thermostatis anInternet of Things (IoT) device, which falls underSpecialized Assetsas defined in CMMC.

A. FCI Asset (Incorrect)

FCI Assets process, store, or transmit Federal Contract Information, which asmart thermostat does not.

B. CUI Asset (Incorrect)

CUI Assets handle Controlled Unclassified Information, and athermostat does not process CUI.

C. In-scope Asset (Incorrect)

In-scope Assets include FCI and CUI assets, which asmart thermostat does not qualify as.

The correct answer isD. Specialized Asset, as asmart thermostat is an IoT device, which falls into theSpecialized Assetcategory.

Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.

Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.

TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.

CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.

DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.

A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.

B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.

C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.

The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.

ï‚· Understanding CMMC Assessment Requirements

CMMC assessments usethree assessment methodsto verify compliance with security practices:

Examine– Reviewing documentation, policies, logs, or records.

Interview– Speaking with personnel to confirm understanding and execution.

Test– Verifying through technical or operational means that the practice is being performed.

ï‚· Assessment Findings in the Given Scenario

Practice is documented as occurring monthly, but logs show quarterly execution.

Interviews indicate monthly execution, but documentation does not support this claim.

ï‚· Why the Organization Fails the Practice

Answer A (Incorrect): The work is being performed, but documentation is lacking, so the failure is not purely due to missing execution.

Answer B (Incorrect): The documented frequency does not match the evidence in logs, so the practice is not being done asfully documented.

Answer C (Correct):CMMC requires all three assessment methods (Examine, Interview, Test) to align. Since logs contradict the stated frequency, the practicefailscompliance.

Answer D (Incorrect): Interview responses alone are not enough. The CMMCCAP GuideandNIST SP 800-171Arequire corroboration with logs (Examine) and technical verification (Test).

ï‚· Conclusion

The correct answer isC: To pass a practice, the organization mustprovide evidence across all three assessment methods.

CMMC Assessment Process (CAP) Guide– Cyber AB

NIST SP 800-171A– Assessing Security Requirements for CUI

DoD CMMC 2.0 Scoping and Assessment Guide

Does a File Cabinet Containing Paper FCI Fall Within CMMC Scope?CMMConly applies to digital systems and assetsthatprocess, store, or transmitFederal Contract Information (FCI)andControlled Unclassified Information (CUI).Physical storage (such as paper documents) is not included in CMMC scoping.

Step-by-Step Breakdown:✅1. CMMC Scope Covers Only Digital Systems and Assets

According to theCMMC Scoping Guide (Level 1),only digital assetsthat handleFCIarein scopefor aLevel 1 Self-Assessment.

Afile cabinetisnot a digital system; therefore, it isnot in scopefor CMMC compliance.

✅2. Why the Other Answer Choices Are Incorrect:

(A) In scope, because it is an asset that stores FCI❌

Incorrect:While the file cabinetdoes store FCI,CMMC only applies to digital systems.

(B) In scope, because it is part of the same physical location❌

Incorrect:CMMCdoes notconsiderphysical proximitywhen determining scope—only digital data handling matters.

(D) Out of scope, because it does not process or transmit FCI❌

Partially correct, but incomplete: Themain reasonit is out of scope is that itcontains only paper documents, not that it doesn’t process/transmit data.

TheCMMC Level 1 Scoping Guideexplicitly states thatpaper-based storage of FCI does not fall within scope.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅C. Out of scope, because they are all only paper documents.

Understanding the Role of an FCI Asset in CMMCAdedicated local printer used to print Federal Contract Information (FCI)is considered anFCI Asset. UnderCMMC Level 1, FCI assets are required to meetbasic cybersecurity controlsto ensure that FCI is properlyprotected from unauthorized access.

Step-by-Step Breakdown:✅1. Why "Process" is the Best Answer

The printerreceives digital FCI, converts it into a physical format (paper), and outputs the document.

This aligns with thedefinition of "processing" in CMMC, which includes:

Transforming or modifying data

Generating output (e.g., printed documents)

Using systems to interpret or manipulate information

✅2. Why the Other Answer Choices Are Incorrect:

(A) Encrypt❌

Aprinter does not encryptFCI—it simply prints it. Encryption applies todigital storage and transmission, not printing.

(B) Manage❌

Managing FCI typically refers togovernance, access control, and oversight, which is not the function of a printer.

(D) Distribute❌

While a printed documentcould be distributed, theprinter itself is not responsible for distributing FCI—it only processes the data for output.

CMMC Assessment Guide (Level 1)confirms thatprocessing FCI includes using systems that convert or transform information, such as printers.

NIST SP 800-171definesprocessingas an action thatchanges or manipulates information, which applies to printing.

Final Validation from CMMC Documentation: