Cyber AB CMMC-CCP - Certified CMMC Professional (CCP) Exam

During aCMMC readiness review, anOrganization Seeking Certification (OSC)may argue that a specificenclave (network segment or system) is out of scopefor assessment. TheLead Assessor is responsible for verifying and approving this request.

Roles and Responsibilities in CMMC Assessments:

Certified CMMC Professional (CCP)

A CCP supports OSCs inpreparing for assessmentsbutdoes not make final scope determinations.

Certified Third-Party Assessment Organization (C3PAO)

The C3PAOoversees the assessmentbut doesnot personally verify scope exclusions—that falls under theLead Assessor’s role.

Lead Assessor (Correct Answer)

TheLead Assessor has the authorityto determine if anenclave is out of scopebased on OSC-provided evidence.

The Lead Assessor followsCMMC Assessment Process (CAP) guidelinesto ensure proper scoping.

Advisory Board

TheCMMC-AB (Advisory Board) does not make scope determinations. It focuses onprogram oversightandcertification processes.

Official References Supporting the Correct Answer:

CMMC Assessment Process (CAP) v1.0

TheLead Assessor is responsible for confirming the assessment scopeand determining enclave applicability.

CMMC Scoping Guidance for Level 2 Assessments

Requires theLead Assessor to review and approve any enclave exclusionsbefore finalizing the assessment scope.

Conclusion:

TheLead Assessoris the correct answer because they have the authority to verify scope determinations during the assessment.

✅Correct Answer: C. Lead Assessor

Step 1: Review CMMC 2.0 Reforms (Level 1 – Foundational)

As part ofCMMC 2.0, the DoD announced changes toreduce burden and costsfor companies that only handleFederal Contract Information (FCI):

DoD Statement (CMMC 2.0 Overview):

“Level 1 (Foundational) will only require an annual self-assessment, affirming implementation of the 17 FAR 52.204-21 controls.”

✅Step 2: Intent of “Reduced Assessment Costs”

The move to allowself-assessments at Level 1was explicitly designed toeliminate the costof hiring third-party assessors for organizations that only handle FCI.

Level 1 self-assessments are:

Conductedinternally by the OSC,

Affirmed annuallyby a senior company official,

Submitted via SPRS(Supplier Performance Risk System).

❌Why the Other Options Are Incorrect

B. Opt out of CMMC Assessments

✘Incorrect. Organizations must still perform aself-assessmentannually — they cannot opt out entirely.

C. Have assessment costs reimbursed by the DoD

✘No such reimbursement mechanism exists.

D. Pay no more than $500.00…

✘No such fixed cost is set or guaranteed in CMMC documentation.

UnderCMMC 2.0, all companies atLevel 1 (Foundational)are permitted toconduct self-assessmentsannually to demonstrate compliance, supporting the DoD’s goal ofreducing assessment costsfor low-risk contractors.

In Phase 1 (Planning) of the CMMC Assessment Process, the Lead Assessor is responsible for managing the team and identifying conflicts of interest. Assessment team members must also disclose potential conflicts.

Supporting Extracts from Official Content:

CAP v2.0, Planning (§2.5–2.8): “The Lead Assessor and Assessment Team Members must identify and disclose any conflicts of interest prior to conducting the assessment.”

Why Option D is Correct:

Only the Lead Assessor and assessment team are responsible for identifying conflicts of interest during Phase 1.

Options A, B, and C incorrectly assign this role to organizations that do not hold the responsibility.

References (Official CMMC v2.0 Content):

CMMC Assessment Process (CAP) v2.0, Phase 1 Planning responsibilities.

===========

In the context of a CMMC Level 2 Assessment, assessors must evaluate the "Institutionalization" of practices, which includes the review of Policies. The validity of a policy document depends on the Organization Seeking Certification (OSC)'s internal governance and administrative procedures.

Internal Governance (The "Why"): CMMC does not dictate exactlyhowa company must authorize its policies (e.g., whether a signature must be refreshed immediately upon a personnel change). Instead, the assessor must verify if the document is considered "active" and "authoritative" by the OSC’s own standards.

The Role of the Assessor: As per the CMMC Assessment Process (CAP) and CCP training materials, an assessor cannot unilaterally declare a policy invalid simply because a signatory has left. The assessor must perform "more research" (typically through Interviews or examining Supplemental Documents) to determine the OSC's internal rules for policy management.

If the OSC's "Policy on Policies" states that a signature is tied to the individual, the document may be expired.

If the OSC's rules state that the authority is tied to the role/position (which is common in most corporate governance), the policy remains in effect until it is formally rescinded or updated.

Distinction from other options:

Option A is too restrictive; it assumes a universal rule that doesn't exist in the CMMC framework.

Option C is incorrect because a signatory (or formal approval)isoften what gives a policy its "authoritative" status in an audit; ignoring it would be a failure of the Examine method.

Option D is a common business assumption, but an assessor must verify this via the OSC's own procedures rather than assuming it is true for every company.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Examine" methods and evaluating evidence integrity.

NIST SP 800-171A: Discussion on "Organizational Policies" as assessment objects and the requirement for policies to be "established and maintained."

CMMC Level 2 Assessment Guide: Clarifies that policies must be "formally documented" and "representative of organizational requirements."

Understanding Who Must Perform Tests in a CMMC Assessment

During aCMMC Level 2 Assessment, assessorsmust observe operational activities and security practicesto verify compliance. This process involves:

✔Testing security controls and proceduresas part of the assessment.

✔Observation of standard work practicesto ensure controls are properly implemented.

✔Using operational personnel (OSC employees) who regularly perform the taskto ensure realistic assessment conditions.

Who Performs Tests?

Operational personnel (OSC employees) must conduct the actual work while assessors observe.

Certified CMMC Professionals (CCPs) or Lead Assessorsoversee and document the testing process.

Why is the Correct Answer "A" (OSC personnel who normally perform that work as the CCP observes)?

A. OSC personnel who normally perform that work as the CCP observes → Correct

CMMC assessments require actual users (OSC personnel) to perform their regular duties while assessors observeto verify security practices.

B. Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s) → Incorrect

Military personnel are not responsible for testing contractor security controls.

Assessors observe and evaluate but do not perform testing themselves.

C. Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI → Incorrect

Military personnel do not perform the testing.

The contractor (OSC) is responsible for implementing and demonstrating security controls.

D. OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s) → Incorrect

Personnel unfamiliar with the job should not be used for testing.

Theassessment must reflect real-world conditions, so theactual employees who perform the work must demonstrate the process.

CMMC 2.0 References Supporting This Answer:

CMMC Assessment Process (CAP) Document

Specifies thatassessments must observe real operational activities to determine compliance.

CMMC-AB Assessment Methodology

Requirestesting of security controls in a realistic operational environment, meaning actual OSC personnel must perform the tasks.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Specifies thatinterviews and observations should be conducted with personnel who regularly perform the work.

Control Reference: CA.L2-3.12.1

CA.L2-3.12.1:"Periodically assess the security controls in organizational systems to determine if the controls are effective in their application."

This control is derived fromNIST SP 800-171, Requirement 3.12.1, which mandates organizations to performregular security control assessmentsto ensure compliance and effectiveness.

Assessment Criteria & Justification for the Correct Answer:

Evidence Review & Assessment Timeline:

The organization's procedureexplicitly statesthat security control assessments must be conductedquarterly(every three months).

Since the Lead Assessor only has access to thefirst-quarter report, the second-quarter report is missing at the time of assessment.

CMMC Audit Requirements:

For an assessor to rate a control asMET, sufficient evidence must bereadily availableat the time of evaluation.

Since the second-quarter report is missingat the time of assessment, the Lead Assessorcannot verify compliancewith the organization's own stated frequency of assessment.

Why the Answer is NOT A, C, or D:

A (Sufficient, MET)→Incorrect: The control assessment frequency is quarterly, but the evidence for Q2 is not available. Compliance cannot be confirmed.

C (Sufficient, and re-rate later)→Incorrect: If evidence is not available during the audit, the controlcannot be rated as MET initially. There is no provision in CMMC 2.0 to "conditionally" pass a control pending future evidence.

D (Insufficient, but re-rate later)→Incorrect: Once a control is ratedNOT MET, it staysNOT METuntil a re-assessment is conducted in a new audit cycle. The assessordoes not adjust ratings retroactivelybased on future evidence.

Official CMMC 2.0 References Supporting the Answer:

CMMC Assessment Process (CAP) Guide (2023):

"For a control to be rated as MET, the assessed organization must provide sufficient evidence at the time of the assessment."

"If evidence is missing or incomplete, the finding shall be rated as NOT MET."

NIST SP 800-171A (Security Requirement Assessment Guide):

"Evidence must be current, relevant, and sufficient to demonstrate compliance with stated periodicity requirements."

Since the procedure mandatesquarterly assessments, missing evidence means compliancecannot be validated.

DoD CMMC Scoping Guidance:

"Assessors shall base their determination on the evidence provided at the time of assessment. If required evidence is not available, the control shall be rated as NOT MET."

Final Conclusion:

Thecorrect answer is Bbecause the required evidence (the second-quarter report) is not availableat the time of assessment, making itinsufficientto validate compliance. The Lead Assessormust rate the control as NOT METin accordance with CMMC 2.0 assessment rules.