Weekend Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

Questions 4

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Options:

A.

Have a security clearance

B.

Be a senior person in the company

C.

Demonstrate expertise on the CMMC requirements

D.

Provide clarity and understanding of their practice activities

Buy Now
Questions 5

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

Options:

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Buy Now
Questions 6

For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?

Options:

A.

ESP

B.

People

C.

Test equipment

D.

Government property

Buy Now
Questions 7

What is the primary intent of the verify evidence and record gaps activity?

Options:

A.

Map test and demonstration responses to CMMC practices.

B.

Conduct interviews to test process implementation knowledge.

C.

Determine the one-to-one relationship between a practice and an assessment object.

D.

Identify and describe differences between what the Assessment Team required and the evidence collected.

Buy Now
Questions 8

Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?

Options:

A.

Legal agreement

B.

CMMC agreement

C.

Assessment agreement

D.

Non-disclosure agreement

Buy Now
Questions 9

For a scoping a CMMC Level 1 Self-Assessment, which asset types are assessed against CMMC practices?

Options:

A.

Any IoT or Industrial Internet of Things devices

B.

Any restricted IS

C.

Any test equipment hardware

D.

Any asset transmitting FCI

Buy Now
Questions 10

During an assessment, which phase of the process identifies conflicts of interest?

Options:

A.

Analyze requirements.

B.

Develop assessment plan.

C.

Verify readiness to conduct assessment.

D.

Generate final recommended assessment results.

Buy Now
Questions 11

What technical means can an OSC have in place to limit individuals who are authorized to post or process information on publicly accessible systems?

Options:

A.

Enable cookies to track who has accessed certain websites.

B.

Ensure procedural documentation is in place on how to access website consoles.

C.

Ensure marketing team trainings are required so that any changes to the website go through proper review.

D.

Enable administrative access roles to those that need them so that only those people can post items to the website.

Buy Now
Questions 12

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

Options:

A.

That the information is correct

B.

That the CEO approved the message

C.

That the company has to safeguard the release of FCI

D.

That so long as the information is only FCI, it can be released

Buy Now
Questions 13

A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?

Options:

A.

The C3PAO submits the results to the CMMC-AB.

B.

The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.

C.

The C3PAO submits the results to Enterprise Mission Assurance Support Service.

D.

The Lead Assessor submits the results to the CMMC-AB.

Buy Now
Questions 14

A cyber incident is discovered that affects a covered contractor IS and the CDI residing therein. How long does the contractor have to inform the DoD?

Options:

A.

24 hours

B.

48 hours

C.

72 hours

D.

96 hours

Buy Now
Questions 15

During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?

Options:

A.

FCI

B.

Change of leadership in the organization

C.

Launching of their new business service line

D.

Public releases identifying major deals signed with commercial entities

Buy Now
Questions 16

The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?

Options:

A.

Expert

B.

Advanced

C.

Optimizing

D.

Continuously Improved

Buy Now
Questions 17

A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset Which function BEST describes what the printer does with the FCI?

Options:

A.

Encrypt

B.

Manage

C.

Process

D.

Distribute

Buy Now
Questions 18

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?

Options:

A.

Adequacy

B.

Sufficiency

C.

Process mapping

D.

Assessment scope

Buy Now
Questions 19

A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?

Options:

A.

FedRAMP Low

B.

FedRAMP Moderate

C.

FedRAMP High

D.

FedRAMP Secure

Buy Now
Questions 20

A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room. as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist ' s actions are in direct violation of which CMMC practice?

Options:

A.

PE.L1-3.10.3: Escort visitors and monitor visitor activity

B.

PE.L1-3.10.5: Control and manage physical access devices

C.

PS.L2-3.9.1; Screen individuals prior to authorizing access to organizational systems containing CUI

D.

PS.L2-3 9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

Buy Now
Questions 21

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Options:

A.

have a security clearance.

B.

be a senior person in the company.

C.

demonstrate expertise on the CMMC requirements.

D.

provide clarity and understanding of their practice activities.

Buy Now
Questions 22

To develop an assessment contract and establish a scope of work, which organization does an OSC work with?

Options:

A.

OUSD

B.

RPOs

C.

C3PAOs

D.

CMMC-AB

Buy Now
Questions 23

A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?

Options:

A.

It is storing FCI.

B.

It is testing FCI.

C.

It is distributing FCI.

D.

It is properly marked as FCI.

Buy Now
Questions 24

What is the BEST document to find the objectives of the assessment of each practice?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Buy Now
Questions 25

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

Options:

A.

Conduct a penetration test

B.

Interview the intrusion detection system ' s supplier.

C.

Upload known malicious code and observe the system response.

D.

Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Buy Now
Questions 26

SI.L2-3.14.7: Identify unauthorized use of organizational systems is being assessed using two assessment objectives. The assessment objectives are to determine if authorized use of the system is defined and to determine if unauthorized use of the system is identified. What is the BEST evidence for this practice?

Options:

A.

Risk response

B.

Risk assessment

C.

Incident response

D.

System monitoring

Buy Now
Questions 27

According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?

Options:

A.

The NARA CUI Executive Agent

B.

The contractor who generated the information

C.

The DoD agency for whom the contractor is performing the work

D.

The military personnel assigned to the contractor for that purpose

Buy Now
Questions 28

An assessment is being completed at a client site that is not far from the Lead Assessor ' s home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

Options:

A.

Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.

B.

Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

C.

Log into the client VPN from the assessor ' s laptop and retrieve the documents from the secure cloud storage service.

D.

Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.

Buy Now
Questions 29

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC ' s external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:

Options:

A.

inadequate because it is irrelevant to the practice.

B.

adequate because it fits well for expected artifacts.

C.

adequate because no security incidents were reported.

D.

inadequate because the OSC ' s service provider should be interviewed.

Buy Now
Questions 30

Ethics is a shared responsibility between:

Options:

A.

DoD and CMMC-AB.

B.

OSC and sponsors.

C.

CMMC-AB and members of the CMMC Ecosystem.

D.

members of the CMMC Ecosystem and Lead Assessors.

Buy Now
Questions 31

Evidence gathered from an OSC is being reviewed. Based on the assessment and organizational scope, the Lead Assessor requests the Assessment Team to verify that the coverage by domain, practice. Host Unit. Supporting Organization/Unit, and enclaves are comprehensive enough to rate against each practice. Which criteria is the assessor referring to?

Options:

A.

Adequacy

B.

Capability

C.

Sufficiency

D.

Objectivity

Buy Now
Questions 32

An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?

Options:

A.

Notify the CMMC-AB.

B.

Cancel the assessment.

C.

Postpone the assessment.

D.

Contact the C3PAO for guidance.

Buy Now
Questions 33

An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?

Options:

A.

Yes, the antivirus program is available, so it is sufficient.

B.

Yes, antivirus programs are automated to run independently.

C.

No, the team member must know how the antivirus program is deployed and maintained.

D.

No, the team member ' s interview answers about deployment and maintenance are insufficient.

Buy Now
Questions 34

Which document specifies the CMMC Level 1 practices that correspond to basic safeguarding requirements?

Options:

A.

NIST SP 800-171

B.

NIST SP 800-171b

C.

48 CFR 52.204-21

D.

DFARS 252.204-7012

Buy Now
Questions 35

In the Code of Professional Conduct, what does the practice of Professionalism require?

Options:

A.

Do not copy materials without permission to do so.

B.

Do not make assertions about assessment outcomes.

C.

Refrain from dishonesty in all dealings regarding CMMC.

D.

Ensure the security of all information discovered or received.

Buy Now
Questions 36

When executing a remediation review, the Lead Assessor should:

Options:

A.

help OSC to complete planned remediation activities.

B.

plan two consecutive remediation reviews for an OSC.

C.

submit a delta assessment remediation package for C3PAO ' s internal quality review.

D.

validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment.

Buy Now
Questions 37

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

Options:

A.

CUI Assets and Specialized Assets

B.

Security Protection Assets and CUI Assets

C.

Specialized Assets and Contractor Risk Managed Assets

D.

Security Protection Assets and Contractor Risk Managed Assets

Buy Now
Questions 38

The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?

Options:

A.

FBI CUI Introduction to Marking

B.

NARA CUI Introduction to Marking

C.

C3PAO CUI Introduction to Marking

D.

CMMC-AB CUI Introduction to Marking

Buy Now
Questions 39

What is the BEST description of the purpose of FAR clause 52 204-21?

Options:

A.

It directs all covered contractors to install the cyber security systems listed in that clause.

B.

It describes all of the safeguards that contractors must take to secure covered contractor IS.

C.

It describes the minimum standard of care that contractors must take to secure covered contractor IS.

D.

It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

Buy Now
Questions 40

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?

Options:

A.

Clear, purge, destroy

B.

Clear, redact, destroy

C.

Clear, overwrite, purge

D.

Clear, overwrite, destroy

Buy Now
Questions 41

An assessor has been working with an OSC ' s point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?

Options:

A.

Scoping an assessment is easy and worry-free.

B.

The initial plan cannot be changed once agreed upon.

C.

There is a determined amount of time that the OSC ' s point of contact has to submit evidence and rough order-of-magnitude.

D.

Assessors need to continuously review and update the requirements and plan for the assessment as information is gathered.

Buy Now
Questions 42

When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?

Options:

A.

OSC

B.

C3PAO

C.

C3PAO and OSC

D.

OSC and Lead Assessor

Buy Now
Questions 43

In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?

Options:

A.

loT

B.

Restricted IS

C.

Test equipment

D.

Operational technology

Buy Now
Questions 44

Which standard and regulation requirements are the CMMC Model 2.0 based on?

Options:

A.

NIST SP 800-171 and NIST SP 800-172

B.

DFARS, FIPS 100, and NIST SP 800-171

C.

DFARS, NIST, and Carnegie Mellon University

D.

DFARS, FIPS 100, NIST SP 800-171, and Carnegie Mellon University

Buy Now
Questions 45

The IT manager is scoping the company ' s CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?

Options:

A.

ESP

B.

People

C.

Facilities

D.

Technology

Buy Now
Questions 46

The Advanced Level in CMMC will contain Access Control {AC) practices from:

Options:

A.

Level 1.

B.

Level 3.

C.

Levels 1 and 2.

D.

Levels 1,2, and 3.

Buy Now
Questions 47

What activities are conducted while developing an assessment plan?

Options:

A.

The C3PAO decides the Assessment Team members and notifies the Lead Assessor.

B.

The Lead Assessor and the OSC’s sponsor determine the assessment resources and schedule.

C.

The C3PAO’s project manager is responsible for handling potential conflicts of interest.

D.

The evidence collection approach can be finalized when the Lead Assessor conducts an onsite assessment.

Buy Now
Questions 48

An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?

Options:

A.

Determine level recommendation

B.

Archive all assessment artifacts

C.

Determine final practice pass/fail results

D.

Archive or dispose of any assessment artifacts

Buy Now
Questions 49

Which statement is NOT a requirement for a Licensed Partner Publisher?

Options:

A.

Must have at least two years of history in publishing

B.

Must possess a Dun and Bradstreet number and background check

C.

Must receive CMMC Level 3 certification

D.

Must be approved by CMMC-AB or authorized organization

Buy Now
Questions 50

What is the legal entity under a contract that has agreed to deliver products or services?

Options:

A.

Supporting Organization/Unit

B.

Commercial and Government Entity Code

C.

Host Unit

D.

HQ Organization

Buy Now
Questions 51

How are the Final Recommended Assessment Findings BEST presented?

Options:

A.

Using the CMMC Findings Brief template

B.

Using a C3PAO-provided template that is preferred by the OSC

C.

Using a C3PAO-branded version of the CMMC Findings Brief template

D.

Using the proprietary template created by the Lead Assessor after approval from the C3PAO

Buy Now
Questions 52

During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?

Options:

A.

Connections for nonlocal maintenance sessions should be terminated when maintenance is complete.

B.

Connections for nonlocal maintenance sessions should be unlimited to ensure maintenance is performed properly

C.

The nonlocal maintenance personnel complain that restrictions slow down their response time and should be removed.

D.

The maintenance policy states multifactor authentication must have at least two factors applied for nonlocal maintenance sessions.

Buy Now
Questions 53

A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?

Options:

A.

Pay an assessment submission fee.

B.

Complete an internal review of the results.

C.

Notify the CMMC-AB that submission is forthcoming.

D.

Coordinate a final briefing between the Lead Assessor and the OSC.

Buy Now
Questions 54

A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA & M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

Options:

A.

80 practices

B.

88 practices

C.

100 practices

D.

110 practices

Buy Now
Questions 55

Which statement BEST describes a LTP?

Options:

A.

Creates DoD-licensed training

B.

Instructs a curriculum approved by CMMC-AB

C.

May market itself as a CMMC-AB Licensed Provider for testing

D.

Delivers training using some CMMC body of knowledge objectives

Buy Now
Questions 56

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?

Options:

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Buy Now
Questions 57

A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?

Options:

A.

Gathering evidence

B.

Review of the OSC ' s SSP

C.

Overview of the assessment process

D.

Examination of the artifacts for sufficiency

Buy Now
Questions 58

While determining the scope for a company ' s CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

Options:

A.

ESPs

B.

People

C.

Facilities

D.

Technology

Buy Now
Questions 59

While conducting a CMMC Level 2 Assessment, a CCP is reviewing an OSC ' s personnel security process. They have a policy that describes screening individuals prior to authorizing access to CUI, but it does not mention what organizations should be looking for in an individual. There is no link to a process or procedural document. What should the OSC evaluate when screening individuals prior to accessing CUI?

Options:

A.

They are trusted and well liked

B.

They are a hard and loyal worker

C.

Their conduct, integrity, and loyalty

D.

Their functionality, reliability, and ability to adapt

Buy Now
Questions 60

Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?

Options:

A.

Completion dates

B.

Milestones to measure progress

C.

Ownership of who is accountable for ensuring plan performance

D.

Budget requirements to implement the plan ' s remediation actions

Buy Now
Questions 61

What banner markings MUST a document that contains CUI include?

Options:

A.

A highest level of CUI contained within the document marking on each page

B.

All CUI Category and Subcategory markings contained within the document on each page

C.

A special Category or Subcategory marking on the cover page only

D.

A special Category or Subcategory marking on only the page(s) that include the CUI

Buy Now
Questions 62

Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

Options:

A.

Cybersecurity

B.

Data security

C.

Network security

D.

Information security

Buy Now
Questions 63

Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Buy Now
Questions 64

An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

Options:

A.

Analyzer

B.

Inspector

C.

Applicable staff

D.

Demonstration staff

Buy Now
Questions 65

A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?

Options:

A.

Performed in groups for more efficient use of resources

B.

Recorded for inclusion in the Final Recommended Findings report

C.

Confidential and non-attributable so interviewees can speak without fear of reprisal

D.

Mapped to specific CMMC practices to clearly delineate which practice is being evaluated

Buy Now
Questions 66

Which organization is the governmental authority responsible for identifying and marking CUI?

Options:

A.

NARA

B.

NIST

C.

CMMC-AB

D.

Department of Homeland Security

Buy Now
Questions 67

Who is the FedRAMP certification program for?

Options:

A.

IT contractors risk management self-assessments

B.

Cloud service providers for cloud products and services

C.

IT contractors for cybersecurity self-assessments

D.

Cloud service providers for on-premise products and services

Buy Now
Questions 68

Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?

Options:

A.

Test

B.

Assess

C.

Examine

D.

Interview

Buy Now
Questions 69

The CMMC Level 2 assessment methods include examination and can include:

Options:

A.

documents, mechanisms, or activities.

B.

specific hardware, software, or firmware safeguards employed within a system.

C.

policies, procedures, security plans, penetration tests, and security requirements.

D.

observation of system backup operations, exercising a contingency plan, and monitoring network traffic.

Buy Now
Questions 70

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

Options:

A.

CDI

B.

CTI

C.

CUI

D.

FCI

Buy Now
Exam Code: CMMC-CCP
Exam Name: Certified CMMC Professional (CCP) Exam
Last Update: Jul 19, 2026
Questions: 236

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99