CMMC-CCP Exam Dumps - Certified CMMC Professional (CCP) Exam
In the CMMC Model, how many practices are included in Level 2?
17 practices
72 practices
110 practices
180 practices
Answer:
Explanation:
CMMC Level 2is designed to alignfullywithNIST SP 800-171, which consists of110 security controls (practices).
This meansall 110 practicesfrom NIST SP 800-171 are required for aCMMC Level 2 certification.
How Many Practices Are Included in CMMC Level 2?Breakdown of Practices in CMMC 2.0CMMC Level
Number of Practices
Level 1
17 practices(Basic Cyber Hygiene)
Level 2
110 practices(Aligned with NIST SP 800-171)
Level 3
Not yet finalized but expected to exceed 110
Since CMMC Level 2 mandatesall 110 NIST SP 800-171 practices, the correct answer isC. 110 practices.
A. 17 practicesâŒIncorrect.17 practicesapply only toCMMC Level 1, not Level 2.
B. 72 practicesâŒIncorrect. There is no CMMC level with72 practices.
D. 180 practicesâŒIncorrect. CMMC Level 2only requires 110 practices, not 180.
Why the Other Answers Are Incorrect
CMMC 2.0 Model– Confirms thatLevel 2 includes 110 practicesaligned withNIST SP 800-171.
NIST SP 800-171 Rev. 2– Outlines the110 security controlsrequired for handlingControlled Unclassified Information (CUI).
CMMC Official ReferencesThus,option C (110 practices) is the correct answer, as per official CMMC guidance.
What are CUI protection responsibilities?
Shielding
Governing
Correcting
Safeguarding
Answer:
Explanation:
Understanding CUI Protection ResponsibilitiesControlled Unclassified Information (CUI)is sensitive butnot classifiedinformation that requires protection underDoD Instruction 5200.48andDFARS 252.204-7012.
Theprimary responsibilityfor handling CUIis safeguardingit against unauthorized access, disclosure, or modification.
TheCUI Program (as per NARA and DoD)mandatessafeguarding measuresto protectCUI in both digital and physical forms.
CMMC 2.0 Level 2 (Advanced) practices align with NIST SP 800-171, which focuses on safeguarding CUIthrough access controls, encryption, and monitoring.
DFARS 252.204-7012requires DoD contractors to implementcybersecurity safeguardsto protect CUI.
A. Shielding (Incorrect)–Shieldingis not a cybersecurity term associated with CUI protection.
B. Governing (Incorrect)–Governing refers to policy-making, not direct protection.
C. Correcting (Incorrect)–Correcting implies remediation, but the primary responsibility is tosafeguardCUI proactively.
The correct answer isD. Safeguarding, asCUI protection focuses on implementing cybersecurity safeguards.
The Audit and Accountability (AU) domain has practices in:
Level 1.
Level 2.
Levels 1 and 2.
Levels 1 and 3.
Answer:
Explanation:
TheAudit and Accountability (AU) domainis one of the14 familiesof security requirements inNIST SP 800-171 Rev. 2, which is fully adopted byCMMC 2.0 Level 2.
A. Level 1→Incorrect
CMMCLevel 1only includes17 basic FAR 52.204-21 safeguarding requirementsand does not coverAudit and Accountability (AU)practices.
B. Level 2→Correct
TheAU domain is required at Level 2, which aligns withNIST SP 800-171.
CMMC 2.0 Level 2includes110 security controls, among whichAU-related controlsfocus on logging, monitoring, and accountability.
C. Levels 1 and 2→Incorrect
Level 1 does not requireaudit and accountability practices.
D. Levels 1 and 3→Incorrect
CMMC 2.0 only has Levels 1, 2, and 3, andAU is present in Level 2, making Level 3 irrelevant for this answer.
NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3)
TheAU domainconsists of security controls3.3.1 – 3.3.8, focusing on audit log generation, retention, and accountability.
CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171)
AU practices (Audit and Accountability) are only required at Level 2.
Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:TheAU domain applies only to CMMC 2.0 Level 2, making the correct answer:
✅B. Level 2.
Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?
Level 1
Level 2
Level 3
Any level
Answer:
Explanation:
1. Understanding CMMC 2.0 Levels and CUI Handling RequirementsUnderCMMC 2.0, contractors handlingControlled Unclassified Information (CUI)must meet aminimumcertification level to be eligible for contract awards involving CUI.
Level 1 (Foundational) – 17 Practices
Covers onlyFederal Contract Information (FCI)security.
Does NOT meet CUI handling requirements.
Level 2 (Advanced) – 110 Practices✅
REQUIRED for handling CUI.
Aligns withNIST SP 800-171, which establishes security controls for protecting CUI.
Contractorsmust achieve Level 2for contracts requiring CUI protection.
Level 3 (Expert) – 110+ Practices
Required for contracts involvinghigh-value CUIandcritical national security information.
Includesadditionalprotections fromNIST SP 800-172.
CMMC 2.0 Levels:
TheCMMC 2.0 Model Overviewclearly states that Level 2 is required for contractorshandling CUI.
DFARS 252.204-7012mandates that contractors protecting CUI must implementNIST SP 800-171, which is thefoundation of CMMC Level 2.
TheDoD’s CMMC Assessment Guidefor Level 2 specifies thatorganizations handling CUI must demonstrate full implementation of 110 practices from NIST SP 800-171to qualify for contract awards.
2. Official CMMC 2.0 References Confirming Level 2 for CUI
A. Level 1âŒ
Only covers FCI, not CUI.
Does notmeet DoD requirements for protectingCUI.
C. Level 3âŒ
While Level 3 offersadditional protectionsfor high-risk CUI, it isnot the minimumrequirement.
Level 2 is the minimumneeded to handle CUI.
D. Any levelâŒ
OnlyLevel 2 and higherare eligible for contracts requiring CUI protection.
Level 1 doesnotmeet CUI security standards.
3. Why the Other Options Are Incorrect
The evidence needed for each practice and/or process is weight for:
adequacy and sufficiency.
adequacy and thoroughness.
sufficiency and thoroughness.
sufficiency and appropriateness.
Answer:
Explanation:
During aCMMC assessment, organizations must provide evidence to demonstrate compliance with requiredpractices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy– Does the evidence meet the intent of the security requirement?
Sufficiency– Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in theCMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:✅1. Adequacy – Does the evidence fully meet the requirement?
Adequacyrefers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforceMulti-Factor Authentication (MFA), an assessor would checksystem configurations, login policies, and user authentication logsto confirm that MFA is actually in use.
✅2. Sufficiency – Is there enough evidence to support the claim?
Sufficiencymeans that there isenough supporting evidenceto prove compliance.
Example: If an organization providesonly one screenshot of an MFA login screen, that alone may not besufficient—additional logs, policies, and user records would help strengthen the case.
(B) Adequacy and ThoroughnessâŒ
Thoroughnessis not a defined metric in CMMC evidence evaluation.
The focus is onwhether the evidence meets the requirement (adequacy)and if there isenough of it (sufficiency).
(C) Sufficiency and ThoroughnessâŒ
Thoroughnessis not a recognized term in CMMC compliance validation.
Evidence must beadequate and sufficient, not just thorough.
(D) Sufficiency and AppropriatenessâŒ
Appropriatenessis not a CMMC-defined criterion.
Thecorrect terms used in CMMC assessmentsareAdequacy(Does it meet the requirement?) andSufficiency(Is there enough proof?).
Why the Other Answer Choices Are Incorrect:
CMMC Assessment Process Guideexplicitly states that evidence must be evaluated based onadequacyandsufficiencyto confirm compliance with security practices.
Final Validation from CMMC Documentation:
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1. Guidelines for Media Sanitation?
Clear, purge, destroy
Clear redact, destroy
Clear, overwrite, purge
Clear, overwrite, destroy
Answer:
Explanation:
Understanding NIST SP 800-88 Rev. 1 and Media SanitizationTheNIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance onsecure disposalof data from various types of storage media to prevent unauthorized access or recovery.
Clear
Useslogical techniquesto remove data from media, making it difficult to recover usingstandard system functions.
Example:Overwriting all datawith binary zeros or ones on a hard drive.
Applies to:Magnetic media, solid-state drives (SSD), and non-volatile memorywhen the media isreused within the same security environment.
Purge
Usesadvanced techniquesto make data recoveryinfeasible, even with forensic tools.
Example:Degaussinga magnetic hard drive orcryptographic erasure(deleting encryption keys).
Applies to:Media that is leaving organizational control or requires a higher level of assurance than "Clear".
Destroy
Physicallydamages the mediaso that data recovery isimpossible.
Example:Shredding, incinerating, pulverizing, or disintegratingstorage devices.
Applies to:Highly sensitive data that must be permanently eliminated.
B. Clear, Redact, Destroy (Incorrect)– "Redact" is a term used for document sanitization,notdata disposal.
C. Clear, Overwrite, Purge (Incorrect)– "Overwrite" is a method within "Clear," but it isnot a top-level categoryin NIST SP 800-88.
D. Clear, Overwrite, Destroy (Incorrect)– "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.
The correct answer isA. Clear, Purge, Destroy, as these are thethree official categoriesof data disposal inNIST SP 800-88 Revision 1.
Who is responsible for identifying and verifying Assessment Team Member qualifications?
C3PAO
CMMC-AB
Lead Assessor
CMMC Marketplace
Answer:
Explanation:
Understanding the Role of the Lead Assessor in CMMC AssessmentsTheLead Assessoris responsible for managing theAssessment Teamand ensuring that all team members meet the required qualifications as defined by theCMMC Accreditation Body (CMMC-AB)and theCybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) Guide.
Lead Assessor’s Key Responsibilities (Per CAP Guide)
Verify team member qualificationsto ensure compliance with CMMC-AB guidelines.
Assignappropriate assessment tasksbased on team members’ expertise.
Ensure that theassessment is conducted in accordance with CMMC procedures.
Why Not the Other Options?
A. C3PAO (Certified Third-Party Assessor Organization)→Incorrect
AC3PAOis responsible fororganizing assessmentsand ensuring their execution, but itdoes not verify individual team member qualifications—that responsibility belongs to theLead Assessor.
B. CMMC-AB (CMMC Accreditation Body)→Incorrect
TheCMMC-ABestablishestraining and certification requirements, but itdoes not verify individual assessment team members—that responsibility is given to theLead Assessor.
D. CMMC Marketplace→Incorrect
TheCMMC Marketplacelists authorizedC3PAOs, Registered Practitioners (RPs), and Certified Professionals (CCPs)butdoes not verify assessment team qualifications.
CMMC Assessment Process (CAP) Guide– Defines theLead Assessor’s responsibilityfor verifying assessment team qualifications.
CMMC-AB Certification Guide– Specifies that the Lead Assessor must ensure all assessment team members meet CMMC-AB qualification standards.
Why the Correct Answer is "C. Lead Assessor"?Relevant CMMC 2.0 References:Final Justification:Since theLead Assessor is responsible for verifying assessment team member qualifications, the correct answer isC. Lead Assessor.
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
Access control
Physical access control
Mandatory access control
Discretionary access control
Answer:
Explanation:
Understanding Access Control in CMMCAccess control refers to the process ofgranting or denyingspecific requests to:
Obtain and use information
Access information processing services
Enter specific physical locations
TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:
✅Implement policies for granting and revoking access.
✅Restrict access to authorized personnel only.
✅Protect physical and digital assets from unauthorized access.
Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.
B. Physical access controlâŒIncorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.
C. Mandatory access control (MAC)âŒIncorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.
D. Discretionary access control (DAC)âŒIncorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.
Why the Other Answers Are Incorrect
CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.
NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.
CMMC Official ReferencesThus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.