Cyber AB CMMC-CCP Exam (page: 4)
Cyber AB Certified CMMC Professional (CCP)
Updated on: 24-Mar-2026

Viewing Page 4 of 23

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

  1. CMMC-AB
  2. OUSDA&S
  3. DoD agency or client
  4. Contractor organization

Answer(s): D

Explanation:

The prime contractor (contractor organization) is responsible for ensuring that its subcontractors have the required CMMC certification level before engaging them in DoD contracts that involve FCI or CUI. This requirement is enforced through flow-down clauses in DFARS 252.204-7021, which mandates that subcontractors handling CUI meet the necessary CMMC Level 2 or Level 3 requirements.


Reference:

DFARS 252.204-7021(CMMC Compliance)
CMMC 2.0 Program Documentation
Step 2: Why Other Answer Choices Are Incorrect
A. CMMC-AB (Incorrect): The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and managing the assessment process, but it does not enforce subcontractor compliance.
B. OUSD A&S (Incorrect): The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) develops and oversees CMMC policy, but it does not monitor or enforce individual subcontractor compliance.
C. DoD agency or client (Incorrect): While the DoD sets CMMC requirements, it relies on prime contractors to ensure compliance among their subcontractors through contract flow-down requirements.

Final Confirmation of Answer(s): Prime contractors must ensure their subcontractors have the required CMMC certification level to handle FCI or CUI. Thus, the correct answer is: D. Contractor organization



How many domains does the CMMC Model consist of?

  1. 14 domains
  2. 43 domains
  3. 72 domains
  4. 110 domains

Answer(s): A

Explanation:

The CMMC Model consists of 14 domains, which are based on the NIST SP 800-171 control families with additional cybersecurity practices.
Each domain contains practices and processes that define cybersecurity requirements for organizations seeking CMMC certification.


Reference:

CMMC 2.0 Model Documentation
NIST SP 800-171 Framework
Step 2: List of 14 CMMC Domains
Access Control (AC)
Asset Management (AM) (introduced in CMMC 2.0 for scoping guidance)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Management (RM)
Security Assessment (CA)
System and Communications Protection (SC)

Step 3: Why Other Answer Choices Are Incorrect
B. 43 domains (Incorrect): The CMMC model does not have 43 domains; this number is incorrect.
C. 72 domains (Incorrect): There are 72 practices in CMMC Level 2, but not 72 domains.
D. 110 domains (Incorrect): 110 refers to the number of security controls in NIST SP 800-171, which aligns with CMMC Level 2, but these are controls, not domains.

Final Confirmation of Answer(s): The CMMC Model consists of 14 domains based on NIST SP 800-171 control families. Thus, the correct answer is: A. 14 domains



During the assessment process, who is the final interpretation authority for recommended findings?

  1. C3PAO
  2. CMMC-AB
  3. OSC sponsor
  4. Assessment Team Members

Answer(s): B

Explanation:

Final Interpretation Authority in the CMMC Assessment Process
During a CMMC Level 2 assessment, several entities are involved in the process, including the Organization Seeking Certification (OSC), the Certified Third-Party Assessment Organization (C3PAO), Assessment Team Members, and the CMMC Accreditation Body (CMMC-AB).
Role of the C3PAO and Assessment Team:
The Certified Third-Party Assessment Organization (C3PAO) is responsible for conducting the assessment and making initial recommended findings based on NIST SP 800-171 security requirements.
Assessment Team Members (Lead Assessor and support staff) conduct evaluations and submit their recommendations to the C3PAO.
Final Interpretation Authority - CMMC-AB:
The CMMC Accreditation Body (CMMC-AB) is responsible for ensuring consistency and accuracy in assessments.
If there is any dispute or need for clarification regarding findings, CMMC-AB provides the final interpretation and guidance.
This ensures uniformity in certification decisions across different C3PAOs.
Why CMMC-AB is the Answer:
CMMC-AB has the ultimate authority over the quality assurance process for assessments.
It reviews remediation requests, challenges, or disputes from the OSC or C3PAO and makes final determinations.
The CMMC-AB maintains oversight to ensure assessments align with CMMC 2.0 policies and DFARS 252.204-7021 requirements.
Why Other Answer Choices Are Incorrect
A. C3PAO: The C3PAO conducts the assessment and submits findings, but it does not have the final interpretation authority. Findings must pass through the CMMC-AB quality assurance process.
C. OSC Sponsor: The OSC (Organization Seeking Certification) cannot interpret findings; it can only respond to identified deficiencies and appeal assessments through CMMC-AB channels.
D. Assessment Team Members: The assessment team recommends findings but does not make final interpretations. Its role is limited to conducting evaluations, collecting evidence, and submitting reports to the C3PAO.

Reference:

CMMC Assessment Process Guide (CAP v2.0) - Cyber AB
DFARS 252.204-7021 (DoD Regulation on CMMC Requirements)
CMMC 2.0 Model Overview (DoD CIO Site)
Final Answer(s): B. CMMC-AB



An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message. Which organization's website should the OSC consult to identify what this marking means?

  1. NARA
  2. CMMC-AB
  3. DoD Contractors FAQ page
  4. DoD 239.7601 Definitions page

Answer(s): A

Explanation:

What Does "CUI//SP-PRVCY//FED Only" Mean?
The email contains Controlled Unclassified Information (CUI) with specific categories and dissemination controls.
CUI//SP-PRVCY//FED Only breaks down as follows:
CUI: Controlled Unclassified Information designation.
SP-PRVCY: Specified category for Privacy Information (SP stands for "Specified").
FED Only: Restriction for Federal Government use only (not for contractors or the public).
Who Maintains the Official CUI Registry?
The National Archives and Records Administration (NARA) oversees the CUI Program and maintains the official CUI Registry (https://www.archives.gov/cui). The CUI Registry provides definitions, marking guidance, and categories for all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."
Why NARA is the Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI should refer to the NARA CUI Registry for official marking interpretations.
DoD contractors and other organizations must comply with NARA guidelines when handling, marking, and disseminating CUI.
Why Other Answer Choices Are Incorrect
B. CMMC-AB: The CMMC Accreditation Body manages certification assessments but does not define or interpret CUI markings.
C. DoD Contractors FAQ Page: The DoD may provide general contractor guidance, but CUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page: This refers to general DoD acquisition definitions, but CUI categories and markings fall under NARA's authority.

Reference:

NARA CUI Registry (https://www.archives.gov/cui)
DoD CUI Program Guidance (DoD CIO Site)
CMMC 2.0 Level 2 Compliance Requirements (Cyber AB)
Final Answer(s): A. NARA



Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

  1. Organizational operations, business assets, and employees
  2. Organizational operations, business processes, and employees
  3. Organizational operations, organizational assets, and individuals
  4. Organizational operations, organizational processes, and individuals

Answer(s): C

Explanation:

The Risk Assessment (RA) domain aligns with NIST SP 800-171 control family 3.11 (Risk Assessment) and is designed to help organizations identify, assess, and manage cybersecurity risks that could impact their operations.
The RA.3.144 practice (which is a CMMC Level 2 requirement) explicitly states:
"Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
Organizational operations (e.g., mission, business continuity, functions)
Organizational assets (e.g., data, IT systems, intellectual property)
Individuals (e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer is C. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees (Incorrect): "Business assets" is not the terminology used in CMMC/NIST SP 800-171. Instead, "organizational assets" is the proper term.
B. Organizational operations, business processes, and employees (Incorrect): "Business processes" is not a part of the formal risk assessment requirement. The correct scope includes organizational assets and individuals, not just processes.
D. Organizational operations, organizational processes, and individuals (Incorrect): While processes are important, organizational assets must be considered in the assessment, not just processes.

CMMC Official Reference
CMMC 2.0 Model (Level 2 - RA.3.144): Specifies that risk assessments must cover organizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1): Reinforces the same risk assessment scope.
Thus, option C (Organizational operations, organizational assets, and individuals) is the correct answer based on official CMMC risk assessment requirements.



In the CMMC Model, how many practices are included in Level 2?

  1. 17 practices
  2. 72 practices
  3. 110 practices
  4. 180 practices

Answer(s): C

Explanation:

CMMC Level 2 is designed to align fully with NIST SP 800-171, which consists of 110 security controls (practices).
This means all 110 practices from NIST SP 800-171 are required for a CMMC Level 2 certification.
How Many Practices Are Included in CMMC Level 2? Breakdown of Practices in CMMC 2.0:
CMMC Level   Number of Practices
Level 1      17 practices (Basic Cyber Hygiene)
Level 2      110 practices (aligned with NIST SP 800-171)
Level 3      Not yet finalized but expected to exceed 110
Since CMMC Level 2 mandates all 110 NIST SP 800-171 practices, the correct answer is C. 110 practices.

Why the Other Answers Are Incorrect
A. 17 practices (Incorrect): 17 practices apply only to CMMC Level 1, not Level 2.
B. 72 practices (Incorrect): There is no CMMC level with 72 practices.
D. 180 practices (Incorrect): CMMC Level 2 only requires 110 practices, not 180.

CMMC Official Reference
CMMC 2.0 Model: Confirms that Level 2 includes 110 practices aligned with NIST SP 800-171.
NIST SP 800-171 Rev. 2: Outlines the 110 security controls required for handling Controlled Unclassified Information (CUI).
Thus, option C (110 practices) is the correct answer, as per official CMMC guidance.



The Audit and Accountability (AU) domain has practices in:

  1. Level 1.
  2. Level 2.
  3. Levels 1 and 2.
  4. Levels 1 and 3.

Answer(s): B

Explanation:

The Audit and Accountability (AU) domain is one of the 14 families of security requirements in NIST SP 800-171 Rev. 2, which is fully adopted by CMMC 2.0 Level 2.
Analysis of the Given Options:
A. Level 1 (Incorrect): CMMC Level 1 only includes the 17 basic FAR 52.204-21 safeguarding requirements and does not cover Audit and Accountability (AU) practices.
B. Level 2 (Correct): The AU domain is required at Level 2, which aligns with NIST SP 800-171. CMMC 2.0 Level 2 includes 110 security controls, among which the AU-related controls focus on logging, monitoring, and accountability.
C. Levels 1 and 2 (Incorrect): Level 1 does not require audit and accountability practices.
D. Levels 1 and 3 (Incorrect): CMMC 2.0 only has Levels 1, 2, and 3, and AU is present in Level 2, making Level 3 irrelevant for this answer.
Official Reference Supporting the Answer(s):
NIST SP 800-171 Rev. 2 (Audit and Accountability - Family 3.3): The AU domain consists of security controls 3.3.1 - 3.3.8, focusing on audit log generation, retention, and accountability.
CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171): AU practices (Audit and Accountability) are only required at Level 2.
Conclusion: The AU domain applies only to CMMC 2.0 Level 2, making the correct answer:
B. Level 2.



A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?

  1. Pay an assessment submission fee.
  2. Complete an internal review of the results.
  3. Notify the CMMC-AB that submission is forthcoming.
  4. Coordinate a final briefing between the Lead Assessor and the OSC.

Answer(s): D

Explanation:

A CMMC Level 2 Assessment is conducted by a C3PAO (Certified Third-Party Assessment Organization) to determine whether the Organization Seeking Certification (OSC) meets all required 110 NIST SP 800-171 controls.
Before submitting the results, the C3PAO must complete a final briefing between the Lead Assessor and the OSC to review findings and clarify any concerns.
Analysis of the Given Options:
A. Pay an assessment submission fee (Incorrect): There is no mandatory submission fee for assessment results. Fees apply to the assessment process, not submission.
B. Complete an internal review of the results (Incorrect): While internal reviews are encouraged, they are not a required step before submission in CMMC assessment procedures.
C. Notify the CMMC-AB that submission is forthcoming (Incorrect): The C3PAO submits results to the CMMC-AB through the CMMC eMASS system, but prior notification is not a required procedural step.
D. Coordinate a final briefing between the Lead Assessor and the OSC (Correct): According to CMMC Assessment Process (CAP) guidelines, the Lead Assessor must conduct a final briefing with the OSC before submitting the results. This briefing ensures transparency, provides the OSC with insight into the findings, and allows for final clarifications.
Official Reference Supporting the Answer(s):
CMMC Assessment Process (CAP) v1.0: Requires a final briefing between the Lead Assessor and the OSC before submitting assessment results.
CMMC-AB and C3PAO Process Requirements: The Lead Assessor must communicate final findings with the OSC before submission to CMMC-AB.
Conclusion: The correct answer is:
D. Coordinate a final briefing between the Lead Assessor and the OSC.


