Cyber AB CMMC-CCP Exam (page: 4)
Cyber AB Certified CMMC Professional (CCP)
Updated on: 09-Feb-2026

Viewing Page 4 of 23

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

  A. CMMC-AB
  B. OUSDA&S
  C. DoD agency or client
  D. Contractor organization

Answer(s): D

Explanation:

The prime contractor (contractor organization) is responsible for ensuring that its subcontractors have the required CMMC certification level before engaging them in DoD contracts that involve FCI or CUI. This requirement is enforced through flow-down clauses in DFARS 252.204-7021, which mandates that subcontractors handling CUI meet the necessary CMMC Level 2 or Level 3 requirements.


Reference:

DFARS 252.204-7021 (CMMC Compliance)
CMMC 2.0 Program Documentation

Why Other Answer Choices Are Incorrect
A. CMMC-AB (Incorrect): The Cyber AB (formerly CMMC-AB) is responsible for accrediting C3PAOs and managing the assessment process, but it does not enforce subcontractor compliance.
B. OUSDA&S (Incorrect): The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) develops and oversees CMMC policy, but it does not monitor or enforce individual subcontractor compliance.
C. DoD agency or client (Incorrect): While the DoD sets CMMC requirements, it relies on prime contractors to ensure compliance among their subcontractors through contract flow-down requirements.

Final Confirmation of Answer(s): Prime contractors must ensure their subcontractors have the required CMMC certification level to handle FCI or CUI. Thus, the correct answer is: D. Contractor organization



How many domains does the CMMC Model consist of?

  A. 14 domains
  B. 43 domains
  C. 72 domains
  D. 110 domains

Answer(s): A

Explanation:

The CMMC Model consists of 14 domains, which are based on the NIST SP 800-171 control families with additional cybersecurity practices.
Each domain contains practices and processes that define cybersecurity requirements for organizations seeking CMMC certification.


Reference:

CMMC 2.0 Model Documentation
NIST SP 800-171 Framework

List of 14 CMMC Domains
Access Control (AC)
Asset Management (AM) (introduced in CMMC 2.0 for scoping guidance)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Management (RM)
Security Assessment (CA)
System and Communications Protection (SC)

Why Other Answer Choices Are Incorrect
B. 43 domains (Incorrect): The CMMC model does not have 43 domains; this number is incorrect.
C. 72 domains (Incorrect): There are 72 practices in CMMC Level 2, but not 72 domains.
D. 110 domains (Incorrect): 110 refers to the number of security controls in NIST SP 800-171, which aligns with CMMC Level 2, but these are controls, not domains.

Final Confirmation of Answer(s): The CMMC Model consists of 14 domains based on NIST SP 800-171 control families. Thus, the correct answer is: A. 14 domains



During the assessment process, who is the final interpretation authority for recommended findings?

  A. C3PAO
  B. CMMC-AB
  C. OSC sponsor
  D. Assessment Team Members

Answer(s): B

Explanation:

Final Interpretation Authority in the CMMC Assessment Process
During a CMMC Level 2 assessment, several entities are involved in the process, including the Organization Seeking Certification (OSC), Certified Third-Party Assessment Organization (C3PAO), Assessment Team Members, and the CMMC Accreditation Body (CMMC-AB).

Role of the C3PAO and Assessment Team:
The Certified Third-Party Assessment Organization (C3PAO) is responsible for conducting the assessment and making initial recommended findings based on NIST SP 800-171 security requirements.
Assessment Team Members (Lead Assessor and support staff) conduct evaluations and submit their recommendations to the C3PAO.

Final Interpretation Authority: CMMC-AB
The CMMC Accreditation Body (CMMC-AB) is responsible for ensuring consistency and accuracy in assessments.
If there is any dispute or need for clarification regarding findings, CMMC-AB provides the final interpretation and guidance.
This ensures uniformity in certification decisions across different C3PAOs.

Why CMMC-AB is the Answer:
CMMC-AB has the ultimate authority over the quality assurance process for assessments.
It reviews remediation requests, challenges, or disputes from the OSC or C3PAO and makes final determinations.
The CMMC-AB maintains oversight to ensure assessments align with CMMC 2.0 policies and DFARS 252.204-7021 requirements.

Why Other Answer Choices Are Incorrect
A. C3PAO: The C3PAO conducts the assessment and submits findings, but it does not have the final interpretation authority. Findings must pass through the CMMC-AB quality assurance process.
C. OSC Sponsor: The OSC (Organization Seeking Certification) cannot interpret findings; it can only respond to identified deficiencies and appeal assessments through CMMC-AB channels.
D. Assessment Team Members: The assessment team recommends findings but does not make final interpretations. Its role is limited to conducting evaluations, collecting evidence, and submitting reports to the C3PAO.

Reference:
CMMC Assessment Process Guide (CAP v2.0), Cyber AB
DFARS 252.204-7021 (DoD Regulation on CMMC Requirements)
CMMC 2.0 Model Overview (DoD CIO Site)

Final Answer: B. CMMC-AB



An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message. Which organization's website should the OSC go to in order to identify what this marking means?

  A. NARA
  B. CMMC-AB
  C. DoD Contractors FAQ page
  D. DoD 239.7601 Definitions page

Answer(s): A

Explanation:

What Does "CUI//SP-PRVCY//FED Only" Mean?
The email contains Controlled Unclassified Information (CUI) with specific categories and dissemination controls.
CUI//SP-PRVCY//FED Only breaks down as follows:
CUI: Controlled Unclassified Information designation.
SP-PRVCY: Specified category for Privacy Information (SP stands for "Specified").
FED Only: Restriction for Federal Government use only (not for contractors or the public).

Who Maintains the Official CUI Registry?
The National Archives and Records Administration (NARA) oversees the CUI Program and maintains the official CUI Registry (https://www.archives.gov/cui). The CUI Registry provides definitions, marking guidance, and categories for all CUI labels, including "SP-PRVCY" and dissemination controls like "FED Only."

Why NARA is the Answer:
NARA is the governing body responsible for defining and managing CUI markings.
Any organization handling CUI should refer to the NARA CUI Registry for official marking interpretations.
DoD contractors and other organizations must comply with NARA guidelines when handling, marking, and disseminating CUI.

Why Other Answer Choices Are Incorrect
B. CMMC-AB: The CMMC Accreditation Body manages certification assessments but does not define or interpret CUI markings.
C. DoD Contractors FAQ Page: The DoD may provide general contractor guidance, but CUI markings are governed by NARA, not an FAQ page.
D. DoD 239.7601 Definitions Page: This refers to general DoD acquisition definitions, but CUI categories and markings fall under NARA's authority.

Reference:
NARA CUI Registry (https://www.archives.gov/cui)
DoD CUI Program Guidance (DoD CIO Site)
CMMC 2.0 Level 2 Compliance Requirements (Cyber AB)

Final Answer: A. NARA



Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

  A. Organizational operations, business assets, and employees
  B. Organizational operations, business processes, and employees
  C. Organizational operations, organizational assets, and individuals
  D. Organizational operations, organizational processes, and individuals

Answer(s): C

Explanation:

The Risk Assessment (RA) domain aligns with NIST SP 800-171 control family 3.11 (Risk Assessment) and is designed to help organizations identify, assess, and manage cybersecurity risks that could impact their operations.
The RA.3.144 practice (which is a CMMC Level 2 requirement) explicitly states:
"Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
This means that OSCs (Organizations Seeking Certification) should regularly evaluate risks to:
Organizational operations (e.g., mission, business continuity, functions)
Organizational assets (e.g., data, IT systems, intellectual property)
Individuals (e.g., employees, contractors, customers affected by security risks)
Thus, the correct answer is C. Organizational operations, organizational assets, and individuals.

Why the Other Answers Are Incorrect
A. Organizational operations, business assets, and employees (Incorrect): "Business assets" is not the correct terminology used in CMMC/NIST SP 800-171. Instead, "organizational assets" is the proper term.
B. Organizational operations, business processes, and employees (Incorrect): "Business processes" is not a part of the formal risk assessment requirement. The correct scope includes organizational assets and individuals, not just processes.
D. Organizational operations, organizational processes, and individuals (Incorrect): While processes are important, organizational assets must be considered in the assessment, not just processes.

CMMC Official Reference
CMMC 2.0 Model (Level 2 - RA.3.144): Specifies that risk assessments must cover organizational operations, organizational assets, and individuals.
NIST SP 800-171 (3.11.1): Reinforces the same risk assessment scope.
Thus, option C (Organizational operations, organizational assets, and individuals) is the correct answer based on official CMMC risk assessment requirements.



In the CMMC Model, how many practices are included in Level 2?

  A. 17 practices
  B. 72 practices
  C. 110 practices
  D. 180 practices

Answer(s): C

Explanation:

CMMC Level 2 is designed to align fully with NIST SP 800-171, which consists of 110 security controls (practices).
This means all 110 practices from NIST SP 800-171 are required for a CMMC Level 2 certification.

Breakdown of Practices in CMMC 2.0
Level 1: 17 practices (Basic Cyber Hygiene)
Level 2: 110 practices (aligned with NIST SP 800-171)
Level 3: not yet finalized but expected to exceed 110
Since CMMC Level 2 mandates all 110 NIST SP 800-171 practices, the correct answer is C. 110 practices.

Why the Other Answers Are Incorrect
A. 17 practices (Incorrect): 17 practices apply only to CMMC Level 1, not Level 2.
B. 72 practices (Incorrect): There is no CMMC level with 72 practices.
D. 180 practices (Incorrect): CMMC Level 2 only requires 110 practices, not 180.

CMMC Official Reference
CMMC 2.0 Model: Confirms that Level 2 includes 110 practices aligned with NIST SP 800-171.
NIST SP 800-171 Rev. 2: Outlines the 110 security controls required for handling Controlled Unclassified Information (CUI).
Thus, option C (110 practices) is the correct answer, as per official CMMC guidance.



The Audit and Accountability (AU) domain has practices in:

  A. Level 1.
  B. Level 2.
  C. Levels 1 and 2.
  D. Levels 1 and 3.

Answer(s): B

Explanation:

The Audit and Accountability (AU) domain is one of the 14 families of security requirements in NIST SP 800-171 Rev. 2, which is fully adopted by CMMC 2.0 Level 2.

Analysis of the Given Options:
A. Level 1 (Incorrect): CMMC Level 1 only includes 17 basic FAR 52.204-21 safeguarding requirements and does not cover Audit and Accountability (AU) practices.
B. Level 2 (Correct): The AU domain is required at Level 2, which aligns with NIST SP 800-171. CMMC 2.0 Level 2 includes 110 security controls, among which AU-related controls focus on logging, monitoring, and accountability.
C. Levels 1 and 2 (Incorrect): Level 1 does not require audit and accountability practices.
D. Levels 1 and 3 (Incorrect): CMMC 2.0 only has Levels 1, 2, and 3, and AU is present in Level 2, making Level 3 irrelevant for this answer.

Official Reference Supporting the Answer:
NIST SP 800-171 Rev. 2 (Audit and Accountability, Family 3.3): The AU domain consists of security controls 3.3.1 to 3.3.8, focusing on audit log generation, retention, and accountability.
CMMC 2.0 Level 2 Practices (Aligned with NIST SP 800-171): AU practices (Audit and Accountability) are only required at Level 2.

Conclusion: The AU domain applies only to CMMC 2.0 Level 2, making the correct answer: B. Level 2.



A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?

  A. Pay an assessment submission fee.
  B. Complete an internal review of the results.
  C. Notify the CMMC-AB that submission is forthcoming.
  D. Coordinate a final briefing between the Lead Assessor and the OSC.

Answer(s): D

Explanation:

A CMMC Level 2 Assessment is conducted by a C3PAO (Certified Third-Party Assessment Organization) to determine whether the Organization Seeking Certification (OSC) meets all required 110 NIST SP 800-171 controls.
Before submitting the results, the C3PAO must complete a final briefing between the Lead Assessor and the OSC to review findings and clarify any concerns.

Analysis of the Given Options:
A. Pay an assessment submission fee (Incorrect): There is no mandatory submission fee for assessment results. Fees apply to the assessment process, not submission.
B. Complete an internal review of the results (Incorrect): While internal reviews are encouraged, they are not a required step before submission in CMMC assessment procedures.
C. Notify the CMMC-AB that submission is forthcoming (Incorrect): The C3PAO submits results to the CMMC-AB through the CMMC eMASS system, but prior notification is not a required procedural step.
D. Coordinate a final briefing between the Lead Assessor and the OSC (Correct): According to CMMC Assessment Process (CAP) guidelines, the Lead Assessor must conduct a final briefing with the OSC before submitting the results. This briefing ensures transparency, provides the OSC with insight into the findings, and allows for final clarifications.

Official Reference Supporting the Answer:
CMMC Assessment Process (CAP) v1.0: Requires a final briefing between the Lead Assessor and the OSC before submitting assessment results.
CMMC-AB and C3PAO Process Requirements: The Lead Assessor must communicate final findings with the OSC before submission to CMMC-AB.

Conclusion: The correct answer is: D. Coordinate a final briefing between the Lead Assessor and the OSC.


