
CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers

Questions 4

Who makes the final determination of the assessment method used for each practice?

Options:

A. CCP

B. OSC

C. Site Manager

D. Lead Assessor

Questions 5

Which assessment method compares actual-specified conditions with expected behavior?

Options:

A. Test

B. Examine

C. Compile

D. Interview

Questions 6

The Audit and Accountability (AU) domain has practices in:

Options:

A. Level 1.

B. Level 2.

C. Levels 1 and 2.

D. Levels 1 and 3.

Questions 7

A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M, but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

Options:

A. 80 practices

B. 88 practices

C. 100 practices

D. 110 practices

Questions 8

Ethics is a shared responsibility between:

Options:

A. DoD and CMMC-AB.

B. OSC and sponsors.

C. CMMC-AB and members of the CMMC Ecosystem.

D. members of the CMMC Ecosystem and Lead Assessors.

Questions 9

During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

Options:

A. Host Unit

B. Organization

C. Coordinating Unit

D. Supporting Organization/Unit

Questions 10

A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?

Options:

A. Review it, print it, and put it in the desk drawer.

B. Review it, and make notes on the computer provided by the client.

C. Review it, print it, make notes, and then shred it in cross-cut shredder in the print room.

D. Review it, print it, and leave it in a folder on the table together with the other documents.

Questions 11

Which statement BEST describes an LTP?

Options:

A. Creates DoD-licensed training

B. Instructs a curriculum approved by CMMC-AB

C. May market itself as a CMMC-AB Licensed Provider for testing

D. Delivers training using some CMMC body of knowledge objectives

Questions 12

In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?

Options:

A. Virtual LAN restrictions

B. Single administrative account

C. Documentation showing MFD configuration

D. Access lists only known to the IT administrator

Questions 13

The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?

Options:

A. ESP

B. People

C. Facilities

D. Technology

Questions 14

The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?

Options:

A. FBI CUI Introduction to Marking

B. NARA CUI Introduction to Marking

C. C3PAO CUI Introduction to Marking

D. CMMC-AB CUI Introduction to Marking

Questions 15

In the CMMC Model, how many practices are included in Level 2?

Options:

A. 17 practices

B. 72 practices

C. 110 practices

D. 180 practices

Questions 16

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Options:

A. Organizational operations, business assets, and employees

B. Organizational operations, business processes, and employees

C. Organizational operations, organizational assets, and individuals

D. Organizational operations, organizational processes, and individuals

Questions 17

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

Options:

A. FAR 52.204-21

B. 22 CFR 120-130

C. DFARS 252.204-7011

D. DFARS 252.204-7021

Questions 18

An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM, what is required of the Assessment Team to determine if a practice is scored as MET?

Options:

A. All three types of evidence are documented for every control.

B. Examine and accept evidence from one of the three evidence types.

C. Complete one of the following: examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

Questions 19

A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?

Options:

A. CUI Asset

B. In-scope Asset

C. Specialized Asset

D. Contractor Risk Managed Asset

Questions 20

Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?

Options:

A. Access control

B. Physical access control

C. Mandatory access control

D. Discretionary access control

Questions 21

A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?

Options:

A. FCI Assets

B. Specialized Assets

C. Out-of-Scope Assets

D. Government-Issued Assets

Questions 22

A Lead Assessor is performing a CMMC readiness review. The Lead Assessor has already recorded the assessment risk status and the overall assessment feasibility. At MINIMUM, what remaining readiness review criteria should be verified?

Options:

A. Determine the practice pass/fail results.

B. Determine the preliminary recommended findings.

C. Determine the initial model practice ratings and record them.

D. Determine the logistics, Assessment Team, and the evidence readiness.

Questions 23

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

Options:

A. Least privilege

B. Essential concern

C. Least functionality

D. Separation of duties

Questions 24

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?

Options:

A. Clear, purge, destroy

B. Clear, redact, destroy

C. Clear, overwrite, purge

D. Clear, overwrite, destroy

Questions 25

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

Options:

A. Conduct a penetration test.

B. Interview the intrusion detection system's supplier.

C. Upload known malicious code and observe the system response.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Questions 26

A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?

Options:

A. Performed in groups for more efficient use of resources

B. Recorded for inclusion in the Final Recommended Findings report

C. Confidential and non-attributable so interviewees can speak without fear of reprisal

D. Mapped to specific CMMC practices to clearly delineate which practice is being evaluated

Questions 27

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

Options:

A. CUI Assets.

B. CUI and Security Protection Asset categories.

C. all asset categories except for the Out-of-scope Assets.

D. Contractor Risk Managed Assets and Specialized Assets.

Questions 28

A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

Options:

A. FCI Assets

B. Specialized Assets

C. Out-of-Scope Assets

D. Operational Technology Assets

Questions 29

A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?

Options:

A. Gathering evidence

B. Review of the OSC's SSP

C. Overview of the assessment process

D. Examination of the artifacts for sufficiency

Questions 30

During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope. Who is responsible for verifying this request?

Options:

A. CCP

B. C3PAO

C. Lead Assessor

D. Advisory Board

Questions 31

During the assessment process, who is the final interpretation authority for recommended findings?

Options:

A. C3PAO

B. CMMC-AB

C. OSC sponsor

D. Assessment Team Members

Questions 32

What is the BEST description of the purpose of FAR clause 52.204-21?

Options:

A. It directs all covered contractors to install the cyber security systems listed in that clause.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS.

C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

Questions 33

At which CMMC Level do the Security Assessment (CA) practices begin?

Options:

A. Level 1

B. Level 2

C. Level 3

D. Level 4

Questions 34

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

Options:

A. Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.

B. Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

C. Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.

D. Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.

Questions 35

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

Options:

A. OSC and Sponsor

B. OSC and CMMC-AB

C. Lead Assessor and C3PAO

D. C3PAO and Assessment Official

Questions 36

Which government agency are DoD contractors required to report breaches of CUI to?

Options:

A. FBI

B. NARA

C. DoD Cyber Crime Center

D. Under Secretary of Defense for Intelligence and Security

Questions 37

Which example represents a Specialized Asset?

Options:

A. SOCs

B. Hosted VPN services

C. Consultants who provide cybersecurity services

D. All property owned or leased by the government

Questions 38

Which document BEST determines the existence of FCI and/or CUI in scoping an assessment with an OSC?

Options:

A. OSC SSP

B. OSC POA&M

C. OSC Evidence

D. OSC Contract with DoD

Questions 39

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

Options:

A. DoD

B. CISA

C. NIST

D. CMMC-AB

Questions 40

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

Options:

A. NIST SP 800-37

B. NIST SP 800-53

C. NIST SP 800-88

D. NIST SP 800-171

Questions 41

Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

Options:

A. official.

B. adequate.

C. compliant.

D. subjective.

Questions 42

The evidence needed for each practice and/or process is weighed for:

Options:

A. adequacy and sufficiency.

B. adequacy and thoroughness.

C. sufficiency and thoroughness.

D. sufficiency and appropriateness.

Questions 43

What are CUI protection responsibilities?

Options:

A. Shielding

B. Governing

C. Correcting

D. Safeguarding

Questions 44

Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?

Options:

A. Completion dates

B. Milestones to measure progress

C. Ownership of who is accountable for ensuring plan performance

D. Budget requirements to implement the plan's remediation actions

Questions 45

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

Options:

A. Ability

B. Eligibility

C. Capability

D. Suitability

Questions 46

Within the CMMC Ecosystem, which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?

Options:

A. DoD OUSD

B. DIB Collaborative Information Sharing Environment

C. Committee on National Security Systems Instructions

D. CMMC Assessors and Instructors Certification Organization

Questions 47

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

Options:

A. Final log report

B. Final CMMC report

C. Final and recorded OSC CMMC report

D. Final and recorded Daily Checkpoint log

Questions 48

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

Options:

A. funds that practice.

B. audits that practice.

C. supports, audits, and performs that practice.

D. implements, performs, or supports that practice.

Exam Code: CMMC-CCP
Exam Name: Certified CMMC Professional (CCP) Exam
Last Update: Jun 13, 2025
Questions: 170
