Last Updated On: 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 2: CMMC Assessment Process (CAP)

You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?

A. Defer the decision on non-duplication credit until the DoD publishes official non-duplication policies.
B. Verify the validity and authenticity of the OSC’s ISO 27001 certification against the requirements outlined in the CMMC Assessment Process (CAP) before considering granting any non-duplication credit.
C. Inform the OSC that alternative cybersecurity certifications like ISO 27001 do not automatically bestow any status or credit towards CMMC certification.
D. Grant the OSC credit towards their CMMC certification based on their ISO 27001 certification, as both standards cover similar cybersecurity requirements.

Answer: C. Inform the OSC that alternative cybersecurity certifications like ISO 27001 do not automatically bestow any status or credit towards CMMC certification.

During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC’s restrictions on CCAs offering such services during an assessment. What is your ethical obligation in this situation?

A. Publicly confront the CCA and remind them of the CoPC violation.
B. Discreetly approach the CCA and offer to help them understand the CoPC guidelines.
C. Immediately report the incident to the Cyber AB.
D. Ignore the situation, as it doesn’t involve you directly.

Answer: B. Discreetly approach the CCA and offer to help them understand the CoPC guidelines.

An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1 – Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover that the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance. What is the primary role of the CMMC Quality Assurance Professional (CQAP) regarding the Pre-Assessment Form?

A. To verify the accuracy and completeness of the information before uploading to CMMC eMASS.
B. To assign roles and responsibilities for each Assessment Team member.
C. To schedule CMMC eMASS training sessions for C3PAO representatives.
D. To configure access controls within the CMMC eMASS system.

Answer: A. To verify the accuracy and completeness of the information before uploading to CMMC eMASS.

A CCA is reviewing an OSC’s evidence for a CMMC practice and finds that the documentation is in draft form, marked “For Internal Use Only,” and lacks final approval. The OSC insists it is actively used. How should the CCA evaluate this evidence?

A. Accept the draft documentation as sufficient since it is actively used.
B. Document the lack of final approval as an evidence gap and assess based on all available evidence, including usage confirmation.
C. Reject the draft documentation and score the practice as "NOT MET."
D. Request the OSC to finalize the documentation before continuing the assessment.

Answer: B. Document the lack of final approval as an evidence gap and assess based on all available evidence, including usage confirmation.

After the Assessment Team has been formed and the OSC Point of Contact (PoC) and Assessment Official have been identified, your C3PAO appoints John as the Lead Assessor. During the kickoff meeting, John reassures the OSC Assessment Official not to worry; they are guaranteed to pass the CMMC assessment. If they don’t, John has agreed to refund 40% of the assessment fee. Which of the following is true about John’s behavior as a Certified CMMC Assessor?

A. It is unprofessional.
B. It is acceptable as it incentivizes the OSC to cooperate fully during the assessment process.
C. It aligns with the principle of objectivity outlined in the Code of Professional Conduct by removing any potential conflict of interest.
D. It demonstrates his confidence in the Assessment Team’s abilities and the OSC’s preparedness.

Answer: A. It is unprofessional.

When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to complete specific documents. The CAP also provides templates, some of which the Assessor must use and complete during specific phases. A CCA must complete all of the following documents in Phase 1 of the CAP, EXCEPT?

A. CMMC Assessment Quality Review Checklist
B. CMMC Assessment Readiness Review (CA-RR) Checklist
C. Virtual Assessment Evidence Preparation Template
D. CMMC Pre-Assessment Form Data Template

Answer: A. CMMC Assessment Quality Review Checklist

A CCA is conducting a CMMC assessment and discovers that the OSC’s evidence includes a policy that contradicts a practice’s objectives (e.g., allowing unrestricted access when restricted access is required). The OSC claims it’s a typo and the practice is followed correctly. How should the CCA proceed?

A. Accept the OSC’s claim and score the practice as "MET" based on their assurance.
B. Document the contradiction as an evidence gap and assess based on observed practice implementation.
C. Score the practice as "NOT MET" due to the contradictory policy.
D. Request the OSC to correct the policy document during the assessment.

Answer: B. Document the contradiction as an evidence gap and assess based on observed practice implementation.

You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation. As part of the CMMC Assessment process, you begin by determining the necessary evidence for each practice or process across the OSC’s organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC’s requirements. After initial preparations, you and the OSC’s POC schedule a joint review session to align on the scope and expectations for the upcoming assessment. What is the primary focus of the ‘Sufficiency’ criterion during the evidence verification process in a CMMC assessment?

A. Confirming the evidence has been reviewed and approved by all stakeholders.
B. Sufficiency verifies that there is enough evidence to comprehensively assess each practice against the CMMC Assessment scope.
C. Checking if the evidence includes the latest cybersecurity trends and technologies.
D. Ensuring the evidence covers a wide range of cybersecurity threats.

Answer: D. Ensuring the evidence covers a wide range of cybersecurity threats.

During a CMMC assessment, an OSC employee asks the CCA if their current security measures are “good enough” to pass the assessment. The CCA responds by saying, “I can’t tell you that, but here’s what the CMMC requires for this practice.” What principle of the CoPC does this response uphold?

A. Confidentiality
B. Professionalism
C. Objectivity
D. Information Integrity

Answer: C. Objectivity

The Cyber AB is the sole authorized certification and accreditation partner for the DoD in its CMMC program. It is responsible for overseeing and establishing a trained, qualified, and high-fidelity community of assessors, including C3PAOs and CCAs. What is the main requirement before The Cyber AB can accredit an Assessor?

A. The Cyber AB must be DFARS 7012 compliant.
B. The Cyber AB must be compliant at a FISMA moderate level.
C. The Cyber AB must achieve and maintain ISO/IEC 17011 accreditation standard.
D. The Cyber AB must be approved by the DoD.

Answer: C. The Cyber AB must achieve and maintain ISO/IEC 17011 accreditation standard.


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:
Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:
The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:
All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.