Last Updated On : 4-Jun-2026


Free CyberAB CMMC-CCP Exam Questions (2026 Update)

Certified CMMC Professional (CCP) Exam


223 realistic practice questions with detailed explanations

Our free CyberAB CMMC-CCP practice test bridges the gap between knowing the material and applying it under pressure. We'll show you the exact CMMC-CCP question style, difficulty levels, and formats you'll see on the official CyberAB Certified CMMC Professional (CCP) Exam, without wasting time on what you already know.

Start Certified CMMC Professional (CCP) Exam Practice Today and Pass Easily!

CMMC Assessment Process

A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?



A. Review it, print it, and put it in the desk drawer.


B. Review it, and make notes on the computer provided by the client.


C. Review it, print it, make notes, and then shred it in a cross-cut shredder in the print room.


D. Review it, print it, and leave it in a folder on the table together with the other documents.





C.
  Review it, print it, make notes, and then shred it in a cross-cut shredder in the print room.

Explanation:

The assessment is taking place in a shared workspace: a multi-tenant building, a conference room shared with other tenants, and a desk drawer that does not lock. The evidence file contains sensitive OSC information (potentially CUI, and in any case details of how the OSC protects it), so it must be kept away from other tenants, visitors, and cleaning or facilities staff who have access to the room after hours.

Why C is correct:

Reviewing the file and taking notes is what the assessor needs to do to document the assessment.
Printing permits physical markup during the review, which the scenario allows for.
Cross-cut shredding destroys the printout once it is no longer needed, so nothing readable is left behind in a space the assessor does not control.
This is the only option that ends with the printed material in a verifiably destroyed state rather than left somewhere in the shared room.

Why other options are incorrect:

A (print, put in unlocked drawer)
– An unlocked drawer in a shared building offers no protection. Anyone with access to the conference room after hours could retrieve the file. This violates basic safeguarding expectations.

B (review, make notes on client computer)
– Assessment notes belong on equipment the assessment team controls, not on a computer supplied by the OSC: the OSC can read or alter anything stored there, and the notes leave the assessor's custody at the end of the engagement. The option also says nothing about what happens to the evidence once the review is done, so it does not address the physical safeguarding problem the scenario is about.

D (print, leave in folder on table) – This leaves the evidence fully exposed in a shared, unsecured space overnight and would amount to negligence on the assessor's part.

References

Cyber AB CCP Exam Guide – Domain: Assessment Execution; Sub-topic: Evidence handling and protection of OSC data.

CMMC Assessment Process Guide – Section on securing assessment artifacts during on-site assessments.

CMMC Code of Professional Conduct – Assessors must safeguard OSC information from unauthorized disclosure

Which are guiding principles in the CMMC Code of Professional Conduct?



A. Objectivity, information integrity, and higher accountability


B. Objectivity, information integrity, and proper use of methods


C. Proper use of methods, higher accountability, and objectivity


D. Proper use of methods, higher accountability, and information integrity





B.
  Objectivity, information integrity, and proper use of methods

Explanation:

The CMMC Code of Professional Conduct (CoPC) establishes binding ethical requirements for all credentialed individuals in the CMMC ecosystem, including CCPs, assessors, and C3PAO personnel. The CoPC explicitly lists its guiding principles in a dedicated section of the document. These principles include: Objectivity, Information Integrity, Proper Use of Methods, Confidentiality, Professionalism, Conflicts of Interest, Respect for Intellectual Property, and Lawful and Ethical Practices.

Why other options are incorrect:

A, C, and D all include "higher accountability" – Incorrect. "Higher accountability" is not one of the guiding principles listed in the CMMC Code of Professional Conduct. Accountability is certainly expected of credentialed individuals, but the CoPC expresses it through distinct principles such as Professionalism, Confidentiality, and Respect for Intellectual Property, none of which is named "higher accountability".

A replaces "proper use of methods" with "higher accountability" – Incorrect. Option A keeps objectivity and information integrity but drops proper use of methods, the principle that requires assessors to apply the published CMMC assessment methodology rather than improvised procedures.

C omits "information integrity" and D omits "objectivity" – Incorrect. Option C drops information integrity, the principle that assessment records, findings, and representations must be accurate and complete. Option D drops objectivity, the principle that assessments are impartial and free of bias or conflicts of interest.

References

CMMC-AB Code of Professional Conduct (CoPC) – Section on "Guiding Principles" lists: Professionalism, Objectivity, Confidentiality, Proper Use of Methods, Information Integrity, Conflicts of Interest, Respect for Intellectual Property, and Lawful and Ethical Practices

Inside Cybersecurity (2020) – Details CoPC requirements for confidentiality, proper use of methods, and IP protections

CCP Blueprint (The Cyber AB) – Domain 2 identifies guiding principles as a key knowledge area for the CCP exam

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?



A. Conduct a penetration test


B. Interview the intrusion detection system's supplier.


C. Upload known malicious code and observe the system response.


D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.





D.
  Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Explanation:

The CMMC Assessment Guides specify three assessment methods: Examine, Interview, and Test. In the scenario the CCA has already interviewed the person responsible for the IDS and examined the monitoring policies and procedures. The natural next step is to keep using the Examine method on more specific artifacts: the IDS/IPS configuration, monitoring-tool documentation, alert or audit logs, and the references the OSC relied on when configuring the system. Comparing the configuration actually deployed against what the policy says should be in place is what turns the interview statements into evidence.

Why other options are incorrect:

A. Conduct a penetration test – Incorrect.
Penetration testing is an intrusive, specialized activity that is not part of a CMMC certification assessment. It would require separate agreement between the C3PAO and the OSC, its own scoping, and rules of engagement, and it would not produce evidence about how the OSC has configured and operates its IDS/IPS.

B. Interview the intrusion detection system's supplier – Incorrect.
The supplier is outside the OSC and cannot speak to how the OSC deployed, tuned, and monitors the system. Interviews are conducted with the OSC personnel who have responsibility for the practice.

C. Upload known malicious code and observe the system response – Incorrect.
This is active testing of a live system by the assessor, which can disrupt operations and itself create a security incident. Test is a legitimate assessment method, but in CMMC it means observing the OSC demonstrate a control, not the assessor introducing malware. Anything of that kind would need an isolated environment and explicit authorization, and it is outside the scope of a certification assessment.

References

CMMC Level 2 Assessment Guide (DoD CIO) – SI.L2-3.14.6: Lists "Examine" methods including system configuration settings, monitoring tools documentation, and system audit logs

NIST SP 800-171 R2 – 3.14.6: System monitoring discussion and reference to SP 800-94 for IDPS guidance

NIST SP 800-94 – Intrusion Detection and Prevention Systems: Provides characteristics of IDPS technologies and recommendations for design, implementation, configuration, and monitoring

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:



A. funds that practice.


B. audits that practice.


C. supports, audits, and performs that practice.


D. implements, performs, or supports that practice.





D.
  implements, performs, or supports that practice.

Explanation:

During CMMC assessment planning, the CCA needs to interview personnel with direct, hands-on knowledge of the practice being assessed. Under the CMMC assessment methodology, the person interviewed must be someone who implements, performs, or supports that practice.

This ensures the assessor gets accurate, first-hand information about how the control actually operates. The person answering needs first-hand knowledge of the control, a clear understanding of what it does, and the ability to discuss any deficiencies honestly. People who merely fund, approve, or audit a practice typically lack the operational detail needed to verify that it is implemented as described.

Why other options are incorrect:

A. funds that practice – Incorrect.
Approving a budget gives no insight into day-to-day execution. A CFO who funds the logging platform cannot describe how access logs are reviewed or how intrusion detection rules are tuned.

B. audits that practice – Incorrect.
Internal auditors understand the compliance framework, but they do not implement or support the control day to day. The assessor needs to hear from the "doers," not the reviewers.

C. supports, audits, and performs that practice – Incorrect.
The conjunction matters: this option requires one person to support, audit, and perform the practice all at once. The requirement is that the interviewee implements, performs, or supports it (any one of these), and auditing is not a qualifying role. In practice segregation of duties usually separates the person who performs a control from the person who audits it, so a single individual doing all three is unlikely to exist.

The RACI model captures the distinction: the Responsible party, who performs the work, is the right interview subject, not the Accountable (owner), Consulted, or Informed parties.

References

CMMC Assessment Process (CAP) – Phase 2: Conduct Assessment; interview methodology requires personnel with direct implementation or support responsibilities

NICCS CMMC CCP Course – Assessment process includes interviewing personnel responsible for security practice execution

A Lead Assessor and an OSC's Assessment Official have agreed to have the Assessment results presented during the final Daily Checkpoint of the OSC's CMMC Level 2 Assessment. Which document MUST the Lead Assessor use to present assessment findings to the OSC?



A. CMMC POA & M Brief


B. CMMC Findings Brief


C. CMMC Assessment Tracker Tool


D. CMMC Recommended Findings template





B.
  CMMC Findings Brief

Explanation:

According to the CMMC Assessment Process (CAP), the CMMC Assessment Findings Briefing is the official template the Lead Assessor uses to present assessment results to the OSC. The CAP describes the Findings Briefing as a "PowerPoint file that can be used to construct the reporting of the Assessment results to the OSC" and states that "the formal brief-out of Assessment results from the C3PAO to the OSC is required".

The scenario has the results presented during the final Daily Checkpoint. The CAP treats the Daily Checkpoint as a separate PowerPoint template (Appendix H) for daily progress updates; the CMMC Assessment Findings Briefing (Appendix K) is the template designated for formally delivering the final recommended findings, whichever meeting it is delivered in.

Why other options are incorrect:

A. CMMC POA&M Brief – Incorrect.
A POA&M (Plan of Action and Milestones) is an OSC-generated document that tracks remediation of deficiencies; it is not an assessor's template for presenting findings. The POA&M is reviewed during the assessment but is not the deliverable used to brief results.

C. CMMC Assessment Tracker Tool – Incorrect.
The Assessment Results template (the Excel workbook, Appendix J) is where results are recorded for submission to eMASS. That workbook and any tracker the team keeps are internal C3PAO working documents, not the formal presentation to the OSC at the final Daily Checkpoint.

D. CMMC Recommended Findings template – Incorrect.
No template by that name appears in the CAP. The correct name is the CMMC Assessment Findings Briefing.

References

CMMC Assessment Process (CAP) – Appendix K: CMMC Assessment Findings Briefing; formal brief-out of assessment results is required

32 CFR § 170.17(c)(1) – Final results communicated to OSC through CMMC Assessment Findings Report

An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?



A. Scoping an assessment is easy and worry-free.


B. The initial plan cannot be changed once agreed upon.


C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude.


D. Assessors need to continuously review and update the requirements and plan for the assessment as information is gathered.





D.
  Assessors need to continuously review and update the requirements and plan for the assessment as information is gathered.

Explanation:

Assessment planning is an iterative process, not a one-time event. As the assessor gathers information during pre-assessment activities and the assessment itself, new discoveries may impact scoping, evidence requirements, or the assessment approach. The CMMC Assessment Process (CAP) emphasizes that assessors must remain flexible and continuously refine their understanding of the OSC's environment, system boundaries, and implemented practices.

Why other options are incorrect:

A. Scoping an assessment is easy and worry-free – Incorrect.
Scoping is one of the most complex and critical parts of a CMMC assessment. It requires careful analysis of system boundaries, asset categories, external service providers, and contract requirements. Improper scoping can lead to incomplete assessments or unnecessary costs for the OSC.

B. The initial plan cannot be changed once agreed upon – Incorrect.
The assessment plan is a living document. Changes are not only permitted but often necessary as new information emerges. Both the assessor and OSC can agree to modifications, though significant changes should be documented.

C. There is a determined amount of time that the OSC's point of contact has to submit evidence and rough order-of-magnitude – Incorrect.
While evidence submission timelines should be agreed upon during planning, the phrase "rough order-of-magnitude" (ROM) is typically used for cost estimation, not evidence submission. More importantly, the question asks about analyzing requirements, not about fixed deadlines for evidence.

References

CMMC Assessment Process (CAP) – Section on Assessment Planning: Emphasizes iterative refinement of scope and requirements as information becomes available

CMMC-CCP Exam Content Outline – Domain: Assessment Planning; includes continuous review and updating of assessment requirements

Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?



A. Availability


B. Confidentiality


C. Information Integrity


D. Respect for Intellectual Property





B.
  Confidentiality

Explanation:

The CMMC Code of Professional Conduct (CoPC) explicitly addresses the protection of sensitive information gathered during assessments. The CoPC states that credentialed individuals and organizations have an obligation to "protect identifiable and confidential customer data from unauthorized disclosure" and must "exercise due care to ensure that confidential or privileged information gathered during assessments or consulting remains so, even after a work engagement has ended".

Why other options are incorrect:

A. Availability – Incorrect.
Availability refers to ensuring information is accessible when needed by authorized users. The scenario describes protecting information from disclosure, not ensuring its accessibility.

C. Information Integrity – Incorrect.
Information integrity focuses on maintaining the accuracy, completeness, and trustworthiness of information throughout its lifecycle. While related to information protection, integrity concerns preventing unauthorized modification or corruption, not preventing disclosure. The CoPC lists "Information Integrity" as a separate guiding principle from "Confidentiality".

D. Respect for Intellectual Property – Incorrect.
Respect for intellectual property addresses proper handling of copyrighted materials, trademarks, and proprietary methodologies (such as approved CMMC training content). This differs from protecting sensitive customer and government information gathered during assessments, which falls under confidentiality.

References

32 CFR § 170.13(b)(6) – CCPs shall "not share any information about an OSC obtained during CMMC pre-assessment and assessment activities with any person not involved with that specific assessment"

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?



A. Adequacy


B. Sufficiency


C. Process mapping


D. Assessment scope





A.
  Adequacy

Explanation:

During the planning phase, the Lead Assessor decides what would constitute the right evidence for each practice: which artifacts, interviews, or demonstrations would actually show that the practice is implemented as intended. That is the adequacy question. In CMMC evidence evaluation, adequacy asks whether the evidence is of the right kind and quality to meet the intent of the practice; sufficiency asks whether there is enough of it.

Why other options are incorrect:

B. Sufficiency – Incorrect.
Sufficiency addresses whether there is enough of the right evidence, not what constitutes the right evidence in the first place. The question is about the qualitative judgement ("right evidence"), not the quantity.

C. Process mapping – Incorrect.
Process mapping documents workflows and responsibilities, typically in support of a System Security Plan (SSP). It is not what the assessor is verifying when deciding what evidence each practice needs.

D. Assessment scope – Incorrect.
Assessment scope defines the boundary of systems, assets, and facilities under assessment. Scope determines which practices apply, but deciding the right evidence for each of those practices is a separate judgement about evidence quality, not about the boundary.

References

ISACA CCP Exam Content Outline – Domain 4C: "Analyze the adequacy/sufficiency around the location/collection/quality/usage of evidence"

CMMC Assessment Process (CAP) – Phase 1: Verify and record evidence against adequacy and sufficiency criteria; defines adequacy as evidence meeting the intent of the CMMC practice

There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?



A. The OSC may have 90 days for remediating NOT MET practices.


B. The OSC is not eligible for an option to remediate NOT MET practices.


C. The OSC may be eligible for an option to remediate NOT MET practices.


D. The OSC is not eligible for an option to remediate after the assessment is canceled.





C.
  The OSC may be eligible for an option to remediate NOT MET practices.

Explanation:


Under CMMC Level 2, an OSC whose assessment includes NOT MET practices can still receive a Conditional certification and remediate those practices under a POA&M, but only if two conditions hold:

Adequate Score – The assessment score must be at least 80% of the maximum, which for the 110 Level 2 requirements is 88 points. Each NOT MET requirement subtracts its point value (1, 3, or 5) from 110.

Eligible Gaps – Every NOT MET requirement placed on the POA&M must be worth 1 point (those with a "limited or indirect effect" on security), with one exception: SC.L2-3.13.11 (CUI Encryption) may be on the POA&M when it scores 3 points, meaning encryption is in place but not FIPS-validated. Any other NOT MET requirement worth 3 or 5 points disqualifies the OSC from Conditional certification, and 32 CFR 170.21 also names five requirements that overlap Level 1 (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) that may never be placed on a POA&M regardless of point value.

The question says that 15 applicable practices are NOT MET but gives no point values. A quick check: if all 15 are 1-point requirements the score is 110 - 15 = 95, above the 88-point threshold, so the OSC would qualify; if any of them is a 3- or 5-point requirement (other than SC.L2-3.13.11 at 3 points) or one of the five excluded requirements, the OSC does not. Because the point values are unknown, the defensible determination is that the OSC may be eligible, not that it is.

Why other options are incorrect:

A. The OSC may have 90 days for remediating NOT MET practices — Incorrect. The remediation window for Conditional certification is 180 days, not 90 days. This option also incorrectly assumes automatic eligibility.

B. The OSC is not eligible for an option to remediate NOT MET practices — Incorrect. Remediation through Conditional certification is available when the OSC meets the eligibility criteria. The question does not provide information indicating the OSC is ineligible.

D. The OSC is not eligible for an option to remediate after the assessment is canceled — Incorrect. The assessment is not described as canceled; it is a completed Level 2 Assessment with 15 NOT MET findings. Conditional certification and remediation are standard post-assessment options.

References

32 CFR § 170.21 — POA&M Requirements for Conditional Certification; establishes 180-day remediation period and eligibility criteria

32 CFR § 170.24(c)(2)(ii)— CMMC Level 2 Scoring Table; identifies which controls are 1-point (POA&M-eligible) vs. 3- or 5-point (ineligible)

A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC's Configuration Management (CM) domain. The CCP's first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP's interview focus on?



A. Controlled and monitored


B. Removed from the system


C. Scanned for malicious code


D. Limited to mission-essential use only





A.
  Controlled and monitored

Explanation:

The security requirement for practice CM.L2-3.4.9 is explicitly defined as: "Control and monitor user-installed software". This is the verbatim language from the CMMC Level 2 Assessment Guide. The three assessment objectives for this practice are: (a) a policy for controlling the installation of software by users is established; (b) installation of software by users is controlled based on the established policy; and (c) installation of software by users is monitored.

Why other options are incorrect:

B. Removed from the system – Incorrect.
Removal of unneeded software relates to CM.L2-3.4.6 (Least Functionality), not CM.L2-3.4.9. The least functionality practice requires configuring systems to provide only essential capabilities. User-installed software may be legitimate and approved, not automatically removed.

C. Scanned for malicious code – Incorrect.
While scanning for malicious code is a security best practice (covered under SI domain practices like SI.L2-3.14.4), it is not the defining facet of CM.L2-3.4.9. The core requirement is controlling what gets installed and monitoring that it complies with policy, not scanning installed software.

D. Limited to mission-essential use only – Incorrect.
This describes least functionality (CM.L2-3.4.6), not user-installed software controls. Limiting functions to mission-essential capabilities is a separate configuration management practice focused on system hardening, not user software installation.

References

CMMC Level 2 Assessment Guide (DoD CIO) – CM.L2-3.4.9: Security requirement "Control and monitor user-installed software" and assessment objectives

CMMC Assessment Methods – Interview potential assessment objects include personnel with responsibilities for governing user-installed software


CMMC-CCP - Certified CMMC Professional (CCP) Official Exam Blueprint and Weight:


1. CMMC Ecosystem and Framework Fundamentals

Official Exam Weight: 20-25%

Subtopics: Understand the Cybersecurity Maturity Model Certification (CMMC) ecosystem, identify CMMC stakeholders and roles, understand CMMC levels and maturity requirements, review CMMC domains and practices, understand Department of Defense (DoD) cybersecurity requirements, identify Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), review CMMC terminology and concepts, understand assessment objectives and methodologies, identify documentation requirements, understand ethical and professional responsibilities, review confidentiality and conflict of interest requirements.

2. Cybersecurity and Risk Management Fundamentals

Official Exam Weight: 20-25%

Subtopics: Understand cybersecurity principles and concepts, identify common cyber threats and vulnerabilities, review risk management processes, understand defense-in-depth strategies, identify incident response fundamentals, review security awareness and training concepts, understand access control and identity management, identify encryption and data protection fundamentals, review network security concepts, understand cloud security basics, identify vulnerability management concepts, review disaster recovery and business continuity planning.

3. CMMC Practices and Security Controls

Official Exam Weight: 35-40%

Subtopics: Identify access control requirements, review audit and accountability practices, understand configuration management controls, identify identification and authentication requirements, review incident response practices, understand maintenance and media protection requirements, identify personnel security controls, review physical protection practices, understand recovery and contingency planning, identify risk assessment requirements, review security assessment and monitoring practices, understand system and communications protection, identify system and information integrity controls, review multifactor authentication and encryption requirements, identify logging and monitoring practices.

4. CMMC Assessment Process and Preparation

Official Exam Weight: 15-20%

Subtopics: Understand assessment preparation activities, identify evidence collection methods, review assessment scope determination, understand stakeholder interview processes, identify documentation review procedures, understand gap analysis and remediation concepts, review assessment reporting requirements, identify readiness assessment activities, understand assessment timelines and deliverables, review quality assurance procedures, understand remediation planning and corrective actions, identify assessment communication best practices.

5. Professional Conduct and Communication

Official Exam Weight: 5-10%

Subtopics: Demonstrate professional communication skills, understand ethical responsibilities, manage sensitive information appropriately, communicate assessment findings effectively, maintain professional integrity, understand collaboration and teamwork requirements, identify customer engagement best practices, manage conflicts and disputes professionally, demonstrate documentation and reporting professionalism, understand continuing education and certification maintenance requirements.



Domain   Title                                         Exam Weight
1        CMMC Ecosystem and Framework Fundamentals     20-25%
2        Cybersecurity and Risk Management Fundamentals 20-25%
3        CMMC Practices and Security Controls          35-40%
4        CMMC Assessment Process and Preparation       15-20%
5        Professional Conduct and Communication        5-10%