Last Updated On : 4-Jun-2026
Certified CMMC Professional (CCP) Exam
223 realistic practice questions with detailed explanations
CMMC Governance and Source Documents
Per DoDI 5200.48, Controlled Unclassified Information (CUI), by whom is CUI marked?
A. DOD OUSD
B. Authorized holder
C. Information Disclosure Official
D. Presidentially authorized Original Classification Authority
Explanation:
According to Department of Defense Instruction (DoDI) 5200.48, Controlled Unclassified Information (CUI), responsibility for identifying and applying the correct CUI markings falls squarely on the authorized holder who creates or designates the document.
An "authorized holder" is any individual, agency, or organization permitted by an authorized authority to designate, produce, or maintain CUI. Specifically, the instruction mandates that:
The originator (who is an authorized holder) must properly mark the information at the time of creation.
If an authorized holder incorporates existing CUI into a new document (derivative marking), they are responsible for bringing those markings forward correctly.
Why Other Options Are Incorrect
A is incorrect: While the Office of the Under Secretary of Defense for Intelligence and Security (OUSD(I&S)) oversees the DoD CUI Program, they do not mark individual documents unless they are the specific creators of that data.
C is incorrect: "Information Disclosure Officials" or Public Release authorities deal with releasing information outside the government, not the initial compliance marking of internal CUI documents.
D is incorrect: An "Original Classification Authority" (OCA) is a specialized position authorized by the President or agency heads to classify Classified National Security Information (Confidential, Secret, Top Secret) under Executive Order 13526. They do not govern unclassified markings like CUI.
References
DoDI 5200.48, Section 3.1 & 3.2 (CUI Management Responsibilities): Explicitly states that the authorized holder/originator is responsible for determining whether information falls under a CUI category and ensuring it is marked correctly prior to dissemination.
32 CFR Part 2002 (The National CUI Rule): Reaffirms that authorized holders are responsible for applying markings and dissemination controls in accordance with the CUI Registry.
When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?
A. At the time of award
B. Upon solicitation submission
C. Thirty days from the award date
D. Before the due date of submission
Explanation:
According to the DFARS policy codified in the Code of Federal Regulations, contractors are explicitly required to achieve the required CMMC status at the time of award. The regulation states: "Contractors are required to achieve, at time of award, a CMMC status at the CMMC level specified in the solicitation, or higher, for all information systems used in the performance of the contract that will process, store, or transmit FCI or CUI."
Why other options are incorrect:
B. Upon solicitation submission – Incorrect.
Contractors are not required to have certification at the time they submit their bid or proposal. The requirement applies at award, allowing time for offerors to achieve certification between solicitation response and contract award.
C. Thirty days from the award date – Incorrect.
There is no 30-day grace period after award. The requirement must be satisfied at the time of award, not after. For Level 2 and Level 3, a "conditional status" may provide up to 180 days for remediation, but this applies to deficiencies discovered during an assessment, not as a grace period to achieve initial certification.
D. Before the due date of submission – Incorrect.
This essentially means prior to proposal submission, which is not required. The certification must be in place at award, not before submission.
References
DFARS 204.7502 Policy (a)(3) – "Contractors are required to achieve, at time of award, a CMMC status at the CMMC level specified in the solicitation"
32 CFR § 170.3 – CMMC Program applicability and phased implementation
Who has the initial responsibility for identifying and managing conflicts of interest?
A. OSC
B. C3PAO
C. CMMC-AB
D. Lead Assessor
Explanation:
The C3PAO (Certified Third-Party Assessment Organization) bears the initial and primary responsibility for identifying and managing conflicts of interest before an assessment begins. This responsibility is established in the CMMC Assessment Process (CAP) as a "preliminary proceeding" that must be completed prior to the assessment. The CAP explicitly requires C3PAOs to handle COI identification during Phase 1 (Plan and Prepare the Assessment) before any assessment activities commence.
Why other options are incorrect:
A. OSC – The Organization Seeking Certification is the client being assessed. While the OSC may disclose potential conflicts, they have no authority to manage the assessor's independence or enforce COI policies.
C. CMMC-AB (The Cyber AB) – The Accreditation Body sets COI rules and accredits C3PAOs but does not manage conflicts for individual assessments. This responsibility is delegated to authorized C3PAOs.
D. Lead Assessor – The Lead Assessor must attest to the absence of COI and work with the OSC to mitigate identified conflicts, but this occurs after the C3PAO has already performed initial identification and assignment. The Lead Assessor's responsibility is execution-level, not initial organizational responsibility.
References
32 CFR § 170.9(b)(2) – C3PAO compliance with COI policies
CMMC Assessment Process (CAP) – Phase 1 preliminary proceedings include COI identification; C3PAO responsibility
Which NIST SP discusses protecting CUI in nonfederal systems and organizations?
A. NIST SP 800-37
B. NIST SP 800-53
C. NIST SP 800-88
D. NIST SP 800-171
Explanation:
NIST Special Publication (SP) 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the definitive source document for CMMC Level 2 requirements. It was specifically created by NIST to provide federal agencies with a standardized set of recommended security requirements to protect the confidentiality of CUI when it resides on or traverses nonfederal information systems (such as those owned by Department of Defense contractors).
The 110 security practices evaluated at CMMC Level 2 are pulled directly from the requirements established in this publication.
Why Other Options Are Incorrect
A is incorrect: NIST SP 800-37 outlines the Risk Management Framework (RMF) for Information Systems and Organizations, which is a process used primarily by federal agencies to secure internal government systems.
B is incorrect: NIST SP 800-53 provides a massive catalog of Security and Privacy Controls for Information Systems and Organizations. While NIST SP 800-171 is derived from a subset of moderate-impact controls in SP 800-53, SP 800-53 itself is designed for federal environments.
C is incorrect: NIST SP 800-88 provides the Guidelines for Media Sanitization, which deals specifically with wiping, destroying, or declassifying data storage devices.
References
NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), Title and Purpose statements.
32 CFR Part 170 (CMMC Final Rule): Establishes that CMMC Level 2 alignment is explicitly mapped against the security requirements of NIST SP 800-171.
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?
A. CUI Asset
B. In-scope Asset
C. Specialized Asset
D. Contractor Risk Managed Asset
Explanation:
For a CMMC Level 1 Self-Assessment, assets are categorized based on their relationship with Federal Contract Information (FCI). Unlike Level 2 (which uses five distinct asset categories including CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), Level 1 follows a simpler scoping framework: an asset that processes, stores, or transmits FCI is an In-scope Asset. The in-house test equipment is used to fulfill the contract and handles FCI, so it is an In-scope Asset (option B).
Why other options are incorrect:
A. CUI Asset – Incorrect.
CUI (Controlled Unclassified Information) assets are defined at Level 2, not Level 1. Level 1 only concerns FCI protection. The scenario explicitly states this is a Level 1 Self-Assessment with no mention of CUI handling.
C. Specialized Asset – Incorrect.
Under Level 1 scoping rules, Specialized Assets (including IoT devices, OT, and test equipment) are explicitly excluded from the assessment scope. The regulation states: "Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements." However, this exclusion applies only when the specialized asset can process FCI but is unable to be fully secured. The question does not indicate the testing equipment falls under this exception, and typical in-house test equipment used for contract fulfillment is treated as in-scope.
D. Contractor Risk Managed Asset – Incorrect.
Contractor Risk Managed Assets (CRMA) are a Level 2 asset category, not used in Level 1 scoping. CRMA refers to assets that can but are not intended to process CUI due to risk-based policies. This category does not apply to Level 1 assessments.
References
32 CFR § 170.19(b) – Level 1 scoping requirements; assets processing, storing, or transmitting FCI are in scope
CMMC Level 1 Scoping Guide – Defines In-Scope Assets for Level 1 Self-Assessments as those that process, store, or transmit FCI
In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?
A. All recorded digital documents
B. All digital and recorded paper documents
C. All digital documents and recorded media
D. All recorded information, regardless of form or characteristics
Explanation:
Under Chapter 33 of Title 44, United States Code (the Federal Records Act), the definition of "records" explicitly includes all recorded information, regardless of form or characteristics, made or received by a Federal agency in connection with the transaction of public business. NARA directives and the U.S. Code further specify that "recorded information includes all traditional forms of records, regardless of physical form or characteristics, including information created, manipulated, communicated, or stored in digital or electronic form."
Why other options are incorrect:
A. All recorded digital documents – Incorrect.
This excludes paper records, maps, photographs, film, tape, and other physical documentary materials that are also subject to records disposition requirements.
B. All digital and recorded paper documents – Incorrect.
While this expands beyond digital, it still excludes other physical media such as film, tape, maps, and photographs, all of which fall under "recorded information, regardless of physical form."
C. All digital documents and recorded media – Incorrect.
Although "recorded media" is broader, this option still excludes traditional paper records and other documentary materials that are not classified as "media" but are still subject to disposal policies.
References
44 U.S.C. § 3301(a) – Definition of records includes "all recorded information, regardless of form or characteristics"
44 U.S.C. § 3301(a)(2) – "Recorded information includes all traditional forms of records...including information created, manipulated, communicated, or stored in digital or electronic form"
Which CMMC Levels meet the standards of protecting FCI (Federal Contract Information)?
A. Level 1
B. Level 2
C. Levels 2 and 3
D. Levels 1, 2, and 3
Explanation:
Under CMMC 2.0, Federal Contract Information (FCI) protection is specifically aligned with CMMC Level 1. Level 1 requires implementation of the basic safeguarding requirements found in FAR 52.204-21 and applies exclusively to contractors who handle FCI but do not process, store, or transmit Controlled Unclassified Information (CUI).
CMMC Level 1 focuses on foundational cybersecurity practices, requiring annual self-assessment and senior official affirmation. Approximately 63% of the Defense Industrial Base will need Level 1 certification for contracts involving FCI only.
Why other options are incorrect:
B. Level 2 – Incorrect.
Level 2 is designed for contractors handling CUI, requiring 110 practices aligned with NIST SP 800-171 and typically a third-party C3PAO assessment.
C. Levels 2 and 3 – Incorrect.
Both Levels 2 and 3 address CUI protection, not FCI. Level 3 applies to the most critical national security programs handling high-value CUI.
D. Levels 1, 2, and 3 – Incorrect.
While the levels are cumulative in maturity, requiring Level 2 or 3 for FCI-only contracts would impose unnecessary compliance burdens. DoD policy explicitly states Level 1 is sufficient for FCI protection.
References
32 CFR § 170.5(c) – CMMC Program requirements apply to contracts handling FCI
CMMC Level 1 Assessment Guide – Defines FCI protection requirements
DFARS CMMC Final Rule (Sept 2025) – Level 1 for FCI, Level 2/3 for CUI
In the CMMC Model, how many practices are included in Level 1?
A. 15 practices
B. 17 practices
C. 72 practices
D. 110 practices
Explanation:
Under the CMMC Model, Level 1 (Foundational) includes 17 security practices derived directly from FAR 52.204-21, which addresses the basic safeguarding of Federal Contract Information (FCI). These 17 practices are organized across six domains: Access Control (4 practices), Identification and Authentication (2), Media Protection (1), Physical Protection (4), System and Communications Protection (2), and System and Information Integrity (4).
The source of confusion between "15" and "17" stems from how the FAR 52.204-21 requirements are counted. The FAR clause contains 15 basic safeguarding requirements, but when mapped to NIST SP 800-171 Rev 2 for assessment purposes, these requirements align with 17 distinct security practices. Both CMMC 1.0 and CMMC 2.0 specify 17 practices for Level 1.
Why other options are incorrect:
A. 15 practices – Incorrect.
While FAR 52.204-21 contains 15 basic safeguarding requirements, the CMMC Level 1 model expands these to 17 practices when mapped to NIST SP 800-171 Rev 2 for assessment and evidence collection.
C. 72 practices – Incorrect.
72 practices represent the cumulative total for Level 2 under CMMC 1.0 (17 from Level 1 + 55 new from Level 2). This is not the count for Level 1 alone.
D. 110 practices – Incorrect.
110 practices is the total for CMMC Level 2 under CMMC 2.0, aligned with all NIST SP 800-171 Rev 2 requirements. Level 1 only requires the foundational 17 practices.
References
CMMC Model v2.0 – Level 1 requires 17 practices from FAR 52.204-21
32 CFR § 170.15 – Level 1 self-assessment requirements
NIST SP 800-171 Rev 2 – The 17 Level 1 practices map across 6 control families
Which domains are a part of a Level 1 Self-Assessment?
A. Access Control (AC), Risk Management (RM), and Media Protection (MP)
B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)
C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)
D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)
Explanation:
Under CMMC Level 1, the self-assessment covers six domains that contain the 17 basic safeguarding practices derived from FAR 52.204-21. The Level 1 domains are:
Access Control (AC) – 4 practices
Identification and Authentication (IA) – 2 practices
Media Protection (MP) – 1 practice
Physical Protection (PE) – 4 practices
System and Communications Protection (SC) – 2 practices
System and Information Integrity (SI) – 4 practices
Option C correctly lists three of these six domains: Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA). All three are mandatory components of any Level 1 Self-Assessment.
Why other options are incorrect:
A. Access Control (AC), Risk Management (RM), and Media Protection (MP) – Incorrect.
Risk Management (RM) is not a Level 1 domain. RM appears at Level 2 and above under CMMC 2.0, not at the foundational Level 1.
B. Risk Management (RM), Access Control (AC), and Physical Protection (PE) – Incorrect.
Risk Management (RM) is not included in Level 1. The Level 1 domains consist of AC, IA, MP, PE, SC, and SI only.
D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA) – Incorrect.
Risk Management (RM) is not a Level 1 domain. While Media Protection (MP) and Identification and Authentication (IA) are valid Level 1 domains, RM is exclusively part of higher CMMC levels.
References
32 CFR § 170.14(c)(2) – CMMC Level 1 security requirements from 48 CFR 52.204-21(b)(1)(i) through (xv)
CMMC Level 1 Self-Assessment Guide (DoD) – Lists six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.
D. Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.
Explanation:
The CMMC Code of Professional Conduct and the CMMC Assessment Process (CAP) require that any actual or apparent conflict of interest (COI) must be identified, disclosed, and managed appropriately. A former college roommate relationship could create an appearance of bias or favoritism, even if no actual bias exists. Option D follows that process: disclose the potential conflict to the OSC and the C3PAO, document the conflict and the mitigation actions in the assessment plan, and continue with the assessment only if the mitigation actions are acceptable.
Why other options are incorrect:
A. Do not inform the OSC and the C3PAO – Incorrect.
Concealing a potential conflict violates the CMMC Code of Professional Conduct (Objectivity and Conflicts of Interest principles). This could result in loss of certification and C3PAO sanctions.
B. Start the entire process over without the conflicted team member – Incorrect.
Restarting the assessment from scratch is unnecessary and costly. The conflict can be mitigated without discarding all prior work, provided the OSC and C3PAO agree.
C. Assume no conflict exists because time has passed – Incorrect.
Time alone does not automatically eliminate a potential conflict of interest. Any relationship that could create an appearance of bias (past personal relationship) must be disclosed, regardless of how long ago it occurred.
References
CMMC Code of Professional Conduct – Conflicts of Interest section: Requires disclosure of actual or apparent conflicts
CMMC Assessment Process (CAP) – Phase 1: Conflict of interest identification and mitigation documentation
Page 2 of 23