Last Updated On: 4-Jun-2026
Certified CMMC Professional (CCP) Exam
223 realistic practice questions with detailed explanations
Implementation and Scoping
A Data Access Policy (DAP) document has been provided for review. It outlines the policies, procedures, and requirements for data access within the corporate area and the controlled environment. Which DAP policy statement about visitors is correct?
A. Visitors must not be escorted.
B. Visitors must be escorted in the corporate area, but not in the controlled environment.
C. Visitors must be escorted in the controlled environment, but not in the corporate area.
D. Visitors must be escorted at all times.
Explanation:
The CMMC Physical Protection practice PE.L2-3.10.3 states the security requirement directly as: "Escort visitors and monitor visitor activity". The phrase "at all times" is not explicitly in the requirement text but is consistently emphasized in official guidance and assessment considerations.
Why other options are incorrect:
A. Visitors must not be escorted
– Directly contradicts the CMMC requirement. This would be a finding of NOT MET.
B. Visitors must be escorted in the corporate area, but not in the controlled environment
– Reverses the correct priority. Escort requirements apply specifically to controlled environments (areas with CUI/FCI). Corporate or public areas may have less stringent rules, but the controlled environment requires the highest level of access control.
C. Visitors must be escorted in the controlled environment, but not in the corporate area
– This is partially true but incomplete. The CMMC requirement does not explicitly exempt corporate/public areas from escort requirements; it focuses on areas where CUI or FCI is accessible. However, a Data Access Policy could reasonably apply different rules for different zones. Option D is more complete and aligns with the "at all times" guidance found in official assessment materials.
References
CMMC Level 2 Assessment Guide – PE.L2-3.10.3: Escort visitors and monitor visitor activity
NIST SP 800-171 – Requirement 3.10.3: Escort visitors and monitor visitor activity
During the assessment process, who is the final interpretation authority for recommended findings?
A. C3PAO
B. CMMC-AB
C. OSC sponsor
D. Assessment Team Members
Explanation
According to the official CMMC Assessment Process (CAP), the CMMC Third-Party Assessment Organization (C3PAO) acts as the final interpretation authority when determining whether recommended findings are "Met," "Not Met," or "Not Applicable."
While individual Assessment Team Members and the Lead Assessor gather objective evidence, conduct interviews, and formulate recommended findings during field operations, their determinations are subject to a rigorous internal quality assurance review by the C3PAO. If an Organization Seeking Certification (OSC) disputes a practice rating or finding issued by the field team, the CAP explicitly dictates that the C3PAO—as the accredited oversight entity for that engagement—holds the final authority to interpret the standard and approve or modify the scoring before results are officially uploaded into the DoD's eMASS system.
Why Other Options Are Incorrect
B is incorrect: The CMMC-AB (The Cyber AB) provides overall governance, manages the professional ecosystem, and acts as an appeals body if an OSC formally challenges a final certification decision. However, they do not manage or make interpretation calls on recommended findings during the live assessment process.
C is incorrect: The OSC Sponsor is the organization undergoing the evaluation. They can provide clarifying evidence during disputes, but they hold no authority over the final evaluation results.
D is incorrect: Assessment Team Members provide the field observations and recommendations, but they do not have final organizational authority; their findings must be verified and finalized through their parent C3PAO's quality control review process.
References
The CMMC Assessment Process (CAP) – Dispute Resolution and Quality Assurance Process: Outlines that for any disputed or contested practice findings during an assessment, the C3PAO holds the final interpretation authority.
32 CFR § 170.9 & § 170.17 (CMMC Final Rule): Details the explicit roles, operational responsibilities, and quality management requirements assigned directly to C3PAOs.
While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?
A. Procedures for implementing access control lists
B. List of unauthorized users that identifies their identities and roles
C. User names associated with system accounts assigned to those individuals
D. Physical access policy that states: "All non-employees must wear a special visitor pass or be escorted."
Explanation
The CMMC practice IA.L1-3.5.1 requires organizations to "Identify information system users, processes acting on behalf of users, or devices". This is a foundational Level 1 control derived from FAR 52.204-21 and NIST SP 800-171 3.5.1.
The official CMMC Level 1 Assessment Guide explicitly states that "individual identifiers are the user names associated with the system accounts assigned to those individuals". This means that the primary evidence for compliance is a list of system accounts showing the unique user names assigned to each individual who accesses the system. Without unique user names, you cannot trace actions to specific individuals, which undermines accountability and auditability.
Why other options are incorrect:
A. Procedures for implementing access control lists – Incorrect.
ACL procedures describe how access rules are enforced, not who the users are. This documents the mechanism (how access is controlled) rather than the identity (who the users are) required by IA.L1-3.5.1.
B. List of unauthorized users – Incorrect.
A list of unauthorized users is not meaningful because unauthorized users should not have system accounts. The requirement focuses on identifying authorized users, processes, and devices with assigned unique identifiers.
D. Physical access policy about visitor badges/escorts – Incorrect.
This addresses Physical Protection (PE), specifically PE.L2-3.10.3 (escort visitors), not Identification and Authentication (IA). Physical visitor management is separate from digital system user identification.
References
CMMC Level 1 Self-Assessment Guide (DoD) – IA.L1-3.5.1: "Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals"
NIST SP 800-171 Rev 2 – 3.5.1: Identify system users, processes acting on behalf of users, and devices
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
A. CDI
B. CTI
C. CUI
D. FCI
Explanation:
Federal Contract Information (FCI) is defined in 32 CFR § 2002.4(y) and 48 CFR § 52.204-21 as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
The definition explicitly excludes:
Information provided by the Government to the public (e.g., public websites)
Simple transactional information (e.g., payment processing data)
FCI is distinct from CUI and requires only the basic safeguarding requirements of FAR 52.204-21 (CMMC Level 1), not the full NIST SP 800-171 controls required for CUI.
Why other options are incorrect:
A. CDI (Controlled Defense Information) – Incorrect.
CDI is a legacy DoD term from DFARS 252.204-7012, largely replaced by the broader "CUI" category. The question's definition does not match CDI.
B. CTI (Controlled Technical Information) – Incorrect.
CTI is a subset of CUI with technical data or computer software subject to controls. It does not encompass all contract information described in the question.
C. CUI (Controlled Unclassified Information) – Incorrect.
CUI requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. Not all FCI rises to the level of CUI. The question's exclusion of simple transactional information and public information directly mirrors the FCI definition, not CUI.
References
32 CFR § 2002.4(y) – Definition of Federal Contract Information (FCI)
48 CFR § 52.204-21 – Basic safeguarding of contractor information systems (FCI definition)
32 CFR § 2002.4(h) – Definition of Controlled Unclassified Information (CUI)
Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of the OSC's updated POA&M with any accompanying evidence or scheduled collections?
A. 90 days
B. 180 days
C. 270 days
D. 360 days
Explanation
The 180-day timeline is a critical, non-negotiable compliance deadline for Conditional CMMC certification under Level 2. The remediation window functions as the "close-out period," requiring an organization to finalize any corrections documented in a Plan of Action & Milestones (POA&M) and pass a follow-up assessment.
If an organization fails to close all required POA&M items and obtain a "Final" status within this period, the "Conditional" status expires, potentially impacting eligibility for contract award.
Why other options are incorrect:
A. 90 days – Incorrect.
This is shorter than the regulatory mandate. According to official guidance, the only exception to the 180-day rule is for "critical requirements" which must be fully implemented prior to certification and cannot be placed on a POA&M at all.
C. 270 days – Incorrect.
This extends beyond the maximum allowed window. If an organization cannot remediate within 180 days, they are not eligible for Conditional certification under the current CMMC 2.0 rules.
D. 360 days – Incorrect.
While the planning window for remediation often spans several months, the formal regulatory close-out period from the date of the assessment findings is strictly 180 days.
References
32 CFR § 170.21 – Conditional CMMC status, POA&M requirements and 180-day close-out window
CMMC Level 2 Assessment Guide – Assessment findings and POA&M remediation timelines
What is the LAST step when developing an assessment plan for an OSC?
A. Verify the readiness to conduct the assessment.
B. Perform certification assessment readiness review.
C. Update the assessment plan and schedule as needed.
D. Obtain and record commitment to the assessment plan.
Explanation
The final step in the assessment planning phase is obtaining formal commitment from the OSC to proceed with the plan as documented. This step locks in the scope, schedule, and rules of engagement, creating a binding agreement between the OSC and the C3PAO. Obtaining this commitment involves a final review of the plan with the OSC and securing documented approval (e.g., a signed assessment agreement).
Why other options are incorrect:
A. Verify the readiness to conduct the assessment – Incorrect.
This occurs during the Phase 1 "Pre-assessment Activities" before the assessment plan is developed. You cannot finalize a plan without first knowing the OSC is ready.
B. Perform certification assessment readiness review – Incorrect.
The Readiness Review is a pre-scoping activity used to determine if the OSC can proceed. It logically comes before or during initial planning, not after finalizing the plan.
C. Update the assessment plan and schedule as needed – Incorrect.
This is an ongoing iterative task during planning; it happens before the final commitment. The plan is updated continuously as information is gathered, but the final step is to lock the plan with a commitment from the OSC.
References
Assessment Process (CAP) – Phase 1: Plan and Prepare; final step is obtaining commitment from the OSC
CMMC-CCP Exam Content Outline – Domain: Assessment Planning
A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?
A. Test
B. Examine
C. Interview
D. Assessment
Explanation
The Interview assessment method is specifically defined as the process of "conducting discussions with individuals or groups to gather evidence". In the context of CMMC assessments, the Interview method is used to:
Gather information from subject matter experts (SMEs)
Facilitate understanding of how security practices are implemented
Achieve clarification on processes, roles, and responsibilities
Corroborate evidence obtained through examination or testing
Interviews are typically conducted with personnel who have direct knowledge of the security practice being assessed, such as system administrators, security managers, or process owners. The questions focus on "how" the practice is implemented in daily operations.
Why other options are incorrect:
A. Test – Incorrect.
The Test method involves "exercising assessment objects under specified conditions to compare actual with expected behavior". Testing is active (e.g., running scripts, attempting logins) and does not involve discussions with SMEs.
B. Examine – Incorrect.
The Examine method involves "reviewing, inspecting, observing, studying, or analyzing assessment objects" such as policies, procedures, logs, and configuration files. Examination is document- or observation-focused, not conversation-based.
D. Assessment – Incorrect.
"Assessment" is the overall activity (CMMC Assessment) but is not one of the three named assessment methods. The specific methods are Examine, Interview, and Test.
References
NIST SP 800-171A – Section 2: Assessment Methods defines Interview as discussions with individuals or groups
CMMC Assessment Process (CAP) – Assessment methods guidance
CMMC Level 2 Assessment Guide – Interview method for evidence collection
What service is the MOST comprehensive that the RPO provides?
A. Training services
B. Education services
C. Consulting services
D. Assessment services
Explanation:
Registered Practitioner Organizations (RPOs) are consultative entities officially registered with The Cyber AB (formerly CMMC-AB) that provide advisory and security support services to organizations preparing for CMMC certification. The official Cyber AB website explicitly states that RPOs "deliver a non-certified advisory service" and "do not conduct Certified CMMC Assessments".
An RPO's core function is consulting: guiding Organizations Seeking Certification (OSC) through the certification process by interpreting requirements, conducting gap analyses, readiness assessments, remediation assistance, and implementation support. While RPOs may also offer training and education, these services are ancillary to their primary consultative role. Edwards Performance Solutions, a dual RPO and C3PAO, describes its RPO consulting services as including scoping, gap analysis, documentation, assessment preparation, and ongoing compliance support.
Why other options are incorrect:
A. Training services – Incorrect.
Training is a secondary offering many RPOs provide, but it is not their most comprehensive service. Training focuses on knowledge transfer, whereas consulting encompasses end-to-end compliance guidance including strategy, implementation, and remediation. Also, Licensed Training Providers (LTPs), not RPOs, are specifically authorized to deliver official CMMC training courses.
B. Education services – Incorrect.
Education falls under training and is similarly ancillary. The Cyber AB's Approved Partner Publisher (APP) and Approved Training Provider (ATP) designations specifically address education, not RPO status.
D. Assessment services – Incorrect.
RPOs cannot conduct certified CMMC assessments. Official sources repeatedly state that RPOs "do not conduct Certified CMMC Assessments" and that formal assessment responsibility "is limited to C3PAOs or government agencies". Only C3PAOs (Certified Third-Party Assessment Organizations) are authorized to perform official CMMC Level 2 and Level 3 assessments.
References
Cyber AB Official Website – RPOs "deliver a non-certified advisory service" and "do not conduct Certified CMMC Assessments"
Continuum GRC – RPO responsibilities include gap analysis, readiness assessments, remediation assistance, and implementation support; RPOs do not provide assessment services
Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?
A. Access Control (AC)
B. Media Protection (MP)
C. Asset Management (AM)
D. Configuration Management (CM)
Explanation
The practice requiring organizations to "restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services" is CM.L2-3.4.7, which falls under the Configuration Management (CM) domain.
This practice is directly tied to the "principle of least functionality," where systems are configured to provide only essential capabilities. The CM domain explicitly addresses how organizations establish and maintain secure configurations across their systems, including baseline configurations, change management, and the control of nonessential functionality.
Why other options are incorrect:
A. Access Control (AC)
– The AC domain focuses on managing access to systems and data, including information flow control, separation of duties, least privilege, and limiting unsuccessful logins. AC does not address restricting nonessential programs or disabling unused services.
B. Media Protection (MP)
– The MP domain covers safeguarding physical media (e.g., removable media) and controlling its use on system components. MP.L2-3.8.7 specifically controls the use of removable media, not nonessential programs or functions.
C. Asset Management (AM)
– The AM domain focuses on identifying and inventorying system components. AM.2.002 requires organizations to "Inventory the components of organizational systems". Asset Management deals with knowing what assets exist, not configuring which programs and services are allowed to run on them.
References
CMMC Level 2 Assessment Guide – CM.L2-3.4.7
NIST SP 800-171 Rev 2 – Requirement 3.4.7
CMMC Practice CM.L2-3.4.7 – Assessment objectives
Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?
A. Consult with the CEO of the company.
B. Consult the CMMC Assessment Guides and NIST SP 800-171.
C. Go with the network administrator's ideas with the least stringent controls.
D. Go with the network administrator's ideas with the most stringent controls.
Explanation:
The foundation of any CMMC implementation is compliance with the authoritative sources that define the requirements. When network administrators disagree on configuration decisions, the proper resolution is to consult the official standards and guidance documents that form the basis of CMMC, specifically the CMMC Assessment Guides and NIST SP 800-171.
These documents provide clear, objective criteria for security controls. Relying on them ensures that decisions are based on compliance requirements rather than personal opinions, organizational hierarchy, or arbitrary choices. Consulting authoritative sources also creates defensible evidence for assessors that the organization made good-faith, standards-based implementation decisions.
Why other options are incorrect:
A. Consult with the CEO of the company
– The CEO is unlikely to have the technical expertise to resolve configuration disputes. Furthermore, compliance is based on objective standards, not executive preference. The CEO may be consulted for policy or resource decisions, but not for technical implementation details.
C. Go with the least stringent controls
– Choosing less restrictive controls simply because they are easier to implement is likely to result in non-compliance. CMMC requires specific security configurations; picking the weaker option risks failing the assessment.
D. Go with the most stringent controls
– While more security is generally better, implementing overly restrictive controls can hinder business operations unnecessarily. Compliance requires meeting the standard, not exceeding it arbitrarily. The correct approach is to meet the standard precisely, not guess.
References
CMMC Level 1 & 2 Assessment Guides – Authoritative source for assessment objectives and evidence requirements
NIST SP 800-171 Rev 2 – Baseline security requirements for CUI protection (CMMC Level 2)
32 CFR Part 170 – Codifies CMMC requirements in federal regulation