Last Updated On : 4-Jun-2026


Free CyberAB CMMC-CCP Exam Questions (2026 Update)

Certified CMMC Professional (CCP) Exam


223 realistic practice questions with detailed explanations

CMMC Governance and Source Documents

Which resource contains authoritative data classifications of CUI?



A. NARA


B. CMMC-AB


C. DoD Contractors FAQ


D. OSC's privacy policies





A. NARA

Explanation

The National Archives and Records Administration (NARA) serves as the Executive Agent for the Controlled Unclassified Information (CUI) Program and maintains the official CUI Registry, which contains all authoritative data classifications of CUI. Executive Order 13556 explicitly designated NARA as the Executive Agent responsible for overseeing the CUI Program and implementing government-wide standards.

Why other options are incorrect:

B. CMMC-AB (The Cyber AB)
– The Cyber AB is the accreditation body responsible for the CMMC ecosystem, including accrediting C3PAOs and maintaining the CMMC Marketplace. It does not define or maintain CUI data classifications. The Cyber AB's role is implementing assessment standards, not defining the underlying CUI categories.

C. DoD Contractors FAQ
– An FAQ document, regardless of its source, is an informational resource that may summarize or explain CUI requirements but is not the authoritative source for data classifications. Only the official CUI Registry maintained by NARA carries legal authority for CUI categories.

D. OSC's privacy policies
– An Organization Seeking Certification's internal privacy policies have no authority over government-defined CUI classifications. Privacy policies describe how an organization handles data internally but cannot define what constitutes CUI under federal law.

References

Executive Order 13556 – Controlled Unclassified Information; designates NARA as Executive Agent

32 CFR Part 2002 – NARA's final rule establishing uniform CUI policy across federal agencies

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?



A. NIST SP 800-53


B. NIST SP 800-53A


C. NIST SP 800-171


D. NIST SP 800-171A





D. NIST SP 800-171A

Explanation

The CMMC assessment process leverages NIST Special Publication 800-171A, titled "Assessing Security Requirements for Controlled Unclassified Information," as the definitive guide for assessment procedures and methods.

While NIST SP 800-171 defines the "what"—the 110 security requirements organizations must implement for CUI protection—NIST SP 800-171A defines the "how". It details over 320 specific assessment objectives and outlines the three primary assessment methods used in CMMC evaluations: Examine, Interview, and Test.

Why other options are incorrect:

A. NIST SP 800-53
– This publication provides security and privacy controls for federal information systems and organizations, primarily for FISMA compliance. It is not the assessment procedure document used for CMMC.

B. NIST SP 800-53A
– This is the assessment guide for SP 800-53 controls, used for federal agency assessments, not for CMMC contractor assessments.

C. NIST SP 800-171
– This defines the 110 security requirements (the "what" of compliance), not the assessment procedures (the "how"). It is the baseline standard, not the assessment methodology document.

References

NIST SP 800-171A – Section 2: Assessment Methods (Examine, Interview, Test)

CMMC Level 2 Assessment Guide – Assessment methodology and objectives

CMMC-CCP Exam Content Outline – Domain: Assessment Methods and Procedures

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?



A. In scope, because it is an asset that stores FCI


B. In scope, because it is part of the same physical location


C. Out of scope, because they are all only paper documents


D. Out of scope, because it does not process or transmit FCI





A. In scope, because it is an asset that stores FCI

Explanation

CMMC scoping rules apply to all assets that process, store, or transmit protected government data. This rule is format-neutral; it applies equally to digital assets and physical assets.

Federal Contract Information (FCI) is defined as information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service. If a physical object—such as a file cabinet, storage locker, or security bin—contains printed paper documents that hold FCI, that physical object is actively storing FCI.

Therefore, it must be designated as In Scope for a CMMC Level 1 assessment. The assessor will evaluate this asset to ensure it meets basic physical safeguarding requirements, such as restricting physical access to authorized personnel (e.g., verifying that the cabinet is locked when unattended).

Why Other Options Are Incorrect

B is incorrect:
Being in the same physical location as an in-scope asset does not automatically pull an unrelated object into scope. An asset enters the CMMC Level 1 boundary because of its relationship to FCI (processing, storing, or transmitting it), not merely due to geographic proximity.

C is incorrect:
CMMC protections do not stop at digital boundaries. Paper-based FCI is subject to the exact same high-level regulatory protections under FAR Clause 52.204-21 as electronic files.

D is incorrect:
While a file cabinet does not "process" or "transmit" data, it does store data. Under the definition of the assessment boundary, satisfying any one of those three criteria (processing, storing, or transmitting) places the asset firmly in scope.

References

CMMC Scoping Guidance for Level 1: Explicitly outlines that assets that process, store, or transmit FCI are part of the Level 1 assessment boundary.

FAR Clause 52.204-21 (b)(1)(x): Requires contractors to limit physical access to organizational information systems and equipment to authorized individuals. A file cabinet storing paper FCI is classified as equipment protecting that data.

During a POA&M closeout assessment, the Lead Assessor and team members verified all evidence provided by the OSC and passed those that satisfied the requirements. Who MUST verify that every failed practice from the initial original assessment has been adequately addressed?



A. OSC


B. CCA


C. OSC sponsor


D. Lead Assessor





D. Lead Assessor

Explanation:

Under the official CMMC Assessment Process (CAP) rules for a Plan of Action and Milestones (POA&M) closeout assessment, the Lead Assessor retains the ultimate personal and professional accountability for verifying that the organization has successfully remediated its security gaps.

While other Assessment Team Members (such as Certified CMMC Assessors—CCAs) may assist in collecting, reviewing, and evaluating the newly provided objective evidence, the Lead Assessor is the only individual authorized to sign off on the final closeout results. They must personally verify that every single practice that failed during the initial assessment has now been adequately addressed, meets the CMMC assessment criteria, and is fully implemented before updating the final assessment report for the C3PAO.

Why Other Options Are Incorrect

A and C are incorrect:
The Organization Seeking Certification (OSC) and its corporate sponsor are responsible for implementing the remediations and providing the evidence, but they cannot legally audit or verify their own compliance.

B is incorrect:
While a Certified CMMC Assessor (CCA) can perform the underlying evaluation steps under the supervision of the Lead Assessor, the specific regulatory mandate to validate, approve, and finalize the overall closeout results rests strictly on the shoulders of the Lead Assessor leading the engagement.

References

The CMMC Assessment Process (CAP) – Phase 4:
Finalize Assessment (POA&M Closeout Assessment): Explicitly states that the Lead Assessor is responsible for reviewing the POA&M deficiencies and ensuring that all remaining practices have been validated as "Met."

32 CFR § 170.18 (CMMC Final Rule - Assessment Requirements):
Outlines the strict operational guidelines for POA&M closeouts, identifying the Lead Assessor as the technical authority who signs off on the final conformity assessment results.

What is the primary intent of the "verify evidence and record gaps" activity?



A. Map test and demonstration responses to CMMC practices.


B. Conduct interviews to test process implementation knowledge.


C. Determine the one-to-one relationship between a practice and an assessment object.


D. Identify and describe differences between what the Assessment Team required and the evidence collected.





D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Explanation

The verify evidence and record gaps activity is a core component of the CMMC assessment process. Its primary purpose is to compare the evidence provided by the OSC against the specific requirements of each CMMC practice and identify any discrepancies or deficiencies (gaps) where the evidence fails to meet the requirement.

Why other options are incorrect:

A. Map test and demonstration responses to CMMC practices
– This describes evidence mapping, which is part of correlating assessment results to practices, but it is not the primary intent of "verify evidence and record gaps." Mapping occurs earlier or in parallel.

B. Conduct interviews to test process implementation knowledge
– This describes the Interview assessment method, which is a separate evidence-gathering activity, not the gap verification and recording activity.

C. Determine the one-to-one relationship between a practice and an assessment object
– This describes evidence mapping or practice-object alignment, which is a planning or analysis activity, not the gap identification activity.

References

CMMC Assessment Process (CAP) – Phase 2: Verify evidence and record gaps

NIST SP 800-171A – Assessment objectives and evidence analysis

CMMC Level 2 Assessment Guide – Findings development and POA&M documentation

A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?



A. The C3PAO submits the results to the CMMC-AB.


B. The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.


C. The C3PAO submits the results to Enterprise Mission Assurance Support Service.


D. The Lead Assessor submits the results to the CMMC-AB.





C. The C3PAO submits the results to Enterprise Mission Assurance Support Service.

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?



A. When under the control of the DoD


B. When the document is considered secret


C. When a document is being shared outside of the organization


D. When a derivative document's original information is not CUI





C. When a document is being shared outside of the organization

Explanation:

Under the CUI program established by Executive Order 13556 and implemented through 32 CFR Part 2002, legacy markings (such as FOUO – For Official Use Only) do not automatically convert to CUI markings. The requirement to re-mark or redact legacy documents is primarily triggered when information is shared outside of the organization.

Why other options are incorrect:

A. When under the control of the DoD – Incorrect.
Legacy materials under DoD control do not require immediate re-marking. Agencies may grant waivers for legacy materials while they remain under agency control. The requirement is triggered upon dissemination outside the agency, not while under DoD control.

B. When the document is considered secret – Incorrect.
The CUI program applies to unclassified information that requires safeguarding, not classified information. Secret documents fall under separate classification frameworks (e.g., Executive Order 13526) and are not governed by CUI marking requirements. The question specifically addresses CUI and DoD legacy markings, which by definition apply to unclassified information.

D. When a derivative document's original information is not CUI – Incorrect.
If the original information is not CUI, there is generally no requirement to re-mark or redact. The trigger for re-marking is when legacy information qualifies as CUI and is being reused or shared outside the organization. There is no requirement to re-mark non-CUI information.

References

DoD CUI Program FAQ – "Is FOUO a valid marking? No... If the same information is put in a new document or is shared outside the Department, it needs to be assessed to see if it meets the criteria for CUI and marked appropriately"

National Archives CUI Program Blog – "Agencies can waive the requirement to re-mark legacy information while the CUI is in their control... [Re-marking is required] when reusing and sharing the information with others outside of their agency"

An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?



A. Specifications and mechanisms


B. Examination, interviews, and testing


C. Determination statement related to the practice


D. Exercising assessment objects under specified conditions





C. Determination statement related to the practice

Explanation

Assessment objectives are structured as determination statements that define what the assessor needs to confirm about an organization's implementation of a security practice. According to NIST SP 800-171A, each assessment objective begins with a phrase such as "[a determination that] the organization..." followed by the specific condition to be verified.

For example, for practice IA.L1-3.5.1 (Identify system users), the assessment objective is: "Determine if the organization identifies information system users, processes acting on behalf of users, or devices." This is a yes/no determination statement. Each assessment objective represents a specific, testable condition that contributes to determining whether a practice is MET or NOT MET.

Why other options are incorrect:

A. Specifications and mechanisms
– These are assessment objects, not parts of an assessment objective. Specifications include policies and procedures; mechanisms include hardware and software. They are what the assessor examines, not determination statements.

B. Examination, interviews, and testing
– These are the three assessment methods defined in NIST SP 800-171A, not parts of an assessment objective. Methods are "how" evidence is gathered; objectives define "what" is being determined.

D. Exercising assessment objects under specified conditions
– This describes the Test assessment method, specifically the process of active testing. It is not part of an assessment objective.

References

NIST SP 800-171A – Section 3: Assessment Objectives as determination statements

CMMC Level 2 Assessment Guide – Assessment objectives for each practice

When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC's workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?



A. It is sufficient, and the audit finding can be rated as MET.


B. It is insufficient, and the audit finding can be rated NOT MET.


C. It is sufficient, and the Lead Assessor should seek more evidence.


D. It is insufficient, and the Lead Assessor should seek more evidence.





A. It is sufficient, and the audit finding can be rated as MET.

Explanation:

The scenario describes evidence that fully satisfies SI.L1-3.14.2 (Provide protection from malicious code at appropriate locations). The OSC has demonstrated:

Antivirus software installed on all workstations and servers (appropriate locations)
A centralized management console (indicates enterprise control)
Updated antivirus patterns on all devices (verifies active protection)

Under CMMC Level 1 assessment methodology, evidence is evaluated against two criteria: adequacy (is it the right type of evidence?) and sufficiency (is there enough evidence?). Here, the evidence is both adequate and sufficient. No additional evidence is required to determine that the practice is MET.

Why other options are incorrect:

B. It is insufficient, and the audit finding can be rated NOT MET – Incorrect. The evidence presented is sufficient. There is no indication that malicious code protection is missing or inadequate.

C. It is sufficient, and the Lead Assessor should seek more evidence – Incorrect. Once sufficiency is established, the assessor should not seek more evidence unless there is a specific reason to doubt the evidence already collected. Doing so would be inefficient and unnecessary.

D. It is insufficient, and the Lead Assessor should seek more evidence – Incorrect. The evidence is sufficient. There is no basis to label it insufficient or to seek additional evidence.

References

CMMC Level 1 Self-Assessment Guide – SI.L1-3.14.2: Protection from malicious code

NIST SP 800-171 Rev 2 – Requirement 3.14.2

CMMC Assessment Process – Evidence adequacy and sufficiency criteria

For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?



A. ESP


B. People


C. Test equipment


D. Government property





D. Government property

Explanation:

For the purpose of determining scope, government property is an asset type that must be included as part of the CMMC assessment but would not receive a CMMC certification unless an enterprise assessment is conducted.

Why other options are incorrect:

A. ESP (External Service Provider)
– ESPs are third-party entities that process, store, or transmit FCI, CUI, or Security Protection Data. They are not included in the OSC's assessment scope in the same way as specialized assets. Instead, ESPs are subject to their own compliance requirements (e.g., FedRAMP authorization for cloud service providers) and are addressed via a Customer Responsibility Matrix.

B. People
– Personnel are not an asset category that receives certification. People are part of the overall organizational assessment but are not certified independently. The CMMC assessment evaluates policies, training, and practices related to personnel security, but individuals themselves do not receive certification.

C. Test equipment
– Test equipment is actually a subset of Specialized Assets, alongside government property, IoT devices, and OT assets. While test equipment is included in the assessment scope, the question asks for an asset type that "would NOT receive a CMMC certification unless an enterprise assessment is conducted." Government property is the best answer because it is uniquely furnished by the government and cannot be certified without the government's participation in an enterprise-level assessment.

References

CMMC Scoping Guide (CMMC 2.0) – Defines four asset categories including Specialized Assets (government property, IoT, OT, test equipment)

Security Today Article – "Specialized Assets: Include items such as government property, Internet of Things devices, operational technology assets and test equipment"

Page 5 out of 23 Pages