Last Updated On: 4-Jun-2026


Free CyberAB CMMC-CCP Exam Questions (2026 Update)

Certified CMMC Professional (CCP) Exam


223 realistic practice questions with detailed explanations

CMMC Ecosystem

What is the BEST description of the purpose of FAR clause 52.204-21?

A. It directs all covered contractors to install the cyber security systems listed in that clause.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS.

C. It describes the minimum standard of care that contractors must take to secure covered contractor IS.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts.

C.
  It describes the minimum standard of care that contractors must take to secure covered contractor IS.

Explanation:

FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, establishes the mandatory baseline for protecting Federal Contract Information (FCI). The clause requires contractors to implement 15 specific security controls that represent the foundational level of protection for information systems processing, storing, or transmitting FCI.

Why other options are incorrect:

A. It directs all covered contractors to install the cyber security systems listed in that clause – Incorrect.
The clause describes 15 performance-based controls (e.g., "limit access," "identify users," "authenticate identities"), not specific technology products or systems. It focuses on what must be achieved, not how or which specific systems to install.

B. It describes all of the safeguards that contractors must take to secure covered contractor IS – Incorrect.
The clause explicitly states that it "does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies". It is a minimum baseline, not an exhaustive list of all possible safeguards. Contractors handling CUI must also comply with NIST SP 800-171 and other requirements.

D. It directs covered contractors to obtain CMMC Certification at the level equal to the lowest requirement of their contracts – Incorrect.
FAR 52.204-21 predates the CMMC program. CMMC Level 1 is based on the 15 controls in this FAR clause, but the clause itself does not mention CMMC certification. CMMC requirements are implemented through DFARS clauses, not this FAR clause.

References

FAR 52.204-21(b)(1) – Prescribes 15 basic safeguarding requirements at a minimum

81 Fed. Reg. 30439 (May 16, 2016) – Final Rule stating safeguards are "reflective of actions a prudent businessperson would employ"

An OSC needs to be assessed on RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. What is in scope for a Level 2 assessment of RA.L2-3.11.1?

A. IT systems

B. Enterprise systems

C. CUI Marking processes

D. Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted

D.
  Processes, people, physical entities, and IT systems in which CUI is processed, stored, or transmitted

Explanation:

The risk assessment requirement RA.L2-3.11.1 explicitly requires assessing risk to "organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals" resulting from the operation of organizational systems that process, store, or transmit CUI.

For a CMMC Level 2 assessment, the scope is defined by where CUI flows—including emails, shared drives, devices, cloud services, and all systems that handle CUI. The CUI boundary encompasses people, systems, and workflows that “touch” CUI.

Why other options are incorrect:

A. IT systems – Too narrow. While IT systems are included, the scope also encompasses people, processes, and physical entities such as facilities and manufacturing locations.

B. Enterprise systems – Too narrow and ambiguous. Enterprise systems are part of the scope but do not capture the requirement's focus on people, processes, physical assets, and individuals.

C. CUI Marking processes – Incorrect. CUI marking is related to media protection and labeling, not risk assessment. RA.L2-3.11.1 focuses on identifying threats, vulnerabilities, and impacts to operations, assets, and people.

References

CMMC Level 2 Assessment Guide – RA.L2-3.11.1 assessment objectives and discussion

32 CFR § 170.19(c) – CMMC Level 2 asset categories including CUI Assets, Security Protection Assets, and people

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

A. Have a security clearance

B. Be a senior person in the company

C. Demonstrate expertise on the CMMC requirements

D. Provide clarity and understanding of their practice activities

D.
  Provide clarity and understanding of their practice activities

Explanation:

The primary purpose of interviewing personnel during a CMMC assessment is to gather evidence about how security practices are implemented and operated in the organization's daily activities. The best interview subjects are those who can provide clarity and demonstrate understanding of their specific practice activities—the individuals who actually implement, perform, or support the security practices being assessed.

According to CMMC assessment methodology, the personnel selected for interviews should have direct, hands-on knowledge of the practices being evaluated. They should be able to explain how they perform their assigned security responsibilities, what procedures they follow, and provide specific examples of implementation. This ensures the assessor receives accurate, first-hand information about control execution.

Why other options are incorrect:

A. Have a security clearance – Irrelevant. A security clearance does not indicate knowledge of CMMC practices or how the organization implements specific controls. Clearance relates to classified information, not unclassified FCI/CUI protection.

B. Be a senior person in the company – Senior personnel (CEOs, VPs) typically lack hands-on, day-to-day operational knowledge of specific security practices. They may set policy but cannot provide implementation-level details required for assessment evidence.

C. Demonstrate expertise on the CMMC requirements – While helpful, the assessor—not the OSC personnel—is the CMMC expert. OSC personnel need operational knowledge of their own implementations, not theoretical CMMC expertise.

References

CMMC Assessment Process (CAP) – Interview methods and selection of personnel with direct implementation responsibilities

NIST SP 800-171A – Interview assessment method objective: gather evidence from individuals with knowledge of the system and its security controls

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

A. Least privilege

B. Essential concern

C. Least functionality

D. Separation of duties

C.
  Least functionality

Explanation:

The Configuration Management (CM) domain's definition of essential system capabilities is based on the principle of least functionality. The official CMMC requirement CM.L2-3.4.6 explicitly states: "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities".

The assessment objectives for CM.L2-3.4.6 require first determining whether "essential system capabilities are defined based on the principle of least functionality" and then whether "the system is configured to provide only the defined essential capabilities". The principle of least functionality mandates eliminating all nonessential programs, services, ports, and protocols—keeping only what is strictly necessary for the system's intended operation, which reduces the attack surface and lowers cybersecurity risk.

Why other options are incorrect:

A. Least privilege – Incorrect. Least privilege is an Access Control (AC) principle, not a Configuration Management principle. Least privilege limits user and process access rights to the minimum necessary to perform their assigned functions, focusing on who can access what, not what the system can run.

B. Essential concern – Incorrect. "Essential concern" is not a recognized security principle in CMMC or NIST documentation. This is a distractor with no basis in the standard.

D. Separation of duties – Incorrect. Separation of duties is an Access Control (AC) principle that prevents any single individual from having excessive authority or control over a critical function. It relates to fraud prevention and accountability, not system configuration or essential capabilities.

References

CMMC Level 2 Assessment Guide – CM.L2-3.4.6: Employ the principle of least functionality

NIST SP 800-171 Rev 2 – Requirement 3.4.6: Least functionality

Zimperium CMMC Configuration Management Guide – Lists CM.L2-3.4.6 as "Least Functionality"

While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?

A. IR.L2-3.6.1: Incident Handling

B. IR.L2-3.6.2: Incident Reporting

C. IR.L2-3.6.3: Incident Response Testing

D. IR.L2-3.6.4: Incident Spillage

A.
  IR.L2-3.6.1: Incident Handling

Explanation:

The documentation described in the question—an incident response capability that "contains information on incident preparation, detection, analysis, containment, recovery, and user response activities"—directly aligns with the official text of IR.L2-3.6.1. The CMMC practice requires organizations to: "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities".

The six elements listed in the question (preparation, detection, analysis, containment, recovery, and user response activities) are taken verbatim from the IR.L2-3.6.1 requirement. This practice focuses on having a documented and operational incident handling capability that covers the full incident lifecycle from preparation through recovery.

Why other options are incorrect:

B. IR.L2-3.6.2: Incident Reporting – Incorrect. This practice requires organizations to "track, document, and report incidents to appropriate officials and external authorities". It focuses on incident tracking, documentation, and notification workflows—not the six-component incident handling framework described in the documentation.

C. IR.L2-3.6.3: Incident Response Testing – Incorrect. This practice requires organizations to "test the organizational incident response capability" through tabletop exercises, simulations, and functional tests. The documentation described does not mention testing, exercises, or validation activities—it describes the actual incident handling capability itself.

D. IR.L2-3.6.4: Incident Spillage – Incorrect. While incident spillage (unauthorized transfer of CUI) is addressed within incident response, there is no standalone "IR.L2-3.6.4" practice in the Incident Response domain. This option cites a practice number that does not exist.

An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM, what is required of the Assessment Team to determine if a practice is scored as MET?

A. All three types of evidence are documented for every control.

B. Examine and accept evidence from one of the three evidence types.

C. Complete one of the following: examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

D.
  Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

Explanation:

According to the CMMC Assessment Guide, Level 2, an assessment practice can be scored as MET if the Assessment Team completes two of three possible evidence-gathering activities. The three types of evidence are:

Examine – Review one artifact (e.g., policy, procedure, configuration, log)
Test – Observe a satisfactory demonstration of one control in action
Interview – Receive one affirmation from OSC personnel confirming implementation

This approach recognizes that assessors do not need to use all three assessment methods for every practice to determine that a practice is MET. By requiring at least two forms of corroborating evidence, the methodology ensures sufficient confidence in the finding while maintaining assessment efficiency.

Why other options are incorrect:

A. All three types of evidence are documented for every control – Incorrect. The CMMC Assessment Guide explicitly states that not every practice requires all three methods. Requiring all three for every control would be unnecessarily burdensome and is not required for a MET determination.

B. Examine and accept evidence from one of the three evidence types – Incorrect. A single evidence type is generally insufficient to determine a practice is MET. The assessor must complete two of three activities to have adequate corroboration.

C. Complete one of the following: examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation – Incorrect. This option incorrectly inverts the requirement. The standard is to complete two of three distinct activities (examine one artifact, OR test, OR interview), not to double up on examination while skipping the other methods.

References

CMMC Assessment Process (CAP) – Phase 2: Determine Final Practice MET/NOT MET/NA Results

32 CFR § 170.24(b)(1) – "Met" defined as all applicable objectives satisfied based on evidence

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

A. Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.

B. Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

C. Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.

D. Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.

B.
  Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

Explanation:

The BEST way to retrieve sensitive client documents (which may contain CUI or FCI) is to use the client-provided laptop as the access device, connecting via the client's VPN to reach the client's secure cloud storage service. This approach maintains the client's security boundary and ensures that the client retains control over data access, transmission, and storage.

Using the client's laptop ensures that all client security controls (endpoint protection, logging, access restrictions, configuration policies) remain applied. Connecting through the client's VPN ensures encrypted transmission and authenticates the session using client-authorized credentials. This method aligns with the principle of least functionality and access control—accessing client resources only from client-managed devices rather than from unmanaged personal or home office equipment.

Why other options are incorrect:

A. Save copies on both the work and client laptops – Incorrect. Saving client documents on the assessor's own "work laptop" (which is not client-managed) unnecessarily expands the data footprint. Client data should remain on client-managed devices whenever possible. This violates data minimization principles.

C. Log into the client VPN from the assessor's laptop – Incorrect. Using a personal or work laptop (not provided or approved by the client) to access the client VPN introduces risk because the assessor's laptop is not subject to the client's security controls, monitoring, or configuration standards. This could violate both the client's security policies and CMMC assessor obligations.

D. Use their home office workstation to retrieve documents and save to USB stick – Incorrect. This is the least secure option. A home workstation lacks enterprise security controls, and copying client data to a USB stick creates both a data spillage risk (lost thumb drive) and a potential data exfiltration vector. USB media is frequently prohibited in CUI environments.

References

CMMC Assessor Code of Professional Conduct – Safeguarding OSC data

NIST SP 800-171 – Requirement 3.1.8: Limit physical access to CUI systems and media

CMMC Scoping Guide – Use of External Service Providers (ESPs) and client-managed resources

DoD Cloud Computing SRG – Secure access to cloud storage from authorized devices

Which words summarize categories of data disposal described in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?

A. Clear, purge, destroy

B. Clear, redact, destroy

C. Clear, overwrite, purge

D. Clear, overwrite, destroy

A.
  Clear, purge, destroy

Explanation:

NIST Special Publication 800-88 Revision 1 ("Guidelines for Media Sanitization") defines three distinct categories of data sanitization methods. These categories represent escalating levels of security assurance and are explicitly named as Clear, Purge, and Destroy.

Clear – Applies logical techniques to sanitize data in all user-addressable storage locations, protecting against simple, non-invasive data recovery techniques. Media can be reused after clearing.

Purge – Applies physical or logical techniques that render target data recovery infeasible even using state-of-the-art laboratory techniques. Media can be reused after purging.

Destroy – Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for data storage.

Why other options are incorrect:

B. Clear, redact, destroy – Incorrect. "Redact" refers to editing documents to remove sensitive information before release, not a media sanitization method defined in NIST SP 800-88.

C. Clear, overwrite, purge – Incorrect. "Overwrite" is a specific technique used within the Clear and Purge categories, not a separate sanitization category.

D. Clear, overwrite, destroy – Incorrect. "Overwrite" is a technique, not a category. The three categories are Clear, Purge, and Destroy.

References

NIST SP 800-88 Rev. 1 – Section 2: Sanitization definition and categories (Clear, Purge, Destroy)

NIST SP 800-88 Rev. 1, Section 2.3 – Clear; Section 2.4 – Purge; Section 2.5 – Destroy

CMMC Media Protection (MP) domain – References NIST SP 800-88 for media sanitization

Which statement BEST describes the requirements for a C3PAO?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements.

C. A C3PAO must be accredited by DoD before being able to conduct assessments.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments.

D.
  A C3PAO must be authorized by CMMC-AB before being able to conduct assessments.

Explanation:

The CMMC Third-Party Assessment Organization (C3PAO) authorization process is fundamentally managed by the Accreditation Body (the CMMC-AB, now known as The Cyber AB) under authority granted by the DoD CMMC Program Management Office.

Why other options are incorrect:

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements – Incorrect. C3PAOs are required to achieve and maintain compliance with ISO/IEC 17020, but they are given a 27-month grace period from the time of authorization to achieve full compliance. During this initial period, they are considered authorized but not yet accredited. The requirement states they "meet all requirements set forth in § 170.9," not that they must meet "some DoD and all ISO/IEC" requirements. Additionally, DoD requirements are fully applicable alongside ISO standards.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements – Incorrect. The term "accredited C3PAO" refers to a higher, more mature status that requires full compliance with ISO/IEC 17020 (not "some" requirements). Organizations have 27 months to transition from authorized status to accredited status. The option incorrectly suggests only partial ISO compliance is required for accreditation, which is false.

C. A C3PAO must be accredited by DoD before being able to conduct assessments – Incorrect. The DoD does not directly accredit C3PAOs. The DoD sets the program requirements and oversees the process, but the Accreditation Body (The Cyber AB) is responsible for the actual authorization and accreditation of C3PAOs. The DoD CMMC PMO approves the requirements and may conduct oversight, but the Cyber AB executes the authorization process.

References

32 CFR § 170.8 – Accreditation Body roles and responsibilities; authorizes C3PAOs

32 CFR § 170.9 – C3PAO requirements; must obtain authorization or accreditation from the Accreditation Body

Within what amount of time MUST convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not connected with activities that relate to carrying out a Lead Assessor role, be reported to the CMMC Accreditation Body?

A. 90 days.

B. 30 days.

C. 3 days.

D. 7 days.

C.
  3 days.

Explanation:

The requirement for Certified Professionals to report specific criminal legal actions (such as fraud, perjury, or embezzlement) is designed to protect the integrity of the CMMC ecosystem. For offenses that strike at the heart of trustworthiness—including those not connected to assessment duties—the standard for reporting is immediate, typically within 3 days. This short window ensures the Accreditation Body can promptly review the individual's status to maintain program credibility.

Why the other options are incorrect:

A. 90 days – Incorrect. A quarterly timeframe is too long for severe ethical offenses. This duration might apply to business license renewals or other administrative tasks, not urgent personal conduct disclosures.

B. 30 days – Incorrect. While common for general incident reporting or data breach notifications, 30 days exceeds the urgent window required for personal felony convictions under professional codes of conduct.

D. 7 days – Incorrect. Although 7 days is sometimes used for security incident reporting, the listed offenses (fraud, perjury) require the strictest and shortest deadline (3 days) to preserve public trust in the assessment process.

References

32 CFR § 170.13(b)(10) – Requires certified professionals to report criminal convictions "as soon as possible" or within the specific timeframe set by the Accreditation Body.

CMMC Code of Professional Conduct – Establishes the duty to immediately report specific integrity-related offenses, typically interpreted as 3 days.
