Cyber AB Updated CMMC-CCP Exam Questions and Answers by philippa

A Certified CMMC Instructor (CCI) is only authorized to deliver CMMC-AB (now The Cyber AB) approved training courses through a Licensed Training Provider (LTP). CCI instructors do not deliver DFARS or NARA CUI training under CMMC authorization—only formally approved CMMC courses.

Supporting Extracts from Official Content:

CMMC Ecosystem Roles: “CCIs are authorized to deliver CMMC-AB approved training courses through an LTP.”

Why Option A is Correct:

CCIs teach only CMMC-AB approved training.

Options B, C, and D include external trainings (DFARS or NARA CUI) that are not within the CCI’s scope.

References (Official CMMC v2.0 Content):

CMMC Ecosystem documentation – Roles and Responsibilities of LTPs and CCIs.

===========

PerDFARS 252.204-7021, contractors must achieve the requiredCMMC certification levelbefore contract awardif the solicitation specifies it.

Key Requirements:

✔Contractorsmust be certified at the required CMMC levelprior to contract award.

✔Thecertification must be conducted by a C3PAO(for Level 2) orthrough self-assessment(for Level 1).

✔The certification must bevalid and registered in the Supplier Performance Risk System (SPRS)before award.

Why is the Correct Answer "At the Time of Award" (A)?

A. At the time of award → Correct

DFARS 252.204-7021requires CMMC certification before a contract can be awardedif the solicitation includes CMMC requirements.

B. Upon solicitation submission → Incorrect

Contractorsdo notneed to be CMMC-certified at thetime of bid submission, only by the time of award.

C. Thirty days from the award date → Incorrect

Contractorsmust already be certified before the award is granted. There isno grace period.

D. Before the due date of submission → Incorrect

While compliance planning is important,CMMC certification is only required before contract award, not before bid submission.

CMMC 2.0 References Supporting This Answer:

DFARS 252.204-7021 (CMMC Requirement Clause)

CMMC certification is required prior to contract awardif specified in the solicitation.

CMMC 2.0 Program Overview

States that certificationis not needed at bid submission but is required before award.

DoD Interim Rule & SPRS Guidance

Contractors must havea valid CMMC certification recorded in SPRSbefore award.

Step 1: Understand the “CA” Domain – Security Assessment

TheCA (Security Assessment)domain includes practices related to:

Planning security assessments,

Performing periodic reviews,

Managing plans of action and milestones (POA & Ms).

These practices derive fromNIST SP 800-171, specifically:

CA.2.157– Develop, document, and periodically update security plans,

CA.2.158– Periodically assess security controls,

CA.2.159– Develop and implement POA & Ms.

✅Step 2: Review CMMC Levels

Level 1 (Foundational):

Implements only the17 practicesfromFAR 52.204-21

Doesnot include the CA domain

Level 2 (Advanced):

Implements110 practicesfromNIST SP 800-171, including CA.2.157–159

First levelwhereSecurity Assessment (CA)practices are required

Level 3:

Not yet finalized but intended to include selected controls fromNIST SP 800-172

❌Why the Other Options Are Incorrect

A. Level 1

✘No CA domain practices are present at Level 1.

C. Level 3 / D. Level 4

✘These levels build on CA practices but do not represent thestarting point.

TheSecurity Assessment (CA)domain practices begin atCMMC Level 2, as part of the implementation ofNIST SP 800-171.

In the CMMC 2.0 Model , the "Advanced Level" specifically refers to Level 2 . The CMMC model is designed to be cumulative , meaning each level builds upon the requirements of the levels beneath it.

Cumulative Framework : To achieve a certification at a specific level, an Organization Seeking Certification (OSC) must demonstrate compliance with all practices at that level and all practices from the lower levels.

Access Control (AC) Domain : The Access Control domain is one of the 14 domains in CMMC Level 2. It consists of a total of 22 practices :

Level 1 (Foundational) : Contains 4 basic safeguarding practices (mapped to FAR 52.204-21).

Level 2 (Advanced) : Adds 18 additional practices (mapped to NIST SP 800-171), totaling 22 practices for the AC domain at this level.

Defining "Advanced" : The DoD defines the levels as Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Therefore, the "Advanced Level" (Level 2) contains the practices from Level 1 and Level 2, but does not include the "Expert" (Level 3) practices, which are derived from NIST SP 800-172.

Why other options are incorrect :

Option A : While it contains Level 1 practices, it also includes Level 2 practices.

Option B : Level 3 is the "Expert" level, which is separate and higher than the "Advanced" level.

Option D : The Advanced level does not reach the requirements of Level 3.

Reference Documents :

CMMC Model Overview (v2.0) : Section 3.2, "Level 2: Advanced," which describes the 110 practices derived from NIST SP 800-171.

32 CFR Part 170 (CMMC Program Rule) : Details the structure of the levels and the requirement for cumulative compliance.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment, clearly identifying which are carried over from Level 1.

===========