Cyber AB Updated CMMC-CCP Exam Questions and Answers by osian

Who Determines the Assessment Method for Each Practice?

In aCMMC Level 2 Assessment, theLead Assessorhas thefinal authorityin determining theassessment methodused to evaluate each practice.

Key Responsibilities of the Lead Assessor

✅Ensures theCMMC Assessment Process (CAP) Guideis followed.

✅Determines whether a practice is evaluated usinginterviews, demonstrations, or document reviews.

✅Directs theCertified CMMC Professionals (CCPs)and other assessors on themethodologyfor gathering evidence.

✅Works under aCertified Third-Party Assessment Organization (C3PAO)to ensure proper assessment execution.

Why "Lead Assessor" is Correct?

CCP (Option A) assists in the assessment but does not make final decisionson methods.

OSC (Option B) is the Organization Seeking Certification, and they do not control assessment methodology.

Site Manager (Option C) may coordinate logistics but has no authority over assessment decisions.

Breakdown of Answer Choices

Option

Description

Correct?

A. CCP

❌Incorrect–A CCPassistsbut doesnot determine assessment methods.

B. OSC

❌Incorrect–The OSC is beingassessedand does not decide assessment methods.

C. Site Manager

❌Incorrect–The Site Manager handles logistics butdoes not control assessment methods.

D. Lead Assessor

✅Correct – The Lead Assessor has the final say on the assessment method used.

Official References from CMMC 2.0 Documentation

CMMC Assessment Process Guide (CAP)– Defines theLead Assessor’s rolein determining assessment methods.

Final Verification and Conclusion

The correct answer isD. Lead Assessor, as they havefinal decision-making authority over the assessment methodology.

Understanding Evidence Sufficiency in CMMC Level 2 Assessments

During aCMMC Level 2 Assessment, theLead Assessormust determine whether the evidence collected for each practice issufficientto support an assessment finding. This aligns with theCMMC Assessment Process (CAP) Guide, which requires assessors to evaluate:

Examinations– Reviewing documents, configurations, and system records.

Interviews– Speaking with personnel to confirm implementation and understanding.

Testing– Observing security controls in action to validate effectiveness.

To determine whether evidence issufficient, the assessor ensures that it:

Directly supports the assessment objective.

Demonstrates that the practice is consistently implemented.

Can be independently verified.

Why Option B (Sufficiency) is Correct

Sufficiencyrefers to whetherenoughevidence has been collected to make an accurate determination about compliance.

Option A (Adequacy)is incorrect because adequacy relates tothe qualityof evidence, while sufficiency focuses on whetherenoughevidence exists.

Option C (Process Mapping)is incorrect because process mapping is used for understanding workflows but is not an assessment verification method.

Option D (Assessment Scope)is incorrect because defining the scope happensbeforeevidence collection, during the planning phase.

Official CMMC Documentation References

CMMC Assessment Process (CAP) Guide – Section 3.6 (Determining Sufficiency of Evidence)

CMMC Level 2 Assessment Guide – Evidence Collection and Evaluation

Final Verification

Since theLead Assessor is ensuring enough evidence is available to verify compliance, the correct answer isOption B: Sufficiency.

In the CMMC 2.0 framework, the "Advanced" level is synonymous with CMMC Level 2 . The model is designed to be cumulative , meaning each higher level incorporates the requirements of the level(s) below it.

Cumulative Structure : For an organization to achieve a Level 2 Certification, it must demonstrate that it meets all 17 practices from Level 1 (Foundational) plus the additional 93 practices introduced at Level 2, totaling 110 practices (aligned with NIST SP 800-171 ).

Access Control (AC) Domain Breakdown :

Level 1 : Contains 4 AC practices (e.g., limiting system access to authorized users).

Level 2 : Contains 22 AC practices total. This includes the original 4 from Level 1 and 18 additional practices (e.g., controlling the use of privileged functions, limiting unsuccessful logon attempts).

Level 3 (Expert) : This level adds even more practices from NIST SP 800-172 . While Level 3 "contains" Level 2, the question asks specifically about what the Advanced Level (Level 2) contains. Therefore, it contains Level 1 and Level 2 practices.

Why other options are incorrect :

Option A : Level 2 is not just Level 1; it includes the additional NIST 800-171 requirements.

Option B : Level 3 practices are part of the "Expert" level, not the "Advanced" level.

Option D : The "Advanced" level (Level 2) does not include the "Expert" (Level 3) practices.

Reference Documents :

CMMC Model Overview (v2.0/v2.1) : Section 3.2, "Level 2: Advanced," which explicitly states the level consists of the 110 practices from NIST SP 800-171, which includes the Level 1 requirements.

32 CFR Part 170 (CMMC Program Rule) : Defines the mapping of the 14 domains and the cumulative nature of the certification levels.

CMMC Level 2 Assessment Guide : Lists all 22 Access Control practices required for a Level 2 assessment.

Understanding SI.L2-3.14.6: Monitor Communications for Attacks

The practiceSI.L2-3.14.6fromNIST SP 800-171(aligned with CMMC Level 2) requires an organization tomonitor organizational communications for indicators of attack. This typically includes:

✅Intrusion Detection Systems (IDS)andIntrusion Prevention Systems (IPS)

✅Log analysis and network monitoring

✅Incident response planningfor detected threats

As part of aCMMC Level 2 assessment, theCertified CMMC Assessor (CCA)must ensure that theOSC (Organization Seeking Certification)hasproperly implemented and documenteditsmonitoring capabilities.

Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?

TheCCA must collect sufficient objective evidenceto determine compliance.

Reviewing anartifact(such as system configurations, IDS/IPS logs, or security policies)helps validatethat intrusion detection is properly implemented.

Configuration settings providedirect evidenceof whethermonitoring for attacksis effectively applied.

Breakdown of Answer Choices

Option

Description

Correct?

A. Conduct a penetration test

❌Incorrect–Penetration testing isnot requiredfor CMMC Level 2 assessments and falls outside an assessor's responsibilities.

B. Interview the intrusion detection system's supplier.

❌Incorrect–Thesupplier does not determine compliance; the assessor needs evidence from theOSC’s implementation.

C. Upload known malicious code and observe the system response.

❌Incorrect–This would beinvasive testing, which isnot part of a CMMC assessment.

D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

✅Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.

Official References from CMMC 2.0 and NIST SP 800-171 Documentation

NIST SP 800-171 SI.L2-3.14.6– Requires monitoring communications for attack indicators.

CMMC Assessment Process Guide (CAP)– Describesartifact reviewas an essential assessment method.

Final Verification and Conclusion

The correct answer isD. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

This aligns withCMMC 2.0 Level 2 assessment requirementsandSI.L2-3.14.6 compliance verification.