Cyber AB Updated CMMC-CCP Exam Questions and Answers by osian

Understanding the Principle of Least Functionality in the CM DomainTheConfiguration Management (CM) domainin CMMC 2.0 focuses on maintaining the security and integrity of an organization’s systems through controlled configurations and restrictions on system capabilities.

The principle ofLeast Functionalityrefers to limiting a system’s features, services, and applications to only those necessary for its intended purpose. This principle reduces the attack surface by minimizing unnecessary components that could be exploited by attackers.

CMMC Practice CM.L2-3.4.6 (Use Least Functionality)explicitly states:"Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."

Thegoalis to prevent unauthorized or unnecessary applications, services, and ports from running on the system.

Examples of Implementation:

Disabling unnecessary services, such as remote desktop access if not required.

Restricting software installation to approved applications.

Blocking unused network ports and protocols.

A. Least Privilege

This principle (associated with Access Control) ensures that users and processes have only the minimum level of access necessary to perform their jobs.

It is relevant to CMMC PracticeAC.L2-3.1.5 (Least Privilege)but does not define system capabilities.

B. Essential Concern

There is no officially recognized cybersecurity principle called "Essential Concern" in CMMC, NIST, or related frameworks.

D. Separation of Duties

This principle (covered under CMMCAC.L2-3.1.4) ensures that no single individual has unchecked control over critical functions, reducing the risk of fraud or abuse.

While important for security, it does not define essential system capabilities.

CMMC 2.0 Level 2 Assessment Guide – Configuration Management (CM) Domain

CM.L2-3.4.6 mandatesleast functionalityto enhance security by removing unnecessary features.

NIST SP 800-171 (which CMMC is based on) – Requirement 3.4.6

States:"Limit system functionality to only the essential capabilities required for organizational missions or business functions."

NIST SP 800-53 – Control CM-7 (Least Functionality)

Provides detailed recommendations on configuring systems to operate with only necessary features.

Justification for the Correct Answer: Least Functionality (C)Why Other Options Are IncorrectOfficial CMMC and NIST ReferencesConclusionTheprinciple of Least Functionality (C)is the basis for defining essential system capabilities in theConfiguration Management (CM) domainof CMMC 2.0. By applying this principle, organizations reduce security risks by ensuring that only the necessary functions, services, and applications are enabled.

Understanding Specialized Assets in a CMMC Self-AssessmentDuringCMMC Level 1 Self-Assessments, organizations must classify theirassetsin theSystem Security Plan (SSP).

Operational Technology (OT)includesmachine controllers, industrial control systems (ICS), and assembly machines.

Thesesystems control physical processesin manufacturing, energy, and industrial environments.

OT assets are distinct from traditional IT systemsbecause they haveunique security considerations(e.g., real-time control, legacy system constraints).

Specialized Asset Type: Operational Technology (OT)

A. IoT (Internet of Things) → Incorrect

IoT devicesinclude smart home systems, connected sensors, and networked appliances, butmachine controllers and assembly machines fall under OT, not IoT.

B. Restricted IS → Incorrect

Restricted Information Systems (IS) refer to classified or highly controlled systems, whichdoes not apply to standard industrial machines.

C. Test Equipment → Incorrect

Test equipment includes diagnostic tools or measurement devicesused forquality assurance, not industrial machine controllers.

D. Operational Technology → Correct

Machine controllers and assembly machinesare part ofindustrial automation and control systems, which are classified asOperational Technology (OT).

Why is the Correct Answer "D. Operational Technology"?

CMMC Scoping Guidance for Level 1 & Level 2 Assessments

DefinesOperational Technology (OT) as a category of Specialized Assetsthat requirespecific security considerations.

NIST SP 800-82 (Guide to Industrial Control Systems Security)

Identifiesmachine controllers and assembly machinesas part ofOperational Technology (OT).

CMMC 2.0 Asset Classification Guidelines

Specifies thatOT systems should be documented separately in an organization's SSP.

CMMC 2.0 References Supporting This Answer:

In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.

The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.

CMMC Level 2is designed to alignfullywithNIST SP 800-171, which consists of110 security controls (practices).

This meansall 110 practicesfrom NIST SP 800-171 are required for aCMMC Level 2 certification.

How Many Practices Are Included in CMMC Level 2?Breakdown of Practices in CMMC 2.0CMMC Level

Number of Practices

Level 1

17 practices(Basic Cyber Hygiene)

Level 2

110 practices(Aligned with NIST SP 800-171)

Level 3

Not yet finalized but expected to exceed 110

Since CMMC Level 2 mandatesall 110 NIST SP 800-171 practices, the correct answer isC. 110 practices.

A. 17 practices❌Incorrect.17 practicesapply only toCMMC Level 1, not Level 2.

B. 72 practices❌Incorrect. There is no CMMC level with72 practices.

D. 180 practices❌Incorrect. CMMC Level 2only requires 110 practices, not 180.

Why the Other Answers Are Incorrect

CMMC 2.0 Model– Confirms thatLevel 2 includes 110 practicesaligned withNIST SP 800-171.

NIST SP 800-171 Rev. 2– Outlines the110 security controlsrequired for handlingControlled Unclassified Information (CUI).

CMMC Official ReferencesThus,option C (110 practices) is the correct answer, as per official CMMC guidance.