CMMC CCP Dumps (V8.02) – Read the Certified CMMC Professional (CCP) Exam Questions to Prepare for Your Certification Exam

The Certified CMMC Professional (CCP) is a popular certification that verifies your knowledge of the Cybersecurity Maturity Model Certification (CMMC), relevant supporting materials, and applicable legal and regulatory requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It also assesses your understanding of the CMMC ecosystem. Successfully passing the CMMC CCP exam not only authenticates your expertise but also significantly boosts earning potential and career prospects. DumpsBase has established itself as a trusted platform for delivering authentic and up-to-date CMMC CCP exam dumps. We have collected 140 practice exam questions and answers for learning, and these practice questions are curated by a team of experts who meticulously ensure their relevance and accuracy. This commitment to quality guarantees that the newest CMMC CCP dumps (V8.02) provide you with the comprehensive knowledge needed to clear the Certified CMMC Professional (CCP) test with impressive scores.

Certified CMMC Professional (CCP) Certification Exam CMMC CCP Free Dumps

1. During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope.

Who is responsible for verifying this request?

2. Which resource contains authoritative data classifications of CUI?

3. The Advanced Level in CMMC will contain Access Control (AC) practices from:

4. Prior to initiating an OSC's CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval.

Which document stipulates these reporting requirements?

5. A defense contractor needs to share FCI with a subcontractor and sends this data in an email.

The email system involved in this process is being used to:

6. What are CUI protection responsibilities?

7. Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?

8. A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information.

For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

9. Where can a listing of all federal agencies' CUI indices and categories be found?

10. When assessing an OSC for CMMC, the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

11. As part of CMMC 2.0, the change to Level 1 Self-Assessments that supports "reduced assessment costs" allows all companies at Level 1 (Foundational) to:

12. An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations.

Are these appropriate approaches to collecting affirmations?

13. There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC.

Which determination should be reached?

14. Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave has been met?

15. A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed.

What is the BEST way to handle this file?

16. Which phase of the CMMC Assessment Process includes developing the assessment plan?

17. What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

18. A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M, but the OSC will remain on an Interim Certification.

What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

19. Who is responsible for identifying and verifying Assessment Team Member qualifications?

20. A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC's Configuration Management (CM) domain. The CCP's first interview is with a subject-matter expert for user-installed software.

With respect to user-installed software, what facet should the CCP's interview focus on?

21. Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse.

After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

22. In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified.

What can this file cabinet BEST be determined to be?

23. An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan.

Who agrees to and signs off on the Assessment Plan?

24. In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI.

What is the ESP employee considered?

25. During the assessment process, who is the final interpretation authority for recommended findings?

26. An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly.

Is this sufficient to pass the practice?

27. While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate.

What is the MOST correct action to take?

28. An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice.

What can the assessor do?

29. A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset.

Which function BEST describes what the printer does with the FCI?

30. During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network.

What type of asset is this?

31. Which organization is the governmental authority responsible for identifying and marking CUI?

32. A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

33. A Lead Assessor has been assigned to a CMMC Assessment. During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document.

Is this document valid?

34. A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI.

Which type of asset is this considered?

35. When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC's workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns.

What is the BEST determination that the Lead Assessor should reach regarding the evidence?

36. Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?

37. Which document is the BEST source for determining the sources of evidence for a given practice?

38. Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

39. An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works.

Is this adequate for the practice?

40. When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

41. What service is the MOST comprehensive that the RPO provides?

42. What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"

43. During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor.

As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

44. What is a PRIMARY activity that is performed while conducting an assessment?

45. A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI.

According to DFARS clause 252.204-7012, what set of established security requirements MUST that cloud provider meet?

46. During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment.

Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

47. Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?

48. Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?

49. A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment.

For a Level 1 Self-Assessment, what type of asset is this?

50. An organization that manufactures night vision cameras is looking for help to address the gaps identified in physical access control systems.

Which certified individual should they approach for implementation support?


 
