Cybersecurity Maturity Model Certification Exam, Exams of Technology

The Cybersecurity Maturity Model Certification (CMMC) Exam validates understanding of the CMMC framework developed to protect sensitive defense information across the defense supply chain. The exam covers maturity levels, security domains, implementation practices, assessment readiness, and compliance requirements. It is intended for cybersecurity professionals, compliance managers, and contractors supporting organizations within regulated defense ecosystems.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2

Cybersecurity Maturity Model Certification Exam

Question 1. Which entity is primarily responsible for establishing and maintaining the CMMC standard?
A) Cyber AB
B) DoD Office of the Undersecretary of Defense (OUSD)
C) C3PAO
D) NIST
Answer: B
Explanation: The OUSD oversees the CMMC framework, ensuring it meets defense requirements.

Question 2. What is the main function of the Cyber AB within the CMMC ecosystem?
A) Certify organizations
B) Set regulatory standards
C) Accredit assessment organizations and professionals
D) Issue contracts
Answer: C
Explanation: The Cyber AB acts as the accreditation body, overseeing C3PAOs and credentialing CMMC professionals.

Question 3. Which organization conducts assessments for Organizations Seeking Certification (OSCs)?
A) Cyber AB
B) C3PAO
C) OUSD
D) NIST
Answer: B
Explanation: C3PAOs are authorized third-party organizations that perform CMMC assessments.

Question 4. Who are Registered Practitioners (RPs) in the CMMC ecosystem?
A) Individuals authorized to perform assessments
B) Individuals who advise and consult on CMMC implementation
C) Organizations seeking certification
D) Members of OUSD
Answer: B
Explanation: RPs provide guidance on CMMC compliance but do not conduct formal assessments.

Question 5. What distinguishes Certified Assessors (CCAs) from Certified Professionals (CCPs)?
A) CCAs can perform official assessments, CCPs cannot
B) CCPs are accredited by DoD
C) CCAs only advise organizations
D) There is no difference
Answer: A
Explanation: CCAs are credentialed to conduct assessments, while CCPs assist in the assessment process.

Question 6. What is the primary use of the Enterprise Mission Assurance Support Service (eMASS)?
A) Managing assessment schedules
B) Securely storing assessment reports and evidence
C) Issuing contracts
D) Marking CUI

D) Report to DoD
Answer: B
Explanation: Ethical guidelines require disclosure and possible recusal to maintain assessment objectivity.

Question 10. What principle guides all CMMC-related activities?
A) Profitability
B) Professionalism
C) Speed
D) Exclusivity
Answer: B
Explanation: Professionalism ensures fair, unbiased, and effective CMMC operations.

Question 11. Who should violations of the Code of Professional Conduct be reported to?
A) DoD
B) C3PAO
C) Cyber AB
D) SPRS
Answer: C
Explanation: Cyber AB is responsible for investigating and handling ethics violations.

Question 12. Why is confidentiality crucial during CMMC assessments?
A) Prevents legal action
B) Protects sensitive and proprietary data
C) Ensures rapid certification

D) Lowers costs
Answer: B
Explanation: Confidentiality safeguards proprietary and controlled information during the assessment process.

Question 13. What is the main regulatory clause governing protection of CUI in defense contracts?
A) DFARS 252.204-7012
B) DFARS 252.204-7021
C) NIST SP 800-171
D) CMMC Model
Answer: A
Explanation: DFARS 252.204-7012 requires contractors to implement safeguards for CUI.

Question 14. Which DFARS clause mandates CMMC certification requirements?
A) 7012
B) 7019
C) 7020
D) 7021
Answer: D
Explanation: DFARS 252.204-7021 incorporates CMMC certification requirements into contracts.

Question 15. What document outlines enhanced security requirements for CUI?
A) NIST SP 800-171
B) NIST SP 800-172

B) “CUI” header/footer
C) “For Official Use Only”
D) No marking required
Answer: B
Explanation: Official CUI documents must be labeled with the “CUI” marking.

Question 19. What is the foundational level in the CMMC maturity model?
A) Level 1
B) Level 2
C) Level 3
D) Level 4
Answer: A
Explanation: Level 1 is the entry-level (Foundational) tier for basic safeguarding of FCI.

Question 20. How many domains are covered by CMMC Level 2?
A) 5
B) 10
C) 14
D) 17
Answer: C
Explanation: CMMC Level 2 includes 14 security domains.

Question 21. Which CMMC domain focuses on limiting access to systems and data?
A) Media Protection
B) Access Control

C) Awareness & Training
D) Incident Response
Answer: B
Explanation: Access Control (AC) is dedicated to restricting system access.

Question 22. What is the primary goal of the Awareness & Training (AT) domain?
A) Penetration testing
B) Security awareness for personnel
C) Encrypting data
D) Backup management
Answer: B
Explanation: Awareness & Training ensures staff understand and adhere to security practices.

Question 23. Which domain ensures creation and protection of system logs?
A) Audit & Accountability
B) Risk Assessment
C) Identification & Authentication
D) System Maintenance
Answer: A
Explanation: The Audit & Accountability domain governs logging and audit trail management.

Question 24. What does Configuration Management (CM) primarily address?
A) User provisioning
B) Establishing and maintaining secure baseline configurations
C) Employee training

Answer: A
Explanation: MA covers procedures for securely maintaining systems.

Question 28. The Media Protection (MP) domain is designed to:
A) Protect removable storage and sanitize media
B) Audit user activity
C) Train users
D) Monitor network traffic
Answer: A
Explanation: MP ensures the secure handling and disposal of media.

Question 29. Personnel Security (PS) addresses:
A) Employee training
B) Screening employees and protecting CUI during transitions
C) Network encryption
D) Physical barriers
Answer: B
Explanation: PS includes background checks and secure handling of CUI when staff leave.

Question 30. Physical Protection (PE) includes controls for:
A) Limiting physical access to systems and infrastructure
B) Data encryption
C) Password policies
D) Patch management
Answer: A

Explanation: PE secures physical locations and hardware.

Question 31. Risk Assessment (RA) requires organizations to:
A) Ignore threats
B) Identify, scan for, and remediate vulnerabilities
C) Encrypt all data
D) Perform regular backups
Answer: B
Explanation: RA focuses on discovering and mitigating cybersecurity risks.

Question 32. Security Assessment (CA) is responsible for:
A) Periodic review of control effectiveness
B) Managing user accounts
C) System configuration
D) Encrypting data
Answer: A
Explanation: CA requires routine evaluations of security controls.

Question 33. The System & Communications Protection (SC) domain governs:
A) Data protection in transit and at rest
B) User training
C) Media disposal
D) Incident reporting
Answer: A
Explanation: SC includes controls for encrypting and safeguarding data.

Question 37. What is the first phase in the CMMC Assessment Process (CAP)?
A) Conduct Assessment
B) Plan and Prepare
C) Report Results
D) Close-out
Answer: B
Explanation: Planning and preparation come before evidence collection.

Question 38. Reviewing the System Security Plan (SSP) occurs in which assessment phase?
A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: A
Explanation: The SSP is reviewed during the initial planning phase.

Question 39. During “Conduct Assessment,” what activities take place?
A) Writing contracts
B) Gathering evidence and interviewing SMEs
C) Uploading reports
D) Marking CUI
Answer: B
Explanation: Evidence collection and stakeholder interviews are key assessment activities.

Question 40. The CMMC Assessment Report (CAR) is generated in which phase?

A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: C
Explanation: The CAR is drafted and finalized during the reporting phase.

Question 41. What is the final step of the CMMC assessment process?
A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: D
Explanation: Close-out finalizes certification and uploads results to eMASS.

Question 42. What does the “Examine, Interview, Test” (EIT) method refer to?
A) A control family
B) Three evidence collection techniques
C) CUI marking standards
D) Levels of CMMC
Answer: B
Explanation: EIT encompasses the three ways to gather evidence during assessments.

Question 43. When is a Plan of Action and Milestones (POA&M) permitted under CMMC?
A) Never

C) Avoids certification
D) Speeds up the process
Answer: A
Explanation: Objectivity prevents personal bias and maintains certification integrity.

Question 47. What is the consequence of failing to report an ethics violation?
A) Faster certification
B) Disciplinary action by Cyber AB
C) Approval of certification
D) No consequence
Answer: B
Explanation: Failure to report can result in penalties or loss of credentials.

Question 48. What is a key difference between eMASS and SPRS?
A) eMASS stores assessment data; SPRS tracks supplier risk
B) SPRS is run by NIST
C) eMASS marks CUI
D) Both have the same function
Answer: A
Explanation: eMASS is for assessment management, SPRS for supplier risk evaluation.

Question 49. Who is responsible for marking CUI in documents?
A) C3PAO
B) Organization generating the document
C) OUSD

D) Cyber AB
Answer: B
Explanation: The organization handling CUI must ensure proper marking.

Question 50. Which domain addresses sanitization of USB drives?
A) Media Protection
B) Access Control
C) Incident Response
D) Risk Assessment
Answer: A
Explanation: Sanitization of removable media is a Media Protection practice.

Question 51. What is the function of a Certified Professional (CCP)?
A) Conducting formal assessments
B) Supporting CCAs and advising organizations
C) Accrediting C3PAOs
D) Creating regulatory standards
Answer: B
Explanation: CCPs assist CCAs and provide CMMC guidance.

Question 52. Which document must organizations have to begin the CMMC assessment?
A) CAR
B) SSP
C) SPRS Report
D) POA&M

Answer: A
Explanation: Unique user identification is an IA requirement.

Question 56. What is the primary purpose of system logs?
A) Record user activity for audit and accountability
B) Encrypt data
C) Manage passwords
D) Train users
Answer: A
Explanation: Audit logs help track actions and detect abnormal behavior.

Question 57. Which domain requires periodic vulnerability scanning?
A) Risk Assessment
B) Awareness & Training
C) Maintenance
D) Security Assessment
Answer: A
Explanation: RA includes routine vulnerability scans.

Question 58. What is the role of a C3PAO?
A) Perform official CMMC assessments
B) Mark CUI
C) Develop standards
D) Manage eMASS
Answer: A

Explanation: Only C3PAOs are authorized to conduct CMMC assessments.

Question 59. How often must security controls be assessed?
A) Once
B) Periodically
C) Annually only
D) Never
Answer: B
Explanation: Security controls require regular assessment to remain effective.

Question 60. Which control family relates to monitoring for malware?
A) System & Information Integrity
B) Security Assessment
C) Media Protection
D) Access Control
Answer: A
Explanation: SI includes malware detection and response.

Question 61. What is the purpose of baseline configuration in CM?
A) Standardize secure settings across systems
B) Train users
C) Report incidents
D) Mark CUI
Answer: A
Explanation: Baseline configuration ensures consistent security standards.