The Cybersecurity Maturity Model Certification (CMMC) Exam validates understanding of the CMMC framework developed to protect sensitive defense information across the defense supply chain. The exam covers maturity levels, security domains, implementation practices, assessment readiness, and compliance requirements. It is intended for cybersecurity professionals, compliance managers, and contractors supporting organizations within regulated defense ecosystems.
Typology: Exams
Question 1. Which entity is primarily responsible for establishing and maintaining the CMMC standard?
A) Cyber AB
B) DoD Office of the Under Secretary of Defense (OUSD)
C) C3PAO
D) NIST
Answer: B
Explanation: The OUSD oversees the CMMC framework, ensuring it meets defense requirements.

Question 2. What is the main function of the Cyber AB within the CMMC ecosystem?
A) Certify organizations
B) Set regulatory standards
C) Accredit assessment organizations and professionals
D) Issue contracts
Answer: C
Explanation: The Cyber AB is the accreditation body that authorizes C3PAOs and credentials CMMC professionals.

Question 3. Which organization conducts assessments for Organizations Seeking Certification (OSCs)?
A) Cyber AB
B) C3PAO
C) OUSD
D) NIST
Answer: B
Explanation: C3PAOs are authorized third-party organizations that perform CMMC certification assessments.

Question 4. Who are Registered Practitioners (RPs) in the CMMC ecosystem?
A) Individuals authorized to perform assessments
B) Individuals who advise and consult on CMMC implementation
C) Organizations seeking certification
D) Members of OUSD
Answer: B
Explanation: RPs provide guidance on CMMC compliance but do not conduct formal assessments.

Question 5. What distinguishes Certified Assessors (CCAs) from Certified Professionals (CCPs)?
A) CCAs can perform official assessments; CCPs cannot
B) CCPs are accredited by DoD
C) CCAs only advise organizations
D) There is no difference
Answer: A
Explanation: CCAs are credentialed to conduct assessments, while CCPs assist in the assessment process.

Question 6. What is the primary use of the Enterprise Mission Assurance Support Service (eMASS)?
A) Managing assessment schedules
B) Securely storing assessment reports and evidence
C) Issuing contracts
D) Marking CUI
D) Report to DoD
Answer: B
Explanation: Ethical guidelines require disclosure and possible recusal to maintain assessment objectivity.

Question 10. What principle guides all CMMC-related activities?
A) Profitability
B) Professionalism
C) Speed
D) Exclusivity
Answer: B
Explanation: Professionalism ensures fair, unbiased, and effective CMMC operations.

Question 11. To whom should violations of the Code of Professional Conduct be reported?
A) DoD
B) C3PAO
C) Cyber AB
D) SPRS
Answer: C
Explanation: The Cyber AB is responsible for investigating and handling ethics violations.

Question 12. Why is confidentiality crucial during CMMC assessments?
A) Prevents legal action
B) Protects sensitive and proprietary data
C) Ensures rapid certification
D) Lowers costs
Answer: B
Explanation: Confidentiality safeguards proprietary and controlled information during the assessment process.

Question 13. What is the main regulatory clause governing protection of CUI in defense contracts?
A) DFARS 252.204-7012
B) DFARS 252.204-7021
C) NIST SP 800-171
D) CMMC Model
Answer: A
Explanation: DFARS 252.204-7012 requires contractors to implement the NIST SP 800-171 safeguards for CUI and to report cyber incidents.

Question 14. Which DFARS clause mandates CMMC certification requirements?
A) 252.204-7012
B) 252.204-7019
C) 252.204-7020
D) 252.204-7021
Answer: D
Explanation: DFARS 252.204-7021 incorporates CMMC level requirements into contracts.

Question 15. What document outlines enhanced security requirements for CUI?
A) NIST SP 800-171
B) NIST SP 800-172
B) “CUI” header/footer
C) “For Official Use Only”
D) No marking required
Answer: B
Explanation: Official CUI documents must be labeled with the “CUI” marking.

Question 19. What is the foundational level in the CMMC maturity model?
A) Level 1
B) Level 2
C) Level 3
D) Level 4
Answer: A
Explanation: Level 1 is the entry-level (Foundational) tier for basic safeguarding of FCI.

Question 20. How many domains are covered by CMMC Level 2?
A) 5
B) 10
C) 14
D) 17
Answer: C
Explanation: CMMC Level 2 includes 14 security domains.

Question 21. Which CMMC domain focuses on limiting access to systems and data?
A) Media Protection
B) Access Control
C) Awareness & Training
D) Incident Response
Answer: B
Explanation: Access Control (AC) is dedicated to restricting system access.

Question 22. What is the primary goal of the Awareness & Training (AT) domain?
A) Penetration testing
B) Security awareness for personnel
C) Encrypting data
D) Backup management
Answer: B
Explanation: Awareness & Training ensures staff understand and adhere to security practices.

Question 23. Which domain ensures creation and protection of system logs?
A) Audit & Accountability
B) Risk Assessment
C) Identification & Authentication
D) System Maintenance
Answer: A
Explanation: The Audit & Accountability domain governs logging and audit trail management.

Question 24. What does Configuration Management (CM) primarily address?
A) User provisioning
B) Establishing and maintaining secure baseline configurations
C) Employee training
Answer: A
Explanation: MA covers procedures for securely maintaining systems.

Question 28. The Media Protection (MP) domain is designed to:
A) Protect removable storage and sanitize media
B) Audit user activity
C) Train users
D) Monitor network traffic
Answer: A
Explanation: MP ensures the secure handling and disposal of media.

Question 29. Personnel Security (PS) addresses:
A) Employee training
B) Screening employees and protecting CUI during transitions
C) Network encryption
D) Physical barriers
Answer: B
Explanation: PS includes background checks and secure handling of CUI when staff leave.

Question 30. Physical Protection (PE) includes controls for:
A) Limiting physical access to systems and infrastructure
B) Data encryption
C) Password policies
D) Patch management
Answer: A
Explanation: PE secures physical locations and hardware.

Question 31. Risk Assessment (RA) requires organizations to:
A) Ignore threats
B) Identify, scan for, and remediate vulnerabilities
C) Encrypt all data
D) Perform regular backups
Answer: B
Explanation: RA focuses on discovering and mitigating cybersecurity risks.

Question 32. Security Assessment (CA) is responsible for:
A) Periodic review of control effectiveness
B) Managing user accounts
C) System configuration
D) Encrypting data
Answer: A
Explanation: CA requires routine evaluations of security controls.

Question 33. The System & Communications Protection (SC) domain governs:
A) Data protection in transit and at rest
B) User training
C) Media disposal
D) Incident reporting
Answer: A
Explanation: SC includes controls for encrypting and safeguarding data.
Question 37. What is the first phase in the CMMC Assessment Process (CAP)?
A) Conduct Assessment
B) Plan and Prepare
C) Report Results
D) Close-out
Answer: B
Explanation: Planning and preparation come before evidence collection.

Question 38. Reviewing the System Security Plan (SSP) occurs in which assessment phase?
A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: A
Explanation: The SSP is reviewed during the initial planning phase.

Question 39. During “Conduct Assessment,” what activities take place?
A) Writing contracts
B) Gathering evidence and interviewing SMEs
C) Uploading reports
D) Marking CUI
Answer: B
Explanation: Evidence collection and stakeholder interviews are key assessment activities.

Question 40. The CMMC Assessment Report (CAR) is generated in which phase?
A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: C
Explanation: The CAR is drafted and finalized during the reporting phase.

Question 41. What is the final step of the CMMC assessment process?
A) Plan and Prepare
B) Conduct Assessment
C) Report Results
D) Close-out
Answer: D
Explanation: Close-out finalizes certification and uploads results to eMASS.

Question 42. What does the “Examine, Interview, Test” (EIT) method refer to?
A) A control family
B) Three evidence collection techniques
C) CUI marking standards
D) Levels of CMMC
Answer: B
Explanation: EIT encompasses the three ways to gather evidence during assessments.

Question 43. When is a Plan of Action and Milestones (POA&M) permitted under CMMC?
A) Never
C) Avoids certification
D) Speeds up the process
Answer: A
Explanation: Objectivity prevents personal bias and maintains certification integrity.

Question 47. What is the consequence of failing to report an ethics violation?
A) Faster certification
B) Disciplinary action by Cyber AB
C) Approval of certification
D) No consequence
Answer: B
Explanation: Failure to report can result in penalties or loss of credentials.

Question 48. What is a key difference between eMASS and SPRS?
A) eMASS stores assessment data; SPRS tracks supplier risk
B) SPRS is run by NIST
C) eMASS marks CUI
D) Both have the same function
Answer: A
Explanation: eMASS is for assessment management; SPRS is for supplier risk evaluation.

Question 49. Who is responsible for marking CUI in documents?
A) C3PAO
B) Organization generating the document
C) OUSD
D) Cyber AB
Answer: B
Explanation: The organization handling CUI must ensure proper marking.

Question 50. Which domain addresses sanitization of USB drives?
A) Media Protection
B) Access Control
C) Incident Response
D) Risk Assessment
Answer: A
Explanation: Sanitization of removable media is a Media Protection practice.

Question 51. What is the function of a Certified Professional (CCP)?
A) Conducting formal assessments
B) Supporting CCAs and advising organizations
C) Accrediting C3PAOs
D) Creating regulatory standards
Answer: B
Explanation: CCPs assist CCAs and provide CMMC guidance.

Question 52. Which document must organizations have to begin the CMMC assessment?
A) CAR
B) SSP
C) SPRS Report
D) POA&M
Answer: A
Explanation: Unique user identification is an IA requirement.

Question 56. What is the primary purpose of system logs?
A) Record user activity for audit and accountability
B) Encrypt data
C) Manage passwords
D) Train users
Answer: A
Explanation: Audit logs help track actions and detect abnormal behavior.

Question 57. Which domain requires periodic vulnerability scanning?
A) Risk Assessment
B) Awareness & Training
C) Maintenance
D) Security Assessment
Answer: A
Explanation: RA includes routine vulnerability scans.

Question 58. What is the role of a C3PAO?
A) Perform official CMMC assessments
B) Mark CUI
C) Develop standards
D) Manage eMASS
Answer: A
Explanation: C3PAOs are the third-party organizations authorized to conduct CMMC Level 2 certification assessments. (Level 3 assessments are conducted by DCMA DIBCAC, and Level 1 and some Level 2 requirements are met by self-assessment.)

Question 59. How often must security controls be assessed?
A) Once
B) Periodically
C) Annually only
D) Never
Answer: B
Explanation: Security controls require regular assessment to remain effective.

Question 60. Which control family relates to monitoring for malware?
A) System & Information Integrity
B) Security Assessment
C) Media Protection
D) Access Control
Answer: A
Explanation: SI includes malware detection and response.

Question 61. What is the purpose of baseline configuration in CM?
A) Standardize secure settings across systems
B) Train users
C) Report incidents
D) Mark CUI
Answer: A
Explanation: Baseline configuration ensures consistent security standards.