CCP Exam Review · CMMC v2.0

Certified CMMC Professional

Advanced Review Guide · 2–3 Hour Session · All 6 Domains

170 questions · 3.5 hours · Pass score: 500 (scaled)
Cyber AB · Meazure Learning · Updated 2025/2026

Exam at a glance: 170 questions · 3.5h time limit · 500 passing score · 6 domains · 110 NIST practices · 14 security domains

Exam Roadmap

| Domain | Title | Weight | Approx. Questions |
|---|---|---|---|
| Domain 1 | CMMC Ecosystem | 5% | ~8–9 |
| Domain 2 | Code of Professional Conduct | 5% | ~8–9 |
| Domain 3 ★ Priority | Governance & Source Documents | 15% | ~25–26 |
| Domain 4 | Model Construct & Implementation | 25–35% | ~42–60 |
| Domain 5 ★ Priority | CMMC Assessment Process (CAP) | 35–40% | ~60–68 |
| Domain 6 | Scoping | 15–20% | ~25–34 |

Suggested 2–3 Hour Study Schedule

  • Domain 3 · Governance & Source Docs (priority): 25 min
  • Domain 5 · CMMC Assessment Process (priority): 40 min
  • Domain 4 · Model Construct & Implementation: 35 min
  • Domain 6 · Scoping: 25 min
  • Domain 1 · Ecosystem: 10 min
  • Domain 2 · Ethics / CoPC: 10 min
  • Practice Questions (all domains): 35 min

Key Source Documents — Quick Reference

These documents are tested directly. Know the relationship between each one — many questions hinge on knowing which source document governs what.
| Document | What It Governs | Key Link |
|---|---|---|
| CMMC 2.0 Final Rule (32 CFR Part 170) | The CMMC program rule itself — levels, requirements, certification paths | DoD / OUSD(A&S) |
| DFARS 252.204-7012 | Safeguarding Covered Defense Information; mandates NIST SP 800-171 compliance | Existing contract clause |
| DFARS 252.204-7019 / 7020 / 7021 | 7019: SPRS score requirement; 7020: allows DoD to review SSP; 7021: requires CMMC certification | CMMC-level contracts |
| NIST SP 800-171 Rev 2 | 110 security requirements for protecting CUI; basis of CMMC Level 2 | Maps to 14 domains |
| NIST SP 800-172 | Enhanced security requirements for CUI (Level 3 baseline) | Critical programs only |
| NIST SP 800-171A | Assessment procedures for 800-171 controls — drives examination/interview/test methods | Used in CAP |
| 48 CFR Part 52 / FAR 52.204-21 | Basic Safeguarding of Covered Contractor Information Systems; 15 practices for FCI | Level 1 baseline |
| 32 CFR Part 2002 (CUI Rule) | ISOO CUI program; definitions, markings, categories | Authoritative for CUI |
| CMMC Assessment Process (CAP) Document | Cyber AB's official document governing how C3PAO assessments are conducted | C3PAO / assessment teams |

High-Frequency Exam Terms

Information Categories (know cold)
  • FCI – Federal Contract Information: info provided by or generated for the Government under a contract. NOT intended for public release. Requires basic safeguarding (FAR 52.204-21, 15 practices).
  • CUI – Controlled Unclassified Information: information the Government creates or possesses that requires safeguarding per law/policy. Requires NIST 800-171 (CMMC Level 2).
  • CDI – Covered Defense Information: umbrella term per DFARS 7012; includes CUI and operationally critical technical data.
Key Acronyms Tested
  • OSC – Organization Seeking Certification
  • C3PAO – CMMC Third-Party Assessor Organization
  • CCA – Certified CMMC Assessor
  • CCP – Certified CMMC Professional (you)
  • CCI – Certified CMMC Instructor
  • DIB – Defense Industrial Base
  • SPRS – Supplier Performance Risk System (score repository)
  • POA&M – Plan of Action & Milestones
  • SSP – System Security Plan
Domain 1 · CMMC Ecosystem · 5% of Exam

Ecosystem Roles & Relationships

| Entity | Role | Key Facts |
|---|---|---|
| OUSD(A&S) | Policy owner | Under Secretary of Defense for Acquisition & Sustainment. Owns CMMC program policy and rulemaking (32 CFR Part 170). |
| Cyber AB (formerly CMMC-AB) | Accreditation body | Non-profit authorized by DoD. Accredits C3PAOs, certifies CCPs/CCAs/CCIs. Maintains marketplace. Issues Code of Professional Conduct. |
| CAICO | Compliance & enforcement | CMMC Accreditation Institute Compliance Organization — investigates CoPC violations. |
| C3PAO | Conducts L2/L3 assessments | Must be Cyber AB–accredited. Employs Lead CCA + assessment team. Cannot consult for the same OSC they assess (conflict of interest). |
| RPO | Consulting / readiness | Registered Practitioner Organization — helps OSCs prepare. Cannot conduct formal assessments. Employs CCPs. |
| OSC | The contractor being assessed | Organization Seeking Certification. Responsible for their own compliance, SSP, evidence. |
| DCSA | DoD L3 government-led assessments | Defense Counterintelligence and Security Agency — conducts Level 3 assessments on behalf of DoD. |

CCP Role & Boundaries

A CCP can support assessments under CCA supervision but cannot lead them. Know the line between what a CCP vs. CCA vs. Lead CCA is authorized to do.

Conflict of Interest Rules

Prohibited Scenarios (tested)
  • Same C3PAO cannot both consult/prepare an OSC and conduct their CMMC assessment (consulting taint).
  • An assessor cannot assess an organization where they have a financial or employment interest.
  • CCPs/CCAs must disclose conflicts before being assigned to engagements.
  • Marketplace listing does not imply endorsement of any specific OSC relationship.
Practice Questions · Domain 1
Q1
An RPO has been helping an OSC prepare for their Level 2 CMMC assessment for six months. The OSC now asks the same RPO to conduct the formal certification assessment. What is the correct course of action?
A. The RPO may conduct the assessment since they are already familiar with the OSC's environment.
B. The RPO cannot conduct the assessment; a separate, unaffiliated C3PAO must be engaged.
C. The RPO can conduct the assessment if a CCA from a different RPO is the lead assessor.
D. The assessment is allowed if the OSC signs a conflict-of-interest waiver.
B is correct. RPOs are consulting organizations only — they cannot conduct formal CMMC certification assessments. Additionally, consulting for and then assessing the same OSC is explicitly prohibited as a conflict of interest. Only accredited C3PAOs may conduct certification assessments.
Q2
Which entity is responsible for investigating potential Code of Professional Conduct violations against a Certified CMMC Professional?
A. OUSD(A&S)
B. The C3PAO that employed the individual
C. CAICO (CMMC Accreditation Institute Compliance Organization)
D. DCSA
C is correct. CAICO is the enforcement arm of the Cyber AB ecosystem responsible for investigating CoPC violations. OUSD(A&S) owns policy, not individual conduct enforcement.
Domain 2 · Code of Professional Conduct (Ethics) · 5% of Exam

CoPC Core Pillars

Professionalism
  • Represent credentials accurately; only claim certifications you hold.
  • Perform only work within your competence level.
  • Maintain continuing education requirements for certification renewal.
Objectivity / Independence
  • Assessors must remain free of bias and conflict of interest.
  • Cannot allow personal relationships to influence assessment outcomes.
  • Results must be based solely on evidence.
Confidentiality
  • Protect all information obtained during assessments — including SSPs, network diagrams, and findings.
  • OSC data cannot be shared without authorization.
  • Confidentiality obligations survive after an engagement ends.
Proper Use of Materials
  • Do not reproduce, distribute, or share proprietary CMMC training materials.
  • Exam content is confidential — sharing questions is a CoPC violation.
  • Includes materials from Cyber AB, LTPs, and official source documents.
Exam questions often present scenarios and ask you to identify which CoPC principle was violated. Map each scenario to: Professionalism, Objectivity, Confidentiality, or Proper Use.
Practice Questions · Domain 2
Q3
A CCP who recently completed an assessment casually mentions specific findings from an OSC's assessment to colleagues at an industry conference. Which CoPC principle has been violated?
A. Professionalism
B. Objectivity
C. Proper Use of Materials
D. Confidentiality
D is correct. Sharing specific assessment findings outside authorized channels — even informally — is a violation of the Confidentiality obligation. Confidentiality persists after the engagement concludes.
Domain 3 · Governance & Source Documents · 15% — Priority ★
This is a priority area for your review. Focus on the regulatory chain, information type definitions, and how each source document flows into CMMC requirements.

The Regulatory Chain

The exam tests whether you understand the hierarchy of requirements — from federal law → DoD policy → contract clause → CMMC requirement. Many wrong answers confuse which layer governs what.
  1. Federal Law: FISMA, E.O. 13556
  2. DoD Regulation: 32 CFR 170
  3. Contract Clauses: DFARS 252.204
  4. NIST Standards: 800-171, 800-172
  5. CMMC Model: L1 / L2 / L3

DFARS Clauses — Critical Distinctions

| Clause | Requirement | Who It Applies To |
|---|---|---|
| 252.204-7012 | Safeguard Covered Defense Information; report cyber incidents to DIBNet within 72 hours; preserve images 90 days; report malicious software | All contractors handling CDI/CUI |
| 252.204-7019 | Notice of NIST SP 800-171 DoD Assessment Req. — contractor must complete NIST 800-171 assessment and post score to SPRS | Contractors before award |
| 252.204-7020 | NIST SP 800-171 DoD Assessment Requirements — gives DoD right to review contractor's SSP and assessment results | Contractors post-award |
| 252.204-7021 | CMMC Level Requirements — specifies the required CMMC level; contractor must achieve and maintain it | Contracts requiring CMMC cert |

FCI vs. CUI — Master This

FCI (Federal Contract Information)
  • Information provided by or generated for the Government under a contract.
  • Not intended for public release.
  • Governed by FAR 52.204-21 (15 basic safeguarding practices).
  • Requires CMMC Level 1 (17 practices, annual self-assessment).
  • Does NOT include information provided to the public or simple transactional data (price lists, etc.).
CUI (Controlled Unclassified Information)
  • Information the Government creates or possesses that requires safeguarding per law, regulation, or policy.
  • Governed by 32 CFR Part 2002 and the CUI Registry (ISOO).
  • Handling, marking, and destruction governed by CUI markings (e.g., CUI//SP-CTI).
  • Requires CMMC Level 2 (110 practices from NIST 800-171).
  • All CUI is a subset of CDI under DFARS 7012.
Key distinction: FCI flows under a contract. CUI is designated by a Government agency and requires specific handling. A contractor can have FCI without having CUI.

CMMC Level Structure

| Level | Name | Practices | Source | Assessment | For |
|---|---|---|---|---|---|
| L1 | Foundational | 17 | FAR 52.204-21 | Annual self-assessment, affirmed to SPRS | Contractors with FCI only |
| L2 | Advanced | 110 | NIST SP 800-171 Rev 2 | Triennial third-party (C3PAO) or self-assessment (some programs) | Contractors with CUI |
| L3 | Expert | 110 + 24 | NIST SP 800-171 + 800-172 subset | Government-led (DCSA) | Critical programs, highest-risk CUI |

POA&M Rules

Plan of Action & Milestones (POA&M) rules differ by level. This is tested frequently.
Practice Questions · Domain 3
Q4
A prime contractor generates reports documenting technical specifications used during weapon system development for the DoD. These reports are shared with a subcontractor. Which information category BEST describes these reports?
A. FCI only — it was generated under a DoD contract.
B. CUI — technical specifications for weapon systems are a controlled category under the CUI Registry.
C. Classified information — weapon system data is always classified.
D. CDI only — not CUI since it flows through a subcontractor.
B is correct. Weapon system technical specifications fall under controlled CUI categories (CTI/ITAR-related categories). CUI designation is based on content, not just contract origin. Note: CUI and classified information are mutually exclusive — CUI is unclassified.
Q5
A contractor discovers that their SPRS score is -147 and has not been updated in 18 months. A new contract under DFARS 252.204-7019 is being awarded. What is the contractor's immediate obligation?
A. Complete a current NIST SP 800-171 self-assessment, establish a POA&M, and post the updated score to SPRS before contract award.
B. Immediately achieve a passing CMMC Level 2 certification before proceeding.
C. Submit an exception request to DoD explaining the low score.
D. No action is required; SPRS scores are advisory only under 252.204-7019.
A is correct. Under DFARS 252.204-7019, contractors must have a current (within 3 years) NIST 800-171 self-assessment score posted in SPRS prior to award. A current score with an active POA&M is acceptable for the SPRS requirement — CMMC certification is a separate, phased requirement under 252.204-7021.
Q6
Which DFARS clause specifically grants the DoD Contracting Officer the right to review a contractor's System Security Plan?
A. DFARS 252.204-7012
B. DFARS 252.204-7019
C. DFARS 252.204-7020
D. DFARS 252.204-7021
C is correct. 252.204-7020 gives the DoD the right to review a contractor's SSP and supporting assessment documentation. 7019 requires the assessment to happen; 7020 allows DoD to verify it. 7021 is the future-forward clause that will require CMMC certification in contracts.
Q7
Under 32 CFR Part 170, which CMMC level requires a Government-led assessment conducted by DCSA?
A. Level 1
B. Level 2 (all contracts)
C. Level 2 (critical programs)
D. Level 3
D is correct. Level 3 assessments are Government-led and conducted by DCSA. Level 2 third-party assessments are conducted by accredited C3PAOs. Level 1 uses annual self-assessments. This is a clean, testable distinction.
Domain 4 · CMMC Model Construct & Implementation Evaluation · 25–35% of Exam

The 14 CMMC Security Domains

These map directly from NIST SP 800-171. Know each domain abbreviation, approximate practice count at L2, and what it governs. Scenario questions will test whether you can assign a control to the right domain.
| Abbr | Domain | Key Focus | L2 Practices |
|---|---|---|---|
| AC | Access Control | Least privilege, remote access, session controls, CUI flow control | 22 |
| AT | Awareness & Training | User security awareness, role-based training, insider threat awareness | 3 |
| AU | Audit & Accountability | Log creation, protection, review, retention, event correlation | 9 |
| CM | Configuration Management | Baselines, change control, least functionality, software restrictions | 9 |
| IA | Identification & Authentication | Multi-factor auth, password management, authenticator management | 11 |
| IR | Incident Response | Incident handling, reporting (72-hr DIBNet), testing response capability | 3 |
| MA | Maintenance | Controlled/sanitized maintenance, maintenance tools, remote maintenance | 6 |
| MP | Media Protection | Access, marking, storage, transport, sanitization, destruction of CUI media | 9 |
| PS | Personnel Security | Screening, termination, transfer, third-party personnel | 2 |
| PE | Physical Protection | Physical access to systems/facilities containing CUI | 6 |
| RA | Risk Assessment | Risk assessments, vulnerability scanning, risk response | 3 |
| CA | Security Assessment | System assessments, plans of action, configuration management, monitoring | 4 |
| SC | System & Communications Protection | Network boundaries, CUI in transit, architecture, mobile code, VoIP | 16 |
| SI | System & Information Integrity | Malware, security alerts, patching, spam protection, input validation | 7 |

Practice vs. Objective vs. Capability

CMMC Model Hierarchy (Architecture)
  • Domain → Highest grouping (14 total, e.g., Access Control)
  • Capability → Grouping of related practices within a domain (not tested as heavily in CCP)
  • Practice → Specific activity requirement, numbered (e.g., AC.L2-3.1.1)
  • Objective → Sub-elements within a practice used in assessment; from NIST 800-171A
Practice Numbering Format

AC.L2-3.1.1

  • AC = Domain (Access Control)
  • L2 = Level (Level 2)
  • 3.1.1 = NIST SP 800-171 requirement number (Family 3.1, Req. 1)

Level 1 practices are labeled L1; Level 2 includes all Level 1 practices plus additional ones.

Evidence Types

From NIST 800-171A / CMMC Assessment Guide — assessors use three methods. Know when each is appropriate.
| Method | What It Is | Examples |
|---|---|---|
| Examine | Review of documentation, mechanisms, and configurations | Policies, SSP, log samples, screenshots, config files, network diagrams |
| Interview | Questioning of individuals to verify knowledge and process | System admin confirming patch process, ISSO explaining incident response steps |
| Test | Exercising a mechanism to verify it works as intended | Attempting unauthorized access, running vulnerability scanner, MFA test |
Most CMMC practices require ALL THREE methods to achieve a MET determination. A practice is only MET when all objectives are satisfied. If any objective is NOT MET, the practice is NOT MET.

MET / NOT MET Scoring

Practice Questions · Domain 4
Q8
During an assessment, an assessor reviews firewall rule sets, interviews the network engineer about segmentation rationale, and attempts to access a CUI system from an untrusted network segment. Which assessment methods are being used, respectively?
A. Test, Interview, Examine
B. Examine, Interview, Test
C. Interview, Examine, Test
D. Examine, Test, Interview
B is correct. Reviewing firewall rule sets = Examine (documentation/configuration review). Questioning the network engineer = Interview. Attempting access = Test (exercising a security mechanism). The order Examine → Interview → Test is logical and should be memorized.
Q9
An OSC has 108 out of 110 practices MET. The 2 remaining practices are NOT MET and placed on a POA&M. Under CMMC Level 2 with a third-party assessment, what outcome is MOST accurate?
A. CMMC Level 2 certification is automatically awarded — 108/110 exceeds the passing threshold.
B. Certification is denied; no POA&M is permitted under L2 third-party assessments.
C. Conditional certification may be awarded if the NOT MET practices meet POA&M criteria; certification is finalized after POA&M closure and confirmation.
D. The OSC must restart the assessment from scratch once the POA&M is closed.
C is correct. CMMC 2.0 allows a limited POA&M pathway for certain practices — a conditional certification status can be granted while the OSC works through their POA&M. The POA&M must be closed within an allowed timeframe, followed by confirmation. Critical/highest-weighted practices may not be eligible for POA&M.
Q10
An assessor is evaluating practice SI.L2-3.14.1 (Identify, report, and correct information and information system flaws). The system has a documented patching policy, the admin demonstrates the patching tool, and the assessor confirms recent patches are applied. Three of four objectives are satisfied; the fourth (timely remediation verification) cannot be confirmed. What is the determination?
A. NOT MET — all objectives must be satisfied for a practice to be MET.
B. MET — 3 of 4 objectives represents substantial compliance.
C. Partially MET — the practice is scored proportionally.
D. MET with notation — the assessor adds a finding note but the practice passes.
A is correct. CMMC uses binary scoring: MET or NOT MET. There is no "Partially MET" or proportional credit. A single unsatisfied objective results in a NOT MET determination for the entire practice. This is a fundamental rule that is frequently tested.
Domain 5 · CMMC Assessment Process (CAP) · 35–40% — Priority ★
Highest-weighted domain. The CAP v5.6.1 (official training release) has FOUR phases, not three. Know every phase, sub-step, responsible party, mandatory template, and critical number. Scenario questions will map situations directly to CAP steps.

CAP — 4 Phases Overview

The CAP applies to Level 2 assessments only. It is developed by the Cyber AB, reviewed/endorsed by DoD, and adherence is required by C3PAOs and their assessors. The word "shall" in the CAP = a requirement.
  1. Phase 1 · Plan & Prepare · 1–several days
  2. Phase 2 · Conduct · Examine/Interview/Test
  3. Phase 3 · Report Results · Findings & eMASS Upload
  4. Phase 4 · Close-Out POA&Ms · Within 180 days

Critical Numbers — Memorize These

Key Timeframes (tested heavily)
  • 5 business days — C3PAO must respond to OSC's initial assessment request
  • 5 business days — OSC has to correct Limited Practice Deficiencies after Final Findings Briefing (or Lead Assessor-defined date, max 5 calendar days before eMASS upload)
  • 180 days — Maximum POA&M validity from the Assessment Final Recommended Findings Briefing (Phase 3)
  • 180 days — OSC must complete POA&M Close-Out Assessment within this window
  • 10 business days — Report must be submitted to CQAP from Final Findings Briefing
  • 20 business days — Report must be uploaded to eMASS from Final Findings Briefing
  • 3 years — Assessment artifacts and notes must be retained and protected
Key Thresholds & Numbers (tested heavily)
  • 88 / 110 — Minimum MET practices (80%) required for a Conditional L2 Certification (POA&M pathway)
  • 110 — Starting SPRS score; perfect score = all practices MET
  • 15 — Number of practice objectives that must be assessed in-person (cannot be virtual)
  • 5 pts — SPRS deduction for high-impact practices (significant exploitation risk)
  • 3 pts — SPRS deduction for medium-impact practices
  • 1 pt — SPRS deduction for low-impact practices
  • 1 CQAP minimum — Every C3PAO must have at least one CMMC Quality Assurance Professional on staff

Phase 1 — Plan & Prepare the Assessment

Phase 1 is driven by the C3PAO and Lead Assessor. The Pre-Assessment Data Form is the master planning document — it must be kept current throughout Phase 1 and uploaded to eMASS at Phase 1 completion.

1.1 — Receive Assessment Request & Frame

Initial Contact Rules (CAP §1.1)
  • OSC initiates contact with a C3PAO listed as "Authorized" on the CMMC Marketplace.
  • C3PAO must respond within 5 business days, acknowledging the request and proposing an initial coordination call.
  • Contact may be initiated by either party. Neither the Cyber AB nor DoD may serve in an introductory or facilitation role between OSC and C3PAO.
  • OSC may express a preference for a specific assessor — C3PAO may consider it, but the authority to select the assessment team rests solely with the C3PAO.
Assessment Framing vs. CMMC Assessment Scope — These two terms are often confused on the exam. Assessment Framing = high-level discussion of size, scale, date, location, cost, and effort. CMMC Assessment Scope = the technical, official boundary of assets to be assessed. Both are defined in Phase 1, but they are distinct activities.

1.2 — Roles & Responsibilities

| Role | Who They Are | Key Authority / Constraint |
|---|---|---|
| OSC Assessment Official | Most senior OSC representative directly responsible for the assessment engagement | Must be an employee of the OSC. Only they can sign/approve the assessment contract. |
| OSC POC | Day-to-day liaison between OSC and assessment team | Does NOT have to be an OSC employee — can be an RP or consultant. |
| Lead Assessor (CCA) | CCA who oversees and manages the C3PAO Assessment Team | Makes final determination on all practice scores. Holds the formal Lead Assessor designation from Cyber AB. |
| Assessment Team Members | CCPs/CCAs on the C3PAO team | Must be in Active/Good Standing status verifiable on the Marketplace. |
| CQAP | CMMC Quality Assurance Professional | Verifies documentation completeness/accuracy before eMASS upload. Each C3PAO must have at least one. |

1.3 — Templates: Mandatory vs. Not Mandatory

The exam tests which templates are mandatory. Know this table cold.
| Template | Format | Phase | Mandatory? |
|---|---|---|---|
| CMMC Pre-Assessment Form | Excel | 1 | MANDATORY |
| Virtual Assessment Evidence Preparation Template | Excel | 1 | MANDATORY |
| CMMC Assessment Readiness Review (CA-RR) Checklist | PDF | 1 | Not Mandatory |
| C3PAO and Assessor COI Attestation | MS Word | 2 | Not Mandatory |
| CMMC Assessment In-Brief | PowerPoint | 2 | Not Mandatory |
| Daily Checkpoint | PowerPoint | 2 | Not Mandatory |
| Limited Practice Deficiency Correction Worksheet | PDF | 2 | MANDATORY |
| CMMC Assessment Results Form | Excel | 2/3/4 | MANDATORY |
| CMMC Assessment Findings Briefing | PowerPoint | 2 | Not Mandatory (brief-out itself IS required) |
| CMMC Assessment Quality Review Checklist | PDF | 1/3 | MANDATORY |
| Confirmation of Destruction of OSC Data | MS Word | 4 | Not Mandatory (notification IS required) |

1.4 — Corporate Identity & Scoping

Organizational Definitions (CAP §1.4.3)
  • HQ Organization — The legal entity delivering products/services under a DoD contract. May itself be the OSC, or may designate a Host Unit.
  • Host Unit — The specific people, procedures, and technology within an HQ org applied to the DoD contract. This is the OSC for assessment purposes.
  • Enclave — A set of system resources in the same security domain behind a common security perimeter. An assessment scope can be within an enclave.
  • Supporting Organization — External entities that support the Host Unit. Their assets may be in scope, but they do NOT receive a CMMC Certification.
Pre-Assessment Requirements Can Block Assessment
  • The OSC must have a valid CAGE code issued by DoD — assessment cannot proceed without it.
  • The OSC must be registered in SAM.gov and have a UEI (Unique Entity Identifier).
  • An NDA is recommended before proprietary information is shared — though a formal contract may not yet exist.
  • Scope disagreements between C3PAO and OSC must be resolved before assessment commences.
  • Non-duplication rule: ISO 27001, FedRAMP, or other certifications do NOT grant CMMC credit or status absent DoD published non-duplication policy.

1.5 — Evidence Collection Approach & COI

The Evidence Collection Approach documents how artifacts will be gathered, how interviews will be scheduled, and how tests will be observed — including any virtual collection techniques and associated CUI protection measures.
Evidence: Adequacy vs. Sufficiency (high frequency)
  • Adequacy — Does the assessment team have the right evidence? (Does this artifact actually demonstrate performance of the CMMC practice?)
  • Sufficiency — Does the assessment team have enough of the right evidence? (Does coverage span all in-scope assets, Host Units, and Supporting Orgs?)
  • Both must be satisfied for a practice to be scored MET. A gap in either = Evidence Gap.
COI Management (CAP §1.5.4)
  • Lead Assessor is responsible for identifying COIs and documenting them in the Pre-Assessment Plan.
  • If a COI cannot be sufficiently mitigated, the C3PAO must not proceed with the assessment.
  • All team members must attest (by signature) to an Absence of COI before Phase 2 commences.
  • ISO/IEC 17020 governs impartiality requirements for conformity assessments.

1.6 — Readiness Determination

The Lead Assessor makes the readiness recommendation; the C3PAO retains final decision authority. The readiness review does NOT predict whether the OSC will pass — only that both parties are ready to conduct the assessment.
4 Possible Phase 1 Outcomes (know all four)
  1. Proceed as planned — All conditions satisfied; assessment is a go.
  2. Replan — Preparedness requirements not met; discrepancies must be resolved before proceeding. C3PAO cannot offer advice on how to improve readiness — this is a CoPC violation.
  3. Reschedule — Ready but external factors (health issues, disaster, COVID protocols) require a new date.
  4. Cancel — Insurmountable factors: unmitigable COI, failure to reach contract terms, etc.
Critical prohibition: At no time during the Phase 1 evidence verification or readiness review may the C3PAO or assessment team provide any advice, recommendations, or implementation assistance on how the OSC could improve their evidence or readiness. Doing so is an explicit CoPC violation.

Phase 2 — Conduct the Assessment

Phase 2 begins with the kickoff meeting and is iterative by nature. The Lead Assessor makes final determination on all preliminary recommended findings. The C3PAO holds final interpretation authority on practice scores.

2.1 — Kickoff Meeting

2.2 — Evidence Collection (Examine / Interview / Test)

Evidence Rules
  • Evidence artifacts may not have a 1:1 relationship with practices — multiple artifacts may be required.
  • Artifacts must be produced by people who implement, perform, or support the work — not just described by them.
  • Policies and procedures must show deployment and adoption by affected OSC personnel — a signed policy alone is not sufficient.
  • For interviews: statements are accepted as evidence when provided by people who actually implement, perform, or support the practice.
  • For tests: any failed test results in NOT MET for that practice. Observed by the Lead Assessor and team.
Evidence Gaps & Daily Checkpoints
  • Evidence gaps = the space between what OSC evidence shows and what the assessment team requires.
  • Examples of deficient evidence: incomplete access control lists; affirmations from someone who is not the proper owner; policies lacking endorsement by senior management (unsigned or signed by someone without authority).
  • Daily Checkpoint — "Hot wash" meeting each day. OSC may present additional evidence during these sessions; the Lead Assessor decides if it changes scores.
  • NOT MET determinations are reported to the Lead Assessor immediately — assessed by any team member but determination confirmed by Lead Assessor.

In-Person Only — 15 Practice Objectives (Cannot Be Virtual)

These 15 objectives MUST be observed by the assessment team in-person, on-premises. This is frequently tested — know the domains they fall under.
| Domain | Practice Objective | What Must Be Observed In-Person |
|---|---|---|
| CM | CM.L2-3.4.5[d] | Physical access restrictions associated with system changes |
| MA | MA.L2-3.7.2[d] | Personnel used for maintenance are controlled |
| MP | MP.L2-3.8.1[c] | Paper media containing CUI is securely stored |
| MP | MP.L2-3.8.1[d] | Digital media containing CUI is securely stored |
| MP | MP.L2-3.8.4[a] | Media containing CUI is marked with CUI markings |
| MP | MP.L2-3.8.4[b] | Media containing CUI is marked with distribution limitations |
| PE | PE.L1-3.10.1[b] | Physical access to org systems is limited to authorized individuals |
| PE | PE.L1-3.10.1[c] | Physical access to equipment is limited to authorized individuals |
| PE | PE.L2-3.10.2[a] | Physical facility is monitored |
| PE | PE.L2-3.10.2[d] | Support infrastructure for org systems is monitored |
| PE | PE.L1-3.10.3[a] | Visitors are escorted |
| PE | PE.L1-3.10.3[b] | Visitor activity is monitored |
| PE | PE.L1-3.10.5[b] | Physical access devices are controlled |
| PE | PE.L1-3.10.5[c] | Physical access devices are managed |
| SC | SC.L2-3.13.12[b] | Collaborative computing devices provide indication of use to present users |

2.3 — Scoring & Limited Practice Deficiency Correction

The Limited Practice Deficiency Correction program is a nuanced mechanism that is heavily tested. Know the eligibility criteria, the ineligibility criteria, and the scoring threshold that triggers it.
Ineligible Practices (Cannot Use Correction Program)
  • Practices that could lead to significant exploitation or CUI exfiltration (5-point practices from Appendix P/K)
  • Any practice already on the OSC's Self-Assessment Practice Deficiency Tracker (known beforehand)
  • Practices that were NOT implemented prior to the current assessment
  • Any practice that changes or limits the effectiveness of another practice already scored MET
Eligible for Correction Program (Both Criteria Required)
  • The practice WAS implemented but has minor documentation gaps (outdated policy, missing updated signature) — implementation evidence shows it has been in place for a period of time; AND
  • Team consensus that fixing it does NOT change or limit the effectiveness of any other MET practice.
  • Eligible practices are scored as NOT MET and tracked on the Limited Practice Deficiency Correction Worksheet (Appendix J — mandatory template).

2.4 — Determining Final MET/NOT MET/NA & POA&M Review

The 80% Rule (88/110) · exact numbers tested
  • After applying Limited Practice Deficiency Correction: if OSC scores fewer than 88/110 MET (<80%) → finding is "Not Achieved" — OSC must correct deficiencies and reapply. No conditional cert.
  • If OSC scores 88/110 or more MET (≥80%) → OSC may proceed to either: (a) close Limited Deficiencies within 5 business days for Final Cert, or (b) move remaining deficiencies to a POA&M for Conditional Cert.
  • POA&Ms are not allowed for the highest-weighted practices (the 5-point practices from Appendix P).
  • POA&M validity period: maximum 180 days from the Assessment Final Recommended Findings Briefing.
A valid POA&M must document: the specific weakness tied to the practice, severity, scope within the environment, proposed mitigation, estimated remediation cost, documented progress, and a risk assessment of the deficiency.
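The scoring rules in 2.3 and 2.4 above (Limited Practice Deficiency eligibility, the 88/110 gate, the 5-point exclusion from POA&Ms, the 180-day POA&M window, and the 110-minus-deductions SPRS score) interact, so a small decision model is a useful way to check your own understanding. The following Python is an added example written for this guide; it is not a Cyber AB, DoD, or CAP tool. Assumptions, labelled in the comments as well: the practice IDs and 5/3/1 weights in the sample are constructed placeholders rather than the real Appendix P assignments; eligibility for the correction program is reduced to the criteria this guide lists; and a 5-point practice that is NOT MET after correction is treated as blocking certification because the guide gives it no POA&M path (that last consequence is this example's reading, not a sentence from the CAP).

```python
from dataclasses import dataclass

# Numbers stated in sections 2.3 and 2.4 of this guide.
TOTAL_PRACTICES = 110
CONDITIONAL_THRESHOLD = 88      # 80% of 110: minimum MET for a Conditional Certification
POAM_MAX_DAYS = 180             # POA&M validity from the Final Recommended Findings Briefing
SPRS_START = 110                # perfect SPRS score: every practice MET
HIGH_IMPACT_WEIGHT = 5          # 5-point practices: no correction program, no POA&M


@dataclass
class Practice:
    """One Level 2 practice as scored by the assessment team.

    Weights here are constructed sample values; the real 5/3/1 assignments
    come from the assessment guide's appendix and are not listed on this page.
    """
    pid: str                                  # e.g. "AC.L2-3.1.1"
    weight: int                               # 5, 3 or 1 (SPRS deduction if NOT MET)
    met: bool
    implemented_before_assessment: bool = True
    minor_doc_gap_only: bool = False          # outdated policy, missing signature, etc.
    on_self_assessment_tracker: bool = False  # deficiency the OSC already knew about
    affects_other_met_practice: bool = False  # fix would change/limit another MET practice


def sprs_score(practices):
    """SPRS score: 110 minus the weight of every NOT MET practice (5/3/1 rule)."""
    return SPRS_START - sum(p.weight for p in practices if not p.met)


def limited_deficiency_eligible(p):
    """Section 2.3: apply the four ineligibility rules, then both eligibility criteria."""
    if p.met:
        return False
    if p.weight == HIGH_IMPACT_WEIGHT:        # significant exploitation / CUI exfiltration risk
        return False
    if p.on_self_assessment_tracker:          # known beforehand
        return False
    if not p.implemented_before_assessment:   # not implemented prior to the assessment
        return False
    if p.affects_other_met_practice:          # would change/limit another MET practice
        return False
    return p.minor_doc_gap_only               # implemented, only minor documentation gaps


def poam_eligible(p):
    """Section 2.4: POA&Ms are not allowed for the highest-weighted (5-point) practices."""
    return (not p.met) and p.weight != HIGH_IMPACT_WEIGHT


def assessment_outcome(practices):
    """Apply the 80% rule after Limited Practice Deficiency Correction.

    Returns the outcome the guide describes (Final, Conditional or Not Achieved)
    plus the counts and practice lists the Lead Assessor would brief.
    """
    if len(practices) != TOTAL_PRACTICES:
        raise ValueError("a Level 2 assessment scores all 110 practices")
    met = [p for p in practices if p.met]
    limited = [p for p in practices if limited_deficiency_eligible(p)]
    limited_ids = {p.pid for p in limited}
    # NOT MET practices that cannot be closed in the 5-business-day correction window
    remaining = [p for p in practices if not p.met and p.pid not in limited_ids]
    # Limited deficiencies are counted as corrected before the 88/110 gate is applied
    met_after_correction = len(met) + len(limited)
    # A 5-point NOT MET practice has no POA&M path; this example treats it as blocking
    blocking = [p for p in remaining if not poam_eligible(p)]

    if met_after_correction < CONDITIONAL_THRESHOLD or blocking:
        outcome = "Not Achieved"
    elif remaining:
        outcome = "Conditional Certification"
    else:
        outcome = "Final Certification"

    conditional = outcome == "Conditional Certification"
    return {
        "outcome": outcome,
        "met": len(met),
        "met_after_limited_correction": met_after_correction,
        "limited_deficiencies": sorted(limited_ids),
        "poam_items": [p.pid for p in remaining] if conditional else [],
        "poam_deadline_days": POAM_MAX_DAYS if conditional else 0,
        "blocking_practices": [p.pid for p in blocking],
        "sprs_score": sprs_score(practices),
    }


def build_sample_results():
    """Constructed sample: 106 MET, 2 limited deficiencies, 2 ordinary NOT MET.

    Practice IDs are placeholders, not the real Level 2 catalogue.
    """
    practices = [Practice(f"SAMPLE-{i:03d}", weight=1, met=True) for i in range(1, 107)]
    practices.append(Practice("SAMPLE-107", weight=1, met=False, minor_doc_gap_only=True))
    practices.append(Practice("SAMPLE-108", weight=1, met=False, minor_doc_gap_only=True))
    practices.append(Practice("SAMPLE-109", weight=3, met=False))
    practices.append(Practice("SAMPLE-110", weight=3, met=False))
    return practices


if __name__ == "__main__":
    for key, value in assessment_outcome(build_sample_results()).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample yields a Conditional Certification with two POA&M items and an SPRS score of 102; changing one of the remaining NOT MET practices to a 5-point weight flips the outcome to Not Achieved, which is the exam distinction the 2.4 bullets are making.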

Phase 3 — Report Recommended Assessment Results

The C3PAO and Lead Assessor deliver findings to the OSC, then the CQAP verifies documentation before upload to eMASS. The CQAP verifies the package at the end of both Phase 1 and Phase 3.
Deliverable | Timeline | Responsibility
Final Findings Briefing to OSC | End of Phase 2 / beginning of Phase 3 | Lead Assessor; formal brief-out required even if Findings Brief template not used
Report submitted to CQAP | NLT 10 business days from Final Findings Briefing | Lead Assessor → C3PAO
Upload to CMMC eMASS | NLT 20 business days from Final Findings Briefing | C3PAO designated eMASS account holder
Artifact retention | 3 years | C3PAO (notes/records); OSC (hashed artifacts)
OSC artifact hashing | Prior to eMASS upload | OSC hashes artifacts; C3PAO reports hash values to eMASS
Destruction of OSC proprietary data | At assessment conclusion | C3PAO — all OSC proprietary information must be returned or destroyed. Retaining it past conclusion is a CoPC violation.
Certification Types After Phase 3
  • CMMC L2 Final Certification — All 110 practices MET (or Limited Deficiencies closed). No POA&M outstanding.
  • CMMC L2 Conditional Certification — ≥88/110 practices MET; remaining NOT MET items on approved POA&M. OSC must close within 180 days and undergo a POA&M Close-Out Assessment.
  • Not Achieved — <88/110 MET. OSC must correct all deficiencies and reapply from scratch.
Assessment Appeals
  • If OSC believes there are scoring discrepancies, they can submit an appeal through the Assessment Appeals Process (Appendix R of the CAP).
  • The C3PAO official holds final interpretation authority for practice scores during the assessment.
  • Appeals of final assessment results go to the Cyber AB — not the C3PAO.
  • The C3PAO issuing the Conditional Cert is NOT responsible for conducting the POA&M Close-Out Assessment.

Phase 4 — Close-Out POA&Ms and Assessment

Phase 4 is unique to OSCs with a Conditional Certification. It does NOT apply to OSCs with a Final Certification or those who received a "Not Achieved" result. Knowing when Phase 4 applies is itself a testable point.
Phase 4 Process (CAP §4.1)
  1. OSC selects a C3PAO (may be different from the original assessment C3PAO) to conduct the POA&M Close-Out Assessment within 180 days of the Final Recommended Findings Briefing.
  2. Lead Assessor reviews the updated POA&M with any evidence (observations, interviews, or tests).
  3. If ALL POA&M items are MET → Lead Assessor recommends CMMC L2 Final Certification → follow Phase 3 steps 3.2.2–3.2.4.
  4. If ANY POA&M item fails → Lead Assessor recommends OSC NOT receive Final Cert. The Conditional Cert becomes null and void. OSC must correct and reapply.
Criteria for a successful POA&M Close-Out: (1) The practice is now "Fully-Implemented" and scored MET; (2) closing the practice does NOT change/limit effectiveness of any previously MET practice; (3) updated risk assessment reflects removal of the POA&M practice; (4) updated POA&M shows no remaining deficiencies.

SPRS Scoring — Appendix P Reference

Every NOT MET practice deducts a weighted value from the maximum score of 110. Score can go negative. Know the weight tiers and which practices fall into each.
Weight | Why | Example Practices
5 pts | Not implemented = significant network exploitation or CUI exfiltration risk | AC.L1-3.1.1/3.1.2, IA.L1-3.5.1/3.5.2, IA.L2-3.5.3 (MFA), AU.L2-3.3.1, CM.L2-3.4.1/3.4.2, IR.L2-3.6.1/3.6.2, SI.L1-3.14.1/3.14.2/3.14.4, SC.L1-3.13.1/3.13.5, PE.L1-3.10.1, SC.L2-3.13.15, MA.L2-3.7.2
3 pts | Specific and confined effect — puts CUI on media/system at risk, not entire network | AC.L2-3.1.5, AU.L2-3.3.2, MA.L2-3.7.1/3.7.4, MP.L2-3.8.1/3.8.2/3.8.8, PS.L2-3.9.1, RA.L2-3.11.1, CA.L2-3.12.2, SC.L2-3.13.8, SI.L1-3.14.5/3.14.7
1 pt | Limited or indirect effect on network security | All remaining derived security requirements not in 5 or 3 categories
N/A (special) | Absence of SSP = assessment CANNOT BE COMPLETED due to noncompliance with DFARS 252.204-7012 | CA.L2-3.12.4 (SSP)
FIPS Encryption Special Rule (SC.L2-3.13.11): If encryption is NOT employed at all → deduct 5 points. If encryption is employed but NOT FIPS-validated → deduct 3 points. This is the only practice with a tiered deduction built in.
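The weight tiers and FIPS rule above, together with the 80% rule from section 2.4 and the Phase 3 deadlines, as an added Python calculator (not code from the CAP, Appendix P or the Cyber AB). The weight sets are constructed from the example practices listed on this page, the business-day helper ignores federal holidays, and treating a 5-point practice left NOT MET as "Not Achieved" is an inference from the POA&M restriction stated above.

```python
"""SPRS score, Level 2 outcome and Phase 3 deadline calculator (added example,
not CAP or Appendix P text). Rules taken from this page: each NOT MET practice
deducts its weight from 110 (score can go negative), SC.L2-3.13.11 is tiered
5/3, a missing SSP halts the assessment, 88/110 (80%) decides the outcome, and
5-point practices cannot go on a POA&M. The weight sets are CONSTRUCTED from
the example practices in the table above; real Appendix P weights all 110."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_SCORE = 110            # one point per practice before deductions
TOTAL_PRACTICES = 110
CONDITIONAL_MIN_MET = 88   # 80% of 110, rounded up
SSP_PRACTICE = "CA.L2-3.12.4"
FIPS_PRACTICE = "SC.L2-3.13.11"

FIVE_POINT = {
    "AC.L1-3.1.1", "AC.L1-3.1.2", "IA.L1-3.5.1", "IA.L1-3.5.2", "IA.L2-3.5.3",
    "AU.L2-3.3.1", "CM.L2-3.4.1", "CM.L2-3.4.2", "IR.L2-3.6.1", "IR.L2-3.6.2",
    "SI.L1-3.14.1", "SI.L1-3.14.2", "SI.L1-3.14.4", "SC.L1-3.13.1",
    "SC.L1-3.13.5", "PE.L1-3.10.1", "SC.L2-3.13.15", "MA.L2-3.7.2",
}
THREE_POINT = {
    "AC.L2-3.1.5", "AU.L2-3.3.2", "MA.L2-3.7.1", "MA.L2-3.7.4", "MP.L2-3.8.1",
    "MP.L2-3.8.2", "MP.L2-3.8.8", "PS.L2-3.9.1", "RA.L2-3.11.1",
    "CA.L2-3.12.2", "SC.L2-3.13.8", "SI.L1-3.14.5", "SI.L1-3.14.7",
}


def practice_weight(practice: str, encryption_employed: bool = True) -> int:
    """Appendix P deduction for one NOT MET practice; anything outside the
    5- and 3-point sets is a 1-point derived requirement."""
    if practice == SSP_PRACTICE:
        raise ValueError("no SSP: assessment cannot be completed (DFARS 252.204-7012)")
    if practice == FIPS_PRACTICE:
        # Only tiered practice: no encryption at all = 5, non-FIPS module = 3
        return 3 if encryption_employed else 5
    if practice in FIVE_POINT:
        return 5
    if practice in THREE_POINT:
        return 3
    return 1


def sprs_score(not_met, encryption_employed: bool = True) -> int:
    """110 minus the summed deductions; the result may be negative."""
    return MAX_SCORE - sum(practice_weight(p, encryption_employed)
                           for p in dict.fromkeys(not_met))


@dataclass
class Outcome:
    met_count: int
    sprs: Optional[int]
    result: str                 # Final / Conditional / Not Achieved / Cannot Complete
    poam: List[str] = field(default_factory=list)          # items carried on the POA&M
    poam_blocked: List[str] = field(default_factory=list)  # 5-point items barred from a POA&M


def level2_outcome(not_met, encryption_employed: bool = True) -> Outcome:
    """Section 2.4 decision tree, applied to the practices still NOT MET after
    the Limited Practice Deficiency Correction window has run."""
    not_met = list(dict.fromkeys(not_met))
    met = TOTAL_PRACTICES - len(not_met)
    if SSP_PRACTICE in not_met:
        return Outcome(met, None, "Cannot Complete")
    score = sprs_score(not_met, encryption_employed)
    if met < CONDITIONAL_MIN_MET:
        return Outcome(met, score, "Not Achieved")   # <80%: correct and reapply
    if not not_met:
        return Outcome(met, score, "Final")          # all 110 MET
    blocked = [p for p in not_met if practice_weight(p, encryption_employed) == 5]
    if blocked:
        # POA&Ms are not allowed for 5-point practices, so no Conditional
        # Certification is available while one stays NOT MET; calling that
        # "Not Achieved" is an inference from that rule, not CAP wording.
        return Outcome(met, score, "Not Achieved", poam_blocked=blocked)
    return Outcome(met, score, "Conditional", poam=not_met)


def add_business_days(start: date, days: int) -> date:
    """Advance `days` Monday-to-Friday days; assumes no holiday calendar."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def phase3_deadlines(briefing_iso: str) -> dict:
    """NLT dates (ISO strings) from the Final Findings Briefing: CQAP report
    10 business days, eMASS upload 20 business days, POA&M close-out 180 days."""
    briefing = date.fromisoformat(briefing_iso)
    return {
        "cqap_report": add_business_days(briefing, 10).isoformat(),
        "emass_upload": add_business_days(briefing, 20).isoformat(),
        "poam_closeout": (briefing + timedelta(days=180)).isoformat(),
    }
```

Passing the full 5- and 3-point sets as NOT MET yields 79 MET and an SPRS score of -19, showing both the "Not Achieved" branch and a negative score.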
Practice Questions · Domain 5 (CAP) — 12 Questions
Q1
The CAP v5.6.1 describes how many phases for a CMMC Level 2 assessment?
A. Three — Plan, Conduct, Report
B. Four — Plan & Prepare, Conduct, Report, Close-Out POA&Ms
C. Five — Initiate, Plan, Conduct, Report, Close-Out
D. Three — Pre-Assessment, Assessment, Post-Assessment
B is correct. The CAP v5.6.1 defines exactly four phases: Phase 1 (Plan and Prepare), Phase 2 (Conduct), Phase 3 (Report Recommended Assessment Results), and Phase 4 (Close-Out POA&Ms and Assessment). Phase 4 was commonly missed in earlier study materials that listed only three phases.
Q2
An OSC initiates contact with a C3PAO on Monday morning. Per the CAP, by when must the C3PAO acknowledge the request and propose an initial coordination call?
A. Within 24 hours
B. Within 3 business days
C. Within 5 business days
D. Within 10 business days
C is correct. Per CAP §1.1, once a CMMC Assessment Request is received, the C3PAO shall respond within 5 business days, acknowledging the request and proposing scheduling of an initial coordination call or virtual meeting.
Q3
During Phase 1 readiness review, the Lead Assessor discovers the OSC's system security plan is incomplete and some evidence is not yet available. The Lead Assessor wants to notify the OSC of what evidence would strengthen their readiness. What does the CAP say about this?
A. The Lead Assessor is explicitly prohibited from providing any advice or recommendations on how the OSC can improve evidence or readiness — doing so is a CoPC violation.
B. The Lead Assessor may provide general guidance on evidence types but not specific recommendations on implementation.
C. The Lead Assessor may share a readiness checklist with the OSC and note which items are incomplete.
D. The Lead Assessor may consult on readiness since the formal assessment has not yet begun.
A is correct. CAP §1.6.1 explicitly states: "At no time during this preliminary review of the Evidence shall the Assessment Team provide any advice or recommendation on how the OSC could improve or enhance the sufficiency or adequacy of their presented Evidence." The same prohibition extends to replanned or rescheduled assessments (§1.6.2). This is a CoPC violation regardless of when in Phase 1 it occurs.
Q4
An OSC's parent company (Acme Heavy Industries) has a defense-focused division (Acme Defense Mission Systems) that performs DoD contract work. A subcontractor cloud provider (All-American Cloud Services) provides IT services to that division. In the CMMC organizational model, what role does All-American Cloud Services play?
A. Host Unit — they directly support DoD contract delivery
B. HQ Organization — they are part of the overall corporate structure
C. OSC — they will also receive CMMC certification during the assessment
D. Supporting Organization — their assets may be in scope, but they will NOT receive CMMC certification
D is correct. Per CAP §1.4.3 (and Table 1.4.3 which uses this exact example): Acme Heavy Industries = HQ Organization; Acme Defense Mission Systems = Host Unit (OSC); All-American Cloud Services = Supporting Organization. Supporting Organizations' assets may be assessed as part of the scope but they do NOT receive CMMC certification from the OSC's assessment.
Q5
Which of the following templates is NOT mandatory per the CAP v5.6.1?
A. CMMC Pre-Assessment Form Template
B. CMMC Assessment Readiness Review (CA-RR) Checklist
C. CMMC Assessment Results Form
D. Limited Practice Deficiency Correction Program Worksheet
B is correct. Per CAP Table 1.3, the CA-RR Checklist is listed as "N" (not mandatory). The Pre-Assessment Form (A), Assessment Results Form (C), and Limited Practice Deficiency Correction Worksheet (D) are all mandatory templates. Note: the Assessment Findings Brief-out is required, but the PowerPoint template itself is not mandatory.
Q6
During a CMMC assessment, an assessor needs to verify that CUI stored on physical paper media is securely stored. The OSC proposes demonstrating this via a live video call tour of the storage area. What does the CAP require?
A. The video call tour is acceptable — the CAP allows virtual observation for all media protection practices.
B. The assessor may accept photographic evidence submitted in advance as a substitute for in-person observation.
C. The assessor must be physically on-premises to observe this — MP.L2-3.8.1[c] (paper media secure storage) is one of 15 objectives that cannot be observed virtually.
D. Virtual observation is acceptable if the OSC Assessment Official provides written attestation of secure storage.
C is correct. CAP §1.5.1 explicitly lists MP.L2-3.8.1[c] as one of 15 practice objectives that "must be observed by the C3PAO Assessment Team in-person and on the premises of the OSC" and where "Evidence collection thereof is precluded from being conducted virtually." MP.L2-3.8.1[d] (digital media) also appears on this list.
Q7
An OSC achieves a final score of 97 out of 110 practices MET. The 13 NOT MET practices are minor documentation gaps, and the Lead Assessor places them on the Limited Practice Deficiency Correction program. The OSC does not resolve them within 5 business days. What happens next?
A. The Lead Assessor moves the unresolved deficiencies to a POA&M. Since 97/110 ≥ 88/110 (80%), the OSC can receive a CMMC L2 Conditional Certification.
B. The assessment is voided and the OSC must restart the process.
C. The OSC receives "Not Achieved" — all deficiencies must be resolved before certification can proceed.
D. The Lead Assessor grants a 10-day extension for all Limited Practice Deficiency corrections.
A is correct. Per CAP §3.2.1, if Limited Practice Deficiency items fail to achieve MET, the Lead Assessor moves them to a POA&M review (§2.3.1.2). Since 97/110 ≥ 88/110, the OSC still meets the 80% threshold required for a Conditional Certification. The Conditional Cert gives the OSC 180 days to close the POA&M and complete a Phase 4 Close-Out Assessment.
Q8
An OSC received a Conditional CMMC L2 Certification 6 months ago. They have successfully implemented all POA&M items and select a new C3PAO to conduct the POA&M Close-Out Assessment. During the review, one POA&M item is found to be MET, but its implementation now limits the effectiveness of a previously MET practice (AC.L1-3.1.1). What is the correct outcome?
A. Final Certification is awarded — the POA&M item is MET, which is the only criterion that matters in Phase 4.
B. Final Certification is awarded because the OSC is within the 180-day window.
C. The Conditional Cert remains valid and the OSC gets an extension to resolve the conflict.
D. Final Certification is NOT awarded. The Conditional Cert becomes null and void; the OSC must reapply.
D is correct. Per CAP §4.1, one of the criteria for Phase 4 success is that "All POA&M items 'Fully-Implemented' do not change and/or limit the effectiveness of another practice that has been scored 'MET' during the CMMC L2 assessment." Since the closed POA&M item now limits AC.L1-3.1.1, this criterion fails. Per §4.1.2, the Lead Assessor recommends the OSC NOT receive Final Certification and the Conditional Cert becomes null and void.
Q9
During a CMMC assessment, the OSC argues that their ISO 27001 certification demonstrates compliance with several CMMC practices and requests that the assessment team give credit for those controls. What does the CAP say?
A. ISO 27001 is recognized as equivalent to CMMC Level 2 and all overlapping practices can be marked MET.
B. The Lead Assessor has discretion to accept ISO 27001 evidence for up to 25% of practices.
C. Other cybersecurity certifications such as ISO 27001 do not bestow any credit or status toward CMMC absent an official DoD non-duplication policy.
D. The OSC must submit a formal non-duplication request to OUSD(A&S) during the assessment to receive credit.
C is correct. CAP §1.4.5 explicitly states: "other cybersecurity conformance regimes that may have been implemented by an OSC do not bestow any status or credit toward an OSC's CMMC Assessment or Certification" absent official DoD non-duplication policy. This applies to ISO 27001, FedRAMP, and any other certification. All 110 practices must still be assessed against CMMC requirements.
Q10
An OSC's CMMC Assessment Results must be uploaded into CMMC eMASS. What are the correct timelines for (a) submitting the report to the CQAP, and (b) completing the eMASS upload?
A. 5 business days to CQAP; 10 business days to eMASS
B. 10 business days to CQAP; 20 business days to eMASS
C. 15 business days to CQAP; 30 business days to eMASS
D. 5 calendar days to CQAP; 15 calendar days to eMASS
B is correct. Per CAP §3.2.3: "Reports must submit to the CQAP NLT 10 Business Days from the Final Findings Briefing. Reports must be uploaded to eMASS NLT 20 Business Days from the Final Findings Briefing." All timelines are measured from the Final Findings Briefing date — memorize both numbers.
Q11
Practice SC.L2-3.13.11 (FIPS-validated encryption) is assessed during a CMMC Level 2 assessment. The OSC uses encryption to protect CUI in transit but the cryptographic module is NOT FIPS-validated. What is the SPRS score impact?
A. Subtract 3 points — encryption is employed but not FIPS-validated
B. Subtract 5 points — any deviation from FIPS is treated as full non-implementation
C. Subtract 1 point — encryption is in use, which qualifies as partial implementation
D. No deduction — FIPS validation is advisory only for contractor systems
A is correct. Per CAP Appendix P, SC.L2-3.13.11 has a tiered deduction: if encryption is NOT employed at all → subtract 5 points; if encryption IS employed but NOT FIPS-validated → subtract 3 points. This is the only CMMC practice with a built-in tiered scoring structure. FIPS validation requires the cryptographic MODULE itself to be NIST-validated under FIPS 140 — simply using an approved algorithm (e.g., AES) is NOT sufficient.
Q12
During a CMMC assessment, the OSC does not have a System Security Plan (SSP). Practice CA.L2-3.12.4 requires an SSP. What is the correct assessment outcome?
A. CA.L2-3.12.4 is scored NOT MET with a 1-point deduction; assessment continues for all other practices.
B. CA.L2-3.12.4 is scored NOT MET with a 5-point deduction; assessment continues.
C. The OSC receives 30 days to produce an SSP before the assessment proceeds.
D. The assessment cannot be completed — absence of an SSP results in a finding that the assessment could not be completed due to noncompliance with DFARS 252.204-7012.
D is correct. Per CAP Appendix P and the scoring table, CA.L2-3.12.4 is marked "N/A" for point deduction — but not because it's optional. Rather, the absence of an SSP means "it is not possible to conduct the assessment if the information is not available" and results in a finding that "an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012." The SSP is a prerequisite to assessment, not just another scoreable practice.
Domain 6
Scoping
15–20% of Exam

Asset Categories — Know All 6

Scoping is one of the most nuanced areas. Many questions present asset scenarios and ask you to categorize them. Memorize all six asset types, their definitions, and how they affect the assessment scope.
Asset Type | Definition | In Scope? | Assessment Impact
CUI Assets | Systems/components that process, store, or transmit CUI | Yes — fully in scope | All 110 practices assessed; highest scrutiny
Security Protection Assets (SPAs) | Assets that provide security functions protecting CUI assets (firewalls, IDS, IAM systems, logging platforms) | Yes — in scope | Assessed for their protective functions; critical controls apply
Contractor Risk Managed Assets (CRMAs) | Assets that can reach CUI assets but are managed to limit risk (e.g., managed network segments) | Partial | Contractor must demonstrate risk management; selected practices apply
Specialized Assets | OT/ICS, IoT, government-furnished equipment (GFE), test equipment not designed for standard NIST controls | In scope (documented) | May require documented exceptions; assessed for feasibility of practice implementation
Out-of-Scope Assets | Assets with no logical or physical connection to CUI environment and no path to CUI | No | Excluded; must be documented and justified in the SSP
External Service Providers (ESPs) | Cloud service providers, MSSPs, or vendors with access to CUI or CUI systems | In scope (inherited or shared) | Must meet applicable CMMC practices; FedRAMP equivalency for cloud

Cloud & FedRAMP

Cloud is heavily tested. Know when FedRAMP is required and what equivalency means.

Scoping Key Rules

What Drives the Scope
  • Data flows: any path CUI can travel defines the boundary.
  • Network connectivity: a system connected to a CUI system is in scope unless isolated by a security boundary.
  • The SSP defines the boundary — the assessor verifies it is accurate and complete.
  • Scoping must be conservative — assessors err toward including ambiguous systems rather than excluding them.
Scoping Gotchas
  • A system used for backup of CUI data is a CUI asset — not out of scope.
  • A printer connected to the CUI network is a specialized asset — still in scope.
  • Email systems that receive CUI from DoD partners are in scope even if CUI is incidental.
  • Personnel with access rights to CUI systems are in scope for AT and PS practices.
  • A firewall protecting CUI systems is an SPA — still assessed.
Practice Questions · Domain 6
Q16
A contractor uses a commercial email platform hosted in the cloud. Employees occasionally receive technical drawings (CUI) as email attachments from a DoD prime contractor. The cloud email provider does NOT have FedRAMP authorization. What is the MOST accurate scoping determination?
A. Out of scope — the contractor does not intentionally store CUI on the platform.
B. In scope as a CUI asset / ESP; the cloud platform stores CUI and does not meet FedRAMP requirements, representing a compliance gap.
C. Specialized asset — email systems have limited applicability and can be excluded from full CMMC assessment.
D. In scope, but only for the AT domain since the issue is user behavior.
B is correct. CUI that flows into an email system means that system stores and processes CUI — it is in scope regardless of intent. A non-FedRAMP cloud provider handling CUI is a significant compliance gap. "Incidental" CUI receipt does not provide a scoping exception.
Q17
A manufacturing company's shop floor uses legacy programmable logic controllers (PLCs) that cannot support modern authentication standards. These PLCs control machinery in a facility that also processes CUI in an adjacent office network. How should these PLCs be categorized?
A. Out of scope — PLCs are not information systems.
B. CUI Assets — they are in the same facility as CUI.
C. Specialized Assets — OT/ICS equipment that may require documented exceptions for practices that are not technically feasible.
D. CRMAs — the contractor can manage risk without implementing CMMC controls.
C is correct. OT/ICS equipment (PLCs, SCADA) is classified as Specialized Assets. They are in scope but may require documented exceptions where full CMMC control implementation is not technically feasible. The OSC must still implement compensating controls and document the exception in the SSP. Physical co-location alone does not make them CUI Assets (that requires logical connectivity to CUI data flows).
All Practice Questions
24 Questions · All Domains
Use this section for a timed run-through.

Domain 1 · Ecosystem

Q1
An RPO has been helping an OSC prepare for their Level 2 CMMC assessment for six months. The OSC now asks the same RPO to conduct the formal certification assessment. What is the correct course of action?
A. The RPO may conduct the assessment since they are already familiar with the OSC's environment.
B. The RPO cannot conduct the assessment; a separate, unaffiliated C3PAO must be engaged.
C. The RPO can conduct the assessment if a CCA from a different RPO is the lead assessor.
D. The assessment is allowed if the OSC signs a conflict-of-interest waiver.
B is correct. RPOs cannot conduct formal assessments. Consulting + assessing the same OSC is a prohibited conflict of interest.
Q2
Which entity investigates potential Code of Professional Conduct violations against a Certified CMMC Professional?
A. OUSD(A&S)
B. The C3PAO that employed the individual
C. CAICO
D. DCSA
C is correct. CAICO is the compliance and enforcement arm of the Cyber AB ecosystem.

Domain 2 · Ethics

Q3
A CCP casually mentions specific findings from an OSC's assessment to colleagues at an industry conference. Which CoPC principle was violated?
A. Professionalism
B. Objectivity
C. Proper Use of Materials
D. Confidentiality
D is correct. Sharing assessment findings outside authorized channels violates Confidentiality, which persists after engagement ends.

Domain 3 · Governance

Q4
A prime contractor generates technical specifications for a weapon system and shares them with a subcontractor. Which information category BEST describes these specifications?
A. FCI only
B. CUI — weapon system technical specifications are a controlled CUI category
C. Classified information
D. CDI only
B is correct. Weapon system technical specifications fall under CUI categories. CUI is always unclassified — it is not classified information.
Q5
A contractor's SPRS score is -147 and hasn't been updated in 18 months. A new DFARS 252.204-7019 contract is being awarded. What is required?
A. Complete a current NIST SP 800-171 assessment, establish a POA&M, and post the updated score to SPRS before award.
B. Immediately achieve CMMC Level 2 certification.
C. Submit an exception request to DoD.
D. No action required; SPRS scores are advisory only.
A is correct. 252.204-7019 requires a current assessment posted to SPRS before award. A score with a POA&M is acceptable for this clause. CMMC certification (7021) is a separate requirement.
Q6
Which DFARS clause gives DoD the right to review a contractor's System Security Plan?
A. DFARS 252.204-7012
B. DFARS 252.204-7019
C. DFARS 252.204-7020
D. DFARS 252.204-7021
C is correct. 7020 grants DoD the right to review SSPs. 7019 requires the assessment; 7020 allows verification of it.
Q7
Under 32 CFR Part 170, which CMMC level requires a Government-led assessment by DCSA?
A. Level 1
B. Level 2 (all contracts)
C. Level 2 (critical programs)
D. Level 3
D is correct. Level 3 = Government-led by DCSA. Level 2 = C3PAO third-party (or self-assessment for some programs). Level 1 = self-assessment.

Domain 4 · Model

Q8
An assessor reviews firewall rules, interviews the network engineer about segmentation, and attempts access from an untrusted segment. What assessment methods are used, in order?
A. Test, Interview, Examine
B. Examine, Interview, Test
C. Interview, Examine, Test
D. Examine, Test, Interview
B is correct. Reviewing = Examine. Questioning = Interview. Attempting access = Test.
Q9
Three of four objectives for a practice are satisfied; the fourth cannot be confirmed. What is the determination?
A. NOT MET — all objectives must be satisfied.
B. MET — 3/4 represents substantial compliance.
C. Partially MET — scored proportionally.
D. MET with notation.
A is correct. Binary scoring: MET or NOT MET. No partial credit. One unsatisfied objective = NOT MET for the entire practice.

Domain 5 · CAP (12 Questions)

Q10
The CAP v5.6.1 describes how many phases for a CMMC Level 2 assessment?
A. Three — Plan, Conduct, Report
B. Four — Plan & Prepare, Conduct, Report, Close-Out POA&Ms
C. Five — Initiate, Plan, Conduct, Report, Close-Out
D. Three — Pre-Assessment, Assessment, Post-Assessment
B is correct. The CAP v5.6.1 defines exactly four phases: Phase 1 (Plan and Prepare), Phase 2 (Conduct), Phase 3 (Report Recommended Assessment Results), and Phase 4 (Close-Out POA&Ms and Assessment). Phase 4 is commonly missed in study materials that list only three phases.
Q11
An OSC initiates contact with a C3PAO on Monday morning. Per the CAP, by when must the C3PAO acknowledge the request and propose an initial coordination call?
A. Within 24 hours
B. Within 3 business days
C. Within 5 business days
D. Within 10 business days
C is correct. Per CAP §1.1, the C3PAO shall respond within 5 business days, acknowledging the request and proposing scheduling of an initial coordination call or virtual meeting.
Q12
During Phase 1 readiness review, the Lead Assessor wants to notify the OSC of what evidence would strengthen their readiness before the assessment begins. What does the CAP say about this?
A. The Lead Assessor is explicitly prohibited from providing any advice or recommendations on improving evidence or readiness — this is a CoPC violation.
B. The Lead Assessor may provide general guidance on evidence types but not specific implementation recommendations.
C. The Lead Assessor may share a readiness checklist and note which items are incomplete.
D. The Lead Assessor may consult on readiness since the formal assessment has not yet begun.
A is correct. CAP §1.6.1 and §1.6.2 explicitly prohibit the assessment team from providing any advice, recommendations, or implementation assistance on how the OSC can improve evidence or readiness — at any point, including during replanning or rescheduling. Doing so is an explicit CoPC violation.
Q13
Acme Heavy Industries (parent company) has a defense division, Acme Defense Mission Systems, that performs DoD contract work. A cloud provider, All-American Cloud Services, provides IT services to that division. What is All-American Cloud Services' role in the CMMC organizational model?
A. Host Unit — they directly support DoD contract delivery
B. HQ Organization — they are part of the overall corporate structure
C. OSC — they will also receive CMMC certification during the assessment
D. Supporting Organization — assets may be in scope, but they will NOT receive CMMC certification
D is correct. Per CAP §1.4.3 Table 1.4.3 (which uses this exact example): Acme Heavy Industries = HQ Organization; Acme Defense Mission Systems = Host Unit / OSC; All-American Cloud Services = Supporting Organization. Supporting Organizations may have assets in scope but do NOT receive a CMMC certification from the assessment.
Q14
Which of the following CAP templates is NOT mandatory per Table 1.3?
A. CMMC Pre-Assessment Form Template
B. CMMC Assessment Readiness Review (CA-RR) Checklist
C. CMMC Assessment Results Form
D. Limited Practice Deficiency Correction Program Worksheet
B is correct. Per CAP Table 1.3, the CA-RR Checklist is "N" (not mandatory). The Pre-Assessment Form (A), Assessment Results Form (C), and Limited Practice Deficiency Correction Worksheet (D) are all mandatory. Note: the Assessment Findings brief-out event is required, but the PowerPoint template itself is not.
Q15
An OSC proposes demonstrating that paper CUI media is securely stored via a live video call tour of the storage area. What does the CAP require?
A. The video call tour is acceptable — the CAP allows virtual observation for all media protection practices.
B. Photographic evidence submitted in advance is an acceptable substitute for in-person observation.
C. The assessor must be physically on-premises — MP.L2-3.8.1[c] is one of 15 objectives that cannot be observed virtually.
D. Virtual observation is acceptable if the OSC Assessment Official provides written attestation.
C is correct. CAP §1.5.1 lists 15 specific practice objectives that "must be observed by the C3PAO Assessment Team in-person and on the premises of the OSC." MP.L2-3.8.1[c] (paper media secure storage) and MP.L2-3.8.1[d] (digital media secure storage) are both explicitly on this list. Virtual observation is precluded.
Q16
An OSC achieves 97/110 practices MET. The 13 NOT MET practices are minor documentation gaps placed on the Limited Practice Deficiency Correction program. The OSC does not resolve them within 5 business days. What is the outcome?
A. The Lead Assessor moves unresolved deficiencies to a POA&M. Since 97/110 ≥ 88/110, the OSC can receive a CMMC L2 Conditional Certification.
B. The assessment is voided and the OSC must restart the process.
C. The OSC receives "Not Achieved" — all deficiencies must be resolved before any certification.
D. The Lead Assessor grants a 10-day extension for corrections.
A is correct. Per CAP §3.2.1, unresolved Limited Practice Deficiency items move to a POA&M review (§2.3.1.2). Since 97/110 exceeds the 80% threshold (88/110), the OSC qualifies for a Conditional Certification. The OSC then has 180 days from the Final Findings Briefing to complete a Phase 4 POA&M Close-Out Assessment.
Q17
An OSC with a Conditional Certification completes all POA&M items in Phase 4. However, one closed item now limits the effectiveness of a previously MET practice (AC.L1-3.1.1). What is the correct outcome?
A. Final Certification is awarded — the POA&M item is MET, which is the key criterion.
B. Final Certification is awarded because the OSC is within the 180-day window.
C. The Conditional Cert remains valid and the OSC gets an extension to resolve the conflict.
D. Final Certification is NOT awarded. The Conditional Cert becomes null and void; the OSC must reapply.
D is correct. Per CAP §4.1, one Phase 4 success criterion is that closed POA&M items "do not change and/or limit the effectiveness of another practice that has been scored MET." Since the remediation limits AC.L1-3.1.1, this criterion fails. Per §4.1.2, the Conditional Cert becomes null and void and the OSC must reapply.
Q18
An OSC argues that their ISO 27001 certification demonstrates compliance with several CMMC practices and requests credit for those controls. What does the CAP say?
A. ISO 27001 is recognized as equivalent and all overlapping practices can be marked MET.
B. The Lead Assessor has discretion to accept ISO 27001 evidence for up to 25% of practices.
C. Other cybersecurity certifications do not bestow any credit or status toward CMMC absent an official DoD non-duplication policy.
D. The OSC must submit a non-duplication request to OUSD(A&S) during the assessment to receive credit.
C is correct. CAP §1.4.5 explicitly states other cybersecurity conformance regimes (ISO 27001, FedRAMP, etc.) "do not bestow any status or credit toward an OSC's CMMC Assessment or Certification" absent official DoD non-duplication policy. All 110 practices must be assessed against CMMC requirements.
Q19
What are the correct timelines for (a) submitting the assessment report to the CQAP, and (b) uploading to CMMC eMASS — both measured from the Final Findings Briefing?
A. 5 business days to CQAP; 10 business days to eMASS
B. 10 business days to CQAP; 20 business days to eMASS
C. 15 business days to CQAP; 30 business days to eMASS
D. 5 calendar days to CQAP; 15 calendar days to eMASS
B is correct. Per CAP §3.2.3: reports must be submitted to the CQAP NLT 10 business days from the Final Findings Briefing, and uploaded to eMASS NLT 20 business days from the Final Findings Briefing. Both timelines count from the same starting point.
Q20
Practice SC.L2-3.13.11 is assessed and the OSC uses encryption to protect CUI in transit, but the cryptographic module is NOT FIPS-validated. What is the SPRS score impact?
A. Subtract 3 points — encryption is employed but not FIPS-validated
B. Subtract 5 points — any deviation from FIPS is treated as full non-implementation
C. Subtract 1 point — encryption is in use, qualifying as partial implementation
D. No deduction — FIPS validation is advisory only for contractor systems
A is correct. Per CAP Appendix P, SC.L2-3.13.11 has a tiered deduction: no encryption at all → subtract 5 points; encryption employed but NOT FIPS-validated → subtract 3 points. This is the only CMMC practice with a built-in tiered scoring structure. Using an approved algorithm (e.g., AES) without a FIPS 140-validated module is NOT sufficient.
Q21
During a CMMC assessment, the OSC does not have a System Security Plan (SSP). What is the correct assessment outcome for CA.L2-3.12.4?
A. CA.L2-3.12.4 is scored NOT MET with a 1-point deduction; assessment continues.
B. CA.L2-3.12.4 is scored NOT MET with a 5-point deduction; assessment continues.
C. The OSC receives 30 days to produce an SSP before the assessment proceeds.
D. The assessment cannot be completed — absence of an SSP results in a finding of noncompliance with DFARS 252.204-7012.
D is correct. Per CAP Appendix P, CA.L2-3.12.4 is marked "N/A" for point deduction — but that means it's a prerequisite, not optional. The absence of an SSP means "it is not possible to conduct the assessment" and results in a finding that the assessment could not be completed due to noncompliance with DFARS 252.204-7012. The SSP must exist for the assessment to proceed.

Domain 6 · Scoping

Q22
A contractor uses a non-FedRAMP cloud email platform. Employees receive CUI technical drawings as attachments from a DoD prime. What is the scoping determination?
A. Out of scope — CUI received incidentally doesn't trigger scope.
B. In scope as a CUI asset/ESP; non-FedRAMP cloud handling CUI is a compliance gap.
C. Specialized asset — email systems can be excluded from full assessment.
D. In scope for AT domain only since the issue is user behavior.
B is correct. Any system that stores, processes or transmits CUI is in scope, and a cloud service provider doing so on the OSC's behalf is an External Service Provider. DFARS 252.204-7012(b)(2)(ii)(D) requires such a provider to meet the FedRAMP Moderate baseline or equivalent, so a non-FedRAMP email platform holding CUI attachments is a compliance gap. That the CUI arrived unsolicited from the prime does not change the determination; scope follows where the CUI actually resides.
Q23
Legacy PLCs on a shop floor cannot support modern authentication. They share facility space with an office network that processes CUI. How should the PLCs be categorized?
A. Out of scope — PLCs are not information systems.
B. CUI Assets — same facility as CUI.
C. Specialized Assets — OT/ICS with documented exceptions for infeasible practices.
D. CRMAs — contractor manages risk without full CMMC controls.
C is correct. OT/ICS (PLCs, SCADA) fall under Specialized Assets. At Level 2 they are in scope but are not themselves assessed against the other CMMC requirements; the OSC must document them in the asset inventory, SSP and network diagram and show they are managed under its risk-based security policies and procedures. (At Level 3 Specialized Assets are assessed against the requirements unless isolated behind an intermediary device.) Physical co-location with the CUI office network, without logical connectivity to CUI, does not make the PLCs CUI Assets.
Q24
An OSC's Security Protection Asset (SPA) — specifically their SIEM platform — has a known unpatched vulnerability. Which domain's practices are MOST directly applicable to this asset?
A. RA (Risk Assessment) only — vulnerability management is a risk domain function.
B. Multiple domains including SI (patch/flaw remediation), RA (vulnerability scanning), and CA (security assessments) — SPAs are assessed across all applicable domains.
C. SPAs are out of scope — they protect CUI assets but are not CUI assets themselves.
D. CM (Configuration Management) only — unpatched systems are a CM deficiency.
B is correct. Security Protection Assets are in scope and are assessed against the requirements relevant to the capabilities they provide, whether or not they handle CUI. An unpatched SIEM implicates SI (flaw remediation), RA (vulnerability scanning), CM (baseline configuration) and CA (security assessment monitoring). Being "in scope" means every applicable practice applies, not a domain-limited subset.