CMMC Model Construct and Implementation Evaluation for CCP

This page covers the CMMC Model Construct and Implementation Evaluation domain of the CCP certification. Master Cybersecurity offers 46 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset. Which function BEST describes what the printer does with the FCI?
    A. Encrypt
    B. Manage
    C. Process
    D. Distribute
    Explanation

    The correct answer is: D. Distribute.

    The Level 1 Scoping Guide identifies FCI assets by whether they process, store, or transmit FCI; the question instead asks which function best describes what the printer does with the FCI. A printer takes electronic FCI and outputs it in physical (paper) form, so among the offered choices 'Distribute' best captures its role: it is the boundary device that turns a digital record into a physical artifact that may then circulate within the OSC. 'Encrypt' and 'Manage' are not functions a printer performs on the data it handles. 'Process' is a defensible alternative, because the printer does push the data through its print pipeline, but 'Distribute' names the printer's distinguishing effect, producing a physical FCI copy. How an asset handles FCI drives which practices apply to it: printed FCI output falls under the Physical Protection (PE) practices for the area where the printer sits, and the paper and any storage inside the printer fall under the Media Protection (MP) practice requiring media containing FCI to be sanitized or destroyed before disposal or reuse.
  2. Question 2

    Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?
    A. Access Control (AC)
    B. Media Protection (MP)
    C. Asset Management (AM)
    D. Configuration Management (CM)
    Explanation

    The correct answer is: D. Configuration Management (CM).

    The Configuration Management (CM) domain in CMMC, drawn from the NIST SP 800-171 3.4 family, is where this practice lives. The wording in the question is that of 3.4.7 (Nonessential Functionality): "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services." That practice implements the principle stated in the neighboring 3.4.6 (Least Functionality), which requires systems to be configured to provide only essential capabilities. The intent is to reduce the attack surface by ensuring systems offer only the capabilities required for mission needs, not every default service or application that ships with the platform. Access Control (AC) governs who can do what, not the catalog of installed functionality. Media Protection (MP) covers media handling and sanitization. Asset Management is not a CMMC 2.0 domain at all (CMMC 1.0 had it; CMMC 2.0 dropped it). Configuration Management is the correct home for this practice.
  3. Question 3

    In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company's SSP. The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?
    A. IoT
    B. Restricted IS
    C. Test equipment
    D. Operational technology
    Explanation

    The correct answer is: D. Operational technology.

    Operational Technology (OT) is the Specialized Asset subcategory covering hardware and software that detects or causes change through direct monitoring or control of physical devices, processes, and events — industrial control systems, SCADA, programmable logic controllers, machine controllers, assembly-line equipment, and similar manufacturing or process technology. Machine controllers and assembly machines are classic OT examples. Specialized Assets is the umbrella; OT is the specific subtype. IoT is a different subtype (consumer-grade or environmental sensors and connected devices). Restricted Information Systems are configured per government requirements to support a contract. Test equipment is a separate subtype for QC and validation tools. Distinguishing OT from IoT matters because OT systems often have unique availability and safety requirements that influence assessment treatment.
  4. Question 4

    According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?
    A. Least privilege
    B. Essential concern
    C. Least functionality
    D. Separation of duties
    Explanation

    The correct answer is: C. Least functionality.

    Least functionality is the principle in NIST SP 800-171 control 3.4.6 (and elsewhere in the catalog) requiring systems to be configured to provide only essential capabilities — every nonessential service, port, protocol, application, or function should be disabled, removed, or restricted. The principle is the conceptual basis for hardening guides, application allowlisting, and disabling default features that aren't needed. Least privilege is a related but different principle (limiting user permissions to what is necessary for assigned duties) and lives in the AC family. Separation of duties is yet another distinct principle (preventing a single individual from holding incompatible responsibilities) also in AC. 'Essential concern' is not a recognized security principle. Least functionality is the CM principle that defines essential system capabilities.
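    The practice behind Questions 2 and 4 is easy to state and tedious to verify by hand: the enabled services and listening ports on a host have to be compared against the documented list of essential capabilities, and anything outside that list is a nonessential function to restrict or disable. The following script is an added example written for this page, not code from CMMC, NIST, or any assessment guide. It parses the text output of `systemctl list-unit-files --type=service --state=enabled` and `ss -tlnp` and reports deviations from an assumed baseline. The baseline sets (`ESSENTIAL_SERVICES`, `ESSENTIAL_PORTS`) and both sample outputs are constructed for illustration; a real baseline comes from the organization's configuration standard.

```python
"""Least-functionality baseline check (added example, not from any CMMC or NIST guide).

Compares the services enabled on a host and the TCP ports it listens on against
a documented baseline of essential capabilities and reports anything outside it.
Both sample inputs below are constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baseline for this host role. In practice this list is the organization's
# documented configuration standard, not something hard-coded in a script.
ESSENTIAL_SERVICES = {"sshd", "chronyd", "rsyslog"}
ESSENTIAL_PORTS = {22}

# Constructed sample of: systemctl list-unit-files --type=service --state=enabled
SAMPLE_UNIT_FILES = """\
UNIT FILE         STATE   PRESET
chronyd.service   enabled enabled
cups.service      enabled enabled
rsyslog.service   enabled enabled
smb.service       enabled enabled
sshd.service      enabled enabled

5 unit files listed.
"""

# Constructed sample of: ss -tlnp
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=1203,fd=34))
"""

PROC_RE = re.compile(r'\("([^"]+)"')  # extracts the process name from ss's users:(...) column


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        # A loopback-only listener is still nonessential functionality, but it is
        # not reachable from the network, so it is reported separately.
        return self.address in ("127.0.0.1", "::1")


def parse_enabled_services(text: str) -> set[str]:
    """Return the enabled unit names without the .service suffix; skips header/footer lines."""
    services = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(".service") and parts[1] == "enabled":
            services.add(parts[0][: -len(".service")])
    return services


def parse_listeners(text: str) -> set[Listener]:
    """Parse LISTEN rows of `ss -tlnp` into (address, port, process) records."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition handles IPv6 like [::]:22
        match = PROC_RE.search(line)
        listeners.add(Listener(addr.strip("[]"), int(port), match.group(1) if match else "?"))
    return listeners


def check_least_functionality(unit_files: str, ss_output: str,
                              essential_services: set[str] = ESSENTIAL_SERVICES,
                              essential_ports: set[int] = ESSENTIAL_PORTS) -> dict:
    """Return the services and ports present on the host but absent from the baseline."""
    services = parse_enabled_services(unit_files)
    extra = [l for l in parse_listeners(ss_output) if l.port not in essential_ports]
    return {
        "unexpected_services": sorted(services - essential_services),
        "unexpected_ports": sorted({l.port for l in extra if not l.loopback_only}),
        "loopback_only_ports": sorted({l.port for l in extra if l.loopback_only}),
    }


if __name__ == "__main__":
    for key, value in check_least_functionality(SAMPLE_UNIT_FILES, SAMPLE_SS).items():
        print(f"{key}: {value}")
```

On the constructed input the check flags `cups` and `smb` as enabled services outside the baseline, port 445 as a network-reachable listener outside the baseline, and port 631 as a loopback-only deviation. The loopback split is deliberate: both are findings under 3.4.7, but the one reachable from the network is the one to disable first. To turn the script into evidence for an assessment, feed it the real command output and archive the output alongside the baseline it was compared against.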
  5. Question 5

    A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?
    A. IoT
    B. Restricted IS
    C. Test equipment
    D. Government property
    Explanation

    The correct answer is: B. Restricted IS.

    Restricted Information Systems is the Specialized Asset subcategory in the CMMC Scoping Guides that covers systems and associated IT components configured based on government requirements (typically because they are connected to, or required to support, a specific contract) and used to support that contract. Contractor-owned systems whose configuration is dictated by government specifications to handle FCI under a DoD agreement fit this description precisely. IoT covers connected devices and sensors. Test equipment covers systems used for tests, measurements, and experiments, not contract execution systems. Government property covers equipment owned or leased by the government, such as GFE/GFP; in this scenario the systems are contractor-owned, not government-owned, so 'Restricted IS' rather than 'Government property' is the correct label. Distinguishing these subtypes matters because each carries slightly different documentation expectations in the SSP.
