Scoping for CCP
This page covers the Scoping domain of the CCP certification. Master Cybersecurity offers 21 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope. Who is responsible for verifying this request?
- A. CCP
- B. C3PAO
- C. Lead Assessor
- D. Advisory Board
Explanation
The correct answer is: C. Lead Assessor.
When the OSC proposes that an associated enclave should be excluded from the assessment scope — for example, a separate network segment that the OSC argues does not handle CUI — the Lead Assessor is responsible for verifying that proposal during the readiness review. The Lead Assessor examines the segmentation evidence (network diagrams, firewall rules, data-flow analysis), confirms there is no CUI flow into the proposed out-of-scope enclave, and either accepts the exclusion or pushes back if the boundary is insufficiently documented. CCPs participate in the team but do not own scope verification independently. The C3PAO organization owns the assessment overall, but enclave-level scope determinations are operationalized through the Lead Assessor. There is no 'Advisory Board' role in CAP that handles this. The Lead Assessor is the right authority.
Question 2
While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?
- A. ESPs
- B. People
- C. Facilities
- D. Technology
Explanation
The correct answer is: A. ESPs.
When the OSC's IT infrastructure (servers, networks, storage) is operated by a third-party organization — a managed services provider, a colocation host, or a cloud-based managed IT firm — that organization falls into the External Service Provider (ESP) category in CMMC scoping. ESPs include any external entity providing services that involve handling, processing, or supporting CMMC-relevant information, regardless of whether they are formally certified themselves. People, Facilities, and Technology are also asset types in CMMC scoping, but they describe components within the OSC's scope; a hosting provider as a separate organizational entity is captured under ESP. Identifying ESPs accurately is critical because their controls flow into the OSC's scoping decisions and influence whether their handling of OSC data needs to be assessed.
Question 3
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
- A. Access control
- B. Physical access control
- C. Mandatory access control
- D. Discretionary access control
Explanation
The correct answer is: A. Access control.
Access control, as defined by NIST and used throughout the CMMC framework, is the broad term for the process of granting or denying specific requests to obtain and use information, related information processing services, and to enter specific physical facilities. The breadth of the definition covers both logical access (to systems, applications, and data) and physical access (to buildings, rooms, and equipment). 'Physical access control' is a narrower subset focused only on physical entry. 'Mandatory access control' (MAC) is a specific access-control model where the system enforces policy based on labels and clearances. 'Discretionary access control' (DAC) is another specific model where resource owners decide who has access. The umbrella term that encompasses both information and facility access is simply Access Control.
Question 4
An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?
- A. No, emails are not appropriate affirmations.
- B. No, messaging is not an appropriate affirmation.
- C. Yes, the affirmations collected by the assessor are all appropriate.
- D. Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.
Explanation
The correct answer is: C. Yes, the affirmations collected by the assessor are all appropriate.
Affirmations in the CMMC context are statements from authorized OSC representatives that confirm a practice is implemented as described, and they can be gathered through multiple methods: structured interviews with subject-matter experts, live demonstrations of system behavior, written confirmations sent by email, instant messages exchanged during the assessment window, and presentations the OSC delivers to walk the team through how a control operates. As long as the source is an authorized OSC representative speaking to a practice they have responsibility for and the assessor records the affirmation properly, each of these methods is appropriate. Screenshots can also serve as evidence — they fall under the Examine method as inspected artifacts — but the question's listed methods already cover the core affirmation channels and there is no method on the list that should be excluded. The assessor's job is to capture and corroborate, not to constrain channels.
Question 5
While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?
- A. Procedures for implementing access control lists
- B. List of unauthorized users that identifies their identities and roles
- C. User names associated with system accounts assigned to those individuals
- D. Physical access policy that states, "All non-employees must wear a special visitor pass or be escorted."
Explanation
The correct answer is: C. User names associated with system accounts assigned to those individuals.
IA.L1-3.5.1 requires the OSC to identify system users, the processes acting on behalf of users, and devices. The control's evidence is satisfied by artifacts that demonstrate unique identification at the account level: a list mapping individual usernames to the system accounts assigned to them is the most direct documentation that users (and the processes running under their accounts) are uniquely identified. A list of unauthorized users does not satisfy the control — the practice is about identifying authorized users. Procedures for implementing access control lists relate to the AC family (3.1), not IA. A physical access policy belongs to the Physical Protection family. Username-to-account mapping is the simplest, most direct evidence that L1-3.5.1 is being met.
Other CCP domains
- CMMC Assessment Process (CAP) (69 questions)
- CMMC Governance and Source Documents (20 questions)
- CMMC Model Construct and Implementation Evaluation (46 questions)