CMMC study guide | Questions & Answers (100% Score) Latest Updated 2024/2025
Comprehensive Questions A+ Graded Answers | 100% Pass
What does CMMC stand for? - ✔✔Cybersecurity Maturity Model Certification
What is CMMC? - ✔✔A cybersecurity compliance mandate, required by the US DoD of orgs that serve
the DoD (prime contractors and their subcontractors)
Who mandated CMMC? What org runs the CMMC program? - ✔✔US DoD. Cyber AB runs it.
Who is subject to CMMC? - ✔✔Private sector orgs in the DIB (& higher Ed that obtain DoD research
grants with CUI)
What is the purpose of CMMC? - ✔✔The DoD's goal is to strengthen the cybersecurity posture of its
suppliers and protect controlled unclassified info (CUI)
What is the acronym for the data that the DoD is seeking to protect? What does the acronym stand for?
- ✔✔CUI; Controlled unclassified information
What set of standards is CMMC based upon? - ✔✔NIST 800-171
What is the acronym for the companies that will perform CMMC audits? What does this acronym stand
for? - ✔✔C3PAO - Certified Third-Party Assessment Organizations.
What are at least (3) major reasons that a DIB org should want to self-attest truthfully and/or be
compliant with CMMC? - ✔✔Not awarded contract work / DOJ ramifications / contract termination or
suspension / False Claims Act violations / fines and penalties.
How many domains are part of NIST 800-171? - ✔✔14
Name 6 of the domains - ✔✔Access control, awareness and training, audit and accountability,
configuration management, identification and authentication, incident response, maintenance, media
protection, personnel security, physical protection, risk assessment, security assessment, system and
comms protection, system and information integrity.
How many controls comprise 800-171? - ✔✔110
Each control has 2 primary components and they are ———— and ————. - ✔✔Policy & practice
NIST does not "weight" the criticality of any particular security control, but the DoD has. How does this
weighting / prioritization system work? - ✔✔Assessment methodology: a scale of 1, 3, or 5, with 1 being the lowest
and 5 being the highest and most critical. No POAMs for 5.
What is the primary document that outlines any DIB's cyber program? - ✔✔Systems and Security plan
(SSP)
What are at least (3) things that would be discussed in this document? - ✔✔Security policies; roles and
responsibilities; details of the different security standards and guidelines that the org follows; identifies all
its hardware and the software installed on the system; includes high-level diagrams that show how
connected systems talk to each other.
Provide an example of policy and practice. - ✔✔Policy: users must reset their password every x days and the
password must meet certain parameters.
Practice: the sys admin creates the rules to remind users.
How many levels did CMMC 1.0 have? - ✔✔5
How many levels are in CMMC 2? How many controls? How many objectives? - ✔✔3 levels, 110 controls,
320+ objectives
What is the difference between a control and an objective? - ✔✔Control = a security control that must be
met to be compliant. Objectives are the auditable criteria within a control.