CMMC CCP Exam 1 Questions &
Answers 2025/2026
What score is required to pass the CCP exam - ANSWERS500 out of 800
What is CMMC based on? - ANSWERSNIST 800-171 r2
Who provides the guidance regarding CUI policy and practice - ANSWERSNARA
License the Licensed Partner Publisher (LLP) coursework and provide the infrastructure, delivery
and training - ANSWERSLicensed Training Providers (LTP)
Only source for CMMC approved training materials - ANSWERSLicensed Partner Publisher (LLP)
What does DIBCAC stand for - ANSWERSDefense Industrial Base Cybersecurity Contract
Management Center
Are RPOs authorized to perform CMMC assessments? - ANSWERSNo, they can consult and help
an OSC get prepared for CMMC. They are not authorized to perform the assessment.
What is an Organization Seeking Certification (OSC) - ANSWERSA member or prospective
member of the Defense Industrial Base (DIB) involved in the handling and transmission of
storage of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) who
will need to adequately protect that information at a level commensurate with the risk
Can a C3PAO work for a company they acted as an RPO for - ANSWERSNo
,What is a C3PAO - ANSWERSCertified 3rd Party Organization
What are Registered Practitioners (RP) - ANSWERSAn individual that can provide advice,
consulting and recommendations to clients. They are the implementers and consultants but do
not participate in CMMC assessments
What falls under the CMMC-AB umbrella - ANSWERSOSC
RPO
What is the CMMC-AB - ANSWERSCMMC Accreditation Body, Inc.
What falls under the CAICO umbrella - ANSWERSC3PAO
- CCP
-CCA
What is the CAICO - ANSWERSCMMC Accessors and Instructors Certification Organization
What does 7021 require? - ANSWERSIntro of the CMMC model.
Not currently enforced
Currently gives 2025 deadline
What does 7020 require? - ANSWERSRequires a contractor, including a subcontractor, to provide
the government with access to it's facilities
What does 7019 require? - ANSWERSNIST SP 800-171, no older than 3 years
What regulation is CMMC level 2 - ANSWERSDFARS 252.204-7012
, What is Federal Acquisition Regulation (FAR)? - ANSWERSIntroduced in 2016. 100% of the
CMMC level 1 requirements that map from NIST
What does A & S stand for - ANSWERSAcquisition and Sustainment
What is the OUSD - ANSWERSOffice of the Undersecretary of Defense
What is a CCP - ANSWERSCertified CMMC Professional (Level 1 Assessor)
What is a POA&M? - ANSWERSPronounced (PO EMS) Plan of Action and Milestones is allowed
under certain circumstances to give an OSC a chance to achieve certification.
What is CMMC? - ANSWERSCybersecurity Maturity Model Certification - The validation
component of the requirements enforced by DFARS
What does DFARS stand for? - ANSWERSDefense Federal Acquisition Regulation Supplement
What is FAR Clause 52.204-21 - ANSWERSFirst introduced in May 2016. it's an attempt to
protect the confidentiality and integrity of FCI that resides in or transits through contractor
information systems. These are the same controls that comprise most of Level 1 of CMMC.
Verify and control/limit connections to and use of external information systems -
ANSWERSAC.L1-3.1.20 External Connections
Control information posted or processed on publicly accessible information systems -
ANSWERSAC.L1-3.1.22 Control Public Information
Answers 2025/2026
What score is required to pass the CCP exam - ANSWERS500 out of 800
What is CMMC based on? - ANSWERSNIST 800-171 r2
Who provides the guidance regarding CUI policy and practice - ANSWERSNARA
License the Licensed Partner Publisher (LLP) coursework and provide the infrastructure, delivery
and training - ANSWERSLicensed Training Providers (LTP)
Only source for CMMC approved training materials - ANSWERSLicensed Partner Publisher (LLP)
What does DIBCAC stand for - ANSWERSDefense Industrial Base Cybersecurity Contract
Management Center
Are RPOs authorized to perform CMMC assessments? - ANSWERSNo, they can consult and help
an OSC get prepared for CMMC. They are not authorized to perform the assessment.
What is an Organization Seeking Certification (OSC) - ANSWERSA member or prospective
member of the Defense Industrial Base (DIB) involved in the handling and transmission of
storage of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) who
will need to adequately protect that information at a level commensurate with the risk
Can a C3PAO work for a company they acted as an RPO for - ANSWERSNo
,What is a C3PAO - ANSWERSCertified 3rd Party Organization
What are Registered Practitioners (RP) - ANSWERSAn individual that can provide advice,
consulting and recommendations to clients. They are the implementers and consultants but do
not participate in CMMC assessments
What falls under the CMMC-AB umbrella - ANSWERSOSC
RPO
What is the CMMC-AB - ANSWERSCMMC Accreditation Body, Inc.
What falls under the CAICO umbrella - ANSWERSC3PAO
- CCP
-CCA
What is the CAICO - ANSWERSCMMC Accessors and Instructors Certification Organization
What does 7021 require? - ANSWERSIntro of the CMMC model.
Not currently enforced
Currently gives 2025 deadline
What does 7020 require? - ANSWERSRequires a contractor, including a subcontractor, to provide
the government with access to it's facilities
What does 7019 require? - ANSWERSNIST SP 800-171, no older than 3 years
What regulation is CMMC level 2 - ANSWERSDFARS 252.204-7012
, What is Federal Acquisition Regulation (FAR)? - ANSWERSIntroduced in 2016. 100% of the
CMMC level 1 requirements that map from NIST
What does A & S stand for - ANSWERSAcquisition and Sustainment
What is the OUSD - ANSWERSOffice of the Undersecretary of Defense
What is a CCP - ANSWERSCertified CMMC Professional (Level 1 Assessor)
What is a POA&M? - ANSWERSPronounced (PO EMS) Plan of Action and Milestones is allowed
under certain circumstances to give an OSC a chance to achieve certification.
What is CMMC? - ANSWERSCybersecurity Maturity Model Certification - The validation
component of the requirements enforced by DFARS
What does DFARS stand for? - ANSWERSDefense Federal Acquisition Regulation Supplement
What is FAR Clause 52.204-21 - ANSWERSFirst introduced in May 2016. it's an attempt to
protect the confidentiality and integrity of FCI that resides in or transits through contractor
information systems. These are the same controls that comprise most of Level 1 of CMMC.
Verify and control/limit connections to and use of external information systems -
ANSWERSAC.L1-3.1.20 External Connections
Control information posted or processed on publicly accessible information systems -
ANSWERSAC.L1-3.1.22 Control Public Information
