CMMC-CCP Exam Dumps : Certified CMMC Professional (CCP) Exam

Understanding CMMC Asset CategorizationTheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).

In this scenario:

Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.

Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.

CMMC 2.0 Definition of Out-of-Scope AssetsAs per theCMMC Scoping Guide, assets that:

✅Do not store, process, or transmit FCI/CUI

✅Do not directly impact the security of in-scope assets

✅Are completely segregated from the FCI/CUI environment

are classified asOut-of-Scope Assets.

Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.

A. FCI Assets❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.

B. Specialized Assets❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.

D. Operational Technology Assets❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.

Why the Other Answers Are Incorrect

CMMC 2.0 Scoping Guide – Level 1 & Level 2

CMMC Assessment Process (CAP) Document

CMMC Official ReferencesThus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.

What is Required in the CMMC Assessment Kickoff and Opening Briefing?Before starting aCMMC assessment, theLead Assessormust present anopening briefingto ensure that theOrganization Seeking Certification (OSC)understands the assessment process.

Step-by-Step Breakdown:✅1. Overview of the Assessment Process

The Lead Assessormust explain the CMMC assessment methodology, including:

Theassessment objectives and scope

How theassessment team will review security controls

What to expectduring interviews, testing, and document review

This ensurestransparency and alignmentbetween the assessors and the OSC.

✅2. Why the Other Answer Choices Are Incorrect:

(A) Gathering Evidence❌

Evidence collection is part of the assessment butnot the primary topic of the opening briefing.

(B) Review of the OSC's SSP❌

While theSSP is a key document, reviewing it is part of the assessment,not the kickoff briefing.

(D) Examination of the artifacts for sufficiency❌

Artifact review happens laterin the assessment process,not during the kickoff.

TheCMMC Assessment Process Guidestates that theopening briefing must include an overview of the assessment process, ensuring the OSC understands the expectations and methodology.

Final Validation from CMMC Documentation:Thus, the correct answer is:

✅C. Overview of the assessment process.

Understanding Access Control in CMMCAccess control refers to the process ofgranting or denyingspecific requests to:

Obtain and use information

Access information processing services

Enter specific physical locations

TheAccess Control (AC) domain in CMMCis based onNIST SP 800-171 (3.1 Access Control family)and includes requirements to:

✅Implement policies for granting and revoking access.

✅Restrict access to authorized personnel only.

✅Protect physical and digital assets from unauthorized access.

Since the questionbroadly asks about the process of granting or denying access to information, services, and physical locations, the correct answer isA. Access Control.

B. Physical access control❌Incorrect.Physical access controlis asubsetof access control that only applies tophysical locations(e.g., keycards, security guards, biometrics). The question includesinformation and services, makinggeneral access controlthe correct choice.

C. Mandatory access control (MAC)❌Incorrect.MAC is a specific type of access controlwhere access is strictly enforced based onsecurity classifications(e.g., Top Secret, Secret, Confidential). The questiondoes not specify MAC, so this is incorrect.

D. Discretionary access control (DAC)❌Incorrect.DAC is another specific type of access control, whereownersof data decide who can access it. The question asksgenerallyabout granting/denying access, makingaccess control (A)the best answer.

Why the Other Answers Are Incorrect

CMMC 2.0 Model - AC.L2-3.1.1 to AC.L2-3.1.22– Covers access control requirements, includingcontrolling access to information, services, and physical spaces.

NIST SP 800-171 (3.1 - Access Control Family)– Defines the general principles of access control.

CMMC Official ReferencesThus,option A (Access Control) is the correct answer, as it best aligns withCMMC access control requirements.