Getting ready for the Cyber AB CMMC-CCP certification exam can feel challenging, but with the right preparation, success is closer than you think. At PASS4EXAMS, we provide authentic, verified, and updated study materials designed to help you pass confidently on your first attempt.
Why Choose PASS4EXAMS for Cyber AB CMMC-CCP?
At PASS4EXAMS, we focus on real results. Our exam preparation materials are carefully developed to match the latest exam structure and objectives.
Real Exam-Based Questions – Practice with content that reflects the actual Cyber AB CMMC-CCP exam pattern.
Updated Regularly – Stay current with the most recent CMMC-CCP syllabus and vendor updates.
Verified by Experts – Every question is reviewed by certified professionals for accuracy and quality.
Instant Access – Download your materials immediately after purchase and start preparing right away.
100% Pass Guarantee – If you prepare with PASS4EXAMS, your success is fully guaranteed.
What’s Inside the Cyber AB CMMC-CCP Study Material
When you choose PASS4EXAMS, you get a complete and reliable preparation experience:
Comprehensive Question & Answer Sets that cover all exam objectives.
Practice Tests that simulate the real exam environment.
Detailed Explanations to strengthen understanding of each concept.
Free 3 Months of Updates, ensuring your material stays relevant.
Expert Preparation Tips to help you study efficiently and effectively.
Why Get Certified?
Earning your Cyber AB CMMC-CCP certification demonstrates your professional competence, validates your technical skills, and enhances your career opportunities. It’s a globally recognized credential that helps you stand out in the competitive IT industry.
Cyber AB CMMC-CCP Sample Question Answers
Question # 1
The evidence needed for each practice and/or process is weighed for:
A. adequacy and sufficiency.
B. adequacy and thoroughness.
C. sufficiency and thoroughness.
D. sufficiency and appropriateness.
Answer: A
Explanation: During a CMMC assessment, organizations must provide evidence to demonstrate compliance with required practices and processes. Assessors evaluate this evidence based on two key criteria:
Adequacy – Does the evidence meet the intent of the security requirement?
Sufficiency – Is there enough evidence to reasonably conclude that the practice/process is effectively implemented?
These principles are outlined in the CMMC Assessment Process Guide, which provides a structured approach for evaluating compliance.
Step-by-Step Breakdown:
✅ 1. Adequacy – Does the evidence fully meet the requirement?
Adequacy refers to whether the evidence properly demonstrates that the security practice has been implemented as required.
Example: If an organization claims to enforce Multi-Factor Authentication (MFA), an assessor would check system configurations, login policies, and user authentication logs to confirm that MFA is actually in use.
✅ 2. Sufficiency – Is there enough evidence to support the claim?
Sufficiency means that there is enough supporting evidence to prove compliance.
Example: If an organization provides only one screenshot of an MFA login screen, that alone may not be sufficient; additional logs, policies, and user records would help strengthen the case.
Why the Other Answer Choices Are Incorrect:
(B) Adequacy and Thoroughness ❌
Thoroughness is not a defined metric in CMMC evidence evaluation. The focus is on whether the evidence meets the requirement (adequacy) and if there is enough of it (sufficiency).
(C) Sufficiency and Thoroughness ❌
Thoroughness is not a recognized term in CMMC compliance validation. Evidence must be adequate and sufficient, not just thorough.
(D) Sufficiency and Appropriateness ❌
Appropriateness is not a CMMC-defined criterion. The correct terms used in CMMC assessments are Adequacy (Does it meet the requirement?) and Sufficiency (Is there enough proof?).
Final Validation from CMMC Documentation:
The CMMC Assessment Process Guide explicitly states that evidence must be evaluated based on adequacy and sufficiency to confirm compliance with security practices.
Question # 2
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
A. Clear, purge, destroy
B. Clear, redact, destroy
C. Clear, overwrite, purge
D. Clear, overwrite, destroy
Answer: A
Explanation: Understanding NIST SP 800-88 Rev. 1 and Media Sanitization
The NIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media Sanitization, provides guidance on secure disposal of data from various types of storage media to prevent unauthorized access or recovery.
Clear
Uses logical techniques to remove data from media, making it difficult to recover using standard system functions.
Example: Overwriting all data with binary zeros or ones on a hard drive.
Applies to: Magnetic media, solid-state drives (SSD), and non-volatile memory when the media is reused within the same security environment.
Purge
Uses advanced techniques to make data recovery infeasible, even with forensic tools.
Example: Degaussing a magnetic hard drive or cryptographic erasure (deleting encryption keys).
Applies to: Media that is leaving organizational control or requires a higher level of assurance than "Clear".
Destroy
Physically damages the media so that data recovery is impossible.
Example: Shredding, incinerating, pulverizing, or disintegrating storage devices.
Applies to: Highly sensitive data that must be permanently eliminated.
B. Clear, Redact, Destroy (Incorrect) – "Redact" is a term used for document sanitization, not data disposal.
C. Clear, Overwrite, Purge (Incorrect) – "Overwrite" is a method within "Clear," but it is not a top-level category in NIST SP 800-88.
D. Clear, Overwrite, Destroy (Incorrect) – "Overwrite" is a sub-method of "Clear," but "Purge" is missing, making this incorrect.
The correct answer is A. Clear, Purge, Destroy, as these are the three official categories of data disposal in NIST SP 800-88 Revision 1.
Reference:
NIST SP 800-88 Rev. 1 – Guidelines for Media Sanitization
CMMC 2.0 Security Practices Related to Media Disposal (Aligned with NIST guidance)
Question # 3
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
A. Conduct a penetration test
B. Interview the intrusion detection system's supplier.
C. Upload known malicious code and observe the system response.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.
Answer: D
Explanation: Understanding SI.L2-3.14.6: Monitor Communications for Attacks
The practice SI.L2-3.14.6 from NIST SP 800-171 (aligned with CMMC Level 2) requires an organization to monitor organizational communications for indicators of attack. This typically includes:
✅ Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
✅ Log analysis and network monitoring
✅ Incident response planning for detected threats
As part of a CMMC Level 2 assessment, the Certified CMMC Assessor (CCA) must ensure that the OSC (Organization Seeking Certification) has properly implemented and documented its monitoring capabilities.
Why "Review an artifact to check key references for the configuration of the IDS or IPS" is Correct?
The CCA must collect sufficient objective evidence to determine compliance.
Reviewing an artifact (such as system configurations, IDS/IPS logs, or security policies) helps validate that intrusion detection is properly implemented.
Configuration settings provide direct evidence of whether monitoring for attacks is effectively applied.
Breakdown of Answer Choices:
A. Conduct a penetration test: ❌ Incorrect – Penetration testing is not required for CMMC Level 2 assessments and falls outside an assessor's responsibilities.
B. Interview the intrusion detection system's supplier: ❌ Incorrect – The supplier does not determine compliance; the assessor needs evidence from the OSC’s implementation.
C. Upload known malicious code and observe the system response: ❌ Incorrect – This would be invasive testing, which is not part of a CMMC assessment.
D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems: ✅ Correct – Reviewing system artifacts provides direct evidence of compliance with SI.L2-3.14.6.
Official Reference from CMMC 2.0 and NIST SP 800-171 Documentation:
NIST SP 800-171 SI.L2-3.14.6 – Requires monitoring communications for attack indicators.
CMMC Assessment Process Guide (CAP) – Describes artifact review as an essential assessment method.
Final Verification and Conclusion:
The correct answer is D. Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems. This aligns with CMMC 2.0 Level 2 assessment requirements and SI.L2-3.14.6 compliance verification.
Question # 4
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?
A. All three types of evidence are documented for every control.
B. Examine and accept evidence from one of the three evidence types.
C. Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
Answer: D
Explanation: This question pertains to the minimum evidence requirements needed by a CMMC Assessment Team to score a practice as MET during a Level 2 Assessment.
The CMMC Level 2 assessment must align with NIST SP 800-171 and follow the procedures outlined in the CMMC Assessment Process (CAP) Guide v1.0, particularly around evidence collection and scoring methodology.
✅ Step 1: Refer to the CMMC Assessment Process (CAP) Guide v1.0
CAP v1.0 – Section 3.5.4: Evaluate Evidence and Score Practices
“To assign a MET determination, the Assessment Team must collect and corroborate at least two types of objective evidence: either through examination of artifacts, interviews (affirmation), or testing (demonstration).”
This means at least two types of the following evidence are required:
Examine (documentation/artifacts)
Interview (affirmation from personnel)
Test (demonstration of implementation)
✅ Step 2: Clarify the Official Minimum Standard for a Practice to be Scored MET
The CAP explicitly states: “A practice can only be scored MET when a minimum of two types of evidence from the E-I-T (Examine, Interview, Test) triad are successfully collected and evaluated.”
The evidence types must come from two different categories, for example:
An artifact (Examine) + an interview affirmation (Interview)
A demonstration (Test) + an interview (Interview)
Etc.
This cross-validation ensures that the control is implemented, documented, and understood by personnel, a core principle in assessing effective cybersecurity implementation.
❌ Why the Other Options Are Incorrect
A. All three types of evidence are documented for every control
✘ Incorrect: While collecting all three types (E-I-T) strengthens the assessment, the minimum requirement is only two. Collecting all three is not required for a practice to be scored MET.
B. Examine and accept evidence from one of the three evidence types
✘ Incorrect: This fails to meet the minimum two-evidence-type requirement set by the CAP. Single-source evidence is not sufficient to score a practice as MET.
C. Complete one of the following; examine two artifacts, observe one demonstration, or receive one affirmation
✘ Incorrect: Even if two artifacts are examined, this is still only one type of evidence (Examine). The CAP requires two types, not two instances of the same type.
✅ Why D is Correct
D. Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.
✔ This directly reflects the CAP’s requirement for collecting two different types of objective evidence to determine a practice is MET.
BLUF (Bottom Line Up Front): To score a CMMC Level 2 practice as MET, the Assessment Team must collect a minimum of two distinct types of evidence from the Examine, Interview, Test (E-I-T) categories. This requirement is clearly stated in the CMMC Assessment Process (CAP) v1.0.
Question # 5
Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?
A. CUI Assets and Specialized Assets
B. Security Protection Assets and CUI Assets
C. Specialized Assets and Contractor Risk Managed Assets
D. Security Protection Assets and Contractor Risk Managed Assets
Answer: B
Explanation: Understanding CMMC Asset Scoping Requirements
Before conducting a CMMC Level 2 Assessment, an Organization Seeking Certification (OSC) must define the assessment scope by categorizing all assets. This ensures that only relevant systems are assessed against CMMC practices, reducing unnecessary compliance burdens.
According to the CMMC Scoping Guide for Level 2, there are four asset categories:
CUI Assets – Assets that process, store, or transmit Controlled Unclassified Information (CUI).
Security Protection Assets (SPA) – Assets that provide security functions (e.g., firewalls, intrusion detection systems, identity management systems).
Contractor Risk Managed Assets (CRMA) – Assets that do not directly store/process CUI but interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).
Specialized Assets – Unique systems such as Operational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may require limited CMMC assessment.
Which Asset Categories Are Always Assessed?
✅ 1. CUI Assets (ALWAYS ASSESSED)
These are the primary focus of CMMC Level 2 since they handle CUI.
All 110 NIST SP 800-171 controls apply to these assets.
✅ 2. Security Protection Assets (SPA) (ALWAYS ASSESSED)
Security tools that protect CUI Assets are always included in the assessment.
Examples include firewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.
Why the Other Answer Choices Are Incorrect:
(A) CUI Assets and Specialized Assets ❌
CUI Assets are assessed, but Specialized Assets are only assessed in a limited manner, depending on their role in CUI security.
(C) Specialized Assets and Contractor Risk Managed Assets ❌
Specialized Assets and CRMAs are typically not fully assessed against CMMC controls unless they directly impact CUI security.
(D) Security Protection Assets and Contractor Risk Managed Assets ❌
SPAs are always assessed, but CRMAs are not necessarily assessed unless they directly impact CUI.
Final Validation from CMMC Documentation:
The CMMC Scoping Guide (Level 2) clearly states that CUI Assets and Security Protection Assets (SPAs) are always assessed, but CRMAs are not necessarily assessed unless they directly impact CUI.
Thus, the correct answer is: B. Security Protection Assets and CUI Assets.
Question # 6
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
A. OSC and Sponsor
B. OSC and CMMC-AB
C. Lead Assessor and C3PAO
D. C3PAO and Assessment Official
Answer: C
Explanation: Understanding the CMMC Level 2 Assessment Process
When an Organization Seeking Certification (OSC) engages a Certified Third-Party Assessment Organization (C3PAO) to conduct a CMMC Level 2 Assessment, an Assessment Plan is developed to outline the scope, methodology, and logistics of the assessment.
According to the CMMC Assessment Process (CAP) Guide, the Assessment Plan must be formally agreed upon and signed off by:
Lead Assessor – The individual responsible for overseeing the execution of the assessment.
C3PAO (Certified Third-Party Assessment Organization) – The entity conducting the assessment.
The Lead Assessor ensures that the Assessment Plan aligns with CMMC-AB and DoD requirements, including methodology, objectives, and evidence collection.
The C3PAO provides organizational approval, confirming that the assessment is conducted according to CMMC-AB rules and contractual agreements.
A. OSC and Sponsor (Incorrect)
The OSC (Organization Seeking Certification) is involved in planning but does not sign off on the plan.
A sponsor is not part of the sign-off process in CMMC assessments.
B. OSC and CMMC-AB (Incorrect)
The OSC does not formally approve the Assessment Plan; this responsibility belongs to the assessment team.
The CMMC-AB does not sign off on individual Assessment Plans.
D. C3PAO and Assessment Official (Incorrect)
"Assessment Official" is not a defined role in the CMMC assessment process.
The C3PAO is involved, but it must be the Lead Assessor who signs off, not an unspecified official.
The correct answer is C. Lead Assessor and C3PAO. The Lead Assessor ensures assessment integrity, while the C3PAO provides official authorization.
Reference:
CMMC Assessment Process (CAP) Guide
CMMC 2.0 Level 2 Certification Procedures
The Cyber AB Assessment Guidelines
Question # 7
When assessing an OSC for CMMC, the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:
A. is normative for an OSC to follow.
B. contains examples that an OSC must implement.
C. is mandatory and aligns with FAR Clause 52.204-21.
D. provides additional information to facilitate the assessment of the practice.
Answer: D
Explanation: Understanding the Role of "Discussion" and "Further Discussion" Sections in CMMC Assessments
When assessing an Organization Seeking Certification (OSC) for CMMC compliance, the Lead Assessor relies on various sources of guidance. Each practice in the CMMC model includes:
The Practice Statement – The official requirement the OSC must meet.
Discussion Section – Provides clarifications, interpretations, and guidance for implementation.
Further Discussion Section – Expands on the practice, offering additional details, best practices, and examples.
These sections are not mandatory, but they help assessors interpret and evaluate whether an OSC has met the practice requirements.
Why "Provides Additional Information to Facilitate the Assessment" is Correct?
The Discussion and Further Discussion sections provide context, explanations, and examples to assist the Lead Assessor in understanding how an OSC might demonstrate compliance.
They help guide the assessment process but are not prescriptive or mandatory for an OSC.
The assessor uses these sections to verify whether the OSC's implementation meets the intent of the requirement.
Breakdown of Answer Choices:
A. Is normative for an OSC to follow: ❌ Incorrect – The sections are guidance, not normative (mandatory) requirements.
B. Contains examples that an OSC must implement: ❌ Incorrect – Examples are suggestions, not mandatory implementations.
C. Is mandatory and aligns with FAR Clause 52.204-21: ❌ Incorrect – The "Discussion" sections are not mandatory and are not tied directly to FAR 52.204-21.
D. Provides additional information to facilitate the assessment of the practice: ✅ Correct – These sections help the assessor evaluate compliance but do not mandate specific implementations.
Official Reference from CMMC 2.0 Documentation:
The CMMC Assessment Guide states that the Discussion and Further Discussion sections provide clarifications to help both assessors and OSCs.
These sections are not binding but serve as interpretive guidance to assist in assessments.
Final Verification and Conclusion:
The correct answer is D. Provides additional information to facilitate the assessment of the practice. This aligns with CMMC 2.0 documentation and assessment guidelines.
Question # 8
Which statement BEST describes an LTP?
A. Creates DoD-licensed training
B. Instructs a curriculum approved by CMMC-AB
C. May market itself as a CMMC-AB Licensed Provider for testing
D. Delivers training using some CMMC body of knowledge objectives
Answer: B
Explanation: Understanding Licensed Training Providers (LTPs) in CMMC
A Licensed Training Provider (LTP) is an entity that is authorized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) to deliver CMMC training based on an approved curriculum.
Key Responsibilities of an LTP:
Provides CMMC-AB-approved training programs for individuals seeking CMMC certifications.
Uses an official CMMC curriculum that aligns with the CMMC Body of Knowledge (BoK) and other CMMC-AB guidance.
Prepares students for CMMC roles, such as Certified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).
Why is the Correct Answer "Instructs a curriculum approved by CMMC-AB" (B)?
A. Creates DoD-licensed training → Incorrect
The CMMC-AB, not the DoD, manages LTP licensing. LTPs do not create new training content but must follow an approved curriculum.
B. Instructs a curriculum approved by CMMC-AB → Correct
LTPs teach a curriculum that has been approved by the CMMC-AB, ensuring consistency in CMMC training.
C. May market itself as a CMMC-AB Licensed Provider for testing → Incorrect
LTPs provide training, not testing. Testing is handled by Licensed Partner Publishers (LPPs) and exam bodies.
D. Delivers training using some CMMC body of knowledge objectives → Incorrect
LTPs must fully adhere to the CMMC-AB-approved curriculum, not just "some" objectives.
CMMC 2.0 Reference Supporting This Answer:
CMMC-AB Licensed Training Provider (LTP) Program Guidelines – Defines LTPs as entities that deliver CMMC-AB-approved training programs.
CMMC Body of Knowledge (BoK) – Specifies that training must follow the CMMC-AB-approved curriculum to ensure standardization.
CMMC-AB Training & Certification Framework – Requires LTPs to deliver structured training that meets CMMC-AB guidelines.
Final Answer: ✔ B. Instructs a curriculum approved by CMMC-AB
Question # 9
Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?
A. Consult with the CEO of the company.
B. Consult the CMMC Assessment Guides and NIST SP 800-171.
C. Go with the network administrator's ideas with the least stringent controls.
D. Go with the network administrator's ideas with the most stringent controls.
Answer: B
Explanation: When preparing for CMMC compliance, organizations must ensure that their network configurations align with required cybersecurity controls. If network administrators disagree on certain configurations, the most objective and accurate way to resolve the disagreement is by referencing official CMMC guidance and NIST SP 800-171 requirements, which form the foundation of CMMC Level 2.
Step-by-Step Breakdown:
CMMC Assessment Guides as the Primary Reference
The CMMC Assessment Guides (Level 1 & Level 2) provide clear interpretations of security practices.
They explain how each practice should be implemented and assessed during certification.
NIST SP 800-171 as the Compliance Baseline
CMMC Level 2 is based directly on NIST SP 800-171, which outlines the 110 security controls required for protecting Controlled Unclassified Information (CUI).
Network configurations must comply with NIST-defined security requirements, including:
Access Control (AC) – Ensuring least privilege principles.
Audit and Accountability (AU) – Logging and monitoring network activity.
System and Communications Protection (SC) – Secure network design and encryption.
Why the Other Answer Choices Are Incorrect:
(A) Consult with the CEO of the company:
A CEO is not necessarily a cybersecurity expert and may not be familiar with CMMC technical requirements.
Technical compliance decisions should be based on CMMC and NIST frameworks, not executive opinions.
(C) Go with the network administrator's ideas with the least stringent controls:
Choosing less stringent controls increases security risk and could lead to CMMC non-compliance.
(D) Go with the network administrator's ideas with the most stringent controls:
While security is important, more stringent controls may introduce operational inefficiencies or unnecessary costs that are not required for compliance.
The correct approach is to implement what is required by CMMC and NIST SP 800-171, no more and no less.
Final Validation from CMMC Documentation:
The CMMC Assessment Guides and NIST SP 800-171 Rev. 2 are official sources that provide the most reliable guidance on compliance.
CMMC Level 2 is entirely based on NIST SP 800-171, making it the definitive source for resolving security disagreements.
Thus, the correct answer is: B. Consult the CMMC Assessment Guides and NIST SP 800-171.
Question # 10
Which principles are included in defining the CMMC-AB Code of Professional Conduct?
A. Objectivity, classification, and information accuracy
B. Objectivity, confidentiality, and information integrity
C. Responsibility, classification, and information accuracy
D. Responsibility, confidentiality, and information integrity
Answer: D
Explanation: Understanding the CMMC-AB Code of Professional Conduct
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), now referred to as The Cyber AB, establishes a Code of Professional Conduct (CoPC) for all individuals involved in CMMC assessments, including Certified Assessors (CAs), Certified Professionals (CPs), and C3PAOs (Certified Third-Party Assessment Organizations).
The core principles outlined in the CMMC-AB Code of Professional Conduct include:
Responsibility
CMMC professionals must take full accountability for their actions, ensuring that assessments are conducted with integrity and professionalism.
They must adhere to all ethical and regulatory requirements established by The Cyber AB and the DoD.
Confidentiality
CMMC professionals must protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
They are required to adhere to non-disclosure agreements (NDAs) and avoid improper information sharing.
Information Integrity
All reports, findings, and recommendations in CMMC assessments must be accurate, unbiased, and truthful.
Assessors must avoid conflicts of interest and ensure that all data provided in an assessment is verifiable and free from misrepresentation.
Answer A (Incorrect): "Classification" is not a primary principle of the CMMC-AB CoPC. The focus is on protecting CUI and FCI, not on classification procedures.
Answer B (Incorrect): "Objectivity" is important, but it is not explicitly listed as one of the three core principles in the CMMC-AB Code of Professional Conduct.
Answer C (Incorrect): "Classification" is not a guiding principle in the CoPC.
Answer D (Correct): The Code of Professional Conduct explicitly emphasizes responsibility, confidentiality, and information integrity.
The correct answer is D. Responsibility, Confidentiality, and Information Integrity. These principles ensure that all CMMC professionals maintain ethical standards and uphold the integrity of the certification process.
Reference:
CMMC-AB Code of Professional Conduct (CoPC)
The Cyber AB Ethical Guidelines
CMMC Assessment Process (CAP) Guide