Question 15 - Cyber AB CMMC-CCP Real Exam Questions [March 2026 Update]

Q: 15

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?

Options

Correct Answer:

Explanation

During the planning phase, the Lead Assessor establishes the assessment plan, which outlines the methods and evidence required to verify each CMMC practice. The core objective is to ensure that the evidence collected will be sufficient to support a conclusive finding. Sufficiency of evidence refers to the measure of the quantity and quality of evidence gathered. The assessor is pre-determining what types and amount of objective evidence (e.g., from interviews, tests, and examinations of documents) will be necessary to make a credible and defensible judgment on whether a practice is met.

Why Incorrect

A. Adequacy: This term refers to the effectiveness and suitability of an implemented security control or practice itself, not the evidence used to prove its existence.

C. Process mapping: This is a specific technique or artifact that can be used as a piece of evidence, not the overarching principle of verifying the right amount of evidence.

D. Assessment scope: This defines the people, technology, facilities, and information that are the subject of the assessment, not the criteria for the evidence itself.

References

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 2.1 (December 2023). Section 3.3

"Conduct Assessment

" states

"The Assessment Team must collect and document sufficient objective evidence to support the determination of whether a practice is MET or NOT MET." (Page 13).

2. CMMC Level 2 Assessment Guide

Version 2.1 (December 2023). Section 1.4

"Assessment Conduct

" specifies

"The C3PAO assessment team must collect sufficient evidence to support the final score for each CMMC practice." (Page 8).

3. NIST Special Publication 800-171A

Assessing Security Requirements for Controlled Unclassified Information. Section 2.2

"Assessment Procedures

" notes that the use of assessment procedures is intended to "produce sufficient evidence to determine the disposition of the security requirements." This foundational document for CMMC Level 2 assessments emphasizes the principle of sufficiency.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE