What documents should I study for the CMMC 2.0 Exams?

New exams are coming out in 2027 but while we wait, we are still being tested on the exams developed and released in the 2021/2022 time frame. To my knowledge, those original exam questions have never been changed or modified.

Since it has been 4 years since the exams were developed, there has been a lot of updates in new documents, the CMMC final rule, and FAQs. None of that very useful information is on the current 2.0 versions of the exams. So, notably there are no questions on Security Protection Data (SPD) or the VDI endpoiut exclusions as being able to be brought out of scope.

CMMC Ecosystem

There are no documents for the ecosystem domain.

Notable changes from the course material to today are that:

• the CMMC PMO moved from OUSD(A&S) to the Office of the DoD CIO;

• ISACA is the new CAICO

• Licensed Training Providers and Licensed Publishing Partners changed from Licensed to Approved. LTP/LPP -> ATP/APP

CMMC-AB Code of Professional Conduct (Ethics)

There is a document to study for the exams. The version to study for the exam is 2.3, which is older than the current 2.0 CoPC on the Cyber AB website.

Here is a copy of the 2.3 CoPC, which you should study not the most current CoPC:

CMMC Governance and Sources Documents

Here are copies of the source documents that were in affect at the time of the exam that do not fall under the other domains.

CMMC Model Construct and Implementation Evaluation

The content of the Assessment Guides is mostly the same between the 2.0 and 2.13 versions, 3.12.2 inserted the word Operational in front of Plan of Action and they changed the numbering system for Level 1.

CMMC Assessment Process (CAP)

The official answer for which version of the CAP to study is to study the 5.6.1 training version of the CAP. However, this version of the CAP is not publicly available so I will not be the one to post it to the internet. However, I will upload the draft 1.0 CAP as it is largely the same as the 5.6.1 version and many practice questions reference the 1.0 CAP.

The 1.0 CAP removes many of the placeholder appendices from the 5.6.1 CAP and it adds more discussion around ESPs and FedRAMP that will not necessarily hurt you if you study it for the exams.

In contrast, you would not want to go study the 2.0 CAP as it has material differences from the 5.6.1 and 1.0 CAPs.

Here is the 1.0 CAP but you should really get the 5.6.1 from your ATP that took your class with:

Scoping

The Level 2 Scoping guide has merged cells in Table 1 while the latest scoping guide did some cleanup of language but it is mostly the same content.

CCA Domains

3 out of 4 of the CCA domains overlap completely with the CCP domains, so the same documents studied for the CCP are also studied for the CCA. You would refer to the Level 2 scoping guide, Level 2 assessment guide, and the CAP listed above.

The one domain that is unique to the CCA, Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements, does not have any documents to download to study.

Hope this helps and good luck on your CMMC certification exams!