Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CMMC-CCP Questions and Answers

Question # 6

Which statement is NOT a requirement for a Licensed Partner Publisher?

A.

Must have at least two years of history in publishing

B.

Must possess a Dun and Bradstreet number and background check

C.

Must receive CMMC Level 3 certification

D.

Must be approved by CMMC-AB or authorized organization

Full Access
Question # 7

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

A.

In scope, because it is an asset that stores FCI

B.

In scope, because it is part of the same physical location

C.

Out of scope, because they are all only paper documents

D.

Out of scope, because it does not process or transmit FCI

Full Access
Question # 8

In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?

A.

loT

B.

Restricted IS

C.

Test equipment

D.

Operational technology

Full Access
Question # 9

What is the MOST common purpose of assessment procedures?

A.

Obtain evidence.

B.

Define level of effort.

C.

Determine information flow.

D.

Determine value of hardware and software.

Full Access
Question # 10

In late September. CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application is assessed. Procedure specifies that a security control assessment shall be conducted quarterly. The Lead Assessor is only provided the first quarter assessment report because the person conducting the second quarter ' s assessment is currently out of the office and will return to the office in two hours. Based on this information, the Lead Assessor should determine that the evidence is;

A.

sufficient, and rate the audit finding as MET

B.

insufficient, and rate the audit finding as NOT MET.

C.

sufficient, and re-rate the audit finding after a quarter two assessment report is examined.

D.

insufficient, and re-rate the audit finding after a quarter two assessment report is examined.

Full Access
Question # 11

A CMMC Level 1 Self-Assessment identified an asset in the OSC ' s facility that does not process, store, or transmit FCI. Which type of asset is this considered?

A.

FCI Assets

B.

Specialized Assets

C.

Out-of-Scope Assets

D.

Government-Issued Assets

Full Access
Question # 12

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Full Access
Question # 13

While developing an assessment plan for an OSC. it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?

A.

Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.

B.

Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.

C.

Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.

D.

Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.

Full Access
Question # 14

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

A.

CUI Assets and Specialized Assets

B.

Security Protection Assets and CUI Assets

C.

Specialized Assets and Contractor Risk Managed Assets

D.

Security Protection Assets and Contractor Risk Managed Assets

Full Access
Question # 15

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

A.

Final log report

B.

Final CMMC report

C.

Final and recorded OSC CMMC report

D.

Final and recorded Daily Checkpoint log

Full Access
Question # 16

Which document is the BEST source for determining the sources of evidence for a given practice?

A.

NISTSP 800-53

B.

NISTSP 800-53A

C.

CMMC Assessment Scope

D.

CMMC Assessment Guide

Full Access
Question # 17

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

A.

When under the control of the DoD

B.

When the document is considered secret

C.

When a document is being shared outside of the organization

D.

When a derivative document ' s original information is not CUI

Full Access
Question # 18

An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

A.

Analyzer

B.

Inspector

C.

Applicable staff

D.

Demonstration staff

Full Access
Question # 19

A server is used to store FCI with a cloud provider long-term. What is the server considered?

A.

In scope, because the cloud provider will be storing the FCI data

B.

Out of scope, because the cloud provider stores the FCI data long-term

C.

In scope, because the cloud provider is required to be CMMC Level 2 certified

D.

Out of scope, because encryption is always used when the cloud provider stores the FCI data

Full Access
Question # 20

The CMMC Level 2 assessment methods include examination and can include:

A.

documents, mechanisms, or activities.

B.

specific hardware, software, or firmware safeguards employed within a system.

C.

policies, procedures, security plans, penetration tests, and security requirements.

D.

observation of system backup operations, exercising a contingency plan, and monitoring network traffic.

Full Access
Question # 21

A CCP is consulting with an OSC. In the course of an interview, the OSC representative asks the CCP what basic safeguarding requirements must be met with respect to CMMC Level 1. The CCP tells the representative that this publication contains all the requirements from:

A.

NIST SP 800-171.

B.

DFARS Clause 252.202-7014.

C.

DFARS Clause 252.204-7012.

D.

FAR Clause 52.204-21.

Full Access
Question # 22

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

A.

Conduct a penetration test

B.

Interview the intrusion detection system ' s supplier.

C.

Upload known malicious code and observe the system response.

D.

Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Full Access
Question # 23

In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?

A.

Virtual LAN restrictions

B.

Single administrative account

C.

Documentation showing MFD configuration

D.

Access lists only known to the IT administrator

Full Access
Question # 24

An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI. identified stakeholders, and provided assessment logistics. The OSC has provided the company ' s cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?

A.

Ready because there is no need to certify this company until after they win a DoD contract.

B.

Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract.

C.

Not ready because the OSC still lacks artifacts that prove they have implemented all the CMMC Level 2 Assessment requirements.

D.

Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification.

Full Access
Question # 25

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

A.

Host Unit

B.

Organization

C.

Coordinating Unit

D.

Supporting Organization/Unit

Full Access
Question # 26

What is DFARS clause 252.204-7012 required for?

A.

All DoD solicitations and contracts

B.

Solicitations and contracts that use FAR part 12 procedures

C.

Procurements solely for the acquisition of commercial off-the-shelf

D.

Commercial off-the-shelf sold in the marketplace without modifications

Full Access
Question # 27

The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?

A.

Expert

B.

Advanced

C.

Optimizing

D.

Continuously Improved

Full Access
Question # 28

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC ' s external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:

A.

inadequate because it is irrelevant to the practice.

B.

adequate because it fits well for expected artifacts.

C.

adequate because no security incidents were reported.

D.

inadequate because the OSC ' s service provider should be interviewed.

Full Access
Question # 29

Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?

A.

Access control

B.

Physical access control

C.

Mandatory access control

D.

Discretionary access control

Full Access
Question # 30

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

A.

CMMC-AB

B.

OUSD A & S

C.

DoD agency or client

D.

Contractor organization

Full Access
Question # 31

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

A.

CDI

B.

CTI

C.

CUI

D.

FCI

Full Access
Question # 32

When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?

A.

OSC

B.

C3PAO

C.

C3PAO and OSC

D.

OSC and Lead Assessor

Full Access
Question # 33

During the assessment process, who is the final interpretation authority for recommended findings?

A.

C3PAO

B.

CMMC-AB

C.

OSC sponsor

D.

Assessment Team Members

Full Access
Question # 34

Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?

A.

Level 1

B.

Level 2

C.

Level 3

D.

Any level

Full Access
Question # 35

Which government agency are DoD contractors required to report breaches of CUI to?

A.

FBI

B.

NARA

C.

DoD Cyber Crime Center

D.

Under Secretary of Defense for Intelligence and Security

Full Access
Question # 36

The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?

A.

MET

B.

POA & M

C.

NOT MET

D.

NOT APPLICABLE

Full Access
Question # 37

Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

A.

Cybersecurity

B.

Data security

C.

Network security

D.

Information security

Full Access
Question # 38

The evidence needed for each practice and/or process is weighed for:

A.

Adequacy and sufficiency

B.

Adequacy and thoroughness

C.

Sufficiency and thoroughness

D.

Sufficiency and appropriateness

Full Access
Question # 39

What service is the MOST comprehensive that the RPO provides?

A.

Training services

B.

Education services

C.

Consulting services

D.

Assessment services

Full Access
Question # 40

Who is the FedRAMP certification program for?

A.

IT contractors risk management self-assessments

B.

Cloud service providers for cloud products and services

C.

IT contractors for cybersecurity self-assessments

D.

Cloud service providers for on-premise products and services

Full Access
Question # 41

Prior to initiating an OSC ' s CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval. Which document stipulates these reporting requirements?

A.

CMMC Assessment reporting requirements

B.

DFARS 52.204-21 assessment reporting requirements

C.

NISTSP 800-171 Revision 2 assessment reporting requirements

D.

DFARS clause 252.204-7012 assessment reporting requirements

Full Access
Question # 42

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

A.

Phase 1: Plan and Prepare Assessment

B.

Phase 2: Conduct Assessment

C.

Phase 3: Report Recommended Assessment Results

D.

Phase 4: Remediation of Outstanding Assessment Issues

Full Access
Question # 43

An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?

A.

All three types of evidence are documented for every control.

B.

Examine and accept evidence from one of the three evidence types.

C.

Complete one of the following; examine two artifacts, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

D.

Complete two of the following: examine one artifact, either observe a satisfactory demonstration of one control or receive one affirmation from the OSC personnel.

Full Access
Question # 44

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Full Access
Question # 45

As part of CMMC 2.0, the change to Level 1 Self-Assessments supports " reduced assessment costs " allows all companies at Level 1 (Foundational) to:

A.

to conduct self-assessments.

B.

opt out of CMMC Assessments.

C.

have assessment costs reimbursed by the DoD.

D.

pay no more than $500.00 for their annual assessment.

Full Access
Question # 46

An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

A.

No, emails are not appropriate affirmations.

B.

No, messaging is not an appropriate affirmation.

C.

Yes, the affirmations collected by the assessor are all appropriate.

D.

Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.

Full Access
Question # 47

Which example represents a Specialized Asset?

A.

SOCs

B.

Hosted VPN services

C.

Consultants who provide cybersecurity services

D.

All property owned or leased by the government

Full Access
Question # 48

When a conflict of interest is unavoidable, a CCP should NOT:

A.

Inform their organization

B.

Take action to minimize its impact

C.

Disclose it to affected stakeholders

D.

Conceal it from the Assessment Team lead

Full Access
Question # 49

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

A.

DoD

B.

CISA

C.

NIST

D.

CMMC-AB

Full Access
Question # 50

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

A.

have a security clearance.

B.

be a senior person in the company.

C.

demonstrate expertise on the CMMC requirements.

D.

provide clarity and understanding of their practice activities.

Full Access
Question # 51

Which DFARS clause considers Safeguarding CDI and Cyber Incident Reporting?

A.

252.204-7022

B.

252.204-7020

C.

252.204-7012

D.

252.204-7021

Full Access
Question # 52

What type of criteria is used to answer the question " Does the Assessment Team have the right evidence? "

A.

Adequacy criteria

B.

Objectivity criteria

C.

Sufficiency criteria

D.

Subjectivity criteria

Full Access
Question # 53

Which statement BEST describes an assessor ' s evidence gathering activities?

A.

Use interviews for assessing a Level 2 practice.

B.

Test all practices or objectives for a Level 2 practice

C.

Test certain assessment objectives to determine findings.

D.

Use examinations, interviews, and tests to gather sufficient evidence.

Full Access
Question # 54

A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor ' s business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?

A.

loT

B.

Restricted IS

C.

Test equipment

D.

Government property

Full Access
Question # 55

When executing a remediation review, the Lead Assessor should:

A.

help OSC to complete planned remediation activities.

B.

plan two consecutive remediation reviews for an OSC.

C.

submit a delta assessment remediation package for C3PAO ' s internal quality review.

D.

validate that practices previously listed on the POA & M have been removed on an updated Risk Assessment.

Full Access
Question # 56

A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset Which function BEST describes what the printer does with the FCI?

A.

Encrypt

B.

Manage

C.

Process

D.

Distribute

Full Access
Question # 57

Where can a listing of all federal agencies ' CUI indices and categories be found?

A.

32 CFR Section 2002

B.

Official CUI Registry

C.

Executive Order 13556

D.

Official CMMC Registry

Full Access
Question # 58

During an assessment, which phase of the process identifies conflicts of interest?

A.

Analyze requirements.

B.

Develop assessment plan.

C.

Verify readiness to conduct assessment.

D.

Generate final recommended assessment results.

Full Access
Question # 59

A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?

A.

FedRAMP Low

B.

FedRAMP Moderate

C.

FedRAMP High

D.

FedRAMP Secure

Full Access
Question # 60

Recording evidence as adequate is defined as the criteria needed to:

A.

verify, based on an assessment and organizational scope.

B.

verify, based on an assessment and organizational practice.

C.

determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.

D.

determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

Full Access
Question # 61

After a CMMC Level 2 certification assessment, the Lead Assessor (Lead CCA) is preparing to present the Final Recommended Findings to the OSC . Which statement BEST describes the Lead Assessor’s responsibility for delivering the assessment findings to the OSC?

A.

Summary recommendations presented using the CMMC Assessment Findings Brief are sufficient.

B.

Detailed findings must be presented to the OSC along with clear evidence of how the ratings map to the assessor’s findings.

C.

The initial report delivered to the OSC will only include an overall assessment MET or NOT MET score along with a score for each practice.

D.

The Lead Assessor is required to submit their initial assessment findings to the C3PAO for review before they can be shared with the OSC.

Full Access
Question # 62

While determining the scope for a company ' s CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

A.

ESPs

B.

People

C.

Facilities

D.

Technology

Full Access
Question # 63

Who is responsible for identifying and verifying Assessment Team Member qualifications?

A.

C3PAO

B.

CMMC-AB

C.

Lead Assessor

D.

CMMC Marketplace

Full Access
Question # 64

A contractor stores security policies, system configuration files, and audit logs in a centralized file repository for later review. According to CMMC terminology, the file repository is being used to:

A.

protect CUI.

B.

transmit CUI.

C.

store CUI.

D.

generate CUI

Full Access
Question # 65

When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?

A.

It is sufficient, and the audit finding can be rated as MET.

B.

It is insufficient, and the audit finding can be rated NOT MET.

C.

It is sufficient, and the Lead Assessor should seek more evidence.

D.

It is insufficient, and the Lead Assessor should seek more evidence.

Full Access
Question # 66

A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?

A.

CUI Asset

B.

In-scope Asset

C.

Specialized Asset

D.

Contractor Risk Managed Asset

Full Access
Question # 67

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

A.

Least privilege

B.

Essential concern

C.

Least functionality

D.

Separation of duties

Full Access
Question # 68

Within what amount of time MUST convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not connected with activities that relate to carrying out a Lead Assessor role, be reported to the CMMC Accreditation Body?

A.

90 days.

B.

30 days.

C.

3 days.

D.

7 days.

Full Access
Question # 69

For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?

A.

C3PAO and OSC

B.

OSC and CMMC-AB

C.

CMMC-AB and C3PAO

D.

Lead Assessor and Assessment Team Members

Full Access
Question # 70

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

A.

federal systems that process, store, or transmit CUI.

B.

nonfederal systems that process, store, or transmit CUI.

C.

federal systems that process, store, or transmit CUI. or that provide protection for the system components.

D.

nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.

Full Access