CMMC CCP Practice Exam Questions And Answers, Exams of Computer Science


Typology: Exams

2024/2025

Available from 06/30/2025

Estrelia
CMMC CCP Practice Exam Questions And Answers
What is a CUI Asset? -
correct answer Asset that stores, processes, or transmits CUI
Examples: Servers, Printers, Endpoints, Cloud Services, ERP Systems
Where do you document a CUI Asset? -
correct answer Document in Asset Inventory
Document in SSP
Document in Network Diagram
What practices do you apply to a CUI Asset? -
correct answer CMMC Level 2
What does CMMC stand for? -
correct answer Cybersecurity Maturity Model Certification
How many controls are in CMMC L2? -
correct answer 110 controls
What impact level is required when storing CUI? -
correct answer IL4


What contract clause is used for CMMC L1? - correct answer ✅ FAR 52.204-21 (17 practices in total)

If you want to be CMMC L2 compliant, do you need to also be CMMC L1 compliant? - correct answer ✅ Yes

What do you call the part before the first period in the following control? AC.L1-3.1.1 - correct answer ✅ Domain

What do you call the part after the first period in the following control? AC.L1-3.1.1 - correct answer ✅ Level

What do you call the part after the dash in the following control? AC.L1-3.1.1 - correct answer ✅ Security Practice Number


Means to gain detailed insight about practices implemented in and by the OSC and how those practices are performed

What are the six components of a CMMC practice? - correct answer ✅
1. Identifier and Practice Statement
2. Assessment Objectives
3. Potential Assessment Methods and Objects
4. Discussion
5. Further Discussion
6. Key References

What is an Assessment Procedure? - correct answer ✅ Consists of an Assessment Objective and a set of potential assessment methods

What is an Assessment Method? - correct answer ✅
* Examine
* Interview
* Test


The nature and extent of the Assessor's action

What are the three characteristics of FCI? - correct answer ✅
1. Not intended for public release
2. It is provided by or for the government
3. It is not transactional bidding information or publicly released information

Is all CUI considered FCI? - correct answer ✅ Yes

What is a Specialized Asset (SA)? - correct answer ✅ May or may not have CUI - specialized equipment that can't be updated
Example: Government Property, Operational Tech, Test Equipment, CNC Machine


What is it called when a portion of the company infrastructure is separate from the rest of the company? - correct answer ✅ Enclaving (Host unit)

Where does an OSC register to be issued a UEI and CAGE code? - correct answer ✅ SAM.gov

What three places do you need to document a SPA? - correct answer ✅
Document in Asset Inventory
Document in SSP
Document in Network Diagram

How many phases are in the CAP? - correct answer ✅ 4

How many phases are in the CAP? - correct answer ✅ 4 Phases


What are the phases of the CAP? - correct answer ✅
1. Plan and prepare
2. Conduct
3. Report Assessment
4. Close out POAMs

Where are the results of a CMMC assessment uploaded and stored? - correct answer ✅ CMMC eMass

How do you protect the findings from a CMMC assessment? - correct answer ✅ The CMMC artifact Hashing Tool

How quickly should a C3PAO respond to an OSC? - correct answer ✅ 5 business days

What is an OSC Assessment Official? - correct answer ✅ The most senior representative of an OSC who is directly and actively responsible for leading and managing the OSC's engagement


What is a CMMC Quality Assurance Professional? - correct answer ✅ A CQAP - The formally trained individual who is responsible for ensuring Assessment documentation completeness and accuracy.

What's the minimum number of CQAPs a C3PAO must have on staff? - correct answer ✅ Each C3PAO is required to have at least one (1) CQAP on staff for ensuring all Assessment packages are reviewed and validated for procedural integrity prior to upload into eMASS or any other official CMMC repository system or application.

What assessment documents and templates must you have in order to perform an assessment? - correct answer ✅
* Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.
* CMMC Assessment Guide, Level 2, Version 2.
* CMMC Assessment Scope, Level 2, Version 2.
* CMMC eMASS Concept of Operations (CONOPS) for CMMC Third Party Assessment Organizations;
* CMMC Artifact Hashing Tool User Guide, Version 2.


What is the CMMC Pre-assessment form? - correct answer ✅ Provides the central record and information for the Assessment, to include the documentation of assets and CMMC Assessment Scope, Evidence, and other OSC data. Use of this template is mandatory.

What is the virtual assessment evidence preparation template? Is it mandatory? - correct answer ✅ Excel file to support the organization and presentation of Evidence that will be validated virtually during an Assessment. Use of this template is mandatory.

What is the CMMC Assessment Readiness Review? - correct answer ✅ CARR checklist - A preliminary but formal review conducted by the Lead Assessor and, as applicable, Assessment Team, verifying the OSC's and Assessment Team's readiness to conduct the Phase 2 portion of the Assessment against the identified Assessment planning parameters and Assessment scope.


CMMC Assessment Quality Review Checklist - correct answer ✅ Checklist of items to be verified during the CMMC Quality Assurance Professional's review of documentation. Use of this template is mandatory.

Confirmation of destruction of OSC data - correct answer ✅ Microsoft Word template to be used by the C3PAO to document their surrender and/or destruction of any OSC proprietary information at the conclusion of the Assessment. While use of this template is not mandatory, the formal notification that proprietary information is no longer being retained by the C3PAO (in the absence of expressed written consent by the OSC) is required.

What is required to frame the CMMC Assessment? - correct answer ✅
Assessment location(s), including what aspects and activities of the Assessment will be conducted virtually
Identification of OSC staff that will provide Evidence and support for the Assessment
OSC's CMMC Assessment Scope
OSC's relevant documentation, including roles and responsibilities of its information and technology and information security staff(s)
A rough order-of-magnitude (ROM) estimate for the approximate duration and timing for the Assessment
The Assessment outputs that will be provided to the OSC Assessment Official upon completion of the Assessment
The Lead Assessor and OSC POC should validate OSC's Self-Assessment Practice Deficiency items

How should you pick a Lead Assessor? - correct answer ✅
1. Experience of the Lead Assessor and how that relates to the size and complexity of the prospective Assessment,
2. the geographical location(s) of the Assessment,
3. the Lead Assessor's familiarity with the OSC's lines of business,
4. Any potential conflicts of interest with the OSC.


What are supporting organizations? MSP, ESP, etc. - correct answer ✅ The people, procedures, and technology external to the HQ Organization that support the Host Unit.

Do you have to have a CAGE Code in order to go through a CMMC Assessment? - correct answer ✅ Yes

How do you validate the scope of a CMMC Assessment? - correct answer ✅ The OSC must also provide the Lead Assessor with supporting documentation, such as network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.

What is required of the OSC prior to assessment kickoff with the C3PAO? - correct answer ✅
1. Results of most recent OSC self-Assessment or any pre-Assessment conducted by an RP or Registered Practitioner Organization (RPO);
2. A preliminary list of anticipated Evidence; The System Security Plan and other relevant documentation; and
3. A list of all OSC personnel who play a role in the procedures that are in scope.

Adequacy - correct answer ✅ Answers the question "Does the assessment team have the right evidence?"

Sufficiency - correct answer ✅ Answers the question "Does the assessment team have enough of the right evidence?"

What is considered a "MET" practice? - correct answer ✅ For each practice marked MET, the Certified Assessor includes statements that indicate the response conforms to all objectives and documents the appropriate evidence to support the response.

What is considered a "Not MET" practice? - correct answer ✅ For each practice marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform fully to all of the objectives.


CM.L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
MA.L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
MP.L2-3.8.1[c]: Paper media containing CUI is securely stored.
MP.L2-3.8.1[d]: Digital media containing CUI is securely stored.
MP.L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
MP.L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
PE.L1-3.10.1[b]: Physical access to organization systems is limited to authorized individuals.
PE.L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
PE.L2-3.10.2[a]: The physical facility where organizational systems reside is monitored.
PE.L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
PE.L1-3.10.3[a]: Visitors are escorted.
PE.L1-3.10.3[b]: Visitor activity is monitored.
PE.L1-3.10.5[b]: Physical access devices are controlled.
PE.L1-3.10.5[c]: Physical access devices are managed.
SC.L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use.

If a COI is disclosed or identified by either party (OSC or C3PAO), what should happen next? - correct answer ✅ The Lead Assessor should work with the OSC Assessment Official to develop a mitigation plan for the identified conflict in question. Any mitigation measures to which the parties agree should be documented and signed accordingly. In the event the conflict cannot be sufficiently mitigated due to the circumstances, the C3PAO must not proceed with the Assessment.

What is the final step of Phase 1? - correct answer ✅ Confirm that all parties are ready in position to conduct a CMMC assessment. It's the Lead Assessor's responsibility.

What are the 4 outcomes of verifying readiness? - correct answer ✅
1. Proceed
2. Replan
3. Reschedule
4. Cancel