Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

Cyber AB CMMC-CCP Dumps

Page: 1 / 24
Total 236 questions

Certified CMMC Professional (CCP) Exam Questions and Answers

Question 1

Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

Options:

A.

official.

B.

adequate.

C.

compliant.

D.

subjective.

Question 2

An assessment is being completed at a client site that is not far from the Lead Assessor ' s home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

Options:

A.

Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.

B.

Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

C.

Log into the client VPN from the assessor ' s laptop and retrieve the documents from the secure cloud storage service.

D.

Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.

Question 3

The director of cybersecurity is considering which company offices and data centers store FCI to ensure an accurate scope for their CMMC Level 1 Self-Assessment . Which asset type is the director considering?

Options:

A.

ESP

B.

People

C.

Facilities

D.

Technology

Question 4

When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC ' s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?

Options:

A.

It is sufficient, and the audit finding can be rated as MET.

B.

It is insufficient, and the audit finding can be rated NOT MET.

C.

It is sufficient, and the Lead Assessor should seek more evidence.

D.

It is insufficient, and the Lead Assessor should seek more evidence.

Question 5

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Options:

A.

Organizational operations, business assets, and employees

B.

Organizational operations, business processes, and employees

C.

Organizational operations, organizational assets, and individuals

D.

Organizational operations, organizational processes, and individuals

Question 6

An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?

Options:

A.

It handles CUI

B.

It is a restricted IS

C.

It is government property

D.

It is operational technology

Question 7

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?

Options:

A.

Adequacy

B.

Sufficiency

C.

Process mapping

D.

Assessment scope

Question 8

Which resource contains authoritative data classifications of CUI?

Options:

A.

NARA

B.

CMMC-AB

C.

DoD Contractors FAQ

D.

OSC ' s privacy policies

Question 9

A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?

Options:

A.

Gathering evidence

B.

Review of the OSC ' s SSP

C.

Overview of the assessment process

D.

Examination of the artifacts for sufficiency

Question 10

At which CMMC Level do the Security Assessment (CA) practices begin?

Options:

A.

Level 1

B.

Level 2

C.

Level 3

D.

Level 4

Question 11

As part of CMMC 2.0, the change to Level 1 Self-Assessments supports " reduced assessment costs " allows all companies at Level 1 (Foundational) to:

Options:

A.

to conduct self-assessments.

B.

opt out of CMMC Assessments.

C.

have assessment costs reimbursed by the DoD.

D.

pay no more than $500.00 for their annual assessment.

Question 12

Ethics is a shared responsibility between:

Options:

A.

DoD and CMMC-AB.

B.

OSC and sponsors.

C.

CMMC-AB and members of the CMMC Ecosystem.

D.

members of the CMMC Ecosystem and Lead Assessors.

Question 13

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

Options:

A.

When under the control of the DoD

B.

When the document is considered secret

C.

When a document is being shared outside of the organization

D.

When a derivative document ' s original information is not CUI

Question 14

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

Options:

A.

OSC and Sponsor

B.

OSC and CMMC-AB

C.

Lead Assessor and C3PAO

D.

C3PAO and Assessment Official

Question 15

The practices in CMMC Level 2 consists of the security requirements specified in:

Options:

A.

NISTSP 800-53.

B.

NISTSP 800-171.

C.

48 CFR 52.204-21.

D.

DFARS 252.204-7012.

Question 16

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

Options:

A.

Ability

B.

Eligibility

C.

Capability

D.

Suitability

Question 17

A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?

Options:

A.

Identify resources and schedule.

B.

Select Assessment Team members.

C.

Identify and manage assessment risks.

D.

Select and develop the evidence collection approach.

Question 18

Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?

Options:

A.

DoD OUSD

B.

DIB Collaborative Information Sharing Environment

C.

Committee on National Security Systems Instructions

D.

CMMC Assessors and Instructors Certification Organization

Question 19

After completing a Level 2 Assessment, a C3PAO is preparing to upload the Assessment Results Package to Enterprise Mission Assurance Support Service. Which document MUST be included as part of the final assessment results package?

Options:

A.

Final Report

B.

Certification rating

C.

Summary-level findings

D.

All Daily Checkpoint logs

Question 20

A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?

Options:

A.

The C3PAO submits the results to the CMMC-AB.

B.

The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.

C.

The C3PAO submits the results to Enterprise Mission Assurance Support Service.

D.

The Lead Assessor submits the results to the CMMC-AB.

Question 21

Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?

Options:

A.

Level 1

B.

Level 2

C.

Level 3

D.

Any level

Question 22

What is objectivity as it applies to activities with the CMMC-AB?

Options:

A.

Ensuring full disclosure

B.

Reporting results of CMMC services completely

C.

Avoiding the appearance of or actual, conflicts of interest

D.

Demonstrating integrity in the use of materials as described in policy

Question 23

Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?

Options:

A.

Test

B.

Assess

C.

Examine

D.

Interview

Question 24

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

Options:

A.

NIST SP 800-53

B.

NISTSP800-53a

C.

NIST SP 800-171

D.

NISTSP800-171a

Question 25

In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?

Options:

A.

All recorded digital documents

B.

All digital and recorded paper documents

C.

All digital documents and recorded media

D.

All recorded information, regardless of form or characteristics

Question 26

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?

Options:

A.

Procedures for implementing access control lists

B.

List of unauthorized users that identifies their identities and roles

C.

User names associated with system accounts assigned to those individuals

D.

Physical access policy that states. " All non-employees must wear a special visitor pass or be escorted. "

Question 27

The IT manager is scoping the company ' s CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?

Options:

A.

ESP

B.

People

C.

Facilities

D.

Technology

Question 28

Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Question 29

What is the BEST document to find the objectives of the assessment of each practice?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Question 30

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

Options:

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Question 31

How many cybersecurity levels does the CMMC Model structure contain?

Options:

A.

2 Levels.

B.

3 Levels.

C.

5 Levels.

D.

4 Levels.

Question 32

The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?

Options:

A.

MET

B.

POA & M

C.

NOT MET

D.

NOT APPLICABLE

Question 33

Which statement is NOT a requirement for a Licensed Partner Publisher?

Options:

A.

Must have at least two years of history in publishing

B.

Must possess a Dun and Bradstreet number and background check

C.

Must receive CMMC Level 3 certification

D.

Must be approved by CMMC-AB or authorized organization

Question 34

What is a PRIMARY activity that is performed while conducting an assessment?

Options:

A.

Develop assessment plan.

B.

Collect and examine evidence.

C.

Verify readiness to conduct assessment.

D.

Deliver recommended assessment results.

Question 35

During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?

Options:

A.

The inventory list does not specify mobile devices.

B.

The interviewee attested to encrypting all data at rest.

C.

The inventory list does not include Bring Your Own Devices.

D.

The DoD has accepted an alternative safeguarding measure for mobile devices.

Question 36

The evidence needed for each practice and/or process is weighed for:

Options:

A.

Adequacy and sufficiency

B.

Adequacy and thoroughness

C.

Sufficiency and thoroughness

D.

Sufficiency and appropriateness

Question 37

An OSC receives an email with " CUI//SP-PRVCY//FED Only " in the body of the message Which organization ' s website should the OSC go to identify what this marking means?

Options:

A.

NARA

B.

CMMC-AB

C.

DoD Contractors FAQ page

D.

DoD 239.7601 Definitions page

Question 38

When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?

Options:

A.

NISTSP 800-53

B.

NISTSP 800-88

C.

NISTSP 800-171

D.

NISTSP 800-172

Question 39

An organization that manufactures night vision cameras is looking for help to address the gaps identified in physical access control systems. Which certified individual should they approach for implementation support?

Options:

A.

CCA of the C3PAO performing the assessment

B.

RP of an organization not part of the assessment

C.

Practitioner of the organization performing the assessment LTP

D.

DoD Contract Official of the organization performing the assessment

Question 40

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

Options:

A.

federal systems that process, store, or transmit CUI.

B.

nonfederal systems that process, store, or transmit CUI.

C.

federal systems that process, store, or transmit CUI. or that provide protection for the system components.

D.

nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.

Question 41

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

Options:

A.

CUI Assets and Specialized Assets

B.

Security Protection Assets and CUI Assets

C.

Specialized Assets and Contractor Risk Managed Assets

D.

Security Protection Assets and Contractor Risk Managed Assets

Question 42

What service is the MOST comprehensive that the RPO provides?

Options:

A.

Training services

B.

Education services

C.

Consulting services

D.

Assessment services

Question 43

Which CMMC Levels focus on protecting CUI from exfiltration?

Options:

A.

Levels 1 and 2

B.

Levels 1 and 3

C.

Levels 2 and 3

D.

Levels 1, 2, and 3

Question 44

A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC ' s Configuration Management (CM) domain. The CCP ' s first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP ' s interview focus on?

Options:

A.

Controlled and monitored

B.

Removed from the system

C.

Scanned for malicious code

D.

Limited to mission-essential use only

Question 45

An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?

Options:

A.

Notify the CMMC-AB.

B.

Cancel the assessment.

C.

Postpone the assessment.

D.

Contact the C3PAO for guidance.

Question 46

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

Options:

A.

CDI

B.

CTI

C.

CUI

D.

FCI

Question 47

A Lead Assessor and an OSC ' s Assessment Official have agreed to have the Assessment results presented during the final Daily Checkpoint of the OSC ' s CMMC Level 2 Assessment. Which document MUST the Lead Assessor use to present assessment findings to the OSC?

Options:

A.

CMMC POA & M Brief

B.

CMMC Findings Brief

C.

CMMC Assessment Tracker Tool

D.

CMMC Recommended Findings template

Question 48

In the CMMC Model, how many practices are included in Level 1?

Options:

A.

15 practices

B.

17 practices

C.

72 practices

D.

110 practices

Question 49

The results package for a Level 2 Assessment is being submitted. What MUST a Final Report. CMMC Assessment Results include?

Options:

A.

Affirmation for each practice or control

B.

Documented rationale for each failed practice

C.

Suggested improvements for each failed practice

D.

Gaps or deltas due to any reciprocity model are recorded as met

Question 50

Which regulation allows for whistleblowers to sue on behalf of the federal government?

Options:

A.

NISTSP 800-53

B.

NISTSP 800-171

C.

False Claims Act

D.

Code of Professional Conduct

Question 51

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

Options:

A.

Least privilege

B.

Essential concern

C.

Least functionality

D.

Separation of duties

Question 52

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?

Options:

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Question 53

Which organization is the governmental authority responsible for identifying and marking CUI?

Options:

A.

NARA

B.

NIST

C.

CMMC-AB

D.

Department of Homeland Security

Question 54

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

Options:

A.

CMMC-AB

B.

OUSDA & S

C.

DoD agency or client

D.

Contractor organization

Question 55

A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?

Options:

A.

It is storing FCI.

B.

It is testing FCI.

C.

It is distributing FCI.

D.

It is properly marked as FCI.

Question 56

As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?

Options:

A.

Union

B.

Accord

C.

Alliance

D.

Agreement

Question 57

For a scoping a CMMC Level 1 Self-Assessment, which asset types are assessed against CMMC practices?

Options:

A.

Any IoT or Industrial Internet of Things devices

B.

Any restricted IS

C.

Any test equipment hardware

D.

Any asset transmitting FCI

Question 58

A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?

Options:

A.

CUI Asset

B.

In-scope Asset

C.

Specialized Asset

D.

Contractor Risk Managed Asset

Question 59

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

Options:

A.

Phase 1: Plan and Prepare Assessment

B.

Phase 2: Conduct Assessment

C.

Phase 3: Report Recommended Assessment Results

D.

Phase 4: Remediation of Outstanding Assessment Issues

Question 60

The Advanced Level in CMMC will contain Access Control {AC) practices from:

Options:

A.

Level 1.

B.

Level 3.

C.

Levels 1 and 2.

D.

Levels 1,2, and 3.

Question 61

The practices in CMMC Level 2 consist of the security requirements specified in:

Options:

A.

NIST SP 800-53

B.

NIST SP 800-171

C.

48 CFR 52.204-21

D.

DFARS 252.204-7012

Question 62

When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

Options:

A.

is normative for an OSC to follow.

B.

contains examples that an OSC must implement.

C.

is mandatory and aligns with FAR Clause 52.204-21.

D.

provides additional information to facilitate the assessment of the practice.

Question 63

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

Options:

A.

DoD

B.

CISA

C.

NIST

D.

CMMC-AB

Question 64

Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

Options:

A.

Cybersecurity

B.

Data security

C.

Network security

D.

Information security

Question 65

The Assessment Team has completed the assessment and determined the preliminary practice ratings. The preliminary practice ratings must be shared with the OSC prior to being finalized for submission. Based on this information, the assessor should present the preliminary practice ratings:

Options:

A.

During the final Daily Checkpoint

B.

After discussing with the CMMC-AB

C.

Via email after the final Daily Checkpoint

D.

Over the phone after the final Daily Checkpoint

Question 66

Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:

Options:

A.

The contract value plus a penalty as stated in the Cyber Claims Act

B.

The contract value plus a penalty as stated in the False Claims Act

C.

Three times the contract value plus a penalty as stated in the Cyber Claims Act

D.

Three times the contract value plus a penalty as stated in the False Claims Act

Question 67

A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?

Options:

A.

An updated Assessment Plan

B.

Recorded and final updated Daily Checkpoint

C.

Fully executed CMMC Assessment contract between the C3PAO and the OSC

D.

Review documentation for the CMMC Quality Assurance Professional (CQAP)

Question 68

During a POA & M closeout assessment , the Lead Assessor and team members verified all evidence provided by the OSC and passed those that satisfied the requirements. Who MUST verify that every failed practice from the initial original assessment has been adequately addressed?

Options:

A.

OSC

B.

CCA

C.

OSC sponsor

D.

Lead Assessor

Question 69

A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

Options:

A.

" The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope. "

B.

" The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope. "

C.

" The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope. "

D.

" The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope. "

Question 70

How are the Final Recommended Assessment Findings BEST presented?

Options:

A.

Using the CMMC Findings Brief template

B.

Using a C3PAO-provided template that is preferred by the OSC

C.

Using a C3PAO-branded version of the CMMC Findings Brief template

D.

Using the proprietary template created by the Lead Assessor after approval from the C3PAO

Page: 1 / 24
Total 236 questions