Cyber AB CCP Exam Questions
1. Before it is implemented or put into practice, all of the following must approve of the Assessment Plan, EXCEPT?
- The OSC POC
- The OSC Assessment Official
- The Lead Assessor
- The C3PAO
The OSC Assessment Official, the Lead Assessor, and the C3PAO must approve of the Assessment Plan.
2. If a prime contractor engages the services of a subcontractor to deliver on the contract, whose responsibility is it to ensure contract adherence and flow down of requirements?
- The prime contractor
- The Department of Defense
- Both the prime contractor and subcontractor equally
- The subcontractor
DFARS clause 252.204-7012 flows down to subcontractors without alteration, except to identify the parties, when performance will involve operationally critical support or covered defense information. Per 252.204-7012(m)(1), the prime contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information, thus necessitating flow-down of the clause. The contractor should consult with the contracting office if clarification is required. The Department's emphasis is on the deliberate management of information requiring protection. Prime contractors should minimize the flow-down of information requiring protection. Flow down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor because of compliance with these terms. If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204-7012, then covered defense information shall not be on that subcontractor's information system.
3. If CUI banner marking is mandatory for all documents containing Controlled Unclassified Information (CUI), how should it be marked?
- CUI banner marking is mandatory, and it should be applied according to the specific guidelines and requirements outlined for CUI
- CUI banner marking is optional and depends on the content of the document.
- CUI banner marking is not mandatory
- CUI banner marking should be applied only to classified documents
The CUI marking must be identical on each page of the CUI document. The marking should be displayed in bold, capitalized, black text and centered at the top of each page, when possible, in the format CONTROLLED or CUI//CATEGORIES/SUBCATEGORIES/DISSEM. Though optional, it is recommended to also include the CUI marking at the bottom of every page as a best practice.
4. What should be done to evidence collection methods resulting in a CMMC practice being scored "NOT MET"?
- They should be evaluated using the current DoD Assessment methodology against the CMMC 2.0 Plan of Action and Milestones (POA&M) scoring criteria.
- They should be deducted from the total score
- They should be recorded in the findings as not met
- They should always be put on the Limited Practice Deficiency correction program
Any evidence collection method that results in a CMMC practice being scored "NOT MET" must be evaluated using the current DoD Assessment methodology against the CMMC 2.0 Plan of Action and Milestones (POA&M) scoring criteria. The failed practice must also be recorded on the OSC's Level 2 CA.3.12.1 "Security Control Assessment" practice documentation, under the corresponding practice as "NOT MET".
5. To achieve a specific CMMC level, the contractor will need a finding of ___________ on all CMMC practices required for the desired certification level as well as for all lower levels.
- MET or NOT APPLICABLE
- NOT MET
- NOT MET or NOT APPLICABLE
- MET
The assessment of a CMMC practice results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE. To achieve a specific CMMC Level, the contractor will need a finding of MET or NOT APPLICABLE on all CMMC practices required for the desired level as well as for all lower levels. For example, a contractor will need a MET or NOT APPLICABLE finding on all CMMC practices at Levels 2 and 1 to achieve a CMMC Level 2 certification.
6. Jane has one year of experience and an associate's degree in cybersecurity. She is interested in eventually becoming a Certified CMMC Assessor (CCA) but wants to start with the Certified CMMC Professional (CCP). What are Jane's options for gaining the experience required for the CCP?
- Continue building her work experience and consider additional certifications.
- Complete the CCP certification without additional work experience, as the associate's degree in cybersecurity may fulfill the requirements.
- Wait until she has the required five years of experience before considering the CCP certification
- Focus solely on obtaining the Certified CMMC Assessor (CCA) certification without pursuing the CCP
Jane should continue building her work experience, pursue relevant roles as a cybersecurity assessor, engage in professional development, and consider additional certifications, until she has more years of experience to pursue the CCP and then the CCA certification.
7. What principle restricts user access to only the machines and information needed to fulfill job responsibilities?
- The principle of least privilege
- The principle of privileged accounts
- The principle of separation of duties
- The principle of Lawful Government Purpose
The principle of least privilege applies to all users and processes on all systems, but it is critical to systems containing or accessing CUI. Least privilege restricts user access to only the machines and information needed to fulfill job responsibilities, and limits which system configuration settings users can change, allowing only individuals with a business need to change them.
8. Prior to having an assessment done, an OSC may opt to have a pre-assessment completed by:
- A CMMC Registered Provider Organization (RPO); A CMMC C3PAO
- A CMMC Registered Provider Organization (RPO)
- A CMMC C3PAO
- The IT director of the OSC
An OSC can engage with either a C3PAO or RPO to perform pre-assessment services. However, the same C3PAO cannot be used for both the pre-assessment and certified CMMC assessment as they must be different organizations.
9. The CMMC Code of Professional Conduct (CoPC) applies to the following individuals and entities, EXCEPT
- Company Chief Information Security Officers (CISOs)
- Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), Certified CMMC Instructor (CCI), Certified CMMC Master Instructor (CCMI), CMMC Quality Assurance Professional (CQAP)
- CMMC Third Party Assessment Organization (C3PAO)
- Registered Practitioners (RPs), Registered Practitioner Advanced (RPA), Registered Practitioner Organization (RPO), Licensed Publishing Partner (LPP), Licensed Training Provider (LTP)
The CoPC applies to credentialed individuals and those applying to the Cyber AB to be credentialed as either a Certified CMMC Professional (CCP), a Certified CMMC Assessor (CCA), a Certified CMMC Instructor (CCI), a Certified CMMC Master Instructor (CCMI), or a CMMC Quality Assurance Professional (CQAP). It is also a requirement for the entities that provide training materials for Certified Assessors or Certified Professionals (i.e., Licensed Training Partners (LTPs) and Licensed Publishing Partners (LPPs)). It also applies to the entities accredited by the Cyber AB to employ or engage Credentialed Individuals to conduct assessments, to entities applying for accreditation, and to those individuals and entities that register for inclusion in the Cyber AB's directory of Credentialed Individuals and Accredited entities. However, company CISOs are not bound to the CMMC CoPC.
10. From a Cybersecurity perspective, the primary objective of Identification and Authentication (IA) is to:
- Identify and authenticate information system users, processes, or devices acting on behalf of users, as a prerequisite to allowing access to organizational information systems.
- Assist the Assessment Team in performing risk assessments
- Test the organizational incident response capability
- Perform maintenance on organizational systems
Common device identifiers include media access control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length.
11. Which of the following statements is true?
- All CUI is FCI
- All FCI is CUI
- All ECI is FCI
- All FCI is ECI
All CUI is FCI. "While FCI is any information that is 'not intended for public release,' CUI is information that requires safeguarding."
12. During a CMMC assessment, which of the following steps should a CMMC assessor perform first?
- Review the data flow diagram
- Review user access
- Review system logs
- Evaluate configuration change request process
The CCA works with the OSC Sponsor to determine the assessment scope, which consists of the CMMC model scope and the general scope of the OSC.
13. How many practices are assessed at Level 1?
- 17
- 110
- 6
- 14
The CMMC practices provide threat mitigation across the levels, starting with basic safeguarding of FCI at Level 1, moving to the broad protection of CUI at Level 2, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Level 3. CMMC Level 1 focuses on the protection of Federal Contract Information (FCI) and consists of only 17 practices that correspond to the basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.
14. What rating is given to a practice if the assessment team does not find adequate evidence to demonstrate it has been met?
- Not Met
- Partial
- In progress
- Pending
If the assessment team does not find adequate evidence that a practice has been met, it is given a rating of NOT MET.
15. What domain addresses the provision of a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records?
- The Audit and Accountability (AU) domain
- The System and Communications Protection
- System and Information Integrity
- The Identification and Authentication domain
The Audit and Accountability domain discusses the essentials of system auditing, user accountability, audit management, and reporting. Auditing focuses on system audit logs, audit record reviews, and audit protection. Accountability focuses on user accountability, event review, and management. AU.L2-3.3.7, Authoritative Time Source, requires the organization to provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Under CMMC 2.0, there are no AU practices at Level 1 and a total of 9 practices at Level 2. For CMMC Level 3, the AU practices are yet to be determined.
16. Unauthorized alteration of data affects which of the following?
- Data Confidentiality and Integrity
- Data Sensitivity and Integrity
- Data Availability and Classification
- Data Sensitivity and Confidentiality
Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems, under its Security Objectives section defines the loss of integrity as the unauthorized modification or destruction of information. The security requirements in 800-171 protect the confidentiality of CUI, while the enhanced security requirements in 800-172 address confidentiality, integrity, and availability protection of Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the advanced persistent threat (APT).
17. The Organization Seeking Certification (OSC) should furnish the Lead Assessor with the following information, EXCEPT?
- A list of all OSC personnel
- Results of most recent OSC self-Assessment or any pre-Assessment conducted by an RP or RPO
- A preliminary list of anticipated Evidence
- System Security Plan and other relevant documentation
The OSC should submit to the Lead Assessor a list of only the personnel that play a role in procedures which are in scope.
18. Which of the following actions are required to ensure proper handling of sensitive information?
- Securely disposing data by deleting emails, electronic files, and using approved shredders for destruction of physical media.
- Freely sharing information with coworkers, customers, and contractors as needed to ensure you get the job done
- Emailing information required to complete a task on a DoD contract in clear text without encryption
- Discussing important contract details in the common area (kitchenette) within your office building
CUI must be stored or handled in controlled environments that prevent or detect unauthorized access. Limit and control access to CUI within the workforce by establishing electronic barriers. When reproducing or faxing CUI, you may use agency-approved equipment. Look for signs on approved equipment. To protect CUI: properly mark all CUI. 1) Store CUI data only on authorized information systems. 2) Don't transmit, store, or process CUI on non-approved systems. 3) Mark, handle, and store CUI properly. Follow policy in DoD Instruction 5200.48, "Controlled Unclassified Information (CUI)" for retention or disposal.
19. Which of the following statements about Assets is NOT true?
- Assets that do not process, store, or transmit FCI/CUI may still be in scope
- 3D printers used by the OSC to print models before actual production for the government client are in scope assets
- Design software such as AutoCAD used to create architectural designs, such as floor plans and elevations required for the government client are in scope assets.
- An organization's e-mail system used to send e-mail correspondence between the OSC and government client is considered in scope
Assets that do not store, process, or transmit CUI or FCI are not in scope. All other options are examples of assets that process, store, or transmit FCI or CUI. While an email system transmits CUI or FCI, it also stores some information in the cache. Therefore, they all have an impact on CUI or FCI.
20. ________ criteria determine if a given artifact, interview response (affirmation), demo or test meets the CMMC practice.
- Adequacy
- Capability
- Sufficiency
- Competency
Adequacy criteria will determine if a given artifact, interview response (affirmation), demonstration, or test meets the CMMC practice. Adequacy answers the question: "Does the Assessment Team have the right Evidence?"