Cyber AB CCP Exam Questions

181.

You are the Chief Information Security Officer (CISO) for CHISS Corporation, a DoD contractor that handles sensitive government information. One of your analysts informs you that a workstation was found to have malware, even though it had up-to-date antimalware software installed and running. The workstation itself did not contain any covered defense information, but it is connected to your corporate network which does have covered information. What should you do to manage this incident?

  • Report the incident, and take specific steps to mitigate it depending on the organization's incident response plan and contractual obligations

  • Report the incident to the DoD immediately, as any malware incident must be reported regardless of the content on the affected workstation

  • Disconnect the workstation from the corporate network and conduct an internal investigation without reporting the incident

  • Not report the incident, as it does not involve covered defense information

Since the infected workstation is connected to a network that holds covered defense information, the malware could spread and affect that data. Even though the workstation itself did not contain CDI, it is part of the covered contractor information system. Under DFARS 252.204-7012(c)(1), the contractor must conduct a review for evidence of compromise whenever a cyber incident affects a covered contractor information system, including analysis of connected systems that may have been impacted. The fact that malware was able to execute on the workstation demonstrates a potentially adverse effect on the overall covered contractor information system, so the cyber incident reporting requirements still apply. Thorough analysis and prompt reporting are critical. As the CISO, you should:

  • Isolate the infected workstation and conduct forensic analysis to determine the scope of the incident.

  • Review network activity to identify any signs of compromise or lateral movement.

  • Rapidly report the incident via https://dibnet.dod.mil within 72 hours as required by the clause.

  • Preserve images of the affected systems and relevant monitoring data for at least 90 days per DFARS 252.204-7012(e).

  • Provide access to additional information if requested by DoD to assist with damage assessment.

182.

Assisting the client in rectifying an anomaly, so that it is not reported, is a violation of which of the following?

  • Information Integrity; Proper Use of Methods; Professionalism & Objectivity

  • Information Integrity

  • Proper Use of Methods

  • Professionalism & Objectivity

Assisting a client in rectifying an anomaly threatens the integrity of the process and compromises the objectivity of the client. This opposes information integrity, proper use of methods, professionalism, and objectivity. Essentially, honesty and transparency are needed in the relationship between clients and stakeholders.

183.

Under DFARS Clause 252.204-7012, for how long must the contractor preserve images and monitoring data after a cyber incident?

  • 90 days

  • 30 days

  • 60 days

  • 120 days

DFARS 252.204-7012 Paragraph (e) states the contractor must preserve images and monitoring data for at least 90 days after submitting the cyber incident report.

184.

Which of the following BEST describes the CMMC Level 2 practices?

  • They focus on the protection of CUI

  • Consists of 15 basic safeguarding requirements from FAR Clause 52.204-21

  • Any contractors handling CUI can only be certified at Level 3

  • Assessments are conducted annually and can be self-assessments

CMMC Level 2 focuses on the protection of CUI. It consists of 110 practices from NIST SP 800-171 Rev 2; contractors handling CUI need to be certified at Level 2 or higher, and assessments are triennial and conducted by a third party (a C3PAO or a CCA).

185.

Which of the following is NOT a measure of limiting physical access to the system?

  • Placing equipment in locked rooms and ensuring unauthorized individuals are accompanied when accessing the system.

  • Placing equipment in locked rooms and ensuring any personnel accessing it are authenticated and authorized using organizational mechanisms

  • Allowing access to authorized individuals only

  • Placing equipment in locations that can be monitored by organizational personnel

This is defined under the Physical Protection domain as practice PE.L1-3.10.1, which outlines the measures for limiting physical access to the system. According to this practice, limiting physical access may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only, and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.

186.

What is the main objective of NIST SP 800-172?

  • To provide enhanced security requirements for protecting CUI

  • Replaces the provisions of NIST 800-171

  • Acts as a guide for securing Top Secret government data.

  • Provides a mechanism for securing high value assets (HVA)

NIST SP 800-172 provides enhanced security requirements for protecting Controlled Unclassified Information (CUI) associated with critical programs and high value assets from advanced persistent threats. It acts as a supplement to NIST SP 800-171 with additional recommendations to strengthen CUI security, especially related to Advanced Persistent Threats (APTs), supply chain risk management, incident response, and cybersecurity testing. It does not replace or relate to provisions for classified data like Top Secret information.

187.

By introducing CMMC 2.0, the DoD aims to do all of the following, except?

  • To drive more profits by encouraging more SMBs

  • To reduce costs, particularly for SMBs

  • To clarify and align cybersecurity requirements with widely accepted standards

  • To increase trust and confidence in the framework

DoD is not a profit-making entity but an executive branch department. The introduction of CMMC 2.0 aims to align and clarify cybersecurity requirements with widely accepted standards, reduce compliance costs for SMBs, and increase trust and confidence in the framework, among other things.

188.

In determining scope, the Certified CMMC Assessor (CCA) plays the following roles, EXCEPT?

  • Defines the scope of the assessment that represents the boundary for which the CMMC certificate will be issued.

  • Works with the OSC Sponsor and/or POC to collect information to define the organizational scope

  • Works with the OSC Sponsor and/or POC to determine the model, assessment, organizational, and contractual boundaries and scope details.

  • Verifies that assessment team members are familiar with the assessment scope, method, plan, and tools.

The CCA works with the OSC Sponsor to determine the assessment scope, which consists of the CMMC model scope and the general scope of the OSC. The model scope includes the maturity level targeted to be assessed and achieved; these are defined by the CMMC Model. The CCA works with the OSC Sponsor and/or POC to collect information to define the organizational scope. This consists of the organization, host unit, supporting units, and any enclaves in scope that will provide Objective Evidence (OE) of their CMMC process implementation. This information is captured in the CMMC Cyber-AB Intake Form. The CCA continues to work with the OSC Sponsor and/or POC to determine the model, assessment, organizational, and contractual boundaries and scope details.

189.

How often does the CMMC Professional (CCP) need to renew their certification?

  • Annually

  • Every 6 months

  • Every 2 years

  • It does not need renewal

Once certified, a CCP needs to renew their certification each year, which is currently a $250 fee. However, if they earn the Certified CMMC Assessor (CCA) certification, they will only be required to renew the CCA certification, which is a $500 annual maintenance fee.

190.

Jane is a Certified CMMC Assessor (CCA) for a leading CMMC Third Party Assessment Organization (C3PAO). The C3PAO has selected a team of four led by James to assess how Micron Inc., an Organization Seeking Certification (OSC), has implemented the requirements for a level 2 certification. However, she witnesses James and Micron's Chief Information Security Officer (CISO) strike a deal to manipulate some findings to ensure the OSC is certified. What should Jane do?

  • When observing colleagues making choices that are in violation of the CoPC, you should privately request clarification or offer to help rectify the violation. Thereafter, you should report the ethical violation, misconduct, or professional breach to the CMMC Accreditation Body within 30 days.

  • She should report to the Department of Justice's False Claims Act team for James and the CISO to be arrested

  • She should escalate the issue to the Department of Defense's investigation team for them to initiate an investigation

  • She should talk with both James and the CISO and tell them to self-report or she will escalate the matter to the Cyber AB

When observing colleagues making choices that are in violation of the CoPC, you should privately request clarification or offer to help rectify the violation.

191.

An Assessment Plan is essentially a signed contract between the _____ and the ______.

  • Assessment Official, C3PAO

  • OSC, DoD

  • C3PAO, Cyber AB

  • OSC, Cyber AB

The Assessment Plan should be included as an addendum to the contract between the Assessment Official and the C3PAO and must be formally reviewed, approved, and signed by both parties.

192.

What can a Registered Practitioner (RP) do to assist the members of an Organization Seeking Certification (OSC) in achieving CMMC compliance faster?

  • RPs can offer CMMC training to OSC members to expedite compliance efforts

  • RPs are responsible for compliance, and training is not within their scope.

  • RPs can provide CMMC training, but it doesn't contribute to faster compliance

  • RPs are not allowed to offer CMMC training to OSC members

While they may be equipped and knowledgeable enough to offer CMMC training to OSCs, RPs and Registered Practitioner Organizations (RPOs) can only provide advice, consulting, general training, and recommendations. They cannot legally conduct Certified CMMC Assessments or Certified Training. RPs are the "implementers" and consultants and are not certified by the Cyber AB.

193.

________ criteria are needed to verify, based on Assessment and organizational scope, that coverage by domain, practice, and host units, supporting units, and enclaves is enough to rate against each practice by the process role performing the work.

  • Sufficiency

  • Adequacy

  • Competency

  • Capability

Sufficiency criteria are needed to verify, based on Assessment and organizational scope, that coverage by domain, practice, and Host Units, Supporting Units, and enclaves is enough (sufficient) to rate against each practice by the process role performing the work. Sufficiency answers the question: "Does the Assessment Team have enough of the right Evidence?"

194.

Which of the following is NOT required documentation for contractor risk-managed assets?

  • Separation methodology

  • Asset inventory

  • Network diagram

  • System Security Plan

Separation methodology only applies to out-of-scope assets. Risk-managed assets must be documented in the asset inventory, network diagram, and SSP.

195.

What is the significance of data classification in protecting warfighters' lethality?

  • It prevents unauthorized access to warfighter data

  • It ensures warfighters have access to classified data

  • It helps in aggregating CUI data

  • It does not impact warfighters' lethality

Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters. When all FCI or CUI is appropriately marked and classified, it is easier to comply with data collection requirements. This prevents unauthorized access to CUI data.

196.

What is a viable method for the destruction of CUI data?

  • Approved Cross-Cut Shredder

  • Unmarked Destruction Bin

  • Breakroom Trash Can

  • Recycling Bin

The CUI regulation in 32 CFR 200.14(f)(2) requires that agencies destroy CUI in a manner that makes it unreadable, indecipherable, and irrecoverable. It also prescribes the destruction methods of NIST SP 800-88, Revision 1, Guidelines for Media Sanitization, or any destruction method approved for Classified National Security Information, unless the CUI category's authority mandates other destruction methods. Agencies must also use any destruction method specifically required by law, regulation, or Government-wide policy for CUI Specified categories.

197.

In which of the following phases does a CMMC Assessor deliver the assessment results?

  • Report Recommended Assessment Results

  • Conduct the Assessment

  • Plan and Prepare

  • CMMC Plans of Action and Milestones (POA&M) Close-Out Assessment

In Phase 3, Report Recommended Assessment Results, the Lead Assessor delivers the recommended results to the OSC. Once these results have been finalized, they are passed along to the CQAP and C3PAO, who verify them for completeness and accuracy. Only then are the results uploaded into eMASS.

198.

Which of the following is a type of Controlled Unclassified Information (CUI)?

  • CUI Specified

  • CUI Standard

  • CUI Classified

  • CUI Controlled

CUI is information that requires safeguarding and that the government creates or possesses, or that an entity creates or possesses on behalf of the government; its dissemination is controlled by law, regulation, or government-wide policy. It is defined by E.O. 13556, 32 CFR Part 2002.4, and DoDI 5200.48. CUI Specified is a subset of CUI that has specific handling requirements mandated by law, regulation, or government-wide policy. CUI Specified is made up of 59 categories of information, which have additional requirements beyond the baseline set of rules applicable to Basic categories. Some examples of CUI include:

  • Personally Identifiable Information (PII)

  • Sensitive Personally Identifiable Information (SPII)

  • Proprietary Business Information (PBI)

  • Unclassified Controlled Technical Information (UCTI)

  • Sensitive but Unclassified (SBU)

Marking of CUI Specified information: the CUI Control marking is "CUI" or "CONTROLLED"; the category marking is mandatory for CUI Specified and is separated from the CUI Control marking by a double forward slash (//), for example CUI//SP-CTI or CONTROLLED//SP-CTI. These markings should be at the top of the page of the information you receive. If the information is sent to you via email, the body of the email should also include the markings, and the email must have the CUI Designation Indicator after the sender's signature block. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.

199.

Which of the following is NOT true regarding Export Administration Regulations (EAR):

  • ECI is subject to fewer handling requirements than CUI.

  • It controls commercial and dual-use items, information, and technology

  • It includes technologies not on the ITAR list, which focuses mostly on defense technologies.

  • It may require an export authorization depending on the country, end user and end-use

ECI is subject to additional requirements above and beyond CUI handling. Export Controlled Information (ECI) is CUI consisting of unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives. It includes dual-use items; items identified in the Export Administration Regulations, the International Traffic in Arms Regulations (ITAR), and the munitions list; license applications; and sensitive nuclear technology information. The Commerce Department's Bureau of Industry and Security enforces EAR rules and imposes penalties.

200.

To facilitate subcontractor support, a Prime contractor has set up a storage drive for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Which of the following is a benefit of an FCI/CUI storage drive maintained by the Prime Contractor?

  • The Prime contractor has better control over FCI/ CUI

  • The Prime contractor is more likely to pass their CMMC Level 2 Assessment

  • Subcontractors handling CUI can do a CMMC Level 2 self-attestation

  • The risk burden is transferred to the subcontractor(s)

The benefits of the Prime contractor maintaining FCI/CUI data within its own IT infrastructure include better control over FCI/CUI; the subcontractor is only required to comply with a lower-level CMMC requirement, such as Level 1; and the prime contractor bears the burden of the risk of maintaining FCI/CUI on its network.