Cyber AB CCP Exam Questions

Page 2 of 25

21.

Is it a requirement to submit quarantined malware to the Defense Cyber Crime Center (DC3) if antivirus software identifies and quarantines malware during a file download check? Additionally, can this action be considered a cyber incident?

  • No, there is no requirement to submit to DC3, and it depends on the severity whether it is considered a cyber incident

  • Yes, submission to DC3 is mandatory, and this is always considered a cyber incident

  • Submission to DC3 is optional, and this is always considered a cyber incident

  • Yes, submission to DC3 is mandatory, but it is not considered a cyber incident

The malware identified by the antivirus software does not need to be submitted to the DoD Cyber Crime Center (DC3). If it was detected by antivirus software, the malware is already known to that vendor, and there is no requirement to submit the sample. If the antivirus software detected and quarantined the malware as part of the download process, the incident was prevented, a cyber incident did not occur, and reporting under DFARS 252.204-7012 is not necessary.

22.

The ability to prove that the user or application is genuinely who that user or what that application claims to be is?

  • Authentication

  • Identification

  • Nonrepudiation

  • Authorization

Authentication is the ability to prove that the user or application is genuinely who that user or what that application claims to be, and it is required under the CMMC Identification and Authentication (IA) domain.

23.

Which of the following is NOT mentioned in FAR 52.204-21 as a required basic safeguarding procedure?

  • Implementing advanced persistent threat detection

  • Escorting visitors and monitoring visitor activity

  • Encrypting information system media containing federal contract information

  • Limiting physical access to information systems

FAR 52.204-21 paragraph (b)(1), "Safeguarding requirements and procedures", outlines 15 security controls a contractor should institute to protect covered contractor information systems; these do not include the need to implement advanced persistent threat detection.

24.

The Assessment Team size and number of days on site are dependent on all of the following EXCEPT:

  • The OSC's Supplier Performance Risk System (SPRS) score

  • The complexity of the in-scope system

  • The geographical footprint of the OSC and the locations that are within scope

  • The size of the OSC

The statutory requirements of a CMMC Assessment and the preferences of the OSC Assessment Official, along with the consequent costs, logistics, size of the C3PAO Assessment Team, and schedule factors are balanced to arrive at an efficient and effective resource plan for the Assessment.

25.

Which of the following is NOT true about CMMC self-assessments?

  • Scoping is not required when self-assessing.

  • Level 1 self-Assessment asserts that a contractor is meeting the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21

  • DoD intends for Level 1 self-Assessment to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks

  • Contractors gather information and evidence to verify that they meet the stated self-Assessment objectives in the system information integrity, access control, physical protection, media protection, identification and authentication, systems communication protection CMMC domains

Prior to the self-assessment, the contractor must define the scope that represents the boundary.

26.

What can be used to address issues like data loss and service outages that threaten operations after a cyber attack?

  • Incident Response Plan

  • Event Management Plan

  • Incident Detection Procedure

  • Recovery Plan

An Incident Response (IR) plan establishes a clear set of actions to detect, respond to, and recover from an attack. The IR plan should be tested frequently to confirm that it is effective and successfully addresses the range of possible threats an organization may face.

27.

Which organization acts as a single clearinghouse for Mandatory Incident Reports (MIR) that are unclassified? Who handles classified incident reports?

  • Department of Defense Cyber Crime Center (DC3)/DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE), Defense Counterintelligence and Security Agency (DCSA)

  • Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD/A&S), Defense Counterintelligence and Security Agency (DCSA)

  • National Security Agency (NSA), DCISE

  • DCSA, Department of Defense (DoD) Chief Information Security Officer (CISO)

DC3/DCISE serves as the single clearinghouse for unclassified Mandatory Incident Reports (MIR), while DCSA serves as the single clearinghouse for classified incident reports, as per DFARS 252.204-7012.

28.

Which of the following is NOT a potential risk to the CMMC assessment?

  • Market competition

  • Cost / Funding constraints

  • Availability of experienced team members

  • Extent of data collection

The C3PAO and/or Lead Assessor should evaluate the potential risks associated with the assessment to ensure that any risk mitigations are put into place prior to the assessment. C3PAOs may have internal processes and/or templates for determining risk factors and applying mitigation. This step should be done in conjunction with the OSC POC.

29.

When Scoring practices and validating preliminary results, which of the following is true about evidence accepted?

  • Evidence should be adequate, sufficient and reflect the objective of the practice defined in the CMMC Level 2 Assessment Guide.

  • It must be applicable to the practice and related policy, plan, and process being evaluated.

  • It should only be applicable to one practice.

  • It should be applicable to multiple practices.

All Evidence examined by the C3PAO Assessment Team must address the full CMMC Assessment Scope of the OSC. The Evidence examined must be adequate, sufficient, and fully reflect the performance of the practice Assessment objective defined in the CMMC Level 2 Assessment Guide. Furthermore, the evidence must be applicable to the practice and related policy, plan, and process being evaluated. If the examined artifact does not sufficiently answer both the adequacy and sufficiency questions, an Evidence gap exists.

30.

What term is used to describe technical information with military or space applications that is subject to strict controls, meeting criteria for distribution statements B through F as per DoD Instruction 5230.24, but excludes publicly available information without restrictions?

  • Controlled Technical Information (CTI)

  • Classified Technical Information (CTI)

  • Controlled Technical Data (CTD)

  • Restricted Technical Information (RTI)

DFARS 252.204-7012.01(a) defines Controlled Technical Information as: "Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents."

31.

How does CMMC differ from cybersecurity guidelines within FISMA (Federal Information Security Modernization Act)?

  • Companies cannot certify compliance themselves

  • CMMC emphasizes self-certification for compliance.

  • FISMA mandates third-party assessments for compliance.

  • CMMC and FISMA have no significant differences.

CMMC builds on cybersecurity guidelines within FISMA but with one major difference: companies cannot certify compliance on their own. Instead, companies that need CMMC accreditation must be assessed by a third-party assessor known as a C3PAO (CMMC Third Party Assessment Organization).

32.

What are the 4 subcategories of CUI under the Defense category in the CUI Registry?

  • Controlled Technical Information (CTI), DoD Critical Infrastructure Security Information (DCRIT), Naval Nuclear Propulsion Information (NNPI), Unclassified Controlled Nuclear Information (UCNI)

  • ECI – Export Controlled Information, CTI – Controlled Technical Information, CDI – Covered Defense Information, FCI – Federal Contract Information.

  • ECI – Export Controlled Information, PHI – Protected Health Information, PII – Personally Identifiable Information, CDI – Covered Defense Information

  • CDI – Covered Defense Information, CTI – Controlled Technical Information, UCNI – Unclassified Controlled Nuclear Information, ECI – Export Control Information

The Defense category has 4 subcategories: Controlled Technical Information (CTI), DoD Critical Infrastructure Security Information (DCRIT), Naval Nuclear Propulsion Information (NNPI), and Unclassified Controlled Nuclear Information (UCNI).

33.

What is a key benefit of observing tests during a CMMC assessment?

  • Gain insight into practice effectiveness and outcomes

  • Review compliance with standards

  • Validate system security controls

  • Identify gaps in technical cybersecurity controls

Observing live tests or demonstrations provides the Lead Assessor and Assessment Team with detailed operational insight into the effectiveness and outcomes of the practices, procedures, and related policies and plans implemented in the OSC, including an understanding of how those practices or procedures are performed using a given system, test, or other similar approach.

34.

Which of the following data states should be covered in an assessment scope?

  • Data at rest, Data in use, and Data in motion

  • Data in use, Data asleep, and Data in transit

  • Data in place, Data in storage, and Data on hold

  • Data in work, Data in place, and Data in motion

The FCI/CUI environment encompasses the systems, applications, and services that store, process, and transmit FCI/CUI. FCI/CUI is defined in the form of Assets that:

  • Store – when FCI/CUI is inactive or at rest (e.g., located on electronic media, system component memory, paper)

  • Process – when FCI/CUI is actively being used by a system component (e.g., entered, edited, viewed, manipulated, printed)

  • Transmit – when FCI/CUI is being transferred from one location to another (e.g., data in motion)

Essentially, if something can impact the security of the FCI/CUI, it is in scope.

35.

The organization you work for plans to work on contracts that process Controlled Unclassified Information (CUI), but would prefer to perform a Self-Assessment and Self-Attestation rather than a CMMC Level 2 Certification Assessment. What advice would you give them?

  • Any contractor can perform a self-assessment and self-attestation so long as the information they handle is not deemed critical to national security

  • Self-assessments are only applicable to Certified CMMC Professionals (CCP)

  • Only contractors with special authorization from the Cyber AB can perform Level 2 Self-Assessments

  • Level 2 contractors are not allowed to perform self-assessments

Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards. A subset of programs with Level 2 requirements do not involve information critical to national security, and associated contractors will be permitted to meet the requirement through self-assessments.

36.

An organization should _____ risks that can impact any part of the organization and ______ those risks which it believes are the most significant.

  • Identify, manage

  • Mitigate, validate

  • Handle, expose

  • Implement, prioritize

Organizations should define their "risk appetite" and identify risks they are willing to accept and those they are not. Then, the necessary mitigating actions should be put in place to manage those risks appropriately.

37.

What does the practice "Monitor system security alerts and advisories and take action in response" help ensure?

  • Information integrity

  • Flaw remediation

  • Malicious code protection

  • Session management

The practice "Monitor system security alerts and advisories and take action in response" (SI.L2-3.14.3) within the System and Information Integrity domain ensures information integrity by proactively tracking security alerts. This approach helps organizations stay informed about software vulnerabilities, enabling timely actions such as patching or implementing compensating controls. Monitoring and responding to alerts are vital for maintaining system integrity and preventing unauthorized access or data compromises. While practices like flaw remediation and malicious code protection also contribute to integrity, monitoring security alerts provides ongoing threat intelligence for proactive responses.

38.

To qualify as a CMMC Third Party Assessment Organization (C3PAO), an organization must meet which one of the following?

  • It must be 100% U.S. Citizen owned

  • It must be a registered business located in any of the North Atlantic Treaty Organization (NATO) countries.

  • There are no specific requirements for C3PAOs. Any organization can become a C3PAO

  • It must have been in business for a minimum of five years

For an entity to be approved to act as a C3PAO, it must be 100% U.S. Citizen owned and must successfully pass a Foreign Ownership, Control or Influence (FOCI) and SF-328 review to be eligible. No foreign-owned businesses are currently admitted.

39.

Which of the following institutions was involved in the development of the Cybersecurity Maturity Model Certification (CMMC)?

  • Carnegie Mellon University

  • Harvard University

  • Massachusetts Institute of Technology (MIT)

  • University of California, Berkeley

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) engaged researchers at the Carnegie Mellon University Software Engineering Institute (SEI) and The Johns Hopkins Applied Physics Laboratory (APL) to develop the CMMC to prevent loss of Intellectual Property and Controlled Unclassified Information (CUI), and to bolster the Defense Industrial Base (DIB) sector's cybersecurity posture.

40.

After the Assessment Team's Practice Ratings have been determined, but prior to the submission of the Assessment Report, which of the following is likely to occur?

  • Execute POA&M Review

  • Upload Results into eMASS

  • Support Assessment Appeals Process

  • Deliver Recommended Assessment Results

After all Evidence for each CMMC in-scope practice has been reviewed, verified, rated, and discussed with the OSC participant during the daily checkpoints, the Lead Assessor records the final recommended MET/NOT MET/NA score and prepares to present the results to the Assessment participants during the final review with the OSC and its Assessment Official. CMMC will allow the conditional use of Plans of Action and Milestones (POA&M) to remediate practices that are not fully or successfully implemented. The POA&Ms will be strictly time-bound, with a validity period of no more than 180 days from the Assessment Final Recommended Findings Briefing (Phase 3).