Cyber AB CCP Exam Questions


81.

Which organization initiates an investigation if a violation of the code is reported?

  • Cyber AB

  • NARA

  • OUSD (A&S)

  • DoD

The Cyber AB may initiate an investigation based on a complaint or on information received or observed relating to a violation by a person or organization.

82.

If a C3PAO has received a request via the CMMC Marketplace for an assessment from an OSC, the C3PAO:

  • Must respond in writing

  • Must ensure the Cyber AB assigns a Lead Assessor (CCA)

  • Must respond via email or in writing

  • Must respond in three business days

An OSC generally initiates the engagement concerning a prospective CMMC Assessment by contacting an authorized C3PAO. The updated registry of authorized C3PAOs in good standing is maintained on the CMMC Marketplace website administered by the CMMC Accreditation Body (The Cyber AB). Unless otherwise notified by The Cyber AB, any C3PAO listed as "Authorized" within the Marketplace may be considered a C3PAO in good standing and eligible to conduct a CMMC Assessment. The initial contact from the OSC can be made via the CMMC Marketplace's online intake form or by direct email or phone call to the C3PAO. C3PAO-OSC contact and communications may be initiated by either party, but in no circumstances will individuals from The Cyber AB or the Department of Defense serve in an introductory or facilitation role. Once the request for a CMMC Assessment is received, the C3PAO should respond to the OSC in writing within five (5) business days, acknowledging the request and proposing the scheduling of an initial coordination call or virtual meeting.

83.

What is the frequency of the re-assessment according to the ‘NIST SP 800-171 DOD Assessment’ guidelines?

  • May vary based on the requirement of the contracting authority

  • 4 years

  • 2 years

  • 1 year

The NIST SP 800-171 DoD Assessment Methodology enables DoD to strategically assess a contractor's implementation of NIST SP 800-171 on existing contracts which include DFARS clause 252.204-7012, and to provide DoD Components with visibility to the summary level scores of strategic assessments completed by DoD, thus providing an alternative to the contract-by-contract approach. Assessment of contractors with contracts containing DFARS clause 252.204-7012 is anticipated to be once every three years unless other factors, such as program criticality/risk or a security-relevant change, drive the need for a different assessment frequency. Organizations with DFARS 7012 requirements in their contracts and handling CUI will need to complete a Basic Assessment (self-assessment).

84.

In the context of CMMC (Cybersecurity Maturity Model Certification), can a Certified CMMC Professional (CCP) support or help the Assessment Team look for evidence gaps?

  • Yes, a CCP is authorized to assist the Assessment Team in identifying evidence gaps during the assessment process, but the CCP can only work on the Level 1 practices.

  • CCPs are not involved in the assessment process, and their role is separate from evidence gap identification.

  • The involvement of a CCP in evidence gap identification depends on the preferences of the certification body.

  • No, the role of a CCP is limited to specific responsibilities and does not include assisting with evidence gap identification

The CCP can help look for gaps such as incomplete affirmations or tests, incomplete documents, policies lacking endorsement by senior management, etc., but the CCP can only work on the Level 1 practices.

85.

Which of the following best describes the CMMC Professional (CCP) certification path?

  • Application, Training, Exam, Certification

  • Training, Exam, Application, Certification

  • Training, Application, Certification, Exam

  • Application, Training, Certification, Exam

The applicant first completes the CCP application online on the Cyber AB website (www.cyberab.org). After that, the applicant should complete an approved training program from a Licensed Training Provider (LTP). They should then demonstrate some basic understanding of CMMC. Only then can they complete the CCP certification test.

86.

What two actions prohibit the export, re-export, and sales of almost all items and services to or from sanctioned countries and their citizens?

  • Embargoes and Sanctions

  • Fines and Penalties

  • Restrictions and Sanctions

  • Mandates and Directives

The U.S. export regulations restrict imports and exports to certain destinations without a U.S. Government authorization (called "license"). Embargoes and sanctions prohibit ALL transactions (including imports and exports) without a license authorization. Targeted sanctions prohibit certain exports of items, data and/or software without a license authorization.

87.

Data classification is a basic security requirement that organizes data into categories based on which of the following?

  • Data importance and sensitivity

  • Government agency requirements

  • Security clearance

  • DoD priority and regulations

The types of sensitive information created within a contract should be specifically defined and appropriately classified, marked, and protected. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters. When all FCI or CUI is appropriately marked and classified, it is easier to comply with data collection requirements. This prevents unauthorized access to CUI data.

88.

Who provides targeted support to top-tier Defense Industrial Base (DIB) companies categorized as critical infrastructure?

  • National Security Agency (NSA)

  • DoD Chief Information Officer (CIO)

  • Defense Counterintelligence and Security Agency (DCSA)

  • Department of Defense Cyber Crime Center (DC3)

NSA shares "left of boom" products and tools with the DIB to prevent bad events from occurring, and is responsible for providing targeted support to DIB companies categorized as critical infrastructure.

89.

Which of the following markings must be used for CUI with restricted dissemination to Federal employees?

  • FED ONLY

  • NOCON

  • FEDCON

  • NOFORN

Dissemination Controls are:

  • No Foreign Dissemination (NOFORN)

  • Federal Employees Only (FED ONLY)

  • Federal Employees and Contractors Only (FEDCON)

  • No Dissemination to Contractors (NOCON)

90.

In the process of achieving CMMC (Cybersecurity Maturity Model Certification) Level 2 certification, is it a requirement for a contractor to demonstrate compliance with all Level 1 requirements, which consist of the 15 practices outlined in FAR 52.204-21?

  • Yes, contractors must satisfy all Level 1 requirements in addition to Level 2 requirements to earn CMMC Level 2 certification

  • No, Level 2 certification is independent of Level 1, and contractors can pursue Level 2 without addressing Level 1 practices

  • Compliance with Level 1 practices is only necessary for certain CMMC levels, not specifically for Level 2

  • The decision to demonstrate Level 1 compliance is determined by the certification body, not the contractor

The CMMC levels and associated sets of practices across domains are cumulative. More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. For the case in which an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.

91.

What is the maximum age of an assessment that can be submitted per DFARS 252.204-7019?

  • 3 years

  • 1 year

  • 2 years

  • 4 years

DFARS 252.204-7019 Paragraph (b) states assessments must be current (not more than 3 years old unless otherwise specified).

92.

Which of the following activities is NOT prohibited behavior for CMMC Assessors?

  • Fulfilling all commitments as defined in the contract or registration agreement

  • Providing a guarantee of the assessment results

  • Soliciting business from customers either for themselves or their organization

  • None of the above

CoPC practices include professionalism that discourages dishonesty in all dealings, including misrepresenting or exaggerating the services for which you are accredited.

93.

Assets that store, process, or transmit CUI are called?

  • Controlled Unclassified Information (CUI) assets

  • CMMC Assets

  • Security Protection Assets

  • In-scope assets

CUI (Controlled Unclassified Information) assets are those assets which store, process, or transmit CUI. The contractor is required to document such assets in an asset inventory and in system security plans, and they are assessed against CMMC practices.

94.

A USB drive is found in the lobby and it does not have any markings on it to indicate who the owner is. As the IT Manager, you plug the device into your computer to see if you can find the rightful owner. What CMMC security practice have you just violated?

  • MP.L2-3.8.8 Shared Media

  • MP.L2-3.8.7 Removable Media

  • MP.L2-3.8.4 Media Markings

  • MP.L2-3.8.1 Media Protection

Plugging in a USB drive you found lying around can pose several risks:

  • Malware: The drive may contain malware that can infect other computers when plugged in. The malware can also install itself, send malicious instructions, open backdoors, and more.

  • Data loss: The drive may contain sensitive data that could fall into the wrong hands.

  • Targeted hacking: The drive may be used for targeted hacking.

  • Data from the original owner: The drive may contain malware, viruses, or other content from the original owner's computer.

  • USB bomb: The drive may be a USB bomb, which stores enough power to fry your computer if discharged suddenly.

This practice, MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7 by prohibiting unidentified media use even if that media type is allowable.

95.

Three of the following are assessment methods for assessing CUI security requirements under NIST SP 800-171A. Which one is NOT?

  • Describe

  • Examine

  • Interview

  • Test

In NIST Special Publication 800-171A, the assessment methods for assessing CUI requirements include: examine, interview, and test. The assessment methods involve examining documentation, interviewing personnel, and testing the effectiveness of security controls. "Describe" is not one of the primary assessment methods in this context.

96.

The primary purpose of a Certification Assessment Readiness Review (CA-RR) is to:

  • Determine whether the assessment team and OSC are ready to conduct the assessment as planned.

  • Have a budget that can be submitted to the Cyber AB

  • Prevent schedule "drift” during the assessment.

  • Minimize the assessment budget.

The purpose of the Certification Assessment Readiness Review (CA-RR) is to determine whether the Assessment Team and OSC (including Supporting Units and any enclaves) are ready to conduct the Assessment as planned, as well as in the time allocated. 

97.

When a CMMC Third Party Assessment Organization (C3PAO) and Organization Seeking Certification (OSC) agree to proceed with planning a CMMC assessment, the C3PAO reviews the following with the OSC Assessment Official and OSC Point of Contact (POC), EXCEPT?

  • Non-CUI related contracts

  • The assessment objectives

  • Prospective assessment scope

  • Relevant contractual requirements

Upon agreement between the parties (i.e., C3PAO and OSC) to proceed with planning a CMMC Assessment, the C3PAO works with the OSC Assessment Official and the OSC POC to determine the purview and planning details of the Assessment. This will include discussing schedule, size of the organization, personnel, logistics, relevant contractual requirements, and the prospective CMMC Assessment Scope.

98.

Which one of the following is the most significant risk to national security, directly affecting the lethality of our warfighters?

  • Loss of aggregated CUI

  • Loss of ITAR

  • Loss of ECI

  • Loss of EAR

Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI can be viewed as the most significant risk to national security, directly affecting lethality of our warfighters.

99.

Which of the following is not a responsibility of the National Archives and Records Administration (NARA) as the Controlled Unclassified Information (CUI) Executive Agent (EA)?

  • Conduct routine cybersecurity audits of federal agencies

  • Establish management planning framework and associated deadlines for phased implementation.

  • Approve categories and subcategories.

  • Maintain and update the CUI registry

The CUI Executive Agent (EA) is mandated with:

  • Issuing policy, guidance, and other materials to establish and maintain the CUI Program.

  • Reviewing, evaluating, and overseeing agencies' actions to implement the CUI Program.

  • Establishing the management planning framework and associated deadlines for phased implementation.

  • Approving categories and subcategories.

  • Maintaining and updating the CUI Registry.

  • Prescribing standards, procedures, and instructions for oversight and agency self-inspection.

  • Considering and resolving disputes, complaints, and suggestions.

100.

For how long must the Protection and Destruction of Contractor Assessment Materials Template used to verify disposal of assessment artifacts be retained?

  • 3 years

  • 1 year

  • 5 years

  • Permanently

The Protection and Destruction of Contractor Assessment Materials Template can be used to verify disposal of assessment artifacts from all Assessment Team Members. Each assessor's signed document should be kept on record and retained for three (3) years.