Cyber AB CCP Exam Questions

Page 7 of 25

121.

What two NIST 800-171 Rev 2 domains are concerned with a user connecting to the system and its environment of operation?

  • Access Control and Identification & Authentication

  • System and Communication Protection and Identification & Authentication

  • Access Control and Personnel Security

  • System and Communication Protection and Personnel Security

NIST SP 800-171 Revision 2 has 110 security requirements organized within 14 families of controls, also known as domains. The 14 control families are:

  1) Access Control

  2) Awareness and Training

  3) Audit and Accountability

  4) Configuration Management

  5) Identification and Authentication

  6) Incident Response

  7) Maintenance

  8) Media Protection

  9) Personnel Security

  10) Physical Protection

  11) Risk Assessment

  12) Security Assessment

  13) System and Communications Protection

  14) System and Information Integrity

122.

Is CMMC 2.0 different from version 1.0? If so, what are the key differences?

  • Yes, CMMC 2.0 introduces a risk-based approach and focuses on the most critical requirements

  • Yes, CMMC 2.0 introduces a new set of assessment practices and eliminates all practices from version 1.0

  • No, CMMC 2.0 retains the same practices and framework as version 1.0.

  • Yes, CMMC 2.0 places a stronger emphasis on physical security practices

CMMC 2.0 aims to streamline the original assessment framework while lowering costs and simplifying its implementation, with the following key changes:

  • Reducing the number of certification levels from five to three

  • Removing maturity processes and CMMC-unique practices

  • Aligning Advanced/Level 2 requirements with National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) controls

  • Basing Expert/Level 3 requirements on a subset of NIST SP 800-172

  • Allowing the use of time-limited plans of action and milestones (POA&Ms) and waivers

123.

How does the Federal Risk and Authorization Management Program (FedRAMP) differ from Federal Information Security Modernization Act (FISMA) in terms of authorization requirements?

  • FedRAMP authorizations are broader and qualify CSPs for business with multiple agencies.

  • FedRAMP authorizations are more rigorous and require multiple certifications.

  • FedRAMP authorizations are agency-specific, while FISMA requires a single certification.

  • FISMA authorizations are more far-reaching and qualify CSPs for business with any federal agency.

A FedRAMP Authorization to Operate (ATO) qualifies a Cloud Service Provider (CSP) to do business with any federal agency, unlike FISMA, which requires organizations to seek an ATO from each individual federal agency.

124.

The following CMMC Practices should NOT be placed on a limited practice deficiency correction program EXCEPT?

  • Any practice that changes and/or limits the effectiveness of another practice that has been scored as "NOT MET".

  • Practices that could lead to significant exploitation of the network or exfiltration of CUI

  • Any practice(s) listed on the OSC's Self-Assessment Practice Deficiency Tracker

  • Practices that were not implemented by the OSC prior to the current CMMC Assessment

The practices below should not be added to the limited practice deficiency correction program:

  1) Practices that could lead to significant exploitation of the network or exfiltration of CUI are excluded

  2) Any practice(s) listed on the OSC's Self-Assessment Practice Deficiency Tracker

  3) Practices that were not implemented prior to the CMMC Assessment

  4) Any practice that changes and/or limits the effectiveness of another practice that has been scored "MET"

125.

What organization is responsible for reviewing agency Controlled Unclassified Information (CUI) training materials to ensure consistency and compliance with Executive Order 13556, 32 CFR part 2002, and the CUI Registry?

  • The CUI Executive Agent (EA)

  • The Authorized Holder

  • The CUI Senior Agency Official (SAO)

  • The Agency Head

32 CFR 2002.30(d) designates the CUI EA as the agency responsible for reviewing agency training materials to ensure compliance and consistency with CUI regulations. This includes verifying that agency training materials align with the requirements set forth in 32 CFR Part 2002, which governs the handling and protection of CUI.

126.

An authorized holder defined under 32 CFR 2002.4(d) can do all of the following, EXCEPT?

  • Give clearance to unauthorized users to handle, disseminate, or store CUI

  • Remove safeguarding or dissemination controls from CUI that no longer requires such controls

  • Designate information as CUI

  • Provide access, transmit, or transfer CUI to other authorized holders

32 CFR 2002.4(v), 32 CFR 2002.4(t), and 32 CFR 2002.4(s) set out the responsibilities of an authorized holder with respect to Controlled Unclassified Information (CUI). Whenever information is designated as CUI, the authorized holder cannot give clearance to unauthorized holders to handle it in any capacity. Unauthorized access to or dissemination of CUI would be a violation of CUI handling regulations.

127.

What process allows organizations to limit the scope of CMMC requirements by isolating designated system components in a separate CUI security domain?

  • Logical separation

  • Physical separation

  • Segmentation

  • Decentralization

Logical separation occurs when an asset is physically (wired or wirelessly) connected to another asset or set of assets, but software configuration prevents data from flowing along the physical connection path (for example, within a network system). This allows an organization to isolate CUI components and limit scope.

128.

Which of the following applies if a member of the CMMC ecosystem witnesses a violation of the Code of Professional Conduct (CoPC)?

  • They should report ethical violations, misconduct, or professional breaches to the CMMC Accreditation Body within 30 days, regardless of whether they try to personally resolve the situation or not

  • They should report to the Department of Justice's False Claims Act team for the violating party to be arrested

  • They should escalate the issue to the International Standards Organization (ISO), for there to be an investigation

  • They should talk with the violating party and settle the underlying issues

If a member of the CMMC ecosystem witnesses a violation of the Code of Professional Conduct (CoPC), they should not just try to settle the issue privately with the violating party. According to the CoPC, individuals who participate in the CMMC ecosystem have an obligation to report ethical violations, misconduct, or professional breaches to the CMMC Accreditation Body within 30 days, regardless of whether they try to personally resolve the situation. Violations of the CoPC can undermine the integrity and trustworthiness of the entire CMMC framework, so handling them as internal matters between two parties is insufficient. Formal reporting enables oversight bodies to conduct proper investigations and enforce standards consistently across the ecosystem. Trying to quietly settle CoPC violations without external awareness risks enabling unethical or unprofessional actions to continue. For the good of the ecosystem, violations must be reported.

129.

The investigation of a violation may result in findings and recommendations for ________.

  • Corrective Action

  • The C3PAO

  • Certification

  • A Different Maturity Level

Corrective action is taken depending on the nature of the violation and the applicable policies. The investigation addresses the issue and deters it from recurring. Corrective actions may include remedial action or revocation of license.

130.

A final, detailed Scope of a Level 2 Assessment is determined by the:

  • The Lead Assessor

  • The C3PAO

  • The OSC Point of Contact (POC)

  • The OSC Official

Determining the proper and accurate CMMC Assessment Scope is essential for conducting a valid Assessment. The OSC has the initial responsibility to establish the CMMC Assessment Scope of its networked environment, including identifying and taking inventory of the various categories of assets contained therein that will be the subject of the CMMC Assessment. For guidance on how to conduct this scoping, refer to the Department of Defense's CMMC Assessment Scope - Level 2, December 2021. The OSC presents the CMMC Assessment Scope to the Lead Assessor, who then verifies its accuracy and integrity. To support understanding and interpretation of the CMMC Assessment Scope, the OSC must also provide the Lead Assessor with supporting documentation, such as network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.

131.

Upon analysis of all the collected information and discussions conducted during Phase 1, the Lead Assessor can arrive at one of four possible determinations, one of which is cancelling the assessment. What factors can result in cancellation of the Assessment?

  • Insurmountable factors such as a conflict of interest that cannot be mitigated, a failure to arrive at contract terms between the C3PAO and OSC.

  • The OSC has not met all the preparedness requirements.

  • Compromise of the OSC's proprietary information by the C3PAO.

  • The Lead Assessor has chosen too many Assessment Team members.

The Assessment can be cancelled because of insurmountable factors, such as a conflict of interest that cannot be mitigated or a failure to arrive at contract terms between the C3PAO and the OSC.

132.

This regulation requires DIB suppliers to implement a set of basic security controls from NIST SP 800-171 for contractor information systems upon which this information resides, and specifies cyber incident reporting.

  • DFARS 252.204-7012

  • FAR 52.204-21

  • Federal Risk and Authorization Management Program (FedRAMP)

  • Federal Information Security Modernization Act (FISMA)

DFARS 252.204-7012 requires DIB suppliers to implement a set of basic security controls from NIST SP 800-171 for contractor information systems upon which this information resides, and specifies cyber incident reporting.

133.

Which of the following is NOT true about security boundaries?

  • A limited boundary can help an organization complete the assessment faster

  • Too limited boundaries lead to managing more systems separately, increasing the organization's assessment and cybersecurity costs.

  • Too expansive or unnecessarily complex boundaries make the assessment process unwieldy and complex.

  • Expanded boundaries may even decrease the level of detail of overall testing or protection for the system due to insufficient funding to cover the entire system.

Too limited boundaries increase the number of systems that must be managed separately, which inflates assessment and cybersecurity costs and adds complexity. Expanded boundaries can also decrease the level of detail in testing or protection due to insufficient funding to cover the entire system.

134.

What is the primary purpose of the Federal Risk and Authorization Management Program (FedRAMP) in relation to the federal government's cloud adoption strategy?

  • To promote and streamline the adoption of secure cloud services by federal agencies.

  • To standardize cybersecurity requirements for all government agencies.

  • To simplify the authorization process for cloud providers.

  • To regulate the use of commercial cloud services by federal agencies.

FedRAMP's mission is, among other things, to streamline and promote the adoption of secure cloud services throughout the federal government, provide a standard approach to security and risk assessment for cloud technologies across federal agencies, and empower agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

135.

A CMMC implementation consultant has been asked to conduct a certified assessment. Which of the following should the consultant do?

  • Decline the assignment

  • Accept the assignment

  • Provide a disclaimer to management before accepting the audit

  • None of the above

Under no circumstances are credentialed or registered individuals permitted to conduct a certified assessment, or participate on a certified assessment team, if they have also served as a consultant to prepare the organization for that assessment. Consulting is defined as "providing direct assistance to the creation of processes, training, and technology required to meet the intent of CMMC controls and processes."

136.

When an agency re-uses information from legacy documents that qualifies as Controlled Unclassified Information (CUI) in a new document, do they have to designate the new document as CUI and mark it accordingly?

  • Yes, the new document should be designated as CUI and marked accordingly if it contains qualifying information.

  • No, designation and markings are optional for the new document

  • No, re-used information does not need to be designated as CUI in the new document

  • No, only the legacy documents need to be marked as CUI, not the new document

Per 32 CFR 2002.36(c), when the agency re-uses any information from legacy documents that qualifies as CUI, whether the documents have obsolete control markings or not, the agency must designate the newly created document (or other re-use) as CUI and mark it accordingly.

137.

FCI is data _______ public release.

  • Not intended for

  • Specifically classified for

  • That needs written authorization from the DoD prior to

  • That is protected for 18 months prior to

Federal Contract Information (FCI) is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.

138.

An Organization Seeking Certification (OSC) can find a Certified Third-Party Assessment Organization (C3PAO):

  • Using the Marketplace on the Cyber AB's website

  • Using a Google Search

  • Using the DoD website

  • Using LinkedIn

An Organization Seeking Certification generally initiates the engagement for a CMMC Assessment by contacting an authorized C3PAO. The updated registry of authorized C3PAOs in good standing is maintained on the CMMC Marketplace website administered by the Cyber AB. The initial contact from the OSC can be made via the CMMC Marketplace's online intake form or by direct email or phone call to the C3PAO.

139.

A CCP working on a Level 2 Assessment should be able to do the following, EXCEPT?

  • Advise the OSC in its preparations to ensure they can pass an assessment.

  • Assist in generating final Assessment results

  • Maintain awareness of the CMMC POA&M Process

  • Assist in developing the Assessment plan

A CCP working on a Level 2 assessment must have the ability and understanding to assist throughout the four Assessment phases. In the first phase (Plan and Prepare Assessment), they should be able to help analyze requirements, develop the Assessment plan, and verify readiness. In the second phase (Conduct Assessment), they should help in gathering and reviewing evidence, scoring practices, validating preliminary results, and generating final outcomes. During the third phase (Report Recommended Assessment Results), the CCP should assist in communicating the recommended findings. Finally, in the fourth phase (Close-Out POA&Ms and Assessment), the CCP should maintain awareness of the CMMC POA&M process.

140.

Which of the following designations is not permitted by the Cyber AB to participate in a CMMC certification assessment?

  • Registered Practitioner

  • Certified CMMC Professional

  • Certified CMMC Assessor

  • Provisional Assessor

Registered Practitioners (RPs) are the "implementers" and consultants in the CMMC ecosystem. They do not participate in Certified CMMC Assessments as "Assessment Team Members." RPs deliver a non-certified advisory service informed by basic training on the CMMC standard. By contrast, a Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA) delivers advice based on rigorous training on what is and is not acceptable during an actual CMMC Certified Assessment. RPs are consultants, employed by or through RPOs, who help OSCs design and implement practices and create processes and process documentation consistent with the CMMC requirements. RPs are authorized to represent themselves as familiar with the basic constructs of the CMMC Standard, using a Cyber AB-provided logo.