Cyber AB CCP Exam Questions
Page 8 of 25
141.
The practices in the CMMC Code of Professional Conduct (CoPC) are mandatory expectations for any member of the CMMC ecosystem. Which of the following is NOT a repercussion of failure to comply with or violating the CoPC practices?
- $1000 fine per violation
- A warning
- Temporary suspension
- Permanent revocation of credentials
Violating the CMMC CoPC practices may result in sanctions, up to and including denial or revocation of a Credential, Registration, or Accreditation. This encompasses a warning, suspension, and permanent revocation.
142.
Evidence collection approach affects the following aspects of the Assessment, EXCEPT?
- Obligations to follow the CoPC
- The ability of the Assessment Team to make accurate judgements
- The overall assessment costs
- The usefulness and accuracy of the Assessment results
The Evidence collection approach is part of the overall Assessment Plan and has implications for the following aspects of the Assessment: ▪ Amount of time and effort expended by the organization in preparing for the Assessment; ▪ Ability of the Assessment Team to make accurate judgments; ▪ Usefulness and accuracy of the Assessment results; and ▪ Overall cost of the Assessment.
143.
All of the following happen during the Assessment kickoff meeting, EXCEPT?
- An OSC elects their RPO or RP
- The Lead Assessor communicates specific information about scheduled events and the locations where they occur
- The Lead Assessor provides an overview of the Assessment process, purpose, schedule, and objectives
- The OSC provides an overview of their organization, their current cybersecurity posture and their cybersecurity program
The Lead Assessor and/or Assessment Team Members shall brief the Assessment process, purpose, schedule, and objectives. The Lead Assessor also communicates specific information about scheduled events and the locations where they will occur. The OSC should also deliver a briefing providing a high-level overview of their company/organization and their cybersecurity program. During this meeting, the OSC Assessment Official or the OSC Point of Contact (POC) should inform all relevant OSC personnel of their role in supporting the Assessment, including those being interviewed and providing Evidence. Any questions, issues, or concerns by either party should be identified, discussed, and resolved as part of this kickoff session. The Lead Assessor shall ensure that official minutes or a detailed meeting summary of the kickoff, including all questions and answers, shall be documented and retained by the C3PAO.
144.
ABC Co. submitted a CMMC Assessment request to a C3PAO on October 27, 2021. How many days later should the C3PAOs respond to ABC Co.'s request?
- 5 Business Days
- 7 Calendar Days
- 7 Business Days
- 5 Calendar Days
Once the request is received, the C3PAO should respond to the OSC within five (5) business days, acknowledging the request and proposing the scheduling of an initial coordination call or virtual meeting.
145.
The Assessment Scope consists of which of the following?
- The CMMC Model Scope and the general scope of the OSC
- The scope of the host unit and the assessment boundary
- The scope of the CMMC Model and the assessment boundary
- The scope of the supporting unit and the general scope of the host unit
The CCA works with the OSC Sponsor to determine the assessment scope, which consists of the CMMC model scope and the general scope of the OSC. The Model scope includes the maturity level targeted to be assessed and achieved. These are defined by the CMMC Model. The CCA works with the Sponsor and/or OSC POC to collect information to define the organizational scope.
146.
As an active Certified CMMC Professional (CCP), is there a platform where I can list my qualifications and promote myself?
- Cyber AB Marketplace
- Cybersecurity Job Boards
- Department of Defense Personnel Directory
- National Cybersecurity Registry
Once you have passed the Certified CMMC Professional (CCP) exam and completed all required steps, such as signing the Code of Professional Conduct, the credential becomes active, and at that point the CCP is listed in the CMMC Marketplace managed by the Cyber AB.
147.
Assets such as Government Property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment are an example of?
- Specialized Assets
- CUI Assets
- Contractor Risk Managed Assets
- Technology assets
Specialized assets may or may not process, store, or transmit CUI and include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment. Where specialized assets are to be assessed, review the SSP in accordance with practice CA.L2-3.12.4 and do not assess against other CMMC practices.
148.
An Inherited practice objective is MET if which of the following exists?
- The enterprise or any other entity like an External Service Provider (ESP) performs the practice objective and shows they are applicable to in-scope assets and that the assessment objectives are met
- Evidence from the entity or enterprise from which the practice objectives are inherited shows they are not applicable to in-scope assets.
- The OSC's CEO attests in writing that the inherited practice objectives have been met.
- The practice objective appears to have been evaluated from the entity or enterprise they were inherited from.
A practice objective that is inherited is MET if adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice objective. An ESP may be external people, technology, or facilities that the contractor uses, including cloud service providers, managed service providers, managed security service providers, and cybersecurity-as-a-service providers. Evidence from the enterprise or the entity from which the objectives are inherited should show they are applicable to in-scope assets and that the assessment objectives are met. For each practice objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited. If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the OSC will receive a NOT MET for the practice.
149.
Can FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems and DFARS clause 252.204-7012 be utilized concurrently in the same solicitation or contract?
- Yes, these clauses can be used together in the same solicitation or contract
- No, these clauses are mutually exclusive and cannot be included in the same solicitation or contract.
- Only one of the clauses can be used, depending on the type of contract
- The use of these clauses together is optional and depends on the contracting officer's discretion
The prescribed use of each of these clauses is not reliant on the inclusion of the other clause. Most solicitations/contracts that include covered defense information will also include information that is not covered defense information, but is Federal contract information that requires protection in accordance with the Basic Safeguarding FAR clause 52.204-21. In addition, it is likely that Federal contract information is being handled by any contractor that is on a defense contract.
150.
What requirement does practice SC.L2-3.13.11 place on protecting CUI both at rest and in transit?
- It requires organizations to ensure that CUI is encrypted using FIPS-validated cryptography.
- It requires organizations to ensure that CUI is always protected with a password.
- It requires organizations to encrypt CUI data using quality applications like BitLocker.
- It requires organizations to always place CUI under lock and key.
FIPS-validated cryptography means the cryptographic module must have been tested and validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to protect CUI when transmitted or stored outside the protected environment of the covered OSA information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered OSA information system, would not need to use FIPS-validated cryptography.
151.
My customer asked me to send technical information that may be International Traffic in Arms Regulation (ITAR) controlled via my work email. What should I do?
- Do not send the information by email. Check first with your manager and confirm the customer is a U.S. citizen and the best way to safeguard the information during transport.
- Send an email notifying your manager and then send the email to the customer. After all, this is a customer you have been working with under contract for a while.
- Send it. If your customer asked for the information then it is okay to send.
- Send it. Your work email is in the Office 365 Commercial environment and provides the necessary protection.
ITAR is a category of information that is part of Export Controlled Information (ECI), which is subject to additional requirements above and beyond CUI handling. ECI includes CUI such as commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and non-proliferation objectives. It includes items on the munitions list; license applications; and sensitive nuclear technology information. It cannot be released to anyone who is not a U.S. person (ITAR's test is "U.S. person", which covers citizens and lawful permanent residents, so citizenship is a sufficient but not the only basis for release).
152.
During the CMMC Certification Assessment Process, Requirements, Scoping, and Analysis of results compiled during Phase 1 (Analyze Requirements) are included in which of the following documents?
- The Assessment Plan
- CMMC Intake Form
- Rough Order of Magnitude
- CMMC Model Scope
The Assessment plan must contain the requirements, agreements, risks, COI, tailoring, and logistics for all Phases of the Assessment. Based on the scope, requirements, and initial ROM estimate, the Assessment plan must be kept up to date throughout Phase 1. In addition, the final plan is submitted using the Pre-Assessment Template at the end of Phase 1 into CMMC eMASS.
153.
Which of the following is NOT recommended as a process for sanitizing magnetic media containing CUI before disposal or reuse?
- Format the magnetic media, and reuse, or sell to an accessories store.
- Overwrite media by using organizationally approved software and perform verification on the overwritten data.
- Incinerate floppy disks and diskettes by burning in a licensed incinerator or shred.
- Degauss in an organizationally approved degausser rated at a minimum for the media
NIST SP 800-88 offers guidelines for media sanitization. It outlines methods to clear, purge, and destroy media holding CUI. Formatting magnetic media or hard drives does not guarantee the data cannot be retrieved using data recovery tools (Table A-5, NIST SP 800-88 Rev. 1).
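As an added example (not code from the exam page) of the overwrite-and-verify approach the correct option describes, the following Python 3 script performs multiple overwrite passes over a target and then reads the whole target back to verify the final pattern, which is the evidence an assessor would want to see. It assumes a POSIX host; the real target would be a raw device path such as /dev/sdX opened as root, but demo() uses a constructed temporary file seeded with a fake CUI marker as a stand-in so it runs offline:

```python
"""Overwrite-and-verify (NIST SP 800-88 Rev. 1 "Clear") for magnetic media.

Added example, not code from the exam page. Assumptions: Python 3.7+ on a
POSIX host; the target is a raw block device such as /dev/sdX opened with
write access (root), or, as in demo() below, a constructed temporary file
standing in for that device.
"""
from __future__ import annotations

import os
import secrets
import tempfile
from typing import Optional

BLOCK = 1024 * 1024  # bytes per write/read call


def _write_all(fd: int, buf: bytes) -> None:
    """os.write may return short on some targets; loop until everything is written."""
    view = memoryview(buf)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def _overwrite_pass(fd: int, size: int, pattern: Optional[bytes]) -> None:
    """One full pass over the target: a fixed byte pattern, or random data when
    pattern is None. fsync so the data reaches the media before verification."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(BLOCK, remaining)
        _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    os.fsync(fd)


def _verify_pass(fd: int, size: int, pattern: bytes) -> int:
    """Read the whole target back and count bytes that differ from the final
    pattern. Cached pages are dropped first (Linux) so the read reflects the
    media rather than the page cache; elsewhere the hint is simply skipped."""
    if hasattr(os, "posix_fadvise"):
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
    os.lseek(fd, 0, os.SEEK_SET)
    mismatched, remaining = 0, size
    while remaining > 0:
        n = min(BLOCK, remaining)
        got = os.read(fd, n)
        if len(got) != n:
            raise IOError(f"short read: wanted {n}, got {len(got)}")
        want = pattern * n
        if got != want:
            mismatched += sum(1 for a, b in zip(got, want) if a != b)
        remaining -= n
    return mismatched


def sanitize_and_verify(path: str, passes=(b"\x00", None, b"\xff")) -> dict:
    """Overwrite `path` with each pass in order, then verify the last one.
    The final pass must be a fixed pattern: a random last pass cannot be
    verified without storing the random stream. Returns a small report;
    'mismatched_bytes' == 0 is the verification result to record as evidence."""
    if passes[-1] is None:
        raise ValueError("final pass must be a fixed pattern so it can be verified")
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        for pat in passes:
            _overwrite_pass(fd, size, pat)
        bad = _verify_pass(fd, size, passes[-1])
    finally:
        os.close(fd)
    return {"bytes": size, "passes": len(passes), "mismatched_bytes": bad}


def demo() -> dict:
    """Constructed stand-in for a disk: a temp file seeded with a fake CUI
    marker, sanitized, then checked for the marker and the verify result."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"CUI//SP-CTI constructed sample record 0001\n" * 2048)
    os.close(fd)
    try:
        report = sanitize_and_verify(path)
        with open(path, "rb") as f:
            report["marker_remaining"] = b"CUI//" in f.read()
        return report
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The distractor option (formatting) never touches the data blocks at all, which is why recovery tools still find the content; the overwrite passes above do, and the read-back is what turns "we ran a tool" into verifiable evidence. The same approach is not sufficient for SSDs or other flash media, where wear levelling can leave copies the host cannot address; SP 800-88 points to the drive's own sanitize/crypto-erase commands or physical destruction for those.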
154.
It is assumed that any information generated for the government is Federal Contract Information (FCI) unless it is explicitly marked as which of the following?
- "Intended for public release"
- Top Secret
- Not Sensitive Data
- Sensitive Data
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.
155.
Which of the following is not true about the Confidentiality principle of the CMMC Code of Professional Conduct (CoPC)?
- If revealing the confidential customer or government data is beneficial to an entity or member of the CMMC ecosystem, or to an OSC's compliance efforts, the entity is authorized to release it.
- Members of the CMMC ecosystem should treat confidential information with utmost care
- Entities and individuals within the CMMC ecosystem should ensure the confidentiality of government and customer data.
- CMMC ecosystem members should never reveal information learned during the delivery of a CMMC service to any entity unless that entity is expressly authorized to view it
The CMMC ecosystem members should maintain the confidentiality of customer and government data. They should treat confidential information with the utmost care, and under no circumstances reveal whatever they learn during the delivery of CMMC services to anyone who is not expressly authorized to view it.
156.
An assessment plan contains all the following, EXCEPT?
- The DoD manuals and directives the OSC will be assessed against.
- Conflict of interest statements for all phases of the Assessment
- Risks identified for all phases of the Assessment
- Logistics and agreements used in all phases of the assessment
The Assessment plan must contain the requirements, agreements, risks, COI, tailoring, and logistics for all Phases of the Assessment.
157.
_______ ________ ________ and other protections are used to monitor, control and protect the flow of data passing between internal and external environments.
- Firewalls, web proxies, gateways
- Firewalls, security guards, web proxies
- Firewalls, security guards, gateways
- Security guards, gateways, web proxies
Communications should be monitored and protected at system boundaries. Firewalls, web proxies, and gateways are all examples of protections that can be used to monitor, control, and protect the flow of data passing between internal and external environments. Security guards are an example of physical protection, not a boundary protection for data flows.
158.
As per the CMMC Assessment guide, ‘Mechanisms’ are a type of Assessment Object that refer to:
- The hardware, software, or firmware safeguards employed within a system
- The document-based artifacts
- The specific procedures that describe system configuration
- The protection-related physical devices implemented
Assessment Objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans). Mechanisms are the hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people, and Individuals are the people applying the specifications, mechanisms, or activities.
159.
When conducting interviews, a Lead Assessor or Assessment Team should do all of the following, except:
- Video record the interviews to share with the OSC POC and Assessment Team during the next Daily Check Point.
- Take steps to ensure and verify that confidentiality and non-attribution are addressed for interviewees, so that they can speak openly without fear or concern about retribution.
- Ask questions of OSC staff to get clarity and understanding of practice or process implementation, and then review or verify any corresponding artifacts and record the answers received in the form of notes.
- Map responses from interviewees to CMMC practices to aid in determining and supporting the rating of that practice.
During the interview session, the Lead Assessor and, if applicable, the Assessment Team use the following communication skills to interview: 1. Take steps to ensure and verify that confidentiality and non-attribution are addressed for interviewees so that they can speak openly without fear or concern about retribution from any member of the OSC; 2. Ask questions of OSC staff to get clarity and understanding of practice implementation, then review or verify any corresponding artifacts to determine CMMC practice implementation and record the answers in the form of notes; and 3. Map responses from interviewees to CMMC model practices to aid in determining and supporting the rating of that practice. Recording interviews is not part of this process; the record is the Assessment Team's notes.
160.
If a contractor is aggrieved about the findings of an assessment, how long do they have to file a rebuttal under DFARS Clause 252.204-7020?
- 14 business days
- 10 business days
- 30 business days
- 7 business days
Paragraph (e)(2) of the DFARS 252.204-7020 states "Upon completion of each assessment, the contractor has 14 business days to provide additional information to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question.”