Cyber AB CCP Exam Questions
Page 9 of 25
161. FIPS validated encryption (CMMC Practice SC.L2-3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but it is not FIPS-validated, how many points are subtracted from the score of 110?
- 3 points
- 5 points
- 1 point
- 2 points
FIPS validated encryption (CMMC Practice SC.L2-3.13.11) is required to protect the confidentiality of CUI. If encryption is employed but is not FIPS validated, 3 points are subtracted from the score of 110; if encryption is not employed, 5 points are subtracted from the score of 110. FIPS is the only partial-credit practice.
162. Controlled Unclassified Information (CUI) includes information traditionally marked as:
- For Official Use Only (FOUO)
- Classified
- International Traffic in Arms Regulations (ITAR)
- Uncontrolled
U//FOUO is a legacy marking that indicates sensitivity based on agency policy or practice. CUI is a marking that indicates the presence of CUI Basic information. CUI is an umbrella term for all information that is controlled but not classified SECRET or higher. Therefore, all FOUO is CUI, but not all CUI is FOUO. CUI will replace agency-specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data. However, not every Executive branch agency has implemented CUI, so you may still receive documents marked as FOUO. Information previously marked as FOUO does not need to be re-marked as long as it remains under DoD control or is accessed online and downloaded for use within the DoD.
163. What is the primary requirement of 48 CFR § 52.204-21 - FAR (Federal Acquisition Regulation) regarding Federal Contract Information (FCI)?
- Contractors are required to apply basic safeguards and comply with the law
- Reporting security incidents to the Department of Defense
- Implementing advanced cybersecurity measures
- Encrypting all FCI data
48 CFR § 52.204-21 requires that contractors apply basic safeguards and remain compliant with the law, and it sets out the responsibilities of contractors when delegating contract work to subcontractors.
164. Who is responsible for defining the Assessment scope before a CMMC Assessment?
- The Organization Seeking Certification (OSC)
- The C3PAO
- The OSC PoC
- The Lead Assessor
Before a CMMC assessment, the OSC should define the scope of the assessment, which represents the boundary for which the CMMC certificate will be issued.
165. Which of the following is not a component of a Systems Security Plan (SSP)?
- Risk Appetite
- Roles & Responsibilities for security management
- Security controls implementation
- Laws, Regulations, Policies, and Directives
According to NIST Interagency Report (IR) 8286, Risk Appetite is defined as the broad-based amount of risk an enterprise is willing to accept in pursuit of its mission/vision. On the other hand, NIST SP 800-18 Rev 1 defines a System Security Plan as a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.
166. Which of the following would most effectively reduce social engineering incidents?
- Security Awareness Training
- Increased physical security measures
- Email monitoring policy
- Intrusion detection system
Security awareness training is considered one of the most effective ways to reduce social engineering attacks because it focuses on educating individuals within an organization about the various tactics used by attackers and how to recognize and respond to potential threats.
167. The CMMC Third Party Assessment Organization (C3PAO) is supposed to consider the following when assigning the Lead Assessor, except?
- The relationship between the Lead Assessor and selected OSC Assessment Official
- The experience and skills of the Lead Assessor
- The geographical locations of the Assessment Assets
- The Lead Assessor's familiarity with the OSC's lines of business
The C3PAO should consider the Lead Assessor's credentials, the aspirational CMMC Certification level of the OSC, the skills and experience of the Lead Assessor, the geographical location(s) of the Assessment, the Lead Assessor's familiarity with the OSC's lines of business, and other factors to align and assign an available Lead Assessor.
168. What is the primary result of a self-assessment?
- A Self-Assessment report
- A Supplier Performance Risk System (SPRS) Score
- A CMMC certification
- A Plan of Action & Milestones (POA&M)
The primary result of a self-assessment is a self-assessment report, which contains the findings associated with the self-assessment.
169. Which practice in the Security Assessment domain requires Organizations Seeking Certification (OSCs) to reassess existing controls at periodic intervals in order to validate their usefulness in organizational systems and to keep up with the constantly changing security landscape?
- CA.L2-3.12.1
- CA.L2-3.12.2
- CA.L2-3.12.3
- CA.L2-3.12.4
This practice, CA.L2-3.12.1, requires organizations to periodically assess the security controls in organizational systems to determine if the controls are effective in their application. It determines whether security controls are implemented properly, and promotes the effective security assessments of organizational systems required by CA.L2-3.12.3.
170. Before starting the assessment, the Lead Assessor and the Assessment Team hold a Kickoff Meeting. Which of the following groups or individuals will not be a part of this meeting?
- All members of the OSC
- The OSC Assessment Official
- The OSC Point of Contact
- Assessment Team Members
The attendees of the Kickoff Meeting should include, but are not limited to, the Lead Assessor, the OSC Assessment Official, the OSC POC, the Assessment Team Members, and all members of the OSC who will be participating in the Assessment.
171. How often should a DoD contractor renew their CMMC certification as per the guidance provided in DFARS 252.204-7021?
- Every 3 years
- Every year
- Every 2 years
- Only when significant changes are made.
The Contractor shall have a current (i.e., not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
172. What agency has the authority to impose civil penalties for violations of the Export Administration Regulations (EAR)?
- The Department of Commerce
- The Department of Justice
- The Department of State
- The Department of Defense
The Commerce Department's Bureau of Industry and Security enforces EAR rules and imposes penalties.
173. In the context of CMMC (Cybersecurity Maturity Model Certification), can another organization be categorized as an organizational asset?
- Yes, another organization can be considered as an organizational asset within the CMMC framework.
- The categorization of other organizations as organizational assets depends on the specific requirements of the CMMC assessment.
- The decision to categorize another organization as an organizational asset is solely determined by the certification body overseeing the CMMC assessment.
- No, organizational assets are limited to the internal components of the assessed organization, and other organizations are not categorized as such.
An organizational asset is defined as anything that has value to an organization, including, but not limited to: another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software, virtual computing platform, and related hardware.
174. In which of the following processes is a Certification Assessment – Readiness Review (CARR) conducted?
- Plan and Prepare
- CMMC Plans of Action and Milestones (POA&M) Close-Out Assessment
- Report Recommended Assessment Results
- Conduct the Assessment
In Phase 1 - Plan and Prepare the Assessment, the Lead Assessor works with the OSC Assessment Official to identify the outputs for the Assessment, which include:
- Initial rough-order-of-magnitude (ROM) cost estimate that is based on the Assessment scope;
- Assessment Plan and schedule (demonstrating how the requirements in this process have been implemented);
- Certification Assessment Readiness Review (CA-RR) results; and more.
175. ABC Corp has been awarded a new government contract that includes DFARS clause 252.204-7021 on Cybersecurity Maturity Model Certification as a requirement. As the contracting officer for ABC Corp, you need to ensure compliance with this clause for any subcontracts issued under the contract. While reviewing the clause language, you come across the following requirement: "The Contractor shall— (1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services, excluding commercially available off-the-shelf items." What action must the contracting officer for ABC Corp take regarding clause 252.204-7021 on Cybersecurity Maturity Model Certification Requirements for subcontracts issued under the new government contract?
- Comply with the clause for subcontracts, ensuring the requirement is flowed down to subcontractors based on the type of information they handle.
- The specific requirement in the clause for subcontracts is not provided.
- The contracting officer should seek a waiver from compliance for subcontracts.
- Ignore the clause for subcontracts as it only applies to the prime contractor.
DFARS Clause 252.204-7021 requires contractors to insert the substance of the clause, including the specified paragraph, in all subcontracts and other contractual instruments, flow the requirement down to all subcontractors, and monitor to ensure compliance.
176. How frequently must Level 2 contractors handling CUI be assessed?
- Triennially
- Bi-annually
- Quarterly
- Annually
DoD contractors handling CUI must be certified at Level 2 by a third-party assessment organization triennially.
177. Which of the following should be considered when defining the CMMC Assessment Scope?
- The target CMMC Level certification
- The customer HQ unit
- The storage location for intellectual property
- The process for vetting personnel
The Organization Unit includes the Legal Entity that will be delivering services or products under the terms of the contract. Additionally, the OSC determines scope based on the type of contract information, the FCI/CUI location, and the target CMMC Maturity Level certification.
178. Most data breaches are caused by:
- Insiders
- Nation State Actors
- Ransomware Hackers
- Credit Card Scammers
Insider threat is a huge concern for organizations, as employees pose one of the largest risks to the security of data and information. Approximately 60% of data breaches occur from inside companies, which is why organizations need to create a cyber-aware culture through regular cybersecurity awareness and training.
179. When can a Lead Assessor recommend an Organization Seeking Certification (OSC) for final CMMC Level 2 Certification and close out the assessment?
- When all deficiencies on the Limited Practice Deficiency Correction Program are resolved and practice scores result in a score of "Met"
- When the OSC corrects over 90% of practice deficiencies
- When the OSC appeals the assessment findings related to deficiencies
- When the POA&M close-out assessment cannot be performed
If all practices on the Limited Practice Deficiency Correction Program result in a score of "MET," the Lead Assessor will close out the Assessment using the steps in Phase 3. The Lead Assessor shall then recommend the OSC be granted a Final CMMC Level 2 Certification.
180. What will happen if the offeror or contractor does not have a current CMMC certification after the required date?
- Contracting officers will not award or exercise an option on a contract.
- The contractor will receive an extension to obtain certification
- The contractor will be given a grace period of one year to obtain certification
- Contracting officers will make an award after the contractor pays a prescribed fee
Contracting officers will not award contracts or exercise options if the offeror or contractor lacks a current CMMC certification.