Cyber AB CCP Exam Questions
Page 3 of 25
41.
In terms of CoPC violations, an appeal against Cyber AB corrective actions may be filed within how many days?
- 30 days
- 60 days
- 90 days
- 15 days
If you have been subject to a corrective action and wish to appeal the outcome with the Cyber AB, you may request a review within 30 days of the termination notice.
42.
Who has access to the Department of Defense (DoD) Controlled Unclassified Information (CUI) registry?
- Access to the DoD CUI registry is available to the public.
- Only contractors working on DoD projects have access to the CUI registry
- Any member of the DoD has unrestricted access to the CUI registry
- Access to the DoD CUI registry is restricted to specific personnel within the DoD
Access to the DoD CUI Registry is available to the public.
43.
Which of the following actions would be considered a violation of the Code of Professional Conduct (CoPC) for Certified CMMC Professionals (CCPs)?
- Soliciting business based on promises of guaranteed certification outcomes
- Maintaining confidentiality of assessment results and findings
- Continuing professional development and staying current with CMMC requirements
- Disclosing any conflicts of interest before starting an assessment
Correct answer: Soliciting business based on promises of guaranteed certification outcomes
The Code of Professional Conduct for Certified CMMC Professionals outlines ethical guidelines and standards of behavior expected from professionals involved in the CMMC assessment and certification process. Key points include:
- Maintaining Confidentiality: Professionals must protect the confidentiality of assessment results and findings.
- No Guarantees: It is unethical and a violation to promise guaranteed certification outcomes to solicit business.
- Professional Development: Professionals should engage in continuous learning and stay updated with the latest CMMC requirements.
- Conflict of Interest: It is important to disclose any potential conflicts of interest before beginning an assessment to ensure impartiality.
Soliciting business by guaranteeing certification outcomes undermines the integrity and objectivity of the assessment process, thus violating the Code of Professional Conduct.
44.
Which of the following organizations reserves the right to investigate CMMC Credentialed, Registered, and Accredited persons or entities for potential violations arising from unusual behavior?
- The Cyber AB
- The CAICO
- The DoD
- The ISO/IEC
The Cyber AB monitors the CMMC-related activity of all CMMC Credentialed, Registered, and Accredited roles and reserves the right to investigate any potential violations that arise from unusual behavior.
45.
Which act amended and renamed the 2002 Federal Information Security Management Act (FISMA)?
- The Federal Information Security Modernization Act of 2014
- 2014 Federal Civilian Agencies Act
- 48 CFR § 52.204-21 Federal Acquisition Regulation
- 2002 Federal Contract Information Act
The Federal Information Security Management Act (FISMA) of 2002 was amended and renamed the Federal Information Security Modernization Act (FISMA) in 2014 to address evolving cybersecurity challenges and to modernize federal information security management practices. The shift from "Management" to "Modernization" in FISMA's title reflects a broader shift in focus from compliance and static security measures to a more dynamic, risk-based, and technologically up-to-date approach to cybersecurity within the federal government.
46.
Controls to protect CUI data fall into four major categories – Physical, Network, Session, and Infrastructure. The main objective of these four categories is to ensure CUI data maintains which of the following?
- Confidentiality, Integrity, and Availability
- Integrity and Sensitivity
- Confidentiality and Availability
- Objectivity and Availability
The security requirements in 800-171 protect the confidentiality of CUI, while the enhanced security requirements in 800-172 address confidentiality, integrity, and availability protection of Controlled Unclassified Information (CUI) associated with critical programs or high value assets from the advanced persistent threat (APT).
47.
AC.L2-3.1.11 requires that user sessions are _______ terminated after a defined condition.
- Automatically
- Manually
- Periodically
- Permanently
AC.L2-3.1.11 requires that user sessions are automatically terminated after a defined condition (e.g., 2 hours of inactivity). If there is no automatic termination of user sessions, an unauthorized user could take advantage of an unattended session.
48.
MECA is a small-sized analytics firm that cleans, aggregates, analyzes, and maintains datasets that DoD uses for Artificial Intelligence training. MECA uses an External Service Provider (ESP) that provides Identity and Access Management (IAM) solutions. While the ESP may be separated logically and process no CUI, the IAM contributes to meeting the CMMC practice requirements. a) What type of Asset is the IAM solution? b) What are the obligations of the Contractor with respect to the Asset?
- It is a security protection asset, and must be documented in the asset inventory, System Security Plan (SSP), and the network diagram of the CMMC Assessment Scope
- It is a CUI asset, and must be documented in the asset inventory, the System Security Plan (SSP), and the network diagram of the CMMC Assessment Scope
- It is a security protection asset, and must be assessed against CMMC practices
- It is a contractor risk managed asset, and must be documented in the asset inventory and System Security Plan (SSP), to show these assets are managed using the contractor's risk-based security policies, procedures, and practices
Since the IAM provides security functions or capabilities to the Contractor's CMMC Assessment Scope, it is a security protection asset. The Contractor must document the IAM in the asset inventory, System Security Plan (SSP), and the network diagram of the CMMC Assessment Scope. The IAM solution should also be prepared to be assessed against CMMC practices.
49.
Which of the following individuals/entities has the responsibility to validate that Assessment Team Members are aware of assessment scope, method, plan and tools?
- The Lead Assessor
- The OSC
- The POC
- The C3PAO
The CCA, Certified CMMC Assessor, works with the Sponsor and/or OSC POC to collect information to define the organizational scope. This consists of the organization, host unit, supporting units and any enclaves in scope that will provide Evidence of their CMMC process implementation. This information is captured in the CMMC Intake Form. The CCA continues to work with the OSC Sponsor and/or POC to determine the details on model, assessment, organizational, and contractual boundaries and scope. Thus, the CCA verifies that assessment team members are familiar with the assessment scope, method, plan, and tools.
50.
What would be the most effective control for enforcing accountability among database users accessing sensitive information?
- Implement a log management process
- Separate database and application servers
- Use table views to access sensitive data
- Implement two-factor authentication
Organizations are required to control access to organization facilities and devices. Locked doors and the physical limitation of access to the organization's data servers, backup devices, etc. prevent information from being stolen, accessed, and destroyed. If the organization is using an offsite cloud-based service (such as AWS), look to the CSLA (Cloud Service Level Agreement) for specific actions and measures. Additionally, audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. NIST SP 800-92 provides guidance on security log management. Contractors must ensure that all applicable systems create and retain audit logs that contain enough information to identify and investigate potentially unlawful or unauthorized system activity. Contractors must define the audit logs they need to collect as well as the specific events to capture within the selected logs. Captured audit records are checked to verify that they contain the required events. CMMC Practice # AU.L2-3.3.1 – System Auditing provides more details on this requirement.
51.
Is it mandatory for the Organization Seeking Certification's (OSC's) Point of Contact (OSC POC) to be an employee of the organization being assessed?
- No, the OSC POC can be an external consultant hired for the assessment
- Yes, it is a requirement specified by the CMMC standards
- It depends on the size of the organization
- The requirement is optional and can be decided by the organization
The OSC POC is an individual within the OSC who provides daily coordination and liaison support between the OSC and the Assessment Team. The OSC POC does not necessarily have to be an employee of the organization that is being assessed, but rather could be a contractor, consultant, or advisor like a CMMC Registered Practitioner (RP).
52.
What document provides the performance standards by which the roles of the CMMC Ecosystem will be held accountable?
- The Code of Professional Conduct (CoPC)
- The CMMC Model
- The CMMC Assessment Process
- The CMMC Scoping Guide
The Code of Professional Conduct (CoPC) sets expectations for those CMMC-AB credentialed individuals and entities that are authorized to deliver CMMC services under license from the CMMC Accreditation Body (CMMC-AB). It also sets expectations for those Registered Practitioners (RPs) and Registered Provider Organizations (RPOs) that deliver unlicensed non-certified services and choose to register with the CMMC-AB, and for other individuals and entities with a relationship to the CMMC-AB. This CoPC represents the performance standards by which the roles of the CMMC ecosystem will be held accountable, and the procedures for addressing violations of those performance standards.
53.
After analyzing and examining Assessment objects, the OSC Point of Contact (POC) informs the members of their group that the next step will involve interviewing and analyzing results. What is the main essence of interviews in a CMMC Certification Assessment?
- Allows the Assessment Team to gain detailed insight into the CMMC conformance of an OSC, including the effectiveness and outcomes of the practices.
- Allows the Assessment Team to take steps to ensure and verify that confidentiality and non-attribution are addressed for anyone conducting a test or demonstration, so that they can speak openly without fear or concern about retribution from any member of the OSC.
- Allows the Assessment Team to map responses from tests and demonstrations to CMMC practices to aid in determining and supporting the rating of that practice.
- Provides the Assessment Team with an iterative activity that requires follow-up sessions to gain insight into the outcomes of the practices implemented in the OSC.
Interviews are another effective means by which to glean insight into the CMMC conformance of an OSC, including an understanding of how those practices or procedures are performed by employees, contract staff, and supporting Organizations. Interviews allow the Lead Assessor and the Assessment Team to gain detailed insight into the effectiveness and outcomes of the practices, procedures, and related policies and plans implemented in the OSC, including an understanding of how those practices or procedures are performed.
Interviewing is the process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the CMMC practice. Interview affirmations must be provided by people who implement, perform, or support procedures.
54.
The process of exercising Assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior, is known as?
- Testing
- Examining
- Interviewing
- Observing
The test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
55.
Which of the following is NOT a reason the Controlled Unclassified Information (CUI) Program was initiated?
- To appoint National Archives and Records Administration (NARA) as the Executive Agent (EA)
- To comply with Executive Order 13556 and 32 CFR Part 2002
- To protect sensitive information and increase transparency between government agencies
- To standardize labeling and data handling procedures across the federal government
CUI is information that requires safeguarding that the government creates or possesses, OR that an entity creates or possesses on behalf of the government. Its dissemination is controlled by law, regulation, or government policy. It is defined by E.O. 13556, 32 CFR Part 2002.4, and DoDI 5200.48. CUI is always FCI, but not all FCI is CUI. Although E.O. 13556 did appoint the National Archives and Records Administration (NARA) as the Executive Agent (EA), this is not a reason the CUI Program was created.
56.
What is another name for Lincoln's Law?
- The False Claims Act
- Anti-Kickback Act
- Civil Monetary Penalties Law
- Fraud Elimination Act
Known as America's first (federal) whistleblower law, it was first enacted in 1836 to target fraud in government contracting and is also known as "Lincoln's Law". The False Claims Act authorizes the United States to initiate False Claims Act actions independently. More frequently, however, False Claims Act lawsuits are initiated by private parties under the statute's qui tam provision (derived from the Latin phrase qui tam pro domino rege quam pro se ipso in hac parte sequitur, meaning "he who sues in this matter for the king as well as for himself"), which permits those private parties, known as whistleblowers or relators, to stand in the shoes of the government and bring suit on its behalf.
57.
A CMMC Third-Party Assessment Organization (C3PAO) and an Organization Seeking Certification (OSC) have already agreed on and approved a CMMC Assessment Scope document. However, the OSC's Assessment Official cannot be available on the dates scheduled for the commencement of the Assessment and requests that they postpone the activity to some other date. What should the C3PAO's Lead Assessor do?
- Update the Assessment Plan and create a new CMMC Assessment Scope document and upload it to eMASS
- Nothing, the new dates don't change anything. The OSC Assessment Official will be briefed by the OSC Point of Contact upon their return.
- Nothing, the Pre-Assessment data can be updated at completion of the assessment when the Assessment Package will be uploaded to eMASS
- The Lead Assessor must escalate this to the Cyber AB as the Pre-Assessment data has been agreed upon and uploaded to eMASS
The Assessment Plan must be updated whenever any significant change occurs, including, but not limited to:
1. If/when any scope changes to the OSC-C3PAO contract occur;
2. Any change in the OSC organizational scope or functions (added or removed units, added or removed process roles);
3. Changes to dates/times or scheduled Assessment events, including the scheduled dates for the Assessment itself;
4. Changes to the Assessment Team; and
5. Any unplanned disruptions (e.g., COVID-19 travel restrictions or protocols, natural disasters, etc.) before (Phase 1) or during the Assessment (Phase 2).
If changes occur after the Pre-Assessment data has been uploaded to CMMC eMASS, a new data upload is required. The previous data upload is retained in CMMC eMASS to allow for audit tracking.
58.
Mr. XYZ has been convicted for stealing cash from a store. Mr. XYZ does not report this conviction to the Cyber AB as he thinks that this matter does not directly link to his role as a CMMC Assessor. Is Mr. XYZ correct in not disclosing his conviction, and how soon after, if necessary, should he disclose his conviction?
- No, 30 days after
- Yes, 15 days after
- Yes, 30 days after
- No, 15 days after
Mr. XYZ is not correct in not disclosing his conviction to the Cyber AB. He needs to report it to the Cyber AB within 30 days of conviction, whether or not it is connected with activities that relate to his role in the CMMC ecosystem. Failure to disclose a conviction can be treated as an infringement of the Cyber AB's code of conduct, which can lead to disciplinary consequences.
59.
Why is it important to standardize the configuration of technology across the organization?
- It simplifies maintenance, reduces operating costs, and improves security.
- It reduces operating costs, increases employee productivity, and improves security.
- It simplifies maintenance, increases employee productivity, and improves security.
- It reduces operating costs, simplifies maintenance, and increases employee productivity.
Standardizing the configuration of technology across the organization reduces operating costs, simplifies maintenance, and improves security. This is because the purpose of configuration management is to establish a consistent, controlled, and audited process to manage system changes and subsequently system security, performance, and functionality.
60.
What sets the expectations for accredited and credentialed entities authorized to deliver CMMC services under Cyber AB licensing?
- CMMC Code of Professional Conduct
- CMMC Code of Ethical Conduct
- Code of Practical Conduct
- CMMC Professional Conduct Guidelines
The Code of Professional Conduct (CoPC) sets expectations for credentialed individuals and accredited entities that are authorized to deliver CMMC services under license from the Cyber AB. The CoPC also sets expectations for RPs and RPOs that deliver unlicensed non-certified services and choose to register with the Cyber AB, and for other individuals and entities with a relationship to the Cyber AB.