Cyber AB CCP Exam Questions
61. Which of the following requires an International Traffic in Arms Regulation (ITAR) DSP-5 license per 22 CFR 125.2?
- Export of unclassified technical data
- Returning loaned equipment to a foreign ally
- Transiting controlled cargo through the United States
- Temporary import of defense articles
Permanent technical data exports require a DSP-5 license per ITAR regulations in 22 CFR 125.2(a).
62. What are the two subcategories of the Export Control category?
- Export Controlled and Export Controlled Research
- Export Administration Regulation
- Controlled Technical Information
- International Traffic in Arms Regulation
The Export Control category has two subcategories: Export Controlled and Export Controlled Research.
63. As per the CMMC Assessment Guide, 'Specifications' are a type of Assessment Object that refer to:
- The document-based artifacts
- The hardware, software, or firmware safeguards employed within a system
- The specific configuration of the enterprise architecture
- The protection-related actions supporting a system that involves people
Assessment Objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans). Mechanisms are the hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involves people, and Individuals are the people applying the specifications, mechanisms, or activities.
64. What is the primary purpose of Phase 2 of the CMMC Assessment Process?
- To identify, describe, and record any gaps in implemented procedures within the OSC related to model practices or procedures
- To deliver assessment results to the Organization Seeking Certification (OSC)
- To report assessment results to the C3PAO
- To close out the Plan of Action & Milestones (POA&M)
The primary purpose of Phase 2 of the CMMC Assessment Process is to identify gaps in the contractor's procedures related to CMMC practices by collecting and examining evidence.
65. Which practice focuses on protecting CUI on mobile devices and platforms?
- AC.L2-3.1.19
- AC.L2-3.1.16
- AC.L2-3.1.17
- AC.L2-3.1.18
Practice AC.L2-3.1.19, "Encrypt CUI on Mobile", covers encrypting CUI on mobile devices and mobile computing platforms.
66. Whistleblowers who confidentially disclose fraud against the federal government can be rewarded up to what percentage of the recovered award if the case is successful?
- 30%
- 60%
- 10%
- 45%
Since its original signing, the False Claims Act has seen several revisions and become increasingly powerful, but one aspect has remained since its conception: the qui tam, or whistleblower, provision. This important provision allows any individual or non-governmental organization to file a lawsuit, in U.S. District Courts, on behalf of the United States government. Under this provision, whistleblowers can be rewarded for confidentially disclosing fraud that results in a financial loss to the federal government. Provided that their original information results in a successful prosecution, whistleblowers are awarded a mandatory reward of between 15% to 30% of the collected proceeds. These rewards are often substantial, since under the False Claims Act, the criminal is liable for a civil penalty as well as treble damages.
67. Why is compliance with International Traffic in Arms Regulation (ITAR) critical for defense companies?
- To prevent harm to US national security interests
- To avoid financial penalties
- To be eligible for defense contracts
- To facilitate technology transfers to allies
Compliance with International Traffic in Arms Regulation (ITAR) is critical to prevent unauthorized exports that could harm U.S. national security interests. ITAR violations can undermine military advantage and enable capabilities in unfriendly nations, contrary to the regulations' intent under 22 CFR 120-130.
68. What type of document is needed when transferring export-controlled products or technical data, or providing defense services, to any Foreign National, even if the person is located in the U.S.?
- Export License
- Export Credit Letter
- Export Approval
- Export Regulation
An export is the transmission, shipping or carrying of equipment, materials, items, proprietary software, and/or protected technology/information abroad or to a foreign person. For export control purposes, foreign persons comprise foreign companies/corporations not incorporated in the U.S., foreign institutions/governments, and foreign persons who are not Legal Permanent Residents (LPRs). Exporting can occur as an export, "deemed export", re-export or "temporary export". A "deemed export" is the transmission of protected technology/information to a non-LPR foreign person within U.S. boundaries.
69. Which of the following information pertains to a 'Host Unit'?
- Specific people, processes and technology within an HQ organization that would be applied to the DoD contract
- A subset of an organization that is responsible for protecting FCI/CUI
- Considered as an OSC for the purpose of Assessment
- All of the above
Host units are the people, processes, and technology that will be applied to the contract (this could be one or many teams that are doing the work). This is the unit of the organization that is requesting a CMMC Level.
70. What is the primary requirement for systems that store or collect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?
- They must be governed and protected against cybersecurity threats
- They must be continuously audited
- They must be open for public access
- They must have minimal security measures
All Contractors that handle FCI or CUI must be governed and protected against cybersecurity threats. Contractors that store FCI must meet the requirements in 48 CFR § 52.204-21 Federal Acquisition Regulation - Basic Safeguarding of Contractor Information Systems requirements while contractors that handle CUI must meet the requirements in 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
71. Which framework are controls in the Federal Risk and Authorization Management Program (FedRAMP) based on?
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
- FISMA
- OMB Circular A-130
- ISO 27001
Like FISMA, the controls in FedRAMP are based on NIST SP 800-53.
72. When is the Contractor required to report cyber incidents to DoD according to DFARS Clause 252.204-7012?
- Within 72 hours of discovery
- Within 48 hours of discovery
- Within 24 hours of discovery
- Within 7 days of discovery
Paragraph (c)(1) of the DFARS 252.204-7012 clause requires that when the contractor discovers a cyber incident that affects covered defense information or operationally critical support, they must "Rapidly report cyber incidents to DoD at https://dibnet.dod.mil." "Rapidly report" is defined in paragraph (a) to mean "within 72 hours of discovery of any cyber incident." Therefore, the contractor is required to report qualifying cyber incidents to DoD within 72 hours of discovery per the clause requirements.
73. During the CMMC Certification Assessment, the spot check performed on contractor risk-managed assets is identified by the Assessors as a review that needs a comprehensive evaluation. Can Assessors increase the scope (plus cost and duration) of the assessment unilaterally?
- Assessors cannot increase the cost/duration for spot checks of risk-managed assets. Checks must stay within the defined scope
- Assessors are required to complete the assessment within the initially defined cost and duration, regardless of the complexity of risk-managed assets
- The cost and duration adjustments are solely at the discretion of the contractor, not the assessors
- Assessors have the flexibility to adjust the cost and duration to ensure a thorough assessment of risk-managed assets
Assessors cannot increase the cost/duration for spot checks of risk-managed assets. Checks must stay within the defined scope.
74. The practice of identifying the size, scale, date, time, place, manner, resources, and level of effort associated with the prospective conduct of a CMMC Assessment is called what?
- Assessment Framing
- CMMC Scoping
- Assessment Planning
- Scoping
Assessment Framing is the high-level contract scoping that is discussed and agreed to at the onset of the C3PAO-OSC engagement. It is the practice of identifying the size, scale, date, time, place, manner, resources, and level-of-effort associated with the prospective conduct of a CMMC Assessment.
75. What is the ability to prove that the user or application is genuinely who that user or what that application claims to be?
- Authentication
- Identification
- Nonrepudiation
- Authorization
Authentication is the ability to prove that the user or application is genuinely who that user or what that application claims to be. Nonrepudiation is a concept that is implemented to prevent users from denying authorship or ownership of certain actions. Identification involves a subject or person claiming a unique identity, commonly through the use of usernames or smartcards. Authorization is used to determine what type of privileges a user has and what system resources a user is authorized to access. Authorization is preceded by authentication.
76. Which of the following are examples of NARA CUI categories?
- Immigration; Proprietary Business Information
- Immigration
- Proprietary Business Information
- Structural
NARA CUI categories include but are not limited to Immigration, Proprietary Business Information, Nuclear, Patent, and Transportation. Each category includes several lower-level categories for more specific CUI.
77. As per the CMMC Assessment Guide, 'Individuals' are a type of Assessment Object that refer to:
- The people applying the specifications, mechanisms, or activities
- The C3PAO Assessment Team Members
- The protection-related actions supporting a system that involves people
- The OSC's IT Department
Assessment Objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans). Mechanisms are the hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involves people, and Individuals are the people applying the specifications, mechanisms, or activities.
78. Which of the following is not an example of an External Service Provider (ESP)?
- Security Service Provider (SSP)
- Cloud Service Provider (CSP)
- Managed Service Provider (MSP)
- Cybersecurity-as-a-Service (CSaaS)
A contractor can inherit practice objectives from other entities such as an External Service Provider (ESP) who performs the practice objective. An ESP may be external people, technology, or facilities that the contractor uses, including Cloud Service Providers (CSPs), Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), or Cybersecurity-as-a-Service (CSaaS) providers.
79. The three assessment methods that can be used to assess CUI security requirements under NIST SP 800-171 are:
- Examine, Interview, Test
- Confidentiality, Integrity, Availability
- Interview, Document, Report
- Basic, Focused, Comprehensive
The assessment methods define the nature and the extent of the Assessor's actions. According to NIST SP 800-171, these methods are examine, interview, and test. All other answers are incorrect.
80. What is the minimum required action for out-of-scope assets?
- No action required
- Document them in the SSP
- Logically separate them
- Include them in the asset inventory
No documentation is required for out-of-scope assets.