Cyber AB CCP Exam Questions

Page 6 of 25

101.

Who holds the final interpretation authority on practice scorings and findings during an assessment?

  • The C3PAO

  • The OSC

  • The assessment team

  • The lead assessor

For any practices where there is a dispute between the Assessment Team and the OSC, the C3PAO Official holds the final interpretation authority for practice scorings and their related findings.

102.

Examples of projects that are likely to involve U.S. export controlled services and information are those that:

  • Require access to or receipt of U.S. military or intel data

  • Cover non-military items and general services

  • Develop project management software

  • Require overseas travel to support non-U.S. Government

ECI includes CUI such as commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and non-proliferation objectives. The Commerce Department's Bureau of Industry and Security enforces EAR rules and imposes penalties. ECI includes unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual use items; items identified in the Export Administration Regulations, the International Traffic in Arms Regulations (ITAR) and the munitions list; license applications; and sensitive nuclear technology information.

103.

The CMMC is designed to measure a company's ability to ________ FCI and CUI.

  • Protect

  • Obtain

  • Disseminate

  • Preserve

The CMMC practices for Level 1 and Level 2 stem from NIST SP 800-171 Rev 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The guidance specified in NIST SP 800-171A focuses on CUI. Because CMMC Level 1 focuses on protecting FCI, the applicable assessment objectives for Level 1 are updated to address FCI. These practices also apply to CMMC Level 2 Assessments where the contractor has CUI, because CMMC is cumulative.

104.

Which of the following is NOT a boundary component?

  • Printer

  • Routers

  • Gateways

  • Virtualization systems

Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks).

105.

Which of the following is NOT true concerning Export Controlled Information (ECI)?

  • Export controlled software or information is not allowed to be exported.

  • Sending export controlled information via your work email account is considered an export.

  • Travelling abroad with export controlled software or information on your laptop is considered an export.

  • Providing export controlled software or information to a foreign-owned company is considered an export.

Export Controlled Information (ECI) includes CUI such as commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and non-proliferation objectives. It is a broad term that refers to any information that is subject to a country's export controls regime. ECI can include technical data, technology, assistance, software, and statements of work. ECI is regulated for reasons such as national security, foreign policy, anti-terrorism, or non-proliferation. ECI can be confidential technical information that is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of commodities.

106.

How many days does an Organization Seeking Certification (OSC) have to fix items placed on the Limited Practice Deficiency Correction Program worksheet?

  • 5 days

  • 10 days

  • 30 days

  • 15 days

If the overall scoring of the assessment after placing items on the Limited Practice Deficiency Correction Program results in greater than or equal to 80% (88/110 practices "MET"), the OSC will be required to correct deficiencies within five (5) business days from the Final Findings Brief or the Lead Assessor/C3PAO specified date, not to exceed five days prior to the submission of the final report into eMASS.

107.

Which of the following is the first step taken to ensure effective implementation of access controls?

  • Inventory of system resources

  • Classification of system assets

  • Labeling of system resources

  • Creation of an access control list

Determine whether a list of authorized users is maintained that defines their identities and roles. Confirm that account requests are authorized before system access is granted.

108.

Which of the following documents provides the origin of CMMC Practices?

  • FAR Clause 52.204-21 and DFARS Clause 252.204-7012

  • NIST SP 800-172 and DFARS Clause 252.204-7012

  • NIST SP 800-171 and DFARS Clause 252.204-7019

  • FAR Clause 52.204-21 and DFARS Clause 252.204-7019

The practices originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012, respectively.

  • Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21

  • Level 2 is equivalent to all of the security requirements in NIST SP 800-171 Revision 2

  • Level 3 will be based on a subset of NIST SP 800-172; more detailed information will be released at a later date

109.

Which organization is responsible for curriculum development?

  • LPP

  • LTP

  • RPO

  • OSC

Licensed Partner Publishers (LPPs) are responsible for developing educational content and curriculum that map to the Cyber AB certification exams. Licensed Training Providers (LTPs) are entities that use the authorized curriculum to deliver training to individuals. Registered Practitioner Organizations (RPOs) are organizations that provide advice, consulting, and recommendations to help Organizations Seeking Certification (OSCs) create cybersecurity programs in preparation to meet or exceed CMMC assessment requirements.

110.

In which phase of a CMMC Assessment are contracts and Non-Disclosure Agreements (NDAs) typically executed between the Organization Seeking Certification (OSC) and the Registered Practitioner Organization (RPO) or CMMC Third Party Assessment Organization (C3PAO)?

  • Phase 1

  • Phase 2

  • Phase 3

  • Phase 4

Signing the NDA as part of the initial contractual arrangement can protect and give legal grounds to the OSC in the event of loss or disclosure of sensitive information by the C3PAO.

111.

The three assessment methods that can be used to assess CUI security requirements under NIST SP 800-171 are:

  • Examine, Interview, Test

  • Primary, Secondary, Final

  • Interview, Document, Report

  • Basic, Focused, Comprehensive

The assessment methods define the nature and the extent of the [Assessor's] actions. According to NIST SP 800-171, these methods are examine, interview, and test. All other answers are incorrect.

112.

Which practice relates to terminating network connections at the end of sessions?

  • SC.L2-3.13.9

  • SC.L2-3.13.7

  • SC.L2-3.13.10

  • SC.L2-3.13.5

Practice SC.L2-3.13.9 applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

113.

If an investigation finds that the CoPC has been violated, corrective actions may include: warning, remediation, suspension, _________, as well as temporary or permanent loss of eligibility for such credentials.

  • Denial or termination of CMMC Credentials, Registration, or Accreditation

  • A Warning

  • Temporary or permanent loss of eligibility for credentials

  • A Financial Penalty

Corrective actions may include warning, remediation, suspension, denial or termination of CMMC Credentials, Registration, or Accreditation, as well as temporary or permanent loss of eligibility for such credentials.

114.

How are feasibility concerns addressed during the Certification Assessment Readiness Review?

  • The Lead Assessor discusses them with the Assessment Official and ensures the Assessment plan and schedule are updated accordingly.

  • By forwarding them to Cyber AB for arbitration

  • The Assessment Team discusses them and submits their findings to the Lead Assessor

  • The OSC contacts the C3PAO for guidance

If feasibility concerns are identified by any relevant party to the Assessment, the Lead Assessor must discuss the concerns with the Assessment Official and keep the Assessment plan and schedule updated accordingly.

115.

Which of the following are examples of physical access devices?

  • Biometric reader, Keys, CAC card

  • Biometric reader, Username, CAC card

  • Keys, Biometric reader, Username

  • CAC card, Username, Keys

Physical security measures should be applied to prevent unauthorized users from gaining access to areas within an organization they are not authorized to access. To that end, a physical access device should prevent an unauthorized person from physically damaging, destroying, or stealing assets. A username is a form of identification and is not a physical security measure.

116.

How is a CMMC Assessment initiated?

  • The OSC initiates the engagement for a CMMC Assessment by contacting an Authorized C3PAO.

  • C3PAO receives an assessment request from an OSC

  • C3PAO submits an assessment proposal to the OSC

  • OSC researches potential C3PAOs on the CMMC-AB Marketplace

An Organization Seeking Certification generally initiates the engagement for a CMMC Assessment by contacting an authorized C3PAO. The updated registry of authorized C3PAOs in good standing is maintained on the CMMC Marketplace website administered by the Cyber Accreditation Body (Cyber AB). The initial contact from the OSC can be made via the CMMC Marketplace's online intake form or by direct email or phone call to the C3PAO. C3PAO-OSC contact and communications may be initiated by either party, but in no circumstances will the Cyber AB or the Department of Defense serve in an introductory or facilitation role.

117.

Which domain focuses on establishing a clear set of actions to detect, respond to, and recover from an attack?

  • Incident Response

  • Audit and Accountability

  • System and Information Integrity

  • Configuration Management

The CMMC domain that focuses on establishing a clear set of actions to detect, respond to, and recover from an attack is the Incident Response domain. This domain is essential for organizations seeking compliance with DFARS 252.204-7012, which mandates the implementation of the NIST SP 800-171 controls. Within the context of DFARS 252.204-7012, organizations are required to conduct gap assessments and develop a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to address any gaps in meeting the security requirements. Incident Response is crucial in addressing security incidents and breaches as part of an organization's overall cybersecurity strategy, aligning with DFARS clauses and provisions aimed at protecting CUI and other sensitive government information.

118.

Practice SC.L2-3.13.11, "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI", complements each of the following EXCEPT:

  • AC.L2-3.1.5

  • AC.L2-3.1.19

  • MP.L2-3.8.6

  • SC.L2-3.13.8

SC.L2-3.13.11 complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used.

119.

Which of the following would provide the most reliable evidence regarding the integrity of new staff?

  • A background screening

  • Interview responses

  • Qualifications

  • References

CMMC Practice PS.L2-3.9.1 – Screen Individuals and the corresponding NIST SP 800-171 Rev 2 control (3.9.1) require organizations to screen individuals prior to authorizing access to organizational systems containing CUI. Personnel security screening (vetting) activities involve the evaluation/assessment of an individual's conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.

120.

Which of the following is NOT a prerequisite for the CMMC Professional (CCP) exam?

  • CompTIA Security+ certification

  • CompTIA A+ or equivalent knowledge/experience

  • Passing DoD CUI Awareness Training

  • 2+ years of IT experience

The Certified CMMC Professional (CCP) Test Blueprint defines the exam prerequisites as:

  • A college degree in a cyber or information technology field or 2+ years of related experience or education; or 2+ years of equivalent experience (including military) in a cyber, information technology, or assessment field; and

  • Suggested CompTIA A+ or equivalent knowledge/experience; and

  • Complete the Certified CMMC Professional Class offered by a Licensed Training Provider (LTP); and

  • Pass DOD CUI Awareness Training no earlier than three months prior to the exam