
Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Practice Test

Page: 1 / 17
Total 170 questions

Certified CMMC Professional (CCP) Exam Questions and Answers

Question 1

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?

Options:

A.

Procedures for implementing access control lists

B.

List of unauthorized users that identifies their identities and roles

C.

User names associated with system accounts assigned to those individuals

D.

Physical access policy that states, "All non-employees must wear a special visitor pass or be escorted."

Question 2

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

Options:

A.

CUI Assets.

B.

CUI and Security Protection Asset categories.

C.

all asset categories except for the Out-of-scope Assets.

D.

Contractor Risk Managed Assets and Specialized Assets.

Question 3

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

Options:

A.

funds that practice.

B.

audits that practice.

C.

supports, audits, and performs that practice.

D.

implements, performs, or supports that practice.

Question 4

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Options:

A.

have a security clearance.

B.

be a senior person in the company.

C.

demonstrate expertise on the CMMC requirements.

D.

provide clarity and understanding of their practice activities.

Question 5

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

Options:

A.

OSC and Sponsor

B.

OSC and CMMC-AB

C.

Lead Assessor and C3PAO

D.

C3PAO and Assessment Official

Question 6

A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

Options:

A.

"The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."

B.

"The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."

C.

"The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."

D.

"The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."

Question 7

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

Options:

A.

Phase 1: Plan and Prepare Assessment

B.

Phase 2: Conduct Assessment

C.

Phase 3: Report Recommended Assessment Results

D.

Phase 4: Remediation of Outstanding Assessment Issues

Question 8

Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?

Options:

A.

Test

B.

Assess

C.

Examine

D.

Interview

Question 9

What is the primary intent of the verify evidence and record gaps activity?

Options:

A.

Map test and demonstration responses to CMMC practices.

B.

Conduct interviews to test process implementation knowledge.

C.

Determine the one-to-one relationship between a practice and an assessment object.

D.

Identify and describe differences between what the Assessment Team required and the evidence collected.

Question 10

Which statement BEST describes a LTP?

Options:

A.

Creates DoD-licensed training

B.

Instructs a curriculum approved by CMMC-AB

C.

May market itself as a CMMC-AB Licensed Provider for testing

D.

Delivers training using some CMMC body of knowledge objectives

Question 11

Ethics is a shared responsibility between:

Options:

A.

DoD and CMMC-AB.

B.

OSC and sponsors.

C.

CMMC-AB and members of the CMMC Ecosystem.

D.

members of the CMMC Ecosystem and Lead Assessors.

Question 12

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment. Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

Options:

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Question 13

SC.L2-3.13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?

Options:

A.

Any existing telephone system is in scope even if it is not using VoIP technology.

B.

An error has been made and the Lead Assessor should be contacted to correct the error.

C.

VoIP technology is within scope, and it uses FIPS-validated encryption, so it does not need to be assessed.

D.

VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.

Question 14

Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of the OSC's updated POA&M with any accompanying evidence or scheduled collections?

Options:

A.

90 days

B.

180 days

C.

270 days

D.

360 days

Question 15

How does the CMMC define a practice?

Options:

A.

A business transaction

B.

A condition arrived at by experience or exercise

C.

A series of changes taking place in a defined manner

D.

An activity or activities performed to meet defined CMMC objectives

Question 16

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

Options:

A.

In scope, because it is an asset that stores FCI

B.

In scope, because it is part of the same physical location

C.

Out of scope, because they are all only paper documents

D.

Out of scope, because it does not process or transmit FCI

Question 17

An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly. Is this sufficient to pass the practice?

Options:

A.

No, the work is not being done as stated.

B.

Yes, the practice is being done as documented.

C.

No, all three assessment methods must be met to pass.

D.

Yes, the interview process is enough to pass a practice.

Question 18

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

Options:

A.

In scope

B.

Out of scope

C.

OSC point of contact

D.

Assessment Team Member

Question 19

An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message. Which organization's website should the OSC go to identify what this marking means?

Options:

A.

NARA

B.

CMMC-AB

C.

DoD Contractors FAQ page

D.

DoD 239.7601 Definitions page

Question 20

The Audit and Accountability (AU) domain has practices in:

Options:

A.

Level 1.

B.

Level 2.

C.

Levels 1 and 2.

D.

Levels 1 and 3.

Question 21

At which CMMC Level do the Security Assessment (CA) practices begin?

Options:

A.

Level 1

B.

Level 2

C.

Level 3

D.

Level 4

Question 22

CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Options:

A.

received and transferred.

B.

stored, processed, and transmitted.

C.

entered, edited, manipulated, printed, and viewed.

D.

located on electronic media, on system component memory, and on paper.

Question 23

On a Level 2 Assessment Team, what are the roles of the CCP and the CCA?

Options:

A.

The CCP leads the Level 2 Assessment Team, which consists of one or more CCAs.

B.

The CCA leads the Level 2 Assessment Team, which can include a CCP with US Citizenship.

C.

The CCA leads the Level 2 Assessment Team, which can include a CCP regardless of citizenship.

D.

The CCP leads the Level 2 Assessment Team, which can include a CCA, regardless of citizenship.

Question 24

While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?

Options:

A.

Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.

B.

Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.

C.

Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.

D.

Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.

Question 25

What is the MOST common purpose of assessment procedures?

Options:

A.

Obtain evidence.

B.

Define level of effort.

C.

Determine information flow.

D.

Determine value of hardware and software.

Question 26

Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?

Options:

A.

Access control

B.

Physical access control

C.

Mandatory access control

D.

Discretionary access control

Question 27

Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?

Options:

A.

Availability

B.

Confidentiality

C.

Information Integrity

D.

Respect for Intellectual Property

Question 28

When assessing an OSC for CMMC, the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

Options:

A.

is normative for an OSC to follow.

B.

contains examples that an OSC must implement.

C.

is mandatory and aligns with FAR Clause 52.204-21.

D.

provides additional information to facilitate the assessment of the practice.

Question 29

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

Options:

A.

CDI

B.

CTI

C.

CUI

D.

FCI

Question 30

What service is the MOST comprehensive that the RPO provides?

Options:

A.

Training services

B.

Education services

C.

Consulting services

D.

Assessment services

Question 31

During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?

Options:

A.

FCI

B.

Change of leadership in the organization

C.

Launching of their new business service line

D.

Public releases identifying major deals signed with commercial entities

Question 32

A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?

Options:

A.

FCI Assets

B.

Specialized Assets

C.

Out-of-Scope Assets

D.

Government-Issued Assets

Question 33

Who is responsible for identifying and verifying Assessment Team Member qualifications?

Options:

A.

C3PAO

B.

CMMC-AB

C.

Lead Assessor

D.

CMMC Marketplace

Question 34

During an assessment, which phase of the process identifies conflicts of interest?

Options:

A.

Analyze requirements.

B.

Develop assessment plan.

C.

Verify readiness to conduct assessment.

D.

Generate final recommended assessment results.

Question 35

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?

Options:

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Question 36

In the CMMC Model, how many practices are included in Level 1?

Options:

A.

15 practices

B.

17 practices

C.

72 practices

D.

110 practices

Question 37

An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?

Options:

A.

Take it with them to review in the evening.

B.

Leave it on the desk for review the following day.

C.

Put it in the unlocked desk drawer for review the following morning.

D.

Take a picture with the personal phone before securely shredding it.

Question 38

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

Options:

A.

That the information is correct

B.

That the CEO approved the message

C.

That the company has to safeguard the release of FCI

D.

That so long as the information is only FCI, it can be released

Question 39

When executing a remediation review, the Lead Assessor should:

Options:

A.

help OSC to complete planned remediation activities.

B.

plan two consecutive remediation reviews for an OSC.

C.

submit a delta assessment remediation package for C3PAO's internal quality review.

D.

validate that practices previously listed on the POA&M have been removed on an updated Risk Assessment.

Question 40

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

Options:

A.

Log into the secure cloud storage service to save copies of the documents on both the work and client laptops.

B.

Log into the client VPN from the client laptop and retrieve the documents from the secure cloud storage service.

C.

Log into the client VPN from the assessor's laptop and retrieve the documents from the secure cloud storage service.

D.

Use their home office workstation to retrieve the documents from the secure cloud storage service and save them to a USB stick.

Question 41

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

Options:

A.

NIST SP 800-37

B.

NIST SP 800-53

C.

NIST SP 800-88

D.

NIST SP 800-171

Question 42

A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:

Options:

A.

manage FCI.

B.

process FCI.

C.

transmit FCI.

D.

generate FCI.

Question 43

An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?

Options:

A.

Notify the CMMC-AB.

B.

Cancel the assessment.

C.

Postpone the assessment.

D.

Contact the C3PAO for guidance.

Question 44

Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Question 45

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Options:

A.

Organizational operations, business assets, and employees

B.

Organizational operations, business processes, and employees

C.

Organizational operations, organizational assets, and individuals

D.

Organizational operations, organizational processes, and individuals

Question 46

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

Options:

A.

When under the control of the DoD

B.

When the document is considered secret

C.

When a document is being shared outside of the organization

D.

When a derivative document's original information is not CUI

Question 47

What are CUI protection responsibilities?

Options:

A.

Shielding

B.

Governing

C.

Correcting

D.

Safeguarding

Question 48

During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

Options:

A.

Host Unit

B.

Organization

C.

Coordinating Unit

D.

Supporting Organization/Unit

Question 49

A Lead Assessor is planning an assessment and scheduling the test activities. Who MUST perform tests to obtain evidence?

Options:

A.

OSC personnel who normally perform that work as the CCP observes

B.

Military personnel and the CCP and/or Lead Assessor to test the adequacy of the written procedure(s)

C.

Military personnel assigned to the contractor for that contract to ensure the confidentiality of the CUI

D.

OSC personnel who do not ordinarily perform that work to evaluate the accuracy of the written procedure(s)

Question 50

The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops, databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?

Options:

A.

ESP

B.

People

C.

Facilities

D.

Technology

Question 51

Which domains are a part of a Level 1 Self-Assessment?

Options:

A.

Access Control (AC), Risk Management

B.

Risk Management (RM), Access Control (AC), and Physical Protection (PE)

C.

Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)

D.

Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)
