During a CMMC readiness review, the OSC proposes that an associated enclave should be treated as out of scope.
Who is responsible for verifying this request?
- A . CCP
- B . C3PAO
- C . Lead Assessor
- D . Advisory Board
Which resource contains authoritative data classifications of CUI?
- A . NARA
- B . CMMC-AB
- C . DoD Contractors FAQ
- D . OSC’s privacy policies
The Advanced Level in CMMC will contain Access Control (AC) practices from:
- A . Level 1.
- B . Level 3.
- C . Levels 1 and 2.
- D . Levels 1,2, and 3.
Prior to initiating an OSC’s CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results for the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processing and review. After several weeks of assessment, the C3PAO completes the internal review, and the recommended results are then submitted through the C3PAO for final quality review and rating approval.
Which document stipulates these reporting requirements?
- A . CMMC Assessment reporting requirements
- B . DFARS 52.204-21 assessment reporting requirements
- C . NIST SP 800-171 Revision 2 assessment reporting requirements
- D . DFARS clause 252.204-7012 assessment reporting requirements
A defense contractor needs to share FCI with a subcontractor and sends this data in an email.
The email system involved in this process is being used to:
- A . manage FCI.
- B . process FCI.
- C . transmit FCI.
- D . generate FCI.
What are CUI protection responsibilities?
- A . Shielding
- B . Governing
- C . Correcting
- D . Safeguarding
Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?
- A . Level 1
- B . Level 2
- C . Level 3
- D . All levels
A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information.
For this company’s CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?
- A . FCI Assets
- B . Specialized Assets
- C . Out-of-Scope Assets
- D . Operational Technology Assets
Where can a listing of all federal agencies’ CUI indices and categories be found?
- A . 32 CFR Section 2002
- B . Official CUI Registry
- C . Executive Order 13556
- D . Official CMMC Registry
When assessing an OSC for CMMC, the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:
- A . is normative for an OSC to follow.
- B . contains examples that an OSC must implement.
- C . is mandatory and aligns with FAR Clause 52.204-21.
- D . provides additional information to facilitate the assessment of the practice.
As part of CMMC 2.0, the change to Level 1 Self-Assessments that supports "reduced assessment costs" allows all companies at Level 1 (Foundational) to:
- A . conduct self-assessments.
- B . opt out of CMMC Assessments.
- C . have assessment costs reimbursed by the DoD.
- D . pay no more than $500.00 for their annual assessment.
An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations.
Are these appropriate approaches to collecting affirmations?
- A . No, emails are not appropriate affirmations.
- B . No, messaging is not an appropriate affirmation.
- C . Yes, the affirmations collected by the assessor are all appropriate.
- D . Yes, the affirmations collected by the assessor are all appropriate, as are screenshots.
There are 15 practices that are NOT MET for an OSC’s Level 2 Assessment. All practices are applicable to the OSC.
Which determination should be reached?
- A . The OSC may have 90 days for remediating NOT MET practices.
- B . The OSC is not eligible for an option to remediate NOT MET practices.
- C . The OSC may be eligible for an option to remediate NOT MET practices.
- D . The OSC is not eligible for an option to remediate after the assessment is canceled.
Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave have been met?
- A . OSC
- B . Assessment Team
- C . Authorizing official
- D . Assessment official
A CMMC Assessment is being conducted at an OSC’s HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed.
What is the BEST way to handle this file?
- A . Review it, print it, and put it in the desk drawer.
- B . Review it, and make notes on the computer provided by the client.
- C . Review it, print it, make notes, and then shred it in a cross-cut shredder in the print room.
- D . Review it, print it, and leave it in a folder on the table together with the other documents.
Which phase of the CMMC Assessment Process includes developing the assessment plan?
- A . Phase 1
- B . Phase 2
- C . Phase 3
- D . Phase 4
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?
- A . CDI
- B . CTI
- C . CUI
- D . FCI
A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M, but the OSC will remain on an Interim Certification.
What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?
- A . 80 practices
- B . 88 practices
- C . 100 practices
- D . 110 practices
Who is responsible for identifying and verifying Assessment Team Member qualifications?
- A . C3PAO
- B . CMMC-AB
- C . Lead Assessor
- D . CMMC Marketplace
A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC’s Configuration Management (CM) domain. The CCP’s first interview is with a subject-matter expert for user-installed software.
With respect to user-installed software, what facet should the CCP’s interview focus on?
- A . Controlled and monitored
- B . Removed from the system
- C . Scanned for malicious code
- D . Limited to mission-essential use only
Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse.
After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:
- A . official.
- B . adequate.
- C . compliant.
- D . subjective.
In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified.
What can this file cabinet BEST be determined to be?
- A . In scope, because it is an asset that stores FCI
- B . In scope, because it is part of the same physical location
- C . Out of scope, because it contains only paper documents
- D . Out of scope, because it does not process or transmit FCI
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan.
Who agrees to and signs off on the Assessment Plan?
- A . OSC and Sponsor
- B . OSC and CMMC-AB
- C . Lead Assessor and C3PAO
- D . C3PAO and Assessment Official
In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI.
What is the ESP employee considered?
- A . In scope
- B . Out of scope
- C . OSC point of contact
- D . Assessment Team Member
During the assessment process, who is the final interpretation authority for recommended findings?
- A . C3PAO
- B . CMMC-AB
- C . OSC sponsor
- D . Assessment Team Members
An Assessment Team is reviewing a practice that is documented as being checked monthly. The logs show that the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document it quarterly.
Is this sufficient to pass the practice?
- A . No, the work is not being done as stated.
- B . Yes, the practice is being done as documented.
- C . No, all three assessment methods must be met to pass.
- D . Yes, the interview process is enough to pass a practice.
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate.
What is the MOST correct action to take?
- A . Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
- B . Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.
- C . Inform the OSC and the C3PAO of the possible conflict of interest, but since an acceptable amount of time has passed since college, no conflict of interest exists, and continue as planned.
- D . Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice.
What can the assessor do?
- A . Notify the CMMC-AB.
- B . Cancel the assessment.
- C . Postpone the assessment.
- D . Contact the C3PAO for guidance.
A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset.
Which function BEST describes what the printer does with the FCI?
- A . Encrypt
- B . Manage
- C . Process
- D . Distribute
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC’s WiFi network.
What type of asset is this?
- A . FCI Asset
- B . CUI Asset
- C . In-scope Asset
- D . Specialized Asset
Which organization is the governmental authority responsible for identifying and marking CUI?
- A . NARA
- B . NIST
- C . CMMC-AB
- D . Department of Homeland Security
A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?
- A . That the information is correct
- B . That the CEO approved the message
- C . That the company has to safeguard the release of FCI
- D . That so long as the information is only FCI, it can be released
A Lead Assessor has been assigned to a CMMC Assessment. During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document.
Is this document valid?
- A . The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.
- B . More research on the company policy of creating, implementing, and enforcing policies is needed. If the company has a policy identifying the authority as with the position or person, then the policy is valid.
- C . The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.
- D . The authority to implement and enforce lies with the position, not the person. As long as that position’s authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.
A CMMC Level 1 Self-Assessment identified an asset in the OSC’s facility that does not process, store, or transmit FCI.
Which type of asset is this considered?
- A . FCI Assets
- B . Specialized Assets
- C . Out-of-Scope Assets
- D . Government-Issued Assets
When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC’s workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns.
What is the BEST determination that the Lead Assessor should reach regarding the evidence?
- A . It is sufficient, and the audit finding can be rated as MET.
- B . It is insufficient, and the audit finding can be rated NOT MET.
- C . It is sufficient, and the Lead Assessor should seek more evidence.
- D . It is insufficient, and the Lead Assessor should seek more evidence.
Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?
- A . Level 1
- B . Level 2
- C . Level 3
- D . Any level
Which document is the BEST source for determining the sources of evidence for a given practice?
- A . NIST SP 800-53
- B . NIST SP 800-53A
- C . CMMC Assessment Scope
- D . CMMC Assessment Guide
Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?
- A . CMMC Glossary
- B . CMMC Appendices
- C . CMMC Assessment Process
- D . CMMC Assessment Guide Levels 1 and 2
An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works.
Is this adequate for the practice?
- A . Yes, the antivirus program is available, so it is sufficient.
- B . Yes, antivirus programs are automated to run independently.
- C . No, the team member must know how the antivirus program is deployed and maintained.
- D . No, the team member’s interview answers about deployment and maintenance are insufficient.
When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?
- A . When under the control of the DoD
- B . When the document is considered secret
- C . When a document is being shared outside of the organization
- D . When a derivative document’s original information is not CUI
What service is the MOST comprehensive that the RPO provides?
- A . Training services
- B . Education services
- C . Consulting services
- D . Assessment services
What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"
- A . Adequacy criteria
- B . Objectivity criteria
- C . Sufficiency criteria
- D . Subjectivity criteria
During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor.
As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?
- A . Final log report
- B . Final CMMC report
- C . Final and recorded OSC CMMC report
- D . Final and recorded Daily Checkpoint log
What is a PRIMARY activity that is performed while conducting an assessment?
- A . Develop assessment plan.
- B . Collect and examine evidence.
- C . Verify readiness to conduct assessment.
- D . Deliver recommended assessment results.
A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012, what set of established security requirements MUST that cloud provider meet?
- A . FedRAMP Low
- B . FedRAMP Moderate
- C . FedRAMP High
- D . FedRAMP Secure
During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment.
Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
- A . Host Unit
- B . Organization
- C . Coordinating Unit
- D . Supporting Organization/Unit
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
- A . Adopted security
- B . Adaptive security
- C . Adequate security
- D . Advanced security
Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?
- A . Access Control (AC)
- B . Media Protection (MP)
- C . Asset Management (AM)
- D . Configuration Management (CM)
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment.
For a Level 1 Self-Assessment, what type of asset is this?
- A . CUI Asset
- B . In-scope Asset
- C . Specialized Asset
- D . Contractor Risk Managed Asset
An organization that manufactures night vision cameras is looking for help to address the gaps identified in physical access control systems.
Which certified individual should they approach for implementation support?
- A . CCA of the C3PAO performing the assessment
- B . RP of an organization not part of the assessment
- C . Practitioner of the organization performing the assessment LTP
- D . DoD Contract Official of the organization performing the assessment