Month End Special Limited Time Flat 70% Discount offer - Ends in 1d 20h 39m 31s - Coupon code: 70spcl

Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Exam Practice Test

Page: 1 / 17
Total 170 questions

Certified CMMC Professional (CCP) Exam Questions and Answers

Question 1

On a Level 2 Assessment Team, what are the roles of the CCP and the CCA?

Options:

A.

The CCP leads the Level 2 Assessment Team, which consists of one or more CCAs.

B.

The CCA leads the Level 2 Assessment Team, which can include 3 CCP with US Citizenship.

C.

The CCA leads the Level 2 Assessment Team, which can include a CCP regardless of citizenship.

D.

The CCP leads the Level 2 Assessment Team, which can include a CCA. regardless of citizenship.

Question 2

A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?

Options:

A.

An updated Assessment Plan

B.

Recorded and final updated Daily Checkpoint

C.

Fully executed CMMC Assessment contract between the C3PAO and the OSC

D.

Review documentation for the CMMC Quality Assurance Professional (CQAP)

Question 3

The Advanced Level in CMMC will contain Access Control {AC) practices from:

Options:

A.

Level 1.

B.

Level 3.

C.

Levels 1 and 2.

D.

Levels 1,2, and 3.

Question 4

A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?

Options:

A.

"In the SSP. within the asset inventory, and in the network diagranY'

B.

"Within the hardware inventory, data (low diagram, and in the network diagram"

C.

"Within the asset inventory, in the proposal response, and in the network diagram"

D.

"In the network diagram, in the SSP. within the base inventory, and in the proposal response'"

Question 5

CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Options:

A.

received and transferred.

B.

stored, processed, and transmitted.

C.

entered, edited, manipulated, printed, and viewed.

D.

located on electronic media, on system component memory, and on paper.

Question 6

Who is responsible for identifying and verifying Assessment Team Member qualifications?

Options:

A.

C3PAO

B.

CMMC-AB

C.

Lead Assessor

D.

CMMC Marketplace

Question 7

Which domains are a part of a Level 1 Self-Assessment?

Options:

A.

Access Control (AC), Risk Management

B.

Risk Management (RM). Access Control (AC), and Physical Protection (PE)

C.

Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)

D.

Risk Management (RM). Media Protection (MP), and Identification and Authentication (IA)

Question 8

While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

Options:

A.

ESPs

B.

People

C.

Facilities

D.

Technology

Question 9

Which statement BEST describes a LTP?

Options:

A.

Creates DoD-licensed training

B.

Instructs a curriculum approved by CMMC-AB

C.

May market itself as a CMMC-AB Licensed Provider for testing

D.

Delivers training using some CMMC body of knowledge objectives

Question 10

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

Options:

A.

GUI Assets.

B.

CUI and Security Protection Asset categories.

C.

all asset categories except for the Out-of-scope Assets.

D.

Contractor Risk Managed Assets and Specialized Assets.

Question 11

The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company's FCI network, should it be assessed as partof the CMMC Level 1 Self-Assessment Scope?

Options:

A.

No, because it is OT

B.

No, because it is an loT device

C.

Yes. because it is a restricted IS

D.

Yes, because it is government property

Question 12

A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset Which function BEST describes what the printer does with the FCI?

Options:

A.

Encrypt

B.

Manage

C.

Process

D.

Distribute

Question 13

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

Options:

A.

NIST SP 800-37

B.

NIST SP 800-53

C.

NIST SP 800-88

D.

NIST SP 800-171

Question 14

Validation of findings is an iterative process usually performed during the Daily Checkpoints throughout the entire assessment process. As a validation activity, why are the preliminary findings important?

Options:

A.

It allows the OSC to comment and provide additional evidence.

B.

It determines whether the OSC will be rated MET or NOT MET on their assessment.

C.

It confirms that the Assessment Team's findings are right and cannot be changed.

D.

It corroborates the Assessment Team's understanding of the CMMC practices and controls.

Question 15

An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?

Options:

A.

Test

B.

Observe

C.

Examine

D.

Interview

Question 16

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

Options:

A.

Conduct a penetration test

B.

Interview the intrusion detection system's supplier.

C.

Upload known malicious code and observe the system response.

D.

Review an artifact to check key references for the configuration of the IDS or IPS practice for additional guidance on intrusion detection and prevention systems.

Question 17

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1. Guidelines for Media Sanitation?

Options:

A.

Clear, purge, destroy

B.

Clear redact, destroy

C.

Clear, overwrite, purge

D.

Clear, overwrite, destroy

Question 18

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

Options:

A.

In scope

B.

Out of scope

C.

OSC point of contact

D.

Assessment Team Member

Question 19

Which statement BEST describes an assessor's evidence gathering activities?

Options:

A.

Use interviews for assessing a Level 2 practice.

B.

Test all practices or objectives for a Level 2 practice

C.

Test certain assessment objectives to determine findings.

D.

Use examinations, interviews, and tests to gather sufficient evidence.

Question 20

Which regulation allows for whistleblowers to sue on behalf of the federal government?

Options:

A.

NISTSP 800-53

B.

NISTSP 800-171

C.

False Claims Act

D.

Code of Professional Conduct

Question 21

Which domain references the requirements needed to handle physical or digital assets containing CUI?

Options:

A.

Media Protection (MP)

B.

Physical Protection (PE)

C.

System and Information Integrity (SI)

D.

System and Communications Protection (SC)

Question 22

An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?

Options:

A.

NARA

B.

CMMC-AB

C.

DoD Contractors FAQ page

D.

DoD 239.7601 Definitions page

Question 23

A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?

Options:

A.

Host Unit

B.

Branch Office

C.

Coordinating Unit

D.

Supporting Organization/Units

Question 24

A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?

Options:

A.

"The OSC determines the CMMC Assessment Scope, and the CCP validates the CMMC Assessment Scope."

B.

"The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."

C.

"The CMMC Lead Assessor determines the CMMC Assessment Scope, and the OSC validates the CMMC Assessment Scope."

D.

"The CMMC C3PAO determines the CMMC Assessment Scope, and the Lead Assessor validates the CMMC Assessment Scope."

Question 25

Who makes the final determination of the assessment method used for each practice?

Options:

A.

CCP

B.

osc

C.

Site Manager

D.

Lead Assessor

Question 26

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

Options:

A.

funds that practice.

B.

audits that practice.

C.

supports, audits, and performs that practice.

D.

implements, performs, or supports that practice.

Question 27

A test or demonstration is being performed for the Assessment Team during an assessment. Which environment MUST the OSC perform this test or demonstration?

Options:

A.

Client

B.

Production

C.

Development

D.

Demonstration

Question 28

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

Options:

A.

CUI Assets and Specialized Assets

B.

Security Protection Assets and CUI Assets

C.

Specialized Assets and Contractor Risk Managed Assets

D.

Security Protection Assets and Contractor Risk Managed Assets

Question 29

Which standard and regulation requirements are the CMMC Model 2.0 based on?

Options:

A.

NIST SP 800-171 and NIST SP 800-172

B.

DFARS, FIPS 100,and NIST SP 800-171

C.

DFARS, NIST, and Carnegie Mellon University

D.

DFARS, FIPS 100, NIST SP 800-171,and Carnegie Mellon University

Question 30

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

Options:

A.

That the information is correct

B.

That the CEO approved the message

C.

That the company has to safeguard the release of FCI

D.

That so long as the information is only FCI, it can be released

Question 31

A contractor has implemented IA.L2-3.5.3: Multifactor Authentication practice for their privileged users, however, during the assessment it was discovered that the OSC's standard users do not require MFA to access their endpoints and network resources. What would be the BEST finding?

Options:

A.

The process is running correctly.

B.

It is out of scope as this is a new acquisition.

C.

The new acquisition is considered Specialized Assets.

D.

Practice is NOT MET since the objective was not implemented.

Question 32

During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?

Options:

A.

Connections for nonlocal maintenance sessions should be terminated when maintenance is complete.

B.

Connections for nonlocal maintenance sessions should be unlimited to ensure maintenance is performed properly

C.

The nonlocal maintenance personnel complain that restrictions slow down their response time and should be removed.

D.

The maintenance policy states multifactor authentication must have at least two factors applied for nonlocal maintenance sessions.

Question 33

A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room. as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist's actions are in direct violation of which CMMC practice?

Options:

A.

PE.L1-3.10.3: Escort visitors and monitor visitor activity

B.

PE.L1-3.10.5: Control and manage physical access devices

C.

PS.L2-3.9.1; Screen individuals prior to authorizing access to organizational systems containing CUI

D.

PS.L2-3 9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

Question 34

During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?

Options:

A.

FCI Asset

B.

CUI Asset

C.

In-scope Asset

D.

Specialized Asset

Question 35

Which organization is the governmental authority responsible for identifying and marking CUI?

Options:

A.

NARA

B.

NIST

C.

CMMC-AB

D.

Department of Homeland Security

Question 36

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

Options:

A.

Phase 1: Plan and Prepare Assessment

B.

Phase 2: Conduct Assessment

C.

Phase 3: Report Recommended Assessment Results

D.

Phase 4: Remediation of Outstanding Assessment Issues

Question 37

As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?

Options:

A.

Union

B.

Accord

C.

Alliance

D.

Agreement

Question 38

In performing scoping, what should the assessor ensure that the scope of the assessment covers?

Options:

A.

All assets documented in the business plan

B.

All assets regardless if they do or do not process, store, or transmit FCI/CUI

C.

All entities, regardless of the line of business, associated with the organization

D.

All assets processing, storing, or transmitting FCI/CUI and security protection assets

Question 39

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

Options:

A.

NIST SP 800-53

B.

NISTSP800-53a

C.

NIST SP 800-171

D.

NISTSP800-171a

Question 40

A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?

Options:

A.

Test

B.

Examine

C.

Interview

D.

Assessment

Question 41

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

Options:

A.

When under the control of the DoD

B.

When the document is considered secret

C.

When a document is being shared outside of the organization

D.

When a derivative document's original information is not CUI

Question 42

Ethics is a shared responsibility between:

Options:

A.

DoD and CMMC-AB.

B.

OSC and sponsors.

C.

CMMC-AB and members of the CMMC Ecosystem.

D.

members of the CMMC Ecosystem and Lead Assessors.

Question 43

SC.L2-3 13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?

Options:

A.

Any existing telephone system is in scope even if it is not using VoIP technology.

B.

An error has been made and the Lead Assessor should be contacted to correct the error.

C.

VoIP technology is within scope, and it uses FlPS-validated encryption, so it does not need to be assessed.

D.

VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.

Question 44

An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

Options:

A.

No,emails are not appropriate affirmations.

B.

No, messaging is not an appropriate affirmation.

C.

Yes,the affirmations collected by the assessor are all appropriate.

D.

Yes,the affirmations collected by the assessor are all appropriate, as are screenshots.

Question 45

There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

Options:

A.

The OSC may have 90 days for remediating NOT MET practices.

B.

The OSC is not eligible for an option to remediate NOT MET practices.

C.

The OSC may be eligible for an option to remediate NOT MET practices.

D.

The OSC is not eligible for an option to remediate after the assessment is canceled.

Question 46

What is the BEST document to find the objectives of the assessment of each practice?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Question 47

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Options:

A.

Organizational operations, business assets, and employees

B.

Organizational operations, business processes, and employees

C.

Organizational operations, organizational assets, and individuals

D.

Organizational operations, organizational processes, and individuals

Question 48

At which CMMC Level do the Security Assessment (CA) practices begin?

Options:

A.

Level 1

B.

Level 2

C.

Level 3

D.

Level 4

Question 49

Which document is the BEST source for determining the sources of evidence for a given practice?

Options:

A.

NISTSP 800-53

B.

NISTSP 800-53A

C.

CMMC Assessment Scope

D.

CMMC Assessment Guide

Question 50

Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

Options:

A.

CMMC Glossary

B.

CMMC Appendices

C.

CMMC Assessment Process

D.

CMMC Assessment Guide Levels 1 and 2

Question 51

An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?

Options:

A.

Yes,the antivirus program is available, so it is sufficient.

B.

Yes,antivirus programs are automated to run independently.

C.

No, the team member must know how the antivirus program is deployed and maintained.

D.

No, the team member's interview answers about deployment and maintenance are insufficient.

Page: 1 / 17
Total 170 questions