CMMC-CCP Certified CMMC Professional (CCP) Exam Questions and Answers
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
A C3PAO is conducting High Level Scoping for an OSC that requested an assessment Which term describes the people, processes, and technology that will be applied to the contract who are requesting a CMMC Level assessment?
For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?
Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?
For a scoping a CMMC Level 1 Self-Assessment, which asset types are assessed against CMMC practices?
During an assessment, which phase of the process identifies conflicts of interest?
What technical means can an OSC have in place to limit individuals who are authorized to post or process information on publicly accessible systems?
A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?
A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?
A cyber incident is discovered that affects a covered contractor IS and the CDI residing therein. How long does the contractor have to inform the DoD?
During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?
The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?
A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset Which function BEST describes what the printer does with the FCI?
During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?
A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?
A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room. as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist ' s actions are in direct violation of which CMMC practice?
When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:
To develop an assessment contract and establish a scope of work, which organization does an OSC work with?
A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?
What is the BEST document to find the objectives of the assessment of each practice?
When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
SI.L2-3.14.7: Identify unauthorized use of organizational systems is being assessed using two assessment objectives. The assessment objectives are to determine if authorized use of the system is defined and to determine if unauthorized use of the system is identified. What is the BEST evidence for this practice?
According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?
An assessment is being completed at a client site that is not far from the Lead Assessor ' s home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC ' s external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:
Evidence gathered from an OSC is being reviewed. Based on the assessment and organizational scope, the Lead Assessor requests the Assessment Team to verify that the coverage by domain, practice. Host Unit. Supporting Organization/Unit, and enclaves are comprehensive enough to rate against each practice. Which criteria is the assessor referring to?
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?
Which document specifies the CMMC Level 1 practices that correspond to basic safeguarding requirements?
In the Code of Professional Conduct, what does the practice of Professionalism require?
Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?
The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?
Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?
An assessor has been working with an OSC ' s point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?
When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?
In preparation for a CMMC Level 1 Self-Assessment, the IT manager for a DIB organization is documenting asset types in the company ' s SSP The manager determines that identified machine controllers and assembly machines should be documented as Specialized Assets. Which type of Specialized Assets has the manager identified and documented?
The IT manager is scoping the company ' s CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?
An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?
What is the legal entity under a contract that has agreed to deliver products or services?
During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?
A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?
A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA & M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC ' s WiFi network. What type of asset is this?
A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?
While determining the scope for a company ' s CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?
While conducting a CMMC Level 2 Assessment, a CCP is reviewing an OSC ' s personnel security process. They have a policy that describes screening individuals prior to authorizing access to CUI, but it does not mention what organizations should be looking for in an individual. There is no link to a process or procedural document. What should the OSC evaluate when screening individuals prior to accessing CUI?
Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?
Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?
Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?
An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?
A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?
Which organization is the governmental authority responsible for identifying and marking CUI?
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?