Free CyberAB CMMC-CCP Exam Questions

Which statement BEST describes the requirements for a C3PA0?

A. An authorized C3PAO must meet some DoD and all ISO/IEC 17020 requirements.

B. An accredited C3PAO must meet all DoD and some ISO/IEC 17020 requirements.

C. AC3PAO must be accredited by DoD before being able to conduct assessments.

D. A C3PAO must be authorized by CMMC-AB before being able to conduct assessments.

Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to. or modification of information"?

A. Adopted security

B. Adaptive security

C. Adequate security

D. Advanced security

Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave have been met?

A. OSC

B. Assessment Team

C. Authorizing official

D. Assessment official

A contractor has implemented IA.L2-3.5.3: Multifactor Authentication practice for their privileged users, however, during the assessment it was discovered that the OSC's standard users do not require MFA to access their endpoints and network resources. What would be the BEST finding?

A. The process is running correctly.

B. It is out of scope as this is a new acquisition.

C. The new acquisition is considered Specialized Assets.

D. Practice is NOT MET since the objective was not implemented.

Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

A. official.

B. adequate.

C. compliant.

D. subjective.

Recording evidence as adequate is defined as the criteria needed to:

A. verify, based on an assessment and organizational scope.

B. verify, based on an assessment and organizational practice.

C. determine if a given artifact, interview response, demonstration, or test meets the CMMC scope.

D. determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?

A. Availability

B. Confidentiality

C. Information Integrity

D. Respect for Intellectual Property

In performing scoping, what should the assessor ensure that the scope of the assessment covers?

A. All assets documented in the business plan

B. All assets regardless if they do or do not process, store, or transmit FCI/CUI

C. All entities, regardless of the line of business, associated with the organization

D. All assets processing, storing, or transmitting FCI/CUI and security protection assets

An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?

A. It handles CUI

B. It is a restricted IS

C. It is government property

D. It is operational technology

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?

A. Procedures for implementing access control lists

B. List of unauthorized users that identifies their identities and roles

C. User names associated with system accounts assigned to those individuals

D. Physical access policy that states. "All non-employees must wear a special visitor pass or be escorted."