CCP

Question 1

What is the 4 phases of the CAP ?

Answer 1

Phase 1: Plan and Prepare Assessment
Phase 2: Conduct the Assessment
Phase 3: Report recommended assessment Results
Phase 4: Close-Out POA&M and Assessment

Question 2

Acronym: CUI ?

Answer 2

Control Unclassified Information

Question 3

Acronym: FCI ?

Answer 3

Federal Contract Information

Question 4

Acronym: DIB ?

Answer 4

Defense Industrial Base - Provides research and development services to US military such as design, manufacture, distribution and maintenance of military weapons systems and components.

Question 5

Acronym: LPP ?

Answer 5

Licensed Partner Publishers - develop training courses based on the CyberAB curriculum

Question 6

Acronym: FAR ?

Answer 6

Federal Acquisition Regulation - main set of rules that all U.S. federal executive agencies must follow when they buy goods or services using government funds.

Question 7

Acronym: DFARS ?

Answer 7

Defense Federal Acquisition Regulation Supplement - extension of the Federal Acquisition Regulation (FAR) that adds specific rules for Department of Defense (DoD) contracts.

Question 8

How many domains are there ?

Answer 8

14

Question 9

How many domains does level 1 have ?

Answer 9

6

Question 10

How many domains does level 2 have ?

Answer 10

14

Question 11

Is it true or false that CCP is only authorized to analyze only level 1 practices when conducting a CMMC assessment ?

Answer 11

True

Question 12

What is Phase 2 of the CAP ?

Answer 12

Phase 2: Conduct Assessment

Question 13

What are the 4 sub-phases of Phase 2 ?

Answer 13

1. Convene assessment kickoff meeting
2. Collect and examine evidence
3. Score OSC practices and validate preliminary results.
4. Generate and validate preliminary recommended findings

Question 14

What are the 3 steps in examining practices ?

Answer 14

Examine, interview, and Test

Question 15

When viewing evidence for a practice you must ensure ?

Answer 15

Adequacy and Sufficiency

Question 16

When a practice has not been effectively implemented but not appropriately documented, the assessment team should define it as ?

Answer 16

Limited Practice Deficiency Correction

Question 17

Does the CAP provide a list of ineligible and eligible practice for LPDC ?

Answer 17

Yes (true)

Question 18

True or False: During Phase 2, the CCP can assist the assessment team in collecting and examining evidence, scoring practices, and validating preliminary results and generating final assessment results for level 2 practices.

Answer 18

False

Question 19

What is Phase 3 of the CAP?

Answer 19

Phase 3: Report Recommended Assessment Results

Question 20

What are the two steps in Phase 3 of the CAP ?

Answer 20

1. Deliver recommended assessment results(final findings)(during final findings briefing)
2. Submit, package, and archive assessment documentation

Question 21

What template is to be using to deliver the assessment results to the OSC assessment official ?

Answer 21

Final Findings Briefing Template

Question 22

True or False: The C3PAO must use the CMMC eMASS JSON schema (detailed in the eMASS CONOPS ) for uploading the assessment results into CMMC eMASS. In how many days after the final findings briefing ?

Answer 22

True, in 20 days.

Question 23

Acronym: LPDCP ?

Answer 23

Limited Practice Deficiency Correction Program

Question 24

What happens if any practices on the LPDCP fail to result in a score of “MET” ?

Answer 24

The Lead Assessor will recommend moving the OSCs practice deficiency’s to a POA&M.

Question 25

What percentage of the assessment score must it be to move the OSC to the POA&M close-out assessment option ?

Answer 25

80%

Question 26

What document does the Lead Assessor use to present the final recommended findings ?

Answer 26

Assessment Findings Brief Template

Question 27

Who verifys assessment documentation prior to eMASS upload to ensure accuracy and completeness of the assessment results package ? And how long should the final report be submitted to the CQAP after the Final Findings Briefing ?

Answer 27

The CMMC Quality Assurance Professional (CQAP) and no later than 10 days

Question 28

How long does the Assessment Results package need to be retained and protected from confidentiality, non-disclosure and any other CUI ?

Answer 28

For three years

Question 29

What must the lead assessor ensure the OSC has done with the assessments results package since it remains with the OSC ?

Answer 29

Hashed all artifacts in accordance with the CMMC Artifact hashing tool user guide and retain for 3 years

Question 30

True or False: The CCP is allowed to take evidence or artifacts collected during the CMMC assessment ?

Answer 30

False

Question 31

What is Phase 4 of the CAP ?

Answer 31

Phase 4: Close-out POA&Ms and Assessment

Question 32

True or False: The C3PAO has the sole authority for validating the OSC POA&M close out results

Answer 32

True

Question 33

Acronym: RPO ?

Answer 33

Registered Provider Organization - offers non-certified CMMC consulting services to help organizations prepare for a CMMC assessment.

Question 34

True/False: RPOs are authorized to conduct assessments.

Answer 34

False

Question 35

Acronym: LTP ?

Answer 35

LTP program is designed for education and training providers that are responsible for delivering the training courses developed by LPPs.

Question 36

Acronym: FISMA ?

Answer 36

Federal Information Security Modernization Act - U.S. legislation that aims to improve the cybersecurity practices of the Federal Government.

Question 37

Acronym: NISPOM ?

Answer 37

The National Industrial Security Program Operating Manual (NISPOM) prescribes the restrictions and safeguarding requirements for protecting classified information.

Question 38

Acronym: FedRAMP?

Answer 38

The Federal Risk and Authorization Management Program (FedRAMP) is a government- wide program established to facilitate a secure transition to and use of cloud technologies.

Question 39

SSP ?

Answer 39

A System Security Plan (SSP) is a formal document that describes how an organization’s systems and processes protect sensitive information (like FCI or CUI) and how the organization meets security requirements.

Question 40

what does the FAR Clause 52.204-21 specify ?

Answer 40

specifies basic safeguarding requirements for all DoD contractors that process , store, or transmit FCI. (15 controls equivalent to 17 NIST SP 800-171 controls)

Question 41

What type of info must be present for DFARS Clause 252.204-7012 to apply to contracts ?

Answer 41

only apply when unclassified controlled technical information is present.

Question 42

What does DFARS Clause 252.204-7012 require ?

Answer 42

This clause requires all contractors and subcontractors to safeguard covered defense information that is either stored or transmitted through their information systems and networks. (CUI) (based on entire NIST SP 800-171)

Question 43

What does DFARS Clause 252.204-7013 require ?

Answer 43

Rights in Technical Data (Noncommercial Items), rule explains who owns and can use technical data (like designs, drawings, or specifications) that a contractor creates under a DoD contract.

Question 44

What is NIST SP 800-171, and why is it important?

Answer 44

It’s a set of 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. It’s the foundation for CMMC Level 2 requirements.

Question 45

What is 32 CFR Part 2002 about?

Answer 45

It’s managed by NARA/ISOO and sets standards for marking, safeguarding, and reviewing CUI programs.

Question 46

Which of the following is NOT a specification under NIST SP 800-171A?

Answer 46

Monitoring Network Traffic

Question 47

To become a CMMC Third Party Assessment Organization an organization must be which one of the following to qualify?

Answer 47

It must be 100% U.S Citizen owned

Question 48

What is a key requirement before the Cyber AB can accredit a candidate C3PAO?

Answer 48

The candidate C3PAO mist achieve and maintain ISO/IEC 17020 accredidation standard.

Question 49

When is the Contractor required to report cyber incidents to DoD according to the DFARS Clause 252.204-7012?

Answer 49

Within 72 hours of discovery