When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?
Which assessment method compares actual-specified conditions with expected behavior?
As part of CMMC 2.0, the change to Level 1 Self-Assessments supports "reduced assessment costs" and allows all companies at Level 1 (Foundational) to:
In the CMMC Model, how many practices are included in Level 2?
Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?
When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?
During an assessment, which phase of the process identifies conflicts of interest?
Which NIST SP defines the Assessment Procedure leveraged by the CMMC?
How are the Final Recommended Assessment Findings BEST presented?
How does the CMMC define a practice?
Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?
Evidence gathered from an OSC is being reviewed. Based on the assessment and organizational scope, the Lead Assessor requests the Assessment Team to verify that the coverage by domain, practice, Host Unit, Supporting Organization/Unit, and enclaves is comprehensive enough to rate against each practice. Which criterion is the assessor referring to?
A dedicated local printer is used to print out documents with FCI in an organization. This is considered an FCI Asset. Which function BEST describes what the printer does with the FCI?
During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?
An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?
In the Code of Professional Conduct, what does the practice of Professionalism require?
An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI, identified stakeholders, and provided assessment logistics. The OSC has provided the company's cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals. Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?
Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?
Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?
In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?
An assessor needs to get the most accurate answers from an OSC's team members. What is the BEST method to ensure that the OSC's team members are able to describe team member responsibilities?
A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?
An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?
An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?
The evidence needed for each practice and/or process is weighed for:
What are CUI protection responsibilities?
What is objectivity as it applies to activities with the CMMC-AB?
Which government agency are DoD contractors required to report breaches of CUI to?
Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:
Which statement BEST describes the requirements for a C3PAO?
A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room, as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist's actions are in direct violation of which CMMC practice?
How many domains does the CMMC Model consist of?
Recording evidence as adequate is defined as the criteria needed to:
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
The Audit and Accountability (AU) domain has practices in:
Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?
Which document is the BEST source for determining the sources of evidence for a given practice?
A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?
Which resource contains authoritative data classifications of CUI?
What is the LAST step when developing an assessment plan for an OSC?
The CMMC Level 2 assessment methods include examination and can include:
What is a PRIMARY activity that is performed while conducting an assessment?
An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?
Which regulation allows for whistleblowers to sue on behalf of the federal government?
Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?
A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?
While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?
An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly. Is this sufficient to pass the practice?
Who is responsible for ensuring that subcontractors have a valid CMMC Certification?