Cyber AB CMMC-CCP Certified CMMC Professional (CCP) Exam Exam Practice Test

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

The results package for a Level 2 Assessment is being submitted. What MUST a Final Report. CMMC Assessment Results include?

The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?

What is the primary intent of the verify evidence and record gaps activity?

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

At which CMMC Level do the Security Assessment (CA) practices begin?

The evidence needed for each practice and/or process is weight for:

In the Code of Professional Conduct, what does the practice of Professionalism require?

A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present to the OSC. When should the final results be delivered to the OSC?

While developing an assessment plan for an OSC. it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of (he OSC's updated POA&M with any accompanying evidence or scheduled collections?

A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?

While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?

A company has a government services division and a commercial services division. The government services division interacts exclusively with federal clients and regularly receives FCI. The commercial services division interacts exclusively with non-federal clients and processes only publicly available information. For this company's CMMC Level 1 Self-Assessment, how should the assets supporting the commercial services division be categorized?

What is the MOST common purpose of assessment procedures?

In many organizations, the protection of FCI includes devices that are used to scan physical documentation into digital form and print physical copies of digital FCI. What technical control can be used to limit multi-function device (MFD) access to only the systems authorized to access the MFD?

Which example represents a Specialized Asset?

An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

Which document BEST determines the existence of FCI and/or CUI in scoping an assessment with an OSC?

During the assessment process, who is the final interpretation authority for recommended findings?

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?

An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?

There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

Ethics is a shared responsibility between:

Who is responsible for identifying and verifying Assessment Team Member qualifications?

Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?

The Advanced Level in CMMC will contain Access Control {AC) practices from:

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Recording evidence as adequate is defined as the criteria needed to:

A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?

An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?

Which regulation allows for whistleblowers to sue on behalf of the federal government?

In performing scoping, what should the assessor ensure that the scope of the assessment covers?

When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?

An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI. identified stakeholders, and provided assessment logistics. The OSC has provided the company's cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?

Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?

Which domain references the requirements needed to handle physical or digital assets containing CUI?

A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012. what set of established security requirements MUST that cloud provider meet?

During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?

A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC's Configuration Management (CM) domain. The CCP's first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP's interview focus on?

Which entity specifies the required CMMC Level in Requests for Information and Requests for Proposals?

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?

A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to: