According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?

What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"

Before submitting the assessment package to the Lead Assessor for final review, a CCP decides to review the Media Protection (MP) Level 1 practice evidence to ensure that all media containing FCI are sanitized or destroyed before disposal or release for reuse. After a thorough review, the CCP tells the Lead Assessor that all supporting documents fully reflect the performance of the practice and should be accepted because the evidence is:

For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?

A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?

Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?

When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?

In CMMC High-Level scoping, which definition BEST describes an HQ organization?

Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:

For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

The Advanced Level in CMMC will contain Access Control (AC) practices from:

A contractor stores security policies, system configuration files, and audit logs in a centralized file repository for later review. According to CMMC terminology, the file repository is being used to:

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly. Is this sufficient to pass the practice?

A Lead Assessor is preparing to conduct a Readiness Review during Phase 1 of the Assessment Process. How much evidence MUST be gathered for each practice?

Which organization is the governmental authority responsible for identifying and marking CUI?

During an assessment, which phase of the process identifies conflicts of interest?

Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?

An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

Which standard and regulation requirements are the CMMC Model 2.0 based on?

The evidence needed for each practice and/or process is weighed for:

Which standard of assessment do all C3PAO organizations execute an assessment methodology based on?

Which statement BEST describes the requirements for a C3PA0?

Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

What is the BEST document to find the objectives of the assessment of each practice?

Which statement BEST describes an assessor's evidence gathering activities?

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

Which statement is NOT a measure to determine if collected evidence is sufficient?

In the Code of Professional Conduct, what does the practice of Professionalism require?

Ethics is a shared responsibility between:

Which resource contains authoritative data classifications of CUI?

Evidence gathered from an OSC is being reviewed. Based on the assessment and organizational scope, the Lead Assessor requests the Assessment Team to verify that the coverage by domain, practice. Host Unit. Supporting Organization/Unit, and enclaves are comprehensive enough to rate against each practice. Which criteria is the assessor referring to?

Validation of findings is an iterative process usually performed during the Daily Checkpoints throughout the entire assessment process. As a validation activity, why are the preliminary findings important?

A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?

In the CMMC Model, how many practices are included in Level 2?

A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?

The IT manager is scoping the company's CMMC Level 1 Self-Assessment. The manager considers which servers, laptops. databases, and applications are used to store, process, or transmit FCI. Which asset type is being considered by the IT manager?

The practices in CMMC Level 2 consist of the security requirements specified in:

The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

A server is used to store FCI with a cloud provider long-term. What is the server considered?

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

What is DFARS clause 252.204-7012 required for?

A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?

Prior to initiating an OSC's CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval. Which document stipulates these reporting requirements?

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

What is the primary intent of the verify evidence and record gaps activity?

An assessor needs to get the most accurate answers from an OSC's team members. What is the BEST method to ensure that the OSC's team members are able to describe team member responsibilities?

A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Which regulation allows for whistleblowers to sue on behalf of the federal government?

Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?

During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?

An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

How many domains does the CMMC Model consist of?