A program manager for a defense contractor saves all FCI data relevant to a contract on a flash drive. Why is the flash drive categorized as an FCI Asset ?

Which principles are included in defining the CMMC-AB Code of Professional Conduct?

Which statement is NOT a measure to determine if collected evidence is sufficient?

Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:

Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

In the CMMC Model, how many practices are included in Level 2?

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

During a POA & M closeout assessment , the Lead Assessor and team members verified all evidence provided by the OSC and passed those that satisfied the requirements. Who MUST verify that every failed practice from the initial original assessment has been adequately addressed?

An organization's sales representative is tasked with entering FCI data into various fields within a spreadsheet on a company-issued laptop. This laptop is an FCI Asset being used to:

During the planning phase of a CMMC Level 2 Assessment, the Lead Assessor is considering what would constitute the right evidence for each practice. What is the Assessor attempting to verify?

When a conflict of interest is unavoidable, a CCP should NOT:

What is the BEST document to find the objectives of the assessment of each practice?

Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?

An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?

The Audit and Accountability (AU) domain has practices in:

Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?

What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"

Which CMMC Levels meet the standards of protecting FCI (Federal Contract Information) ?

How many domains does the CMMC Model consist of?

Who makes the final determination of the assessment method used for each practice?

Which document specifies the CMMC Level 1 practices that correspond to basic safeguarding requirements?

Which domains are a part of a Level 1 Self-Assessment?

The practices in CMMC Level 2 consists of the security requirements specified in:

The director of cybersecurity is considering which company offices and data centers store FCI to ensure an accurate scope for their CMMC Level 1 Self-Assessment . Which asset type is the director considering?

Prior to conducting a CMMC Assessment, the contractor must specify the CMMC Assessment scope by categorizing all assets. Which two asset categories are always assessed against CMMC practices?

An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?

A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:

Which government agency are DoD contractors required to report breaches of CUI to?

Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?

Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?

Which statement BEST describes an assessor's evidence gathering activities?

Which standard and regulation requirements are the CMMC Model 2.0 based on?

A contractor has implemented IA.L2-3.5.3: Multifactor Authentication practice for their privileged users, however, during the assessment it was discovered that the OSC's standard users do not require MFA to access their endpoints and network resources. What would be the BEST finding?

Which regulation allows for whistleblowers to sue on behalf of the federal government?

Which entity specifies the required CMMC Level in Requests for Information and Requests for Proposals?

Which statement BEST describes the key references a Lead Assessor should refer to and use the:

What is objectivity as it applies to activities with the CMMC-AB?

Prior to initiating an OSC's CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval. Which document stipulates these reporting requirements?

According to DFARS clause 252.204-7012, who is responsible for determining that Information in a given category should be considered CUI?

An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?

The director of sales, in a meeting, stated that the sales team received feedback on some emails that were sent, stating that the emails were not marked correctly. Which training should the director of sales refer the sales team to regarding information as to how to mark emails?

Which term describes a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers?

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

During an assessment, the Lead Assessor reviews the evidence for each CMMC in-scope practice that has been reviewed, verified, rated, and discussed with the OSC during the daily reviews. The Assessment Team records the final recommended MET or NOT MET rating and prepares to present the results to the assessment participants during the final review with the OSC and sponsor. As a part of this presentation, which document MUST include the attendee list, time/date, location/meeting link, results from all discussed topics, including any resulting actions, and due dates from the OSC or Assessment Team?

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?

When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?

While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

When are contractors required to achieve a CMMC certificate at the Level specified in the solicitation?

Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit. Supporting Organization/Unit, or enclave has been met?

Which resource contains authoritative data classifications of CUI?

When executing a remediation review, the Lead Assessor should:

During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope. Who is responsible for verifying this request?

Which method facilitates understanding by analyzing gathered artifacts as evidence?

Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC's external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

In performing scoping, what should the assessor ensure that the scope of the assessment covers?

Which are guiding principles in the CMMC Code of Professional Conduct?

How many cybersecurity levels does the CMMC Model structure contain?

An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?

Which statement BEST describes a LTP?

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?