During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:

Which document is the BEST source for determining the sources of evidence for a given practice?

At which CMMC Level do the Security Assessment (CA) practices begin?

Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?

In the CMMC Model, how many practices are included in Level 2?

Regarding the Risk Assessment (RA) domain, what should an OSC periodically assess?

Which resource could BEST help a CEO determine how to identify the category of CUI ?

Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of (he OSC's updated POA & M with any accompanying evidence or scheduled collections?

A Lead Assessor is preparing to conduct a Readiness Review during Phase 1 of the Assessment Process. How much evidence MUST be gathered for each practice?

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported from OSC's external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?

A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?

A cyber incident is discovered that affects a covered contractor IS and the CDI residing therein. How long does the contractor have to inform the DoD?

An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI. identified stakeholders, and provided assessment logistics. The OSC has provided the company's cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?

Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?

When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

How does the CMMC define a practice?

The CMMC Level 2 assessment methods include examination and can include:

Which entity specifies the required CMMC Level in Requests for Information and Requests for Proposals?

A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present to the OSC. When should the final results be delivered to the OSC?

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?

An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?

Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?

The evidence needed for each practice and/or process is weighed for:

When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?

After a CMMC Level 2 certification assessment, the Lead Assessor (Lead CCA) is preparing to present the Final Recommended Findings to the OSC . Which statement BEST describes the Lead Assessor’s responsibility for delivering the assessment findings to the OSC?

An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?

Which entity requires that organizations handling FCI or CUI be assessed to determine a required Level of cybersecurity maturity?

While conducting a CMMC Level 2 Assessment, a CCP is reviewing an OSC's personnel security process. They have a policy that describes screening individuals prior to authorizing access to CUI, but it does not mention what organizations should be looking for in an individual. There is no link to a process or procedural document. What should the OSC evaluate when screening individuals prior to accessing CUI?

What service is the MOST comprehensive that the RPO provides?

A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room. as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist's actions are in direct violation of which CMMC practice?

The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company's FCI network, should it be assessed as part of the CMMC Level 1 Self-Assessment Scope?

During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?

To develop an assessment contract and establish a scope of work, which organization does an OSC work with?

When a conflict of interest is unavoidable, a CCP should NOT:

Which organization is the governmental authority responsible for identifying and marking CUI?

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

While conducting a CMMC Level 2 Assessment, the Lead Assessor determines that the OSC has badge readers, pin code pads, and keys for various access points as well as documentation to demonstrate meeting the practice. Which CMMC practice has the OSC MET?

What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"

When executing a remediation review, the Lead Assessor should:

In CMMC High-Level scoping, which definition BEST describes an HQ organization?

For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?

According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA & M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?

Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?

When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC's workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices have received the most updated antivirus patterns. What is the BEST determination that the Lead Assessor should reach regarding the evidence?

During the review of information that was published to a publicly accessible site, an OSC correctly identifies that part of the information posted should have been restricted. Which item did the OSC MOST LIKELY identify?

What is the primary intent of the verify evidence and record gaps activity?

Who has the initial responsibility for identifying and managing conflicts of interest?

While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

Which statement BEST describes an assessor's evidence gathering activities?

CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Who is responsible for identifying and verifying Assessment Team Member qualifications?

What activities are conducted while developing an assessment plan?

What is the BEST description of the purpose of FAR clause 52 204-21?

Which resource contains authoritative data classifications of CUI?

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?