A CMMC Assessment is being conducted at an OSC's HQ, which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?
A CCP is working as an Assessment Team Member on a CMMC Level 2 Assessment. The Lead Assessor has assigned the CCP to assess the OSC's Configuration Management (CM) domain. The CCP's first interview is with a subject-matter expert for user-installed software. With respect to user-installed software, what facet should the CCP's interview focus on?
A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?
A Lead Assessor has been assigned to a CMMC Assessment. During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?
A CMMC Level 1 Self-Assessment identified an asset in the OSC's facility that does not process, store, or transmit FCI. Which type of asset is this considered?
An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?
During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?
A Lead Assessor is performing a CMMC readiness review. The Lead Assessor has already recorded the assessment risk status and the overall assessment feasibility. At MINIMUM, what remaining readiness review criteria should be verified?
Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?
While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?
An assessment is being completed at a client site that is not far from the Lead Assessor's home office. The client provides a laptop for the duration of the engagement. During a meeting with the network engineers, the Lead Assessor requests information about the network. They respond that they have a significant number of drawings they can provide via their secure cloud storage service. The Lead Assessor returns to their home office and decides to review the documents. What is the BEST way to retrieve the documents?
While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?
Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?
Which words summarize the categories of data disposal described in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?
In performing scoping, what should the assessor ensure that the scope of the assessment covers?
An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI, identified stakeholders, and provided assessment logistics. The OSC has provided the company's cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals. Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?
Which NIST SP discusses protecting CUI in nonfederal systems and organizations?
CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:
Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?
In the Code of Professional Conduct, what does the practice of Professionalism require?
Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?
Who makes the final determination of the assessment method used for each practice?
An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?
SC.L2-3.13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?
During assessment planning, the OSC recommends a person to interview for a certain practice. The person being interviewed MUST be the person who:
While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?
A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?
A CCP is providing consulting services to a company who is an OSC. The CCP is preparing the OSC for a CMMC Level 2 assessment. The company has asked the CCP who is responsible for determining the CMMC Assessment Scope and who validates its CMMC Assessment Scope. How should the CCP respond?
An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM, what is required of the Assessment Team to determine if a practice is scored as MET?
An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?
What is the BEST document to find the objectives of the assessment of each practice?
As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?
A Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?
A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?
Which statement BEST describes the key references a Lead Assessor should refer to and use the:
Where does the requirement to include a required practice of ensuring that personnel are trained to carry out their assigned information security-related duties and responsibilities FIRST appear?
During a CMMC readiness review, the OSC proposes that an associated enclave should not be applicable in the scope. Who is responsible for verifying this request?