In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?
A. 48 CFR 52.204-21 and NIST SP 800-171

You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has implemented a practice using a custom-built tool developed by their IT team. The tool appears to meet the practice's objectives, but no formal documentation or testing records exist. How should you evaluate this evidence?
A. Accept the tool as sufficient evidence since it meets the objectives.

Ron is the Lead Assessor for an OSC's CMMC assessment. His team has scheduled interviews and demonstrations with the OSC's system administrator, Olivia. However, on the first day, the CEO informs Ron that Olivia is very ill and is unavailable. The CEO offers to be interviewed about Olivia's responsibilities instead, even though he does not actually perform those tasks. What should Ron do in this scenario?
A. Have the CEO accompanied by another IT rep during the interview.

During the on-site assessment, the assessment team thoroughly evaluated an OSC's systems, policies, procedures, and practices against the 110 CMMC Level 2 practices. Initially, they found several deficient areas where practices were not fully met. The OSC took advantage of the Limited Practice Deficiency Correction program, which allowed them to provide additional evidence and implement corrections for certain deficient practices during the assessment period. What status should the Lead Assessor recommend for CMMC Level 2 Certification if an OSC has 85 out of 110 practices scored as "MET" after applying the Limited Practice Deficiency Correction program?
A. The Lead Assessor will recommend the OSC receive a final finding of "Not Achieved" for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.

An OSC specializing in developing directed energy systems plans to bid on a DoD contract to produce a 250 kW High Energy Laser Weapon System (HELWS). This system is to be deployed on military bases across the globe to protect U.S. servicemen against aerial threats, including mortars, rockets, and unmanned aerial vehicles (UAVs), as well as swarms of mini-UAVs. Because of the sensitivity of the information, the OSC has prohibited using email to transmit information regarding the project, whether encrypted or otherwise. They have also instituted procedures to remove CUI from the email system. The documents containing project information from the DoD are likely to contain which banner marking?
A. CUI//SP-EXPT

When validating an OSC's proposed CMMC assessment scope, the Assessment Team finds that the OSC has properly categorized its assets. The OSC has contracted an External Service Provider (ESP) for various cybersecurity functions. The ESP has deployed FortiSIEM and Splunk for real-time security monitoring, threat intelligence, application monitoring, log management, and reporting. They also deployed Microsoft Intune and configured app protection policies blocking proscribed apps and those suspected of data exfiltration. How should you handle the ESP during the CMMC assessment?
A. Assess against CMMC practices.

When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6 - Reduction & Reporting?
A. Partially Met

After the Assessment Team has been formed and the OSC Point of Contact (PoC) and Assessment Official have been identified, your C3PAO appoints John as the Lead Assessor. During the kickoff meeting, John reassures the OSC Assessment Official not to worry; they are guaranteed to pass the CMMC assessment. If they don't, John has agreed to refund 40% of the assessment fee. Which of the following is true about John's behavior as a Certified CMMC Assessor?
A. It is unprofessional.

You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11 - Session Termination. When examining the contractor's list of conditions or trigger events requiring session termination, you would expect to find all of the following items EXCEPT:
A. Time-of-day restrictions on system use

During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment. What is your ethical obligation in this situation?
A. Publicly confront the CCA and remind them of the CoPC violation.