Question 1

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

Options :

A : federal systems that process, store, or transmit CUI.

B : nonfederal systems that process, store, or transmit CUI.

C :

federal systems that process, store, or transmit CUI. or that provide protection for the system components.

D :

nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.

Answer: B

Question 2

Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to. or modification of information"?

Options :

A : Adopted security

B : Adaptive security

C : Adequate security

D : Advanced security

Answer: C

Question 3

An OSC has requested a C3PAO to conduct a Level 2 Assessment. The C3PAO has agreed, and the two organizations have collaborated to develop the Assessment Plan. Who agrees to and signs off on the Assessment Plan?

Options :

A : OSC and Sponsor

B : OSC and CMMC-AB

C : Lead Assessor and C3PAO

D : C3PAO and Assessment Official

Answer: C

Question 4

When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

Options :

A : is normative for an OSC to follow.

B : contains examples that an OSC must implement.

C : is mandatory and aligns with FAR Clause 52.204-21.

D : provides additional information to facilitate the assessment of the practice.

Answer: D

Question 5

Which authority leads the CMMC direction, standards, best practices, and knowledge framework for how to map the controls and processes across different Levels that range from basic cyber hygiene to advanced cyber practices?

Options :

A : NIST

B : DoD CIO office

C : Federal CIO office

D : Defense Federal Acquisition Regulation Council

Answer: B