





An overview of the assessment objects, test methods, and determination statements used in the Cybersecurity Maturity Model Certification (CMMC) assessment process. It covers key concepts such as assessment objectives, assessment methods, and the specific practices and requirements that must be demonstrated at the different CMMC levels: identifying authorized users, processes, and devices; controlling access to external systems; sanitizing media; limiting physical access; monitoring and protecting communications; and remediating system flaws. It also addresses the scoping of CMMC assessments, the roles and responsibilities of the various stakeholders, and the certification process. Organizations seeking CMMC certification can use it to understand the assessment criteria and prepare for the evaluation.
How many controls does Level 1 have? - 17
How many domains does Level 1 have? - 6: AC, IA, MP, PE, SC, SI
Define assessment methods. - The assessment methods define the nature and the extent of the [Self-Assessor's] actions.
What are the assessment methods? - Examine, Interview, and Test.
Define assessment objects. - Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals.
The examine method is the process of: - reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.
The interview method is the process of: - holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.
The test method is the process of: - exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
Specifications are the: - document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, and architectural designs) associated with a system.
Mechanisms are the: - specific hardware, software, or firmware safeguards employed within a system.
Activities are the: - protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).
Individuals, or groups of individuals, are: - people applying the specifications, mechanisms, or activities described in the CMMC 2.0 Self-Assessment Guide - Level 1.
An assessment procedure consists of an: - assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment.
Each assessment objective includes a: - determination statement related to the [CMMC practice] that is the subject of the assessment.
The determination statements are linked to the (1) to ensure (2) of the assessment results to the requirements. - (1) content of the [CMMC practice]; (2) traceability.
AC.L1-3.1.1 - Authorized Access Control. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). - Determine if: [a] authorized users are identified; [b] processes acting on behalf of authorized users are identified; [c] devices (and other systems) authorized to connect to the system are identified; [d] system access is limited to authorized users; [e] system access is limited to processes acting on behalf of authorized users; and [f] system access is limited to authorized devices (including other systems).
AC.L1-3.1.2 - Transaction & Function Control. Limit information system access to the types of transactions and functions that authorized users are permitted to execute. - Determine if: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and [b] system access is limited to the defined types of transactions and functions for authorized users.
AC.L1-3.1.20 - External Connections. Verify and control/limit connections to and use of external information systems. - Determine if: [a] connections to external systems are identified; [b] the use of external systems is identified; [c] connections to external systems are verified; [d] the use of external systems is verified; [e] connections to external systems are controlled/limited; and [f] the use of external systems is controlled/limited.
AC.L1-3.1.22 - Control Public Information. Control information posted or processed on publicly accessible information systems. - Determine if: [a] individuals authorized to post or process information on publicly accessible systems are identified; [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified; [c] a review process is in place prior to posting of any content to publicly accessible systems;
[b] physical access devices are controlled; and [c] physical access devices are managed.
SC.L1-3.13.1 - Boundary Protection. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. - Determine if: [a] the external system boundary is defined; [b] key internal system boundaries are defined; [c] communications are monitored at the external system boundary; [d] communications are monitored at the key internal boundaries; [e] communications are controlled at the external system boundary; [f] communications are controlled at key internal boundaries; [g] communications are protected at the external system boundary; and [h] communications are protected at key internal boundaries.
SC.L1-3.13.5 - Public-Access System Separation. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. - Determine if: [a] publicly accessible system components are identified; and [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
SI.L1-3.14.1 - Flaw Remediation. Identify, report, and correct information and information system flaws in a timely manner. - Determine if: [a] the time within which to identify system flaws is specified; [b] system flaws are identified within the specified time frame; [c] the time within which to report system flaws is specified; [d] system flaws are reported within the specified time frame; [e] the time within which to correct system flaws is specified; and [f] system flaws are corrected within the specified time frame.
SI.L1-3.14.2 - Malicious Code Protection. Provide protection from malicious code at appropriate locations within organizational information systems. - Determine if: [a] designated locations for malicious code protection are identified; and [b] protection from malicious code at designated locations is provided.
SI.L1-3.14.4 - Update Malicious Code Protection. Update malicious code protection mechanisms when new releases are available. - Determine if: [a] malicious code protection mechanisms are updated when new releases are available.
SI.L1-3.14.5 - System & File Scanning. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. - Determine if: [a] the frequency for malicious code scans is defined; [b] malicious code scans are performed with the defined frequency; and [c] real-time malicious code scans of files from external sources are performed as files are downloaded, opened, or executed.
What is the number of controls for a passing score? - 88 of 110.
What is the minimum passing score? - 80%.
How many days do you have to complete your POA&M for a conditional certification? - 5 days.
How many days after the assessment do you have to close out your POA&M and have those controls reassessed? - 180 days.
CUI: whose responsibility? - NARA.
Who manages the CUI Registry? - NARA.
The timing of the required Checkpoints usually happens: - daily, at the end of the assessment day.
Who oversees and manages the individuals involved and the phases of the CMMC Assessment for a particular OSC? - The Lead Assessor.
32 CFR Part 2002 and EO 13556 focus on the protection of what? - CUI.
In order to appropriately scope at Level 1, the contractor must consider what elements involved with the handling of FCI within their environment? - People, Facilities, and Technology.
T/F: CUI requires protection measures outlined at CMMC Level 2 or above. - True.
T/F: The objective assessments for each practice/system in scope roll up at the lowest level of compliance/conformity. - True.
What are the correct potential outcomes for POA&M close-out? (Choose 2) A. The OSC fails to correct the POA&M deficiencies, and the CMMC L2 Limited Certification becomes null and void. B. The OSC fails to correct the POA&M deficiencies and is allowed to forego the CMMC L2 Certification requirement. C. The OSC corrects all POA&M deficiencies, and the Lead Assessor will recommend CMMC L2 Final Certification. D. The OSC fails to correct the POA&M deficiencies and is allowed to apply for a one-time POA&M extension. - A. The OSC fails to correct the POA&M deficiencies, and the CMMC L2 Limited Certification becomes null and void.
C. Maintain the CMMC Model and Assessment Guide. D. Build an ecosystem to implement the CMMC Model and program. - C. Maintain the CMMC Model and Assessment Guide.
NARA requires that CUI Category and Subcategory markings are separated by a: - double forward slash (//).
The LRP drivers are behind the compliance requirements that government contractors must adhere to. The term LRP stands for: - Legal, Regulatory, Policy.
What OSC artifacts are typically used by the Assessment Team for the scoping activities? - Asset inventory and network diagrams.
After the C3PAO uploads the Assessment Results Package into CMMC eMASS, the Lead Assessor has one remaining mandatory task, which is: - verify that artifacts are archived or disposed of.
T/F: As CMMC becomes widely implemented, sections of RFPs may be available for viewing only by organizations with CMMC certification. - True.
T/F: The OSC must contract with the same C3PAO that conducted the original assessment to close out the POA&M. - False.
Practice AC.L2-3.1.5 specifies that organizations should employ the principle of least privilege for privileged accounts. At which CMMC level does an organization become responsible for demonstrating that it follows this practice? - Level 2.
For an artifact to be accepted as evidence in an assessment using the Examine method, it must: (Choose 2). -
During the initial discussion between the OSC and the C3PAO, it is recommended that C3PAOs include which document as part of the initial contractual agreement? - NDA.
The CoPC practices include which of the following areas: (Choose 3). A. CMMC Model and Architecture. B. Information Integrity. C. Evidence Availability. D. Adherence to materials and methods. E. Confidentiality. - B. Information Integrity. D. Adherence to materials and methods. E. Confidentiality.
Specialized Assets can consist of the following types: (Choose 2). A. Restricted Information Systems. B. Public-facing websites. C. In-house accounting system. D. Operational Technology. - A. Restricted Information Systems. D. Operational Technology.
A CMMC Level 2 certificate is only valid for _________ _________. - 3 years.
Which of the following are part of the CCP's guiding principles? (Choose 3). A. Proper Use of Methods. B. Framework Proficiency. C. Technology Proficiency. D. Objectivity. E. Confidentiality. - A. Proper Use of Methods. D. Objectivity. E. Confidentiality.
The format for the Final Findings Brief will be based on: - the Assessment Findings Brief template.
Which of the following can be Assessment Team Members? (Choose 2). A. Certified CMMC Professional. B. Certified CMMC Assessor. C. Registered Practitioner. D. Provisional Instructor. - A. Certified CMMC Professional. B. Certified CMMC Assessor.
What Level 2 assets are assessed against only CMMC practice CA.L2-3.12.4 System Security Plan? -