CCP Lesson 3

Question 1

Maturity Model

Answer 1

A model that assesses how institutionalized critical practices and processes are in an organization and helps determine what capabilities they need in order to continue to improve their performance.

Question 2

Domain

Answer 2

A grouping of like practices based on the 14 control families set forth in NIST SP 800-171

Question 3

Practice

Answer 3

An activity or set of activities that are performed to meet the defined CMMC objectives

Question 4

Assessment Objective (AO)

Answer 4

Identifies the specific set of objectives that must be met to receive MET for the practice as defined in NIST SP 800-171A

Question 5

Self-assessment

Answer 5

Assessing your organization’s compliance to the practice requirements

Question 6

Self-attestation

Answer 6

Making an official declaration that something complies with regulations without independent substantiating evidence

Question 7

Maturity Model

Answer 7

Measures how well you perform a checklist practice consistently

Question 8

Cybersecurity Maturity Model Certification (CMMC) Model 2.0

Answer 8

Identifies 3 levels of practices that lead to increasingly stronger cyber hygiene

Question 9

Cybersecurity Maturity Model Certification (CMMC) Taxonomy

Answer 9

Cybersecurity Maturity Model Certification Model –> Domains –> Practices –> Assessment Objectives

Question 10

Cybersecurity Maturity Model Certification (CMMC) Domains

Answer 10

14 Domains:

Access Control
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communication Protection
System and information Integrity

Question 11

Cybersecurity Maturity Model Certification (CMMC) Practice

Answer 11

One or more activities that an organization regularly performs, demonstrating a particular cybersecurity capability

Question 12

Cybersecurity Maturity Model Certification (CMMC) Practice Numbering System

Answer 12

Practice number indicate:

Domain
Level
Requirement number

Example: AC.L1-3.1.1

Question 13

Access Control (AC) Domain

Answer 13

Manage who accesses your network and systems

Level 1 - 4 practices

Level 2 - 22 practices

Question 14

Audit and Accountability (AU) Domain

Answer 14

Create logs and review them frequently

Level 1 - 0 practices

Level 2 - 9 practices

Question 15

Awareness and Training (AT) Domain

Answer 15

Ensure your people are trained appropriately

Level 1 - 0 practices

Level 2 - 3 practices

Question 16

Configuration Management (CM) Domain

Answer 16

Ensure baselines and other configurations are kept up to date

Level 1 - 0 practices

Level 2 - 9 practices

Question 17

Identification and Authentication (IA) Domain

Answer 17

Know you is requesting access and authenticate appropriately

Level 1 - 2 practices

Level 2 - 11 practices

Question 18

Incident Response (IR) Domain

Answer 18

Be able to recover once an incident occurs

Level 1 - 0 practices

Level 2 - 3 practices

Question 19

Maintenance (MA) Domain

Answer 19

Keep your systems up to date and patched

Level 1 - 0 practices

Level 2 - 6 practices

Question 20

Media Protection (MP) Domain

Answer 20

Ensure mobile media is protected against theft or loss

Level 1 - 1 practice

Level 2 - 9 practices

Question 21

Personnel Security (PP) Domain

Answer 21

Manage risks to your environment by insiders

Level 1 - 0 practices

Level 2 - 2 practices

Question 22

Physical Protection (PE) Domain

Answer 22

Employ physical protection mechanisms to prevent access to physical devices

Level 1 - 4 practices

Level 2 - 6 practices

Question 23

Risk Assessment (RA) Domain

Answer 23

Have a process for identifying and managing enterprise risk

Level 1 - 0 practices

Level 2 - 3 practices

Question 24

Security Assessment (CA) Domain

Answer 24

Independently verify your security posture

Level 1 - 0 practices

Level 2 - 4 practices

Question 25

System and Communications Protection (SC) Domain

Answer 25

Manage security tools and processes related to system security Level 1 - 2 practices Level 2 - 16 practices

Question 26

System and Information Integrity (SI) Domain

Answer 26

Monitor and protect the information system against malicious content Level 1 - 4 practices Level 2 - 7 practices

Question 27

Cybersecurity Maturity Model Certification (CMMC) Documentation

Answer 27

Cybersecurity Maturity Model Certification (CMMC) Model Overview

Question 28

Cybersecurity Maturity Model Certification (CMMC) Model Overview

Answer 28

Model framework and background for the creation of the Cybersecurity Maturity Model Certification (CMMC) Model

Question 29

Cybersecurity Maturity Model Certification (CMMC) Self-Assessment Guide Level 1

Answer 29

assessment criteria and methodology used by Organization Seeking Certification (OSC) to conduct self-assessment

Question 30

Cybersecurity Maturity Model Certification (CMMC) Assessment Guide Level 2

Answer 30

Assessment criteria and methodology used by Certified Cybersecurity Maturity Model Certification (CMMC) Assessors (CCA)

Question 31

Cybersecurity Maturity Model Certification (CMMC) Self-Assessment Scope Level 1

Answer 31

Used by contractors to specify which assets in the environment are in scope prior to self-assessment

Question 32

Cybersecurity Maturity Model Certification (CMMC) Assessment Scope Level 2

Answer 32

Used by Certified Cybersecurity Maturity Model Certification (CMMC) Professionals (CCPs) and Certified CMMC Assessors (CCAs) to identify assets in the Assessment Scope

Question 33

Cybersecurity Maturity Model Certification (CMMC) Glossary and Acronyms

Answer 33

Definitions and terms used in the Cybersecurity Maturity Model Certification (CMMC) Model

Question 34

Cybersecurity Maturity Model Certification (CMMC) Artifact Hashing Tool User Guide

Answer 34

Guidance on creating a cryptographic reference or hash for assessment artifacts to ensure artifact integrity

Question 35

Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP)

Answer 35

Definitive source for conducting Cybersecurity Maturity Model Certification (CMMC) Assessments. Details critical activities that need to be performed during an assessment

Question 36

Key Aspects of the Cybersecurity Maturity Model Certification (CMMC) 2.0 Framework

Answer 36

Streamlined Model Reliable Assessments Flexible Implementation

Question 37

Project Spectrum

Answer 37

a platform to help Defense Industry Base (DIB) assess and build their cybersecurity capabilities

Question 38

Cybersecurity Maturity Model Certification (CMMC) Self-Assessments

Answer 38

Level 1 and a small subset of Level 2 For Organizations Seeking Certification (OSCs) who handle Federal Contract Information (FCI) only Conducted annually Senior company official required to sign off

Question 39

Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessments

Answer 39

Level 2 For Organizations Seeking Certification (OSCs) who handle Controlled Unclassified Information (CUI) critical to national security CMMC Third-Party Assessor Organization (C3PAO) assess the OSCs compliance with cybersecurity practices and provides an assessment to the DoD Conducted triennially (every 3 years)

Question 40

Supplier Performance Risk System (SPRS)

Answer 40

Where self-assessment scores and affirmations are posted

Question 41

Independent Third-Party Assessment Benefits

Answer 41

Consistency among assessors Impartial Experienced and trained

Question 42

Office of the Undersecretary of Defense for Aquisition and Sustainment (OUSD A&S)

Answer 42

Owner of the Cybersecurity Maturity Model Certification (CMMC) Model and Assessment Guides

Question 43

Cyber Accreditation Body (AB)

Answer 43

Non-profit organization that operationalizes Cybersecurity Maturity Model Certification (CMMC) assessments and training

Question 44

CMMC Assessors and Instructors Certification Organization (CAICO)

Answer 44

Future organization designed to be authorized to certify Cybersecurity Maturity Model Certification (CMMC) assessors and instructors

Question 45

Organizations Under the Authority of The Cyber Accreditation Body (AB)

Answer 45

CMMC Third-Party Assessment Organization (C3PAO) Registered Practitioner Organization (RPO) Organization Seeking Certification (OSC)

Question 46

CMMC Third-Party Assessment Organization (C3PAO)

Answer 46

Authorized to manage the Assessment process for an Organization Seeking Certification (OSC) Certified to provide consultative advice to an OSC

Question 47

Registered Practitioner Organization (RPO)

Answer 47

Organization authorized to provide recommendations and consulting advice about Cybersecurity Maturity Model Certification (CMMC) Assessments Do not conduct Certified CMMC Assessments

Question 48

Organization Seeking Certification (OSC)

Answer 48

Organization going through Cybersecurity Maturity Model Certification (CMMC) Assessment process

Question 49

Organizations Under the Authority of the CMMC Assessors and Instructors Certification Organization (CAICO)

Answer 49

Licensed Partner Publisher (LPP) Licensed Training Provider (LTP)

Question 50

Licensed Partner Publisher (LPP)

Answer 50

Purpose is to create accredited content for use by License Training Providers (LTPs)

Question 51

Licensed Training Provider (LTP)

Answer 51

Purpose is to conduct Certified Cybersecurity Maturity Model Certification (CMMC) classes using Licensed Partner Publisher (LPP) curricula

Question 52

Organizations Seeking Certification (OSC) Roles and Responsibilities

Answer 52

Identify Cybersecurity Maturity Model Certification (CMMC) Level Self- assess Level 1 compliance Seek CMMC Third-Party Assessment Organizations (C3PAO) to conduct level 2 assessments

Question 53

CMMC Third-Party Assessment Organizations (C3PAO) Roles and Responsibilities

Answer 53

Conduct Cybersecurity Maturity Model Certification (CMMC) assessments Have a CMMC Certified Assessor on staff

Question 54

Registered Practitioner Organizations (RPO) Roles and Responsibilities

Answer 54

Provide non-certified consultive services to help the Organization Seeking Certification (OSC)

Question 55

Licensed Partner Publishers (LPP) Roles and Responsibilities

Answer 55

Create Cybersecurity Maturity Model Certification (CMMC) training curricula based on exam objectives

Question 56

Licensed Training Providers (LTP) Roles and Respnsibilities

Answer 56

Provide infrastructure to deliver Cybersecurity Maturity Model Certification (CMMC) training to students Use approved curricula from Licensed Partner Publishers (LPP)

Question 57

CMMC Assessors and Instructors Certification Organization (CAICO) Individuals - Assessment

Answer 57

Certified CMMC Professionals (CCP) Certified CMMC Assessor (CCA) Assessment Team Members Lead Assessors

Question 58

Certified CMMC Professionals (CCP)

Answer 58

Individuals credentialed as understanding the requirements of Cybersecurity Maturity Model Certification (CMMC) for a DoD supplier

Question 59

Certified CMMC Assessor (CCA)

Answer 59

Individuals certified to assess all practices on Cybersecurity Maturity Model Certification (CMMC) Level 2 Assessments

Question 60

Assessment Team Members

Answer 60

Individuals working under the leadership of a Lead Assessor

Question 61

Lead Assessors

Answer 61

Individual who oversees and manages a discrete Cybersecurity Maturity Model Certification (CMMC) Assessment Team

Question 62

Certified CMMC Instructors (CCI)

Answer 62

Authorized to train Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA)

Question 63

Registered Practitioners (RP)

Answer 63

Deliver a non-advisory service informed by basic training on the Cybersecurity Maturity Model Certification (CMMC) standard

Question 64

Provisional Assessors (PA)

Answer 64

Provisionally trained to conduct Assessments at Level 2, during the interim period

Question 65

Provisional Instructors (PI)

Answer 65

Purpose is to establish a cadre of assessors for the Cybersecurity Maturity Model Certification (CMMC) ecosystem during the interim period

Question 66

Cybersecurity Maturity Model Certification (CMMC) Marketplace

Answer 66

Centralized access point for Organizations Seeking Certification (OSCs)

Question 67

Phases of a Third-Party Assessment

Answer 67

Plan for coordination and exchange of artifacts Conduct on-site assessment Report assessment findings

Question 68

Level 2 assessment roles and responsibilities - CMMC Third-Party Assessment Organizations (C3PAO)

Answer 68

Contract with members of the Defense Industrial Base (DIB) Perform initial quality checks on assessment reports

Question 69

Level 2 assessment roles and responsibilities - Lead Assessor

Answer 69

Lead Cybersecurity Maturity Model Certification (CMMC) Assessment Task CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs) Communicate with the Organization Seeking Certification (OSC) and the CMMC Third-Party Assessment Organization (C3PAO)

Question 70

Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Foundational Level 1

Answer 70

Self-assessment

Question 71

Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Advanced Level 2

Answer 71

Third-party assessment for contractors with critical national security information Self-assessment for contractors that do not have information critical to national security

Question 72

Cybersecurity Compliance Requirements Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 Expert Level 3

Answer 72

Government-led assessment

Question 73

Self-Assessment Under Cybersecurity Maturity Model Certification (CMMC) 2.0

Answer 73

Required for Level 1 practices Conducted annually Reported to Supplier Performance and Risk System (SPRS)

Question 74

Consequences of Non-Compliance of Self Assessment

Answer 74

Failure to receive award Contractual Liability Prosecution under the False Claims Act

Question 75

Christian Doctrine

Answer 75

States that mandatory procurement clauses are inherent in all federal contracts

Question 76

False Claims Act

Answer 76

Used to penalize contractors who not in compliance with cybersecurity regulations

Question 77

Civil Cyber-Fraud Initiative

Answer 77

utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors