CCP Lesson 5

Question 1

Scope

Answer 1

The scale or extent of what will be evaluated for conformity, which includes those assets (people, facilities, technology) within the OSC’s environment that are targeted for CMMC Assessment because they interact with sensitive information - for example, by containing it, touching it in transit, or operating on the same network as it.

Question 2

Scoping

Answer 2

The process of setting or determining the scope.

Question 3

Headquarters (HQ) Organization

Answer 3

The legal entity that will be delivering services or products under the terms of a DoD contract

Question 4

Host Unit

Answer 4

The specific people, procedures, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered as the OSC for CMMC Assessment purposes

Question 5

Supporting Organization/Units

Answer 5

The people, procedures, and technology external to the HQ Organization that support the Host Unit. The affiliated asset may need to be included as part of the CMMC Assessment Scope

Question 6

Out-of-Scope Assets

Answer 6

Assets that cannot process, store or transmit FCI or CUI because they are physically or logically separated from CUI assets or are inherently unable to do so.

Question 7

System

Answer 7

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Question 8

Shared Responsibility Matrix

Answer 8

A mechanism that identifies the person(s) or team(s) in the OSC or the ESP responsible for the implementation and sustainment of the technical controls, as reflected in the terms of service between the EST as provider and the OSC as customer.

Question 9

Security Control Inheritance

Answer 9

A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; either internal or external to the organization where the system or application resides.

Question 10

CMMC Certification Boundary

Answer 10

Defines the assets to which an assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certificate will be applied.

Question 11

Assessment Boundary

Answer 11

Identifies all assets in the contractor’s environment for the Assessment engagement. Assets within the Assessment Boundary can be part of the CMMC Certification Boundary or Enabling Assets.

Question 12

System Security Plan

Answer 12

The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configuration management plan, and incident response plan.

Question 13

Enclave

Answer 13

A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave.

Question 14

Cybersecurity Maturity Model Certification (CMMC) Level 1 Scoping Guidance

Answer 14

Cybersecurity Maturity Model Certification (CMMC) Self-assessment Scope must be done before Level 1 Cybersecurity Maturity Model Certification (CMMC) Self-Assessment

Informs which assets will be assessed

Informs the details of the Self-Assessment

Question 15

Cybersecurity Maturity Model Certification (CMMC) Level 2 Scoping Guidance

Answer 15

Prior to an assessment, contractor assets must be categorized

Question 16

Data at use

Answer 16

Processing

When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is actively being used by a system component

Question 17

Data at rest

Answer 17

Storage

When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is inactive

Question 18

Data in Motion

Answer 18

When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is transferred from one information system or one location to another

Question 19

Level 1 scoping considerations

Answer 19

People

Technology

Facilities

External Service providers

Question 20

Cloud-based External Service Providers

Answer 20

Virtualized

Save on capital and operational expenses

Question 21

Security Protection Assets

Answer 21

Cybersecurity Maturity Mode Certification (CMMC) Level 2

Provide security functions or capabilities to the Office seeking Certification (OSC)

Question 22

Contractor Risk Managed Assets

Answer 22

Managed using contractor’s risk-based information security policy, procedures, and practices

Question 23

Specialized Assets

Answer 23

Part of Cybersecurity Maturity Certification (CMMC) Level 2
- Government Propery
- Internet of Things (IoT) or Industial Internet of Things (IIoT)
- Operational Technology
- Restricted Information Systems
- Test Equipment

Question 24

Specialized Assets - Government Property

Answer 24

All property owned or leased by the government

Question 25

Specialized Assets - Internet of Things (IoT) or Industial Internet of Things (IIoT)

Answer 25

Interconnected devices having physical or virtual representation in the digital world

Question 26

Specialized Assets - Operational Technology (OT)

Answer 26

Used in manufacturing systems, Industrial Control Systems (ICS), or Supervisory Control and Data Aquisition (SCADA) Systems

Question 27

Specialized Assets - Restricted Information Systems

Answer 27

Systems that are configured based entirely on government requirements and used to support the contract

Question 28

Specialized Assets - Test Equipment

Answer 28

Used in testing of products, system components, and contract deliverables

Question 29

Controlled Unclassified Information (CUI) Asset Contractor Requirements

Answer 29

Document asset inventory Document System Security Plan (SSP) Document Network Diagram Prepare to be assessed against Level 2 Practices

Question 30

Security Protection Assets Contractor Requirements

Answer 30

Document asset inventory Document System Security Plan (SSP) Document Network Diagram Prepare to be assessed against Level 2 Practices

Question 31

Contractor Risk Managed Assests Contractor Requirements

Answer 31

Document asset inventory Document System Security Plan (SSP) Document Network Diagram Prepare to be assessed against CA.L2-3.12.4

Question 32

Specialized Assets Contractor Requirements

Answer 32

Document asset inventory Document System Security Plan (SSP) Document Network Diagram Prepare to be assessed against CA.L2-3.12.4

Question 33

Follow the Information Strategy

Answer 33

Used to determine scope

Question 34

Scoping Methodology

Answer 34

Identify Sensitive Information Identify business processes that use that information identify systems that directly support those processes Identify enabling systems

Question 35

Categories of Cloud Services

Answer 35

Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)

Question 36

Shared Responsibility Matrix

Answer 36

Identifies who is responsible for each Assessment Objective

Question 37

Responsible, Accountable, Consulted, Informed (RACI) Chart

Answer 37

A way to document a shared responsibility matrix

Question 38

Establishing Scope

Answer 38

Inventory all systems Catalog Sensitive Information Determine how sensitive information moves Identify Systems and enabling systems in scope