Which determination should be reached?
There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?
A. The OSC may have 90 days for remediating NOT MET practices.
B. The OSC is not eligible for an option to remediate NOT...
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information"?
A. Adopted security
B. Adaptive security
C. Adequate security
D. Advanced security
Answer: C
Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave has been met?
Who will verify the adequacy and sufficiency of evidence to determine whether the practices and related components for each in-scope Host Unit, Supporting Organization/Unit, or enclave has been met?
A. OSC
B. Assessment Team
C. Authorizing official
D. Assessment official
Answer: B
Who is responsible for identifying and verifying Assessment Team Member qualifications?
Who is responsible for identifying and verifying Assessment Team Member qualifications?
A. C3PAO
B. CMMC-AB
C. Lead Assessor
D. CMMC Marketplace
Answer: A
What set of established security requirements MUST that cloud provider meet?
A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012, what set of established security requirements MUST that cloud provider meet?
A. FedRAMP Low
B. FedRAMP Moderate
C. FedRAMP High
D. FedRAMP Secure
Answer:...
Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?
During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a...
What can the assessor do?
An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?
A. Notify the CMMC-AB.
B. Cancel the assessment.
C. Postpone the assessment.
D. Contact the C3PAO for guidance.
...
What service is the MOST comprehensive that the RPO provides?
What service is the MOST comprehensive that the RPO provides?
A. Training services
B. Education services
C. Consulting services
D. Assessment services
Answer: D
What is the MOST correct action to take?
While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?
A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.
B. ...
What is the BEST determination that the Lead Assessor should reach regarding the evidence?
When assessing SI.L1-3.14.2: Provide protection from malicious code at appropriate locations within organizational information systems, evidence shows that all of the OSC's workstations and servers have antivirus software installed for malicious code protection. A centralized console for the antivirus software management is in place and records show that all devices...