EMT Practice Test

1. Question Content...


Question List

Question1: An assessor is collecting affirmations. So far, the assessor has collected interviews, demonstrations, emails, messaging, and presentations. Are these appropriate approaches to collecting affirmations?

Question2: While conducting a CMMC Assessment, an individual from the OSC provides documentation to the assessor for review. The documentation states an incident response capability is established and contains information on incident preparation, detection, analysis, containment, recovery, and user response activities. Which CMMC practice is this documentation attesting to?

Question3: Per DoDI 5200.48: Controlled Unclassified Information (CUI), CUI is marked by whom?

Question4: Which authority leads the CMMC direction, standards, best practices, and knowledge framework for how to map the controls and processes across different Levels that range from basic cyber hygiene to advanced cyber practices?

Question5: Companies that knowingly defraud the government by not being in compliance with cybersecurity regulations are at risk of being held liable for:

Question6: What is DFARS clause 252.204-7012 required for?

Question7: A C3PAO has completed a Limited Practice Deficiency Correction Evaluation following an assessment of an OSC. The Lead Assessor has recommended moving deficiencies to a POA&M. but the OSC will remain on an Interim Certification. What is the MINIMUM number of practices that must be scored as MET to initiate this course of action?

Question8: When planning an assessment, the Lead Assessor should work with the OSC to select personnel to be interviewed who could:

Question9: Which example represents a Specialized Asset?

Question10: Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

Question11: Which assessment method compares actual-specified conditions with expected behavior?

Question12: Which resource contains authoritative data classifications of CUI?

Question13: An Assessment Team is conducting a Level 2 Assessment at the request of an OSC. The team has begun to score practices based on the evidence provided. At a MINIMUM what is required of the Assessment Team to determine if a practice is scored as MET?

Question14: Ethics is a shared responsibility between:

Question15: Which NIST SP discusses protecting CUI in nonfederal systems and organizations?

Question16: What is objectivity as it applies to activities with the CMMC-AB?

Question17: What is the BEST document to find the objectives of the assessment of each practice?

Question18: An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?

Question19: An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?

Question20: Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

Question21: A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company.
Subsequently, another person was hired into that position but has not signed the document. Is this document valid?

Question22: Which phase of the CMMC Assessment Process includes the task to identify, obtain inventory, and verify evidence?

Question23: Which standard of assessment do all C3PAO organizations execute an assessment methodology based on?

Question24: An Assessment Team is reviewing a practice that is documented and being checked monthly. When reviewing the logs, the practice is only being completed quarterly. During the interviews, the team members say they perform the practice monthly but only document quarterly. Is this sufficient to pass the practice?

Question25: A Lead Assessor is preparing to conduct a Readiness Review during Phase 1 of the Assessment Process. How much evidence MUST be gathered for each practice?

Question26: In the CMMC Model, how many practices are included in Level 1?

Question27: Which term describes "the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to. or modification of information"?

Question28: In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

Question29: During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?

Question30: During Phase 4 of the Assessment process, what MUST the Lead Assessor determine and recommend to the C3PAO concerning the OSC?

Question31: Which words summarize categories of data disposal described in the NIST SP 800-88 Revision 1, Guidelines for Media Sanitation?

Question32: Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

Question33: When assessing an OSC for CMMC: the Lead Assessor should use the information from the Discussion and Further Discussion sections in each practice because it:

Question34: According to the Configuration Management (CM) domain, which principle is the basis for defining essential system capabilities?

Question35: On a Level 2 Assessment Team, what are the roles of the CCP and the CCA?

Question36: In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

Question37: A Level 2 Assessment was conducted for an OSC, and the results are ready to be submitted. Prior to uploading the assessment results, what step MUST the C3PAO complete?

Question38: Which statement is NOT a measure to determine if collected evidence is sufficient?

Question39: The Advanced Level in CMMC will contain Access Control {AC) practices from:

Question40: Exercising due care to ensure the information gathered during the assessment is protected even after the engagement has ended meets which code of conduct requirement?

Question41: In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?

Question42: An Assessment Team Member is conducting a CMMC Level 2 Assessment for an OSC that is in the process of inspecting Assessment Objects for AC.L1-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) to determine the adequacy of evidence provided by the OSC. Which Assessment Method does this activity fall under?

Question43: As part of CMMC 2.0, the change to Level 1 Self-Assessments supports "reduced assessment costs" allows all companies at Level 1 (Foundational) to:

Question44: Which standard and regulation requirements are the CMMC Model 2.0 based on?

Question45: A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?

Question46: The Lead Assessor is presenting the Final Findings Presentation to the OSC. During the presentation, the Assessment Sponsor and OSC staff inform the assessor that they do not agree with the assessment results.
Who has the final authority for the assessment results?

Question47: The evidence needed for each practice and/or process is weighed for:

Question48: Which government agency are DoD contractors required to report breaches of CUI to?

Question49: There are 15 practices that are NOT MET for an OSC's Level 2 Assessment. All practices are applicable to the OSC. Which determination should be reached?

Question50: Prior to initiating an OSC's CMMC Assessment, the Lead Assessor briefed the team on the most important requirements of the assessment. The assessor also insisted that the same results of the findings summary, practice ratings, and Level recommendations must be submitted to the C3PAO for initial processes and review. After several weeks of assessment, the C3PAO completes the internal review, the recommended results are then submitted through the C3PAO for final quality review and rating approval. Which document stipulates these reporting requirements?

Question51: How are the Final Recommended Assessment Findings BEST presented?

Question52: What is a PRIMARY activity that is performed while conducting an assessment?

Question53: An assessor has been working with an OSC's point of contact to plan and prepare for their upcoming assessment. What is one of the MOST important things to remember when analyzing requirements for an assessment?

Question54: Which phase of the CMMC Assessment Process includes developing the assessment plan?

Question55: The Audit and Accountability (AU) domain has practices in:

Question56: Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?

Question57: The facilities manager for a company has procured a Wi-Fi enabled, mobile application-controlled thermostat for the server room, citing concerns over the inability to remotely gauge and control the temperature of the room. Because the thermostat is connected to the company's FCI network, should it be assessed as part of the CMMC Level 1 Self-Assessment Scope?

Question58: A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?

Question59: While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users. processes acting on behalf of users, and devices?

Question60: An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?

Question61: A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?

Question62: For CMMC Assessments, during Phase 1 of the CMMC Assessment Process, which are responsible for identifying potential conflicts of information?

Question63: While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third- party organization?

Question64: An OSC receives an email with "CUI//SP-PRVCY//FED Only" in the body of the message Which organization's website should the OSC go to identify what this marking means?

Question65: Recording evidence as adequate is defined as the criteria needed to:

Question66: When a conflict of interest is unavoidable, a CCP should NOT:

Question67: A company is about to conduct a press release. According to AC.L1-3.1.22: Control information posted or processed on publicly accessible systems, what is the MOST important factor to consider when addressing CMMC requirements?

Question68: A Lead Assessor is planning an assessment and scheduling the test activities. Who MUST perform tests to obtain evidence?

Question69: An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

Question70: An OSC has submitted evidence for an upcoming assessment. The assessor reviews the evidence and determines it is not adequate or sufficient to meet the CMMC practice. What can the assessor do?

Question71: Two assessors cannot agree if a certain practice should be rated as MET or NOT MET. Who should they consult to determine the final interpretation?

Question72: In performing scoping, what should the assessor ensure that the scope of the assessment covers?

Question73: As defined in the CMMC-AB Code of Professional Conduct, what term describes any contract between two legal entities?

Question74: What is the MOST common purpose of assessment procedures?

Question75: Which regulation allows for whistleblowers to sue on behalf of the federal government?

Question76: The practices in CMMC Level 2 consists of the security requirements specified in:

Question77: Which document is the BEST source for descriptions of each practice or process contained within the various CMMC domains?

Question78: For the purpose of determining scope, what needs to be included as part of the assessment but would NOT receive a CMMC certification unless an enterprise assessment is conducted?

Question79: What is the LAST step when developing an assessment plan for an OSC?

Question80: During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?

Question81: A CMMC Assessment is being conducted at an OSC's HQ. which is a shared workspace in a multi-tenant building. The OSC is renting four offices on the first floor that can be locked individually. The first-floor conference room is shared with other tenants but has been reserved to conduct the assessment. The conference room has a desk with a drawer that does not lock. At the end of the day, an evidence file that had been sent by email is reviewed. What is the BEST way to handle this file?

Question82: Which method facilitates understanding by analyzing gathered artifacts as evidence?

Question83: The practices in CMMC Level 2 consist of the security requirements specified in:

Question84: A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?

Question85: A server is used to store FCI with a cloud provider long-term. What is the server considered?

Question86: A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?

Question87: A Lead Assessor is ensuring all actions have been completed to conclude a Level 2 Assessment. The final Assessment Results Package has been properly reviewed and is ready to be uploaded. What other materials is the Lead Assessor responsible for maintaining and protecting?

Question88: An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?

Question89: Where can a listing of all federal agencies' CUI indices and categories be found?

Question90: Which statement BEST describes a LTP?

Question91: A C3PAO Assessment Plan document captures the names of the interviewees, the facilities that will utilized, along with estimated costs and schedule of the assessment. What part of the assessment plan is this?

Question92: When assessing SI.L2-3.14.6: Monitor communications for attack, the CCA interviews the person responsible for the intrusion detection system and examines relevant policies and procedures for monitoring organizational systems. What would be a possible next step the CCA could conduct to gather sufficient evidence?

Question93: CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:

Question94: Which term describes the prevention of damage to. protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?

Question95: An assessor needs to get the most accurate answers from an OSC's team members. What is the BEST method to ensure that the OSC's team members are able to describe team member responsibilities?

Question96: Who is responsible for ensuring that subcontractors have a valid CMMC Certification?

Question97: When executing a remediation review, the Lead Assessor should:

Question98: An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?

Question99: A Level 2 Assessment of an OSC is winding down and the final results are being prepared to present to the OSC. When should the final results be delivered to the OSC?

Question100: A contractor has implemented IA.L2-3.5.3: Multifactor Authentication practice for their privileged users, however, during the assessment it was discovered that the OSC's standard users do not require MFA to access their endpoints and network resources. What would be the BEST finding?

Question101: A contractor stores security policies, system configuration files, and audit logs in a centralized file repository for later review. According to CMMC terminology, the file repository is being used to:

Question102: Which document specifies the CMMC Level 1 practices that correspond to basic safeguarding requirements?

Question103: Which document BEST determines the existence of FCI and/or CUI in scoping an assessment with an OSC?