CMMC Assessment Process Quiz

Questions and Answers

What must the HQ Organization or Host Unit possess for the Assessment to proceed?

A Unique Entity Identifier (UEI)

A Business License

An Assessment Completion Certificate

A Commercial and Government Entity (CAGE) code (correct)

Which of the following must the HQ Organization or Host Unit register with?

Federal Procurement Data System

Department of Defense Supplier Registry

National Institute of Standards and Technology

General Services Administration’s GSA SAM.gov system (correct)

Which statement is true regarding small and medium-sized businesses and their corporate architecture?

They require a CAGE code for each subsidiary.

They must outsource most functions to Supporting Organizations.

They generally do not delineate a Host Unit. (correct)

They always have a multi-level corporate structure.

What role does All-American Cloud Services, Inc. play in the context of the OSC?

It may support the OSC but may not be part of the CMMC Assessment.

What is the specified body typeface according to the CMMC Assessment Process documentation?

Arial

Which font size is designated for body text in the CMMC Assessment documentation?

10 Regular

What is the font style used for table headings in the CMMC Assessment documentation?

9 Bold

Which of the following terms is capitalized and defined in the CMMC Assessment documentation?

Assessment Team Member

What auxiliary verb of compulsion is used to denote a requirement in the CMMC documentation?

Shall

In which phase of the CMMC Assessment is planning and preparation emphasized?

Phase 1

How is the effectiveness of the CMMC Certification Assessment determined?

Through a well-organized planning effort

What is the ultimate goal of Phase I in the CMMC Assessment process?

Establish a successful assessment engagement

What is one of the primary roles of the Lead Assessor during interviews?

To verify confidentiality and non-attribution for interviewees

Why might interviews be considered an iterative activity during the assessment process?

The Lead Assessor may need to gather more information over multiple sessions

What is significant about mapping responses from interviewees to CMMC model practices?

It aids in supporting the rating of that practice

During interviews, what is the primary reason for asking clarifying questions?

To understand the implementation of practices and procedures

What does observing live tests provide for the Lead Assessor and Assessment Team?

Insight into the effectiveness of CMMC practices being implemented

What might influence the decision of the Lead Assessor on whether to conduct single or group interviews?

The Lead Assessor's perception of the OSC's roles and responsibilities

What should be recorded after conducting interviews according to best practices?

All interactions and responses given during the session

Which of the following is a key component of the interview process for CMMC assessments?

Verifying the implementation through corresponding artifacts

What is the purpose of the CMMC Confirmation of Destruction of OSC Data template?

To document the surrender or destruction of OSC proprietary information

Which CMMC assessment template is marked as mandatory?

CMMC Pre-Assessment Form Template

Which format is used for the CMMC Assessment Results Form?

Excel

What is the function of the CMMC Assessment Appeals Process document?

To outline how assessment findings can be disputed

In which phase is the Limited Practice Deficiency Correction Program Worksheet mandatory?

Phase 2

Which document format is used for the CMMC Assessment Quality Review Checklist?

PDF

What is the primary requirement for C3PAOs and their Assessment Team Members concerning available templates?

They should be familiar with applicable templates and have them ready for engagement.

How is the CMMC Assessment In-Brief formatted?

PowerPoint

During which phase is the CMMC Assessment Findings Briefing required?

It is not required in any phase.

What type of document is the OSC Self-Assessment Practice Deficiency Tracker?

Excel

What is one implication of the Evidence collection approach on the Assessment process?

It impacts the accuracy of the Assessment results.

During which phase must the Evidence collection approach record virtual data collection techniques?

Phase 1

Which of the following must always be observed in person, according to the Evidence collection guidelines?

Physical access restrictions for system changes.

What type of information must be managed and protected during Phase 1?

Controlled Unclassified Information (CUI)

What decision does the OSC have concerning the Evidence collection activities?

The decision to conduct activities virtually or in person rests with the OSC.

What is the primary purpose of Phase 2 in the CMMC Assessment Process?

To assess the implementation of CMMC practices

What is a requirement for conducting affirmation sessions during Phase 2?

They may be conducted either in person or virtually.

Who convenes the Assessment kickoff meeting?

Lead Assessor

Which practice objective must be marked with applicable CUI markings?

Paper media containing CUI.

Which of the following is NOT typically included in the attendees of the Assessment kickoff meeting?

C3PAO Management

What technology can be utilized for virtual Evidence collection?

Stable and commercially secure video conference systems

What role does the OSC Assessment Official play during the Assessment?

They inform OSC personnel of their roles

What type of information does the Lead Assessor communicate during the kickoff meeting?

Scheduled events and Assessment locations

What does the Assessment Team aim to identify during the implementation phase?

Gaps in procedures related to model practices

Which statement best characterizes the activities throughout Phase 2?

Iterative in nature during the Assessment

How might the Assessment kickoff meeting be conducted?

In-person, virtually, or in a hybrid manner

Study Notes

CMMC Assessment Process (CAP)

• Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) version 5.6.1, dated August 5, 2022
• Authorized for Training Providers and their respective training candidates
• For use in training and exam preparation for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) programs related to the DoD CMMC Framework V2.0 only
• This document has not yet been endorsed by the Department of Defense for use in authorized CMMC certification assessments

Table of Contents

• Includes a detailed table of contents listing sections and subsections. The document covers multiple phases of the assessment process from planning to reporting.
• References appendices with specific templates for data input, documentation, and other requirements

Disclaimer

• Copyright 2022, Cybersecurity Maturity Model Accreditation Body, Inc. (d/b/a The Cyber AB)
• Proprietary and confidential; not to be shared without explicit permission
• Material does not constitute official U.S. Government policy, unless otherwise stated in other documentation
• No warranties; furnished on an "as-is" basis

Introduction to the CMMC Assessment Process (CAP)

• CMMC framework is the DoD's standard for implementing cybersecurity measures within the Defense Industrial Base (DIB)
• Grounded in NIST Special Publication 800-171
• CMMC Assessment Guides (published by DoD) provide detailed objectives, criteria, and guidelines for assessment
• CMMC Assessment Process (CAP) is the overarching process and guidance for assessments.
• This version of the CAP applies to Level 2 (L2) of the CMMC Model only
• It's intended for use by C3PAOs (Certified Third-Party Assessment Organizations), Certified CMMC Assessors, and Certified CMMC Professionals
• The CAP is organized into four phases: Plan and Prepare the Assessment, Conduct the Assessment, Report Assessment Results, and Close-Out POA&Ms and Assessment.

Phase 1 - Plan and Prepare the Assessment

• The recipient OSC (Organization Seeking Certification) initiates the assessment.
• The C3PAO (CMMC Third-Party Assessment Organization) acknowledges and proposes a scheduling timeframe.
• This phase includes establishing roles, responsibilities, organizing documents/templates, confirming corporate identity, validating scope, inventorying, managing conflicts of interest, preparing for evidence collection, and verifying readiness for assessment.

Phase 2 - Conduct the Assessment

• Organizations will convene a kickoff meeting.
• Assessment team gathers and examines evidence.
• Interviews and reviews documentation for effective procedures
• Identify any evidence gaps between OSC’s implementation and CMMC requirements
• Scores and validates preliminary findings and documents procedures followed during assessment.
• Correct any limited practice deficiencies

Phase 3 - Report Recommended Assessment Results

• Delivers recommended assessment results to the OSC.
• Includes submission, packaging, and archiving of documentation into CMMC EMASS.
• This document provides links to templates used as part of the assessment
• This phase includes a Quality Assurance review of all deliverables before uploading them into CMMC EMASS

Phase 4 - Close-Out POA&Ms and Assessment

• Allows the OSC to close out POA&Ms (Plan of Action and Milestones).
• This includes determining if the OSC has corrected all deficiencies within a 180-day timeframe or requires a reassessment.

Description

Test your knowledge on the Cybersecurity Maturity Model Certification (CMMC) Assessment Process. This quiz covers eligibility, organizational requirements, documentation specifics, and key terms associated with the CMMC. Enhance your understanding of this important cybersecurity framework.