CCP Lesson 7 Flashcards

1
Q

Evidence

A

The observable proof that an organization has either met or not met the standard for a particular CMMC practice

2
Q

Artifacts

A

Tangible, reviewable records that are the direct output of a practice or process being performed, whether by a system or by a person or persons performing a role in that practice, control, or process. Artifacts may be a printed hard copy or a soft (electronic) copy of a document or file held in a system or software, but they must be a result or output of the OSC actually performing the process.

3
Q

Stakeholder

A

A person with an interest or concern in the success of a business. Interviews with stakeholders provide an excellent opportunity to gain insight and establish context.

4
Q

Observation

A

A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and, if applicable, Assessment Team.

5
Q

Acceptable Evidence

A

Must be created, provided, or demonstrated by people who implement the practice.

6
Q

OSC

A

Organization seeking certification

7
Q

CAP requirements for evidence

A

Adequacy - does the information provided meet the intent of the CMMC practice? (Do I have the right data?)

Sufficiency - does the information provided contain enough of the "right data"? (Do I have ENOUGH of that data?)

8
Q

3 Assessment methods used by CCP’s and CCA’s

A

Examine - the process of reviewing and analyzing assessment objects (artifacts). Ex: reading privacy/security policies.

Interview - discussing with groups or individuals to facilitate understanding or obtain evidence. Ex: interviewing SysAdmins/DevTeams.

Test - exercising assessment objects under specified conditions to compare actual results with expected results. Ex: observing that the system use notification banner is displayed at login.

9
Q

CMMC Assessment Process (CAP) phases

A
  1. Plan and prepare the assessment
  2. Conduct the assessment
  3. Report recommended assessment results
  4. Close out Plans of Action and Milestones (POA&Ms) and assessment appeals
10
Q

NIST SP 800-171A

A

Superseding and authoritative guidance for assessing the CUI security requirements in NIST SP 800-171; it defines the assessment objectives and the examine/interview/test methods used against each requirement.

11
Q

MET, NOT MET, or N/A

A

How assessment objectives are scored during a CMMC assessment. A practice is MET only when every one of its assessment objectives is MET (or N/A); a single NOT MET objective makes the practice NOT MET.

12
Q

Assessment Depth

A

Addresses the rigor and level of detail of the assessment: basic, focused, or comprehensive.

13
Q

Assessment Coverage

A

Addresses the scope or breadth of the assessment (how many assessment objects are examined, interviewed, or tested): basic, focused, or comprehensive.

14
Q

CMMC Level 1 & 2 practices are derived from

A

NIST SP 800-171. Level 1's 17 practices are the FAR 52.204-21 basic safeguarding requirements, which correspond to a subset of the 800-171 requirements; Level 2 covers all 110 requirements of NIST SP 800-171.
