CCP Lesson 9

Question 1

AC.L2-3.1.3

Answer 1

Control the flow of CUI in accordance with approved authorizations.

Question 2

AC.L2-3.1.4

Answer 2

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Question 3

AC.L2-3.1.5

Answer 3

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Question 4

AC.L2-3.1.6

Answer 4

Use non-privileged accounts or roles when accessing nonsecurity functions.

Question 5

AC.L2-3.1.7

Answer 5

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Question 6

AC.L2-3.1.8

Answer 6

Limit unsuccessful logon attempts.

Question 7

AC.L2-3.1.9

Answer 7

Provide privacy and security notices consistent with applicable CUI rules.

Question 8

AC.L2-3.1.10

Answer 8

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Question 9

AC.L2-3.1.11

Answer 9

Terminate (automatically) a user session after a defined condition.

Question 10

AC.L2-3.1.12

Answer 10

Monitor and control remote access sessions.

Question 11

AC.L2-3.1.13

Answer 11

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Question 12

AC.L2-3.1.14

Answer 12

Route remote access via managed access control points.

Question 13

AC.L2-3.1.15

Answer 13

Authorize remote execution of privileged commands and remote access to security-relevant information.

Question 14

AC.L2-3.1.16

Answer 14

Authorize wireless access prior to allowing such connections.

Question 15

AC.L2-3.1.17

Answer 15

Protect wireless access using authentication and encryption.

Question 16

AC.L2-3.1.18

Answer 16

Control connection of mobile devices.

Question 17

AC.L2-3.1.19

Answer 17

Encrypt CUI on mobile devices and mobile computing platforms.

Question 18

AC.L2-3.1.21

Answer 18

Limit use of portable storage devices on external systems.

Question 19

AU.L2-3.3.1

Answer 19

Create and retain system audit logs and records to the extent needed to enable the monitoring analysis, investigation, and reporting of unlawful or unauthorized system activity.

Question 20

AU.L2-3.3.2

Answer 20

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Question 21

AU.L2-3.3.3

Answer 21

Review and update logged events.

Question 22

AU.L2-3.3.4

Answer 22

Alert in the event of an audit logging process failure.

Question 23

AU.L2-3.3.5

Answer 23

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

Question 24

AU.L2-3.3.6

Answer 24

Provide audit record reduction and report generation to support on-demand analysis and reporting.

Question 25

AU.L2-3.3.7

Answer 25

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit checks.

Question 26

AU.L2-3.3.8

Answer 26

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Question 27

AU.L2-3.3.9

Answer 27

Limit management of audit logging functionality to a subset of privileged users.

Question 28

AT.L2-3.2.1

Answer 28

Ensure that managers, system administrators, and users of organizational systems are made aware of the secutiy risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Question 29

AT.L2-3.2.2

Answer 29

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Question 30

AT.L2-3.2.3

Answer 30

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Question 31

CM.L2-3.4.1

Answer 31

Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles.

Question 32

CM.L2-3.4.2

Answer 32

Establish and enforce security configuration settings for information technology product employed in organizational systems.

Question 33

CM.L2-3.4.3

Answer 33

Track, review, approve or disapprove, and log changes prior to implementation.

Question 34

CM.L2-3.4.4

Answer 34

Analyze the security impact of changes prior to implementation.

Question 35

CM.L2-3.4.5

Answer 35

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Question 36

CM.L2-3.4.6

Answer 36

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Question 37

CM.L2-3.4.7

Answer 37

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Question 38

CM.L2-3.4.8

Answer 38

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Question 39

CM.L2-3.4.9

Answer 39

Control and monitor user-installed software.

Question 40

IA.L2-3.5.3

Answer 40

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Question 41

IA.L2-3.5.4

Answer 41

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Question 42

IA.L2-3.5.5

Answer 42

Prevent resus of identifiers for a defined period.

Question 43

IA.L2-3.5.6

Answer 43

Disable identifiers after a defined period of inactivity.

Question 44

IA.L2-3.5.7

Answer 44

Enforce a minimum password complexity and change characters when new passwords are created.

Question 45

IA.L2-3.5.8

Answer 45

Prohibit password reuse for a specified number of generations.

Question 46

IA.L2-3.5.9

Answer 46

Allow temporary password use for system logons with an immediate change to a permanent password.

Question 47

IA.L2-3.5.10

Answer 47

Store and transmit only cryptographically-protected passwords.

Question 48

IA.L2-3.5.11

Answer 48

Obscure feedback of authentication information.

Question 49

IR.L2-3.6.1

Answer 49

Establish operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Question 50

IR.L2-3.6.2

Answer 50

Track, document, and report incidents to designated officials, and/or authorities both internal and external to the organization.

Question 51

IR.L2-3.6.3

Answer 51

Test the organizational incident response capability.

Question 52

MA.L2-3.7.1

Answer 52

Perform maintenance on organizational systems.

Question 53

MA.L2-3.7.2

Answer 53

Provide controls on the tools techniques, mechanisms, and personnel used to conduct system maintenance.

Question 54

MA.L2-3.7.3

Answer 54

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Question 55

MA.L2-3.7.4

Answer 55

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

Question 56

MA.L2-3.7.5

Answer 56

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Question 57

MA.L2-3.7.6

Answer 57

Supervise the maintenance activities of maintenance personnel without required access authorization.

Question 58

MP.L2-3.8.1

Answer 58

Protect system media containing CUI, both paper and digital.

Question 59

MP.L2-3.8.2

Answer 59

Limit access to CUI on system media to authorized users.

Question 60

MP.L2-3.8.4

Answer 60

Mark media with necessary CUI markings and distribution limitations.

Question 61

MP.L2-3.8.5

Answer 61

Control access to medica containing CUI and maintain accountability for media during transport outside of controlled areas.

Question 62

MP.L2-3.8.6

Answer 62

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternate physical safeguards.

Question 63

MP.L2-3.8.7

Answer 63

Control the use of removable media on system components.

Question 64

MP.L2-3.8.8

Answer 64

Prohibit the use of portable storage devices when such devices have no identifiable owner.

Question 65

MP.L2-3.8.9

Answer 65

Protect the confidentiality of backup CUI at storage locations.

Question 66

PE.L2-3.10.2

Answer 66

Protect and monitor the physical facility and support infrastructure for organizational systems.

Question 67

PE.L2-3.10.6

Answer 67

Enforce safeguarding measures for CUI at alternate work sites.

Question 68

RA.L2-3.11.1

Answer 68

Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated process, storage, or transmission of CUI.

Question 69

RA.L2-3.11.2

Answer 69

Scan for vulnerabilities in the organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Question 70

RA.L2-3.11.3

Answer 70

Remediate vulnerabilities in accordance with risk assessments.

Question 71

CA.L2-3.12.1

Answer 71

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Question 72

CA.L2-3.12.2

Answer 72

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Question 73

CA.L2-3.12.3

Answer 73

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Question 74

CA.L2-3.12.4

Answer 74

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Question 75

SC.L2-3.13.2

Answer 75

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Question 76

SC.L2-3.13.3

Answer 76

Separate user functionality from system management functionality.

Question 77

SC.L2-3.13.4

Answer 77

Prevent unauthorized and unintended information transfer via shared system resources.

Question 78

SC.L2-3.13.6

Answer 78

Deny network communications traffic by default and allow network communications traffic by exception.

Question 79

SC.L2-3.13.7

Answer 79

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks.

Question 80

SC.L2-3.13.8

Answer 80

Implement cryptographic mechanisms to prevent unauthorized disclosure or CUI during transmission unless otherwise protected by alternative physical safeguards.

Question 81

SC.L2-3.13.9

Answer 81

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Question 82

SC.L2-3.13.10

Answer 82

Establish and manage cryptographic keys for cryptography employed in organizational structure.

Question 83

SC.L2-3.13.11

Answer 83

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Question 84

SC.L2-3.13.12

Answer 84

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users to present at the device.

Question 85

SC.L2-3.13.13

Answer 85

Control and monitor the use of mobile code.

Question 86

SC.L2-3.13.14

Answer 86

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

Question 87

SC.L2-3.13.15

Answer 87

Protect the authenticity of communications sessions.

Question 88

SC.L2-3.13.16

Answer 88

Protect the confidentiality of CUI at rest.