An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?
Correct answer: C
For a practice to be adequately implemented in a CMMC Level 2 assessment, the responsible personnel must demonstrate knowledge of the deployment, maintenance, and operation of security tools such as antivirus programs. Simply having the tool in place is not sufficient; there must be evidence that it is properly configured, updated, and monitored to protect against threats.

Step-by-Step Breakdown:

#1. Relevant CMMC and NIST SP 800-171 Requirements
* CMMC Level 2 aligns with NIST SP 800-171, whose malicious code protection requirements (mapped to NIST SP 800-53 SI-3) include:
* Requirement 3.14.2: "Provide protection from malicious code at designated locations within organizational systems."
* Requirement 3.14.4: "Update malicious code protection mechanisms when new releases are available."
* Requirement 3.14.5: "Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed."
* These requirements imply that the person responsible for antivirus must understand how it is deployed, updated, and maintained in order to demonstrate compliance.

#2. Why the Team Member's Knowledge is Insufficient
* Antivirus tools require regular signature and engine updates, configuration adjustments, and monitoring to function properly.
* The responsible team member must:
* Know how the antivirus was deployed across systems (which hosts are covered and how coverage is verified).
* Be able to confirm that updates, logs, and alerts are monitored.
* Understand how to respond to malware detections and to failures of the tool itself (e.g., an agent that stops reporting or updating).
* If the team member lacks this knowledge, the assessor has no interview evidence that the practice is operating as intended, and may determine that the practice is not fully implemented.

#3. Why the Other Answer Choices Are Incorrect:
* (A) Yes, the antivirus program is available, so it is sufficient.
* Incorrect: Just having antivirus software installed does not prove compliance. It must be managed and maintained, and the assessor must be able to verify that.
* (B) Yes, antivirus programs are automated to run independently.
* Incorrect: While automation helps, security tools still require oversight, updates, and configuration; automation does not remove the need for someone who understands and monitors the tool.
* (D) No, the team member's interview answers about deployment and maintenance are insufficient.
* Partially correct but incomplete: The main issue is that the team member must have sufficient knowledge of how the tool is deployed and maintained, not merely that their interview answers were weak.

Final Validation from CMMC Documentation: The CMMC Assessment Guide's assessment objectives for the malicious code protection practices (the SI-3 family) require that personnel understand the function, deployment, and maintenance of the security tools in order to show proper implementation. Thus, the correct answer is:
Understanding Scoping in CMMC 2.0

The CMMC 2.0 framework applies to nonfederal systems that process, store, or transmit CUI. Scoping determines which system components must comply with CMMC requirements. If a system processes, stores, or transmits CUI, or provides security for those systems, it must be included in the assessment scope.

Why is the correct answer "D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components"?

CMMC applies to contractors, not to federal systems.
* CMMC is designed for Department of Defense (DoD) contractors, not for federal government systems.
* Federal systems are already governed by NIST SP 800-53 and other regulations.

The scope includes both systems that process CUI and systems that protect them.
* Systems that process, store, or transmit CUI are in scope.
* Systems that provide protection for CUI systems (e.g., firewalls, monitoring tools, security appliances) are also in scope.

Why Not the Other Options?
* (A) Federal systems that process, store, or transmit CUI. Incorrect: CMMC does not apply to federal systems.
* (B) Nonfederal systems that process, store, or transmit CUI. Partially correct but incomplete: it excludes the security systems that protect CUI assets, which are also in scope.
* (C) Federal systems that process, store, or transmit CUI, or that provide protection for the system components. Incorrect: CMMC only applies to nonfederal systems.

Relevant CMMC 2.0 References:
* CMMC Scoping Guide (Nov 2021): confirms that CMMC applies to nonfederal systems processing CUI.
* NIST SP 800-171 Rev. 2: specifies security requirements for nonfederal systems handling CUI.
* DFARS 252.204-7012: requires DoD contractors to implement NIST SP 800-171 on nonfederal systems handling CUI.

Final Justification: Since CMMC applies to nonfederal systems that process CUI or protect those systems, the correct answer is D. Nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.
CMMC-CCP Exam Question 59
The Assessment Team has completed the assessment and determined the preliminary practice ratings. The preliminary practice ratings must be shared with the OSC prior to being finalized for submission. Based on this information, the assessor should present the preliminary practice ratings:
Correct answer: A
According to the CMMC Assessment Process (CAP) v2.0, assessors are required to conduct Daily Checkpoint Meetings at the end of each assessment day to summarize progress with the OSC (Organization Seeking Certification). The final Daily Checkpoint is where preliminary practice ratings are shared, before the quality assurance review and the Out-Brief. The Out-Brief is reserved for the presentation of final results. Additionally, Department of Defense regulations (32 CFR 170.17(c)(2)) provide a 10-business-day re-evaluation window for requirements marked NOT MET before the final report is delivered, which requires that the OSC see the preliminary ratings during the assessment process itself.

Supporting Extracts from Official Content:
* CAP v2.0, 2.23: "The assessment team shall host a Daily Checkpoint Meeting with the OSC at the end of each assessment day to summarize progress."
* CAP v2.0, 3.7: "The C3PAO shall conduct the quality assurance review... prior to the conduct of the Out-Brief Meeting."
* CAP v2.0, 3.10: "The purpose of the Out-Brief Meeting is to convey the results of the assessment to the OSC."
* 32 CFR 170.17(c)(2): "A security requirement assessed as NOT MET may be re-evaluated... for 10 business days... if the CMMC Assessment Findings Report has not been delivered."

Why Option A is Correct:
* The CAP specifies that Daily Checkpoint Meetings are the formal, structured mechanism for assessors to communicate progress and preliminary findings to the OSC.
* The final Daily Checkpoint gives the OSC visibility into the preliminary practice ratings before they are finalized, ensuring transparency and alignment.
* The Out-Brief is explicitly for conveying the final assessment results after the C3PAO has completed QA.
* Federal regulation (32 CFR 170.17(c)(2)) requires the OSC to have access to preliminary results so it can provide additional evidence for re-evaluation before the report is locked, further confirming that this exchange must occur at the final Daily Checkpoint.

References (Official CMMC v2.0 Content):
* CMMC Assessment Process (CAP) v2.0: Section 2.23 (Daily Checkpoints), Sections 3.7 to 3.10 (Quality Assurance and Out-Brief).
* 32 CFR 170.17(c)(2): re-evaluation period for security requirements.
* DoD CMMC Assessment Guide, Level 2 (v2.13): guidance on MET/NOT MET determinations and findings.