CCA CCA Risk Management & Vulnerabilities

Question 1

In the context of CMMC, what is the primary goal of risk management for defense contractors?

Accepted Answer

To identify, assess, and mitigate risks to CUI and FCI handled within the contractor environment

Answer

To maximize profit margins on defense contracts

Answer

To eliminate all cybersecurity tools to reduce attack surface

Answer

To transfer all cybersecurity risk to the DoD

Question 2

Which NIST framework provides the foundational risk management guidance that underpins CMMC requirements?

Accepted Answer

NIST SP 800-171

Answer

NIST SP 800-53

Answer

NIST Cybersecurity Framework (CSF)

Answer

NIST SP 800-37

Question 3

What does a Plan of Action & Milestones (POA&M) represent in a CMMC assessment context?

Accepted Answer

A documented plan to remediate identified security weaknesses with target completion dates

Answer

A roadmap for implementing new DoD contracts

Answer

A report submitted to CMMC-AB after certification

Answer

A list of approved third-party vendors

Question 4

Which CMMC domain specifically addresses the requirement for organizations to identify and manage risk to operations?

Accepted Answer

Risk Management (RM)

Answer

Access Control (AC)

Answer

Incident Response (IR)

Answer

Configuration Management (CM)

Question 5

A CCA assessor finds that an OSC has not conducted a periodic risk assessment. Which CMMC practice is most likely 'Not Met'?

Accepted Answer

RM.2.141

Answer

AC.2.005

Answer

IR.2.092

Answer

SI.1.210

Question 6

What is the relationship between vulnerability management and CMMC compliance?

Accepted Answer

CMMC requires organizations to identify, report, and remediate vulnerabilities in organizational systems

Answer

Vulnerability management is optional for CMMC Level 2

Answer

Vulnerability management only applies to CMMC Level 3

Answer

CMMC delegates vulnerability management entirely to the DoD CSOC