CMMC Certified Practitioner Exam | Questions & Answers (100 %Score) Latest Updated
2024/2025 Comprehensive Questions A+ Graded Answers | 100% Pass
potential impact [FIPS 199] - ✔✔The loss of confidentiality, integrity, or availability could be expected to
have: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication
199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on
organizational operations, organizational assets, or individuals.
Agency - ✔✔See executive agency.
audit log - ✔✔A chronological record of system activities, including records of system accesses and
operations performed in a given period.
audit record - ✔✔An individual entry in an audit log related to an audited event.
Authentication - ✔✔[FIPS 200, Adapted] Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources in a system.
Availability - ✔✔[44 U.S.C., Sec. 3542] Ensuring timely and reliable access to and use of information.
baseline configuration - ✔✔A documented set of specifications for a system, or a configuration item
within a system, that has been formally reviewed and agreed on at a given point in time, and which can
be changed only through change control procedures.
Blacklisting - ✔✔A process used to identify software programs that are not authorized to execute on a
system or prohibited Universal Resource Locators (URL)/websites.
Confidentiality - ✔✔[44 U.S.C., Sec. 3542] Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary information.
configuration management - ✔✔A collection of activities focused on establishing and maintaining the
integrity of information technology products and systems, through control of processes for initializing,
,changing, and monitoring the configurations of those products and systems throughout the system
development life cycle.
configuration settings - ✔✔The set of parameters that can be changed in hardware, software, or
firmware that affect the security posture and/or functionality of the system.
controlled area - ✔✔Any area or space for which the organization has confidence that the physical and
procedural protections provided are sufficient to meet the requirements established for protecting the
information or system.
controlled unclassified information - ✔✔[E.O. 13556] Information that law, regulation, or
governmentwide policy requires to have safeguarding or disseminating controls, excluding information
that is classified under Executive Order 13526, Classified National Security Information, December 29,
2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CUI categories or subcategories - ✔✔[Title 32 CFR, Part 2002] Those types of information for which laws,
regulations, or governmentwide policies require or permit agencies to exercise safeguarding or
dissemination controls, and which the CUI Executive Agent has approved and listed in the CUI Registry.
CUI Executive Agent - ✔✔[Title 32 CFR, Part 2002] The National Archives and Records Administration
(NARA), which implements the executive branch-wide CUI Program and oversees federal agency actions
to comply with Executive Order 13556. NARA has delegated this authority to the Director of the
Information Security Oversight Office (ISOO).
CUI program - ✔✔[Title 32 CFR, Part 2002] The executive branch-wide program to standardize CUI
handling by all federal agencies. The program includes the rules, organization, and procedures for CUI,
established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry.
CUI registry - ✔✔[Title 32 CFR, Part 2002] The online repository for all information, guidance, policy, and
requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR
Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and
subcategories, provides general descriptions for each, identifies the basis for controls, establishes
markings, and includes guidance on handling procedures.
, environment of operation - ✔✔[NIST SP 800-37, Adapted] The physical surroundings in which a system
processes, stores, and transmits information.
executive agency - ✔✔[41 U.S.C., Sec. 403] An executive department specified in 5 U.S.C., Sec. 105; a
military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C.,
Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C.,
Chapter 91.
external system (or component) - ✔✔A system or component of a system that is outside of the
authorization boundary established by the organization and for which the organization typically has no
direct control over the application of required security controls or the assessment of security control
effectiveness.
external system service - ✔✔A system service that is implemented outside of the authorization
boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational
system) and for which the organization typically has no direct control over the application of required
security controls or the assessment of security control effectiveness.
external system service provider - ✔✔A provider of external system services to an organization through
a variety of consumer-producer relationships including but not limited to: joint ventures; business
partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of
business arrangements); licensing agreements; and/or supply chain exchanges.
external network - ✔✔A network not controlled by the organization.
federal agency - ✔✔See executive agency.
federal information system - ✔✔[40 U.S.C., Sec. 11331] An information system used or operated by an
executive agency, by a contractor of an executive agency, or by another organization on behalf of an
executive agency.
FIPS-validated cryptography - ✔✔A cryptographic module validated by the Cryptographic Module
Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a
prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic
