Exam (elaborations)

CMMC 2.0 Glossary of terms for CCP test | Questions & Answers (100 %Score) Latest Updated 2024/2025 Comprehensive Questions A+ Graded Answers | 100% Pass

Pages
44
Grade
A+
Uploaded on
03-08-2024
Written in
2024/2025


Institution
CMMC
Course
CMMC












Document information

Uploaded on
August 3, 2024
Number of pages
44
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers



Access - ✔✔Ability to make use of any Information System (IS) resource.



Access Authority - ✔✔An entity responsible for monitoring and granting access privileges for other
authorized entities.



Access Control (AC) - ✔✔The process of granting or denying specific requests to 1. Obtain and use
information and related information processing services. 2. Enter specific physical facilities (e.g., federal
buildings, military establishments, border crossing entrances).



Access Control Policy (Access Management Policy) - ✔✔The set of rules that define the conditions under
which an access may take place.



Access Profile - ✔✔Association of a user with a list of protected objects the user may access.



Accountability - ✔✔The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion
detection and prevention, and after-action recovery and legal action.



Activity / Activities - ✔✔Set of actions that are accomplished within a practice in order to make it
successful. Multiple activities can make up a practice. Practices may have only one activity or a set of
activities.



Administrative Safeguards - ✔✔Administrative actions and policies and procedures to manage the
selection, development, implementation, and maintenance of security measures to protect any
electronic information that is by definition "protected information" (e.g., protected health information)
and to manage the conduct of the covered entity's workforce in relation to the protection of that
information.



Advanced Persistent Threat - ✔✔An adversary that possesses sophisticated levels of expertise and
significant resources which allow it to create opportunities to achieve its objectives by using multiple
attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and
extending footholds within the information technology infrastructure of the targeted organizations for
purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or
organization; or positioning itself to carry out these objectives in the future. The advanced persistent
threat: 1. Pursues its objectives repeatedly over an extended period of time. 2. Adapts to defenders'
efforts to resist it. 3. Is determined to maintain the level of interaction needed to execute its objectives.



Adversary - ✔✔Individual, group, organization, or government that conducts or has the intent to
conduct detrimental activities.



Adequate Security - ✔✔Security protections commensurate with the risk resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information. This
includes ensuring that information hosted on behalf of an agency and information systems and
applications used by the agency operate effectively and provide appropriate confidentiality, integrity,
and availability protections through the application of cost-effective security controls.



Adversarial Assessment - ✔✔Assesses the ability of an organization equipped with a system to support
its mission while withstanding cyber threat activity representative of an actual adversary.



Air Gap - ✔✔An interface between two systems that: 1. Are not connected physically and 2. Do not have
any logical connection automated (i.e., data is transferred through the interface only manually, under
human control).



Agency - ✔✔Any executive agency or department, military department, Federal Government
corporation, Federal Government-controlled corporation, or other establishment in the Executive
Branch of the Federal Government, or any independent regulatory agency.



Alert - ✔✔An internal or external notification that a specific action has been identified within an
organization's information systems.



Anti-Malware Tools - ✔✔Tools that help identify, prevent execution, and reverse engineer malware.



Anti-Spyware Software - ✔✔A program that specializes in detecting both malware and non-malware
forms of spyware.

Anti-Tamper - ✔✔Systems engineering activities intended to deter and/or delay exploitation of
technologies in a system in order to impede countermeasure development, unintended technology
transfer, or alteration of a system.



Anti-Virus Software - ✔✔A program that monitors a computer or network to identify all major types of
malware and prevent or contain malware incidents.



Agreements / Arrangements - ✔✔Agreements and arrangements are any vehicle that sets out specific
CUI handling requirements for contractors and other information-sharing partners when the
arrangement with the other party involves CUI. Agreements and arrangements include, but are not
necessarily limited to, contracts, grants, licenses, certificates, and memoranda of understanding. When
disseminating or sharing CUI with non-executive branch entities, agencies should enter into a written
agreement/arrangement or understanding (see §2002.16(a)(5) and (6) for details). When sharing
information with foreign entities, agencies should also enter agreements or arrangements, where
feasible (see 2002.16(a)(5)(iii) and (a)(6) for details).



Artifacts - ✔✔Tangible and reviewable records that are the direct outcome of a practice or process
being performed by a system, person, or persons performing a role in that practice, control, or process.
Artifacts may be a printed hard-copy or a soft- or electronic copy of a document or file embedded in a
system or software but must be a result or an output from the performance of a process within the
Organization Seeking Certification.



Assessment - ✔✔The testing or evaluation of security controls to determine the extent to which the
controls are implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for an information system or organization. Assessment is
the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB
contractor. Self-assessment is the term used by CMMC for the activity performed by a DIB contractor to
evaluate their own CMMC level.



Assessment Appeals Process - ✔✔A formal process managed by the Cyber AB to seek resolution of a
disagreement of an assessment result.



Assessment Official - ✔✔The most senior representative of an Organization Seeking Certification (OSC)
who is directly and actively responsible for leading and managing the OSC's engagement in the
Assessment.

Assessor - ✔✔An individual who is both certified and authorized to participate on a C3PAO Assessment
Team and evaluate the conformity of an Organization Seeking Certification to meeting a particular
CMMC level standard.



Asset (Organizational Asset) - ✔✔Anything that has value to an organization, including, but not limited
to, another organization, person, computing device, Information Technology (IT) system, IT network, IT
circuit, software (both an installed instance and a physical instance), virtual computing platform
(common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).



Asset Custodian (Custodian) - ✔✔A person or group responsible for the day-to-day management,
operation, and security of an asset.



Asset Management (AM) - ✔✔Management of organizational assets. This may include inventory,
configuration, destruction, disposal, and updates to organizational assets.



Asset Owner (Information Asset Owner) - ✔✔A person or organizational unit (internal or external to the
organization) with primary responsibility for the viability, productivity, security, and resilience of an
organizational asset. For example, the accounts payable department is the owner of the vendor
database.



Asset Types - ✔✔The following asset types should be included when classifying assets: 1. People —
employees, contractors, vendors, and external service provider personnel. 2. Technology — servers,
client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP
devices, applications, virtual machines, and database systems. 3. Facilities — physical office locations,
satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms. 4. External
Service Provider (ESP) — external people, technology, or facilities that the organization utilizes, including
Cloud Service Providers, Managed Service Providers, Managed Security Service Providers,
Cybersecurity-as-a-Service Providers.



Assignment Operation - ✔✔A control parameter that allows an organization to assign a specific,
organization-defined value to the control or control enhancement (e.g., assigning a list of roles to be
notified or a value for the frequency of testing).



Attack Surface - ✔✔The set of points on the boundary of a system, a system element, or an
environment where an attacker can try to enter, cause an effect on, or extract data from.
