Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 10)

Updated On: 7-Feb-2026

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. The following evidence would help determine if the contractor is properly authorizing and enforcing controls on CUI data flow across their environment, EXCEPT?

  A. Reviewing firewall and ExpressRoute connections
  B. Reviewing audit logs related to the VPN connections
  C. Analyzing policies, records, and configurations related to data center connections
  D. Analyzing CCTV footage

Answer(s): D

Explanation:

AC.L2-3.1.3 - Control CUI Flow requires the organization to control the flow of CUI in accordance with approved authorizations. In this environment CUI moves over three paths: the data center network behind the corporate firewall, the Azure storage reached over ExpressRoute, and the engineers' VPN tunnels. Firewall and ExpressRoute configurations (A), VPN audit logs (B), and the policies, records and configurations governing data center connections (C) are the artifacts that show which flows are authorized and whether the enforcement points actually implement those authorizations. CCTV footage (D) is evidence of physical access to a facility, which is assessed under the Physical Protection (PE) domain; it says nothing about which network paths CUI is permitted to traverse or whether those paths are enforced.
Supporting official documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.3: the assessment objects are the information flow control policies, system configuration settings, the list of information flow authorizations and system audit logs and records; the methods are examine, interview and test.
NIST SP 800-171A, 3.1.3: the test method applies to the mechanisms implementing information flow enforcement; physical monitoring is not among the assessment objects for this requirement.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are on-site with an Assessment Team at a medium-sized organization.
When discussing how they protect their company's information from malware, spyware, etc., the administrator you are interviewing offers to show you the entire process from start to finish since she had that on her to-do list for the day. She opens the machine, turns it on, and installs what she says is anti-malware software. She also demonstrates how their deployed Next Generation Firewall (NGFW) works. You have never heard of this software, so you ask her where it was purchased. You later learn it is an open-source solution. Based on the scenario and the requirements of CMMC practice SI.L2-3.14.6 - Monitor Communications for Attacks, what is your likely determination?

  A. Find the OSC's implementation as partially Met as they are achieving several objectives required of this practice
  B. Fail the OSC's implementation of the practice
  C. Find the OSC's implementation of the practice as Met
  D. Request for more information

Answer(s): D

Explanation:

SI.L2-3.14.6 requires the organization to monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. The NGFW demonstration is relevant to that practice; endpoint anti-malware maps more directly to SI.L1-3.14.2 (malicious code protection) and supports 3.14.6 only as one sensor among several. The fact that the tool is open source is not, by itself, grounds for any finding. What the assessor lacks is evidence that the practice's objectives are met across the organization: watching one installation on one machine does not show that the tool is deployed on all in-scope systems, that it is configured and kept current, that its alerts are reviewed, or that inbound and outbound traffic is actually monitored at the boundary and at key internal points. A practice is scored MET, NOT MET or NOT APPLICABLE, so "partially Met" (A) is not an assessment result, and "fail" (B) or "Met" (C) would be a determination without sufficient evidence. Requesting more information (D) is the correct next step; the CMMC guide requires adequate evidence before a determination is made.
Supporting official documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.6: the assessment objectives are that the system is monitored to detect attacks and indicators of potential attacks, that inbound communications traffic is monitored, and that outbound communications traffic is monitored.
NIST SP 800-171A, 3.14.6: the assessment methods are examine (monitoring tools and techniques documentation, configuration settings, audit records), interview (personnel with system monitoring responsibilities) and test (the monitoring mechanisms).


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?

  A. To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second
  B. To allow users to set their preferred time zones on individual systems, with a recommended synchronization time of 24 hours
  C. To reduce the network bandwidth used by system clocks, with a recommended synchronization time of once a month
  D. To increase the accuracy of digital clocks on devices, with a recommended synchronization time of 1 week

Answer(s): A

Explanation:

AU.L2-3.3.7 requires that internal system clocks be compared with and synchronized to an authoritative time source so that audit records across systems carry consistent timestamps; without that, events from different hosts cannot be correlated into a reliable sequence. An NTP client normally corrects small offsets continuously, but a policy that adjusts the clock only once it is more than 30 seconds out lets every new node drift up to 30 seconds in either direction, so the same activity recorded on a new node and an old node can disagree by close to a minute, which is exactly the inconsistency observed in the logs. The CMMC guide does not prescribe a numeric tolerance, and NIST SP 800-53 Rev. 4 AU-8(1) (SC-45(1) in Rev. 5) leaves both the comparison frequency and the allowed difference organization-defined; the answer key treats a 1-second tolerance (A) as the practical best practice for audit correlation. Options B, C and D misstate the purpose: user-selected time zones (B) are a display setting that does not change the underlying time source, and monthly (C) or weekly (D) synchronization allows far more drift than the 30 seconds already causing problems.
Supporting official documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: synchronization with an authoritative time source provides uniform timestamps for systems with multiple clocks, which allows events to be correlated.
NIST SP 800-171A, 3.3.7: the assessment objectives are that internal system clocks are used to generate timestamps for audit records, that an authoritative time source is identified, and that the internal system clocks are compared to and synchronized with that source.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
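As an added example (not from the CMMC guide or this page's source), the Python below shows the check behind this question: it parses the "System time" line that `chronyc tracking` prints on each host, lists the hosts whose clock is outside a chosen tolerance of the authoritative source, and shows how an uncorrected offset reorders two related audit events. The host names, offsets and audit events are constructed for the example.

```python
"""Clock-offset check for AU.L2-3.3.7 and a demonstration of why it matters.

Added example; host names, offsets and audit events below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: the "System time" line from `chronyc tracking` on each host.
# "fast" means the host clock is ahead of NTP time, "slow" means behind.
SAMPLE_TRACKING = {
    "fs-old-01":  "System time     : 0.000412345 seconds fast of NTP time",
    "fs-old-02":  "System time     : 0.001900000 seconds slow of NTP time",
    "srv-new-01": "System time     : 27.300000000 seconds slow of NTP time",
    "srv-new-02": "System time     : 12.050000000 seconds fast of NTP time",
}

_SYSTIME_RE = re.compile(
    r"System time\s*:\s*(?P<secs>\d+(?:\.\d+)?) seconds (?P<dir>fast|slow) of NTP time"
)


def parse_offset(line: str) -> float:
    """Signed offset in seconds (positive = ahead of NTP) from one tracking line."""
    m = _SYSTIME_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised tracking line: {line!r}")
    secs = float(m.group("secs"))
    return secs if m.group("dir") == "fast" else -secs


def measured_offsets(tracking: dict[str, str]) -> dict[str, float]:
    """Host -> signed offset for every host in the collected tracking output."""
    return {host: parse_offset(line) for host, line in tracking.items()}


def hosts_out_of_tolerance(tracking: dict[str, str], tolerance_s: float = 1.0) -> dict[str, float]:
    """Hosts whose clock differs from the authoritative source by more than tolerance_s."""
    return {h: off for h, off in measured_offsets(tracking).items() if abs(off) > tolerance_s}


@dataclass(frozen=True)
class AuditEvent:
    host: str
    recorded: datetime   # timestamp as written by the host's own clock
    msg: str


def true_time(ev: AuditEvent, offsets: dict[str, float]) -> datetime:
    """Map a recorded timestamp back to NTP time using the host's measured offset."""
    return ev.recorded - timedelta(seconds=offsets[ev.host])


def order_events(events: list[AuditEvent], offsets: Optional[dict[str, float]] = None) -> list[str]:
    """Event messages in chronological order, optionally after offset correction."""
    if offsets is None:
        return [e.msg for e in sorted(events, key=lambda e: e.recorded)]
    return [e.msg for e in sorted(events, key=lambda e: true_time(e, offsets))]


# Constructed scenario: a user reads a CUI file on an old node, then 5 s later
# uploads it from a new node. Each host stamps the event with its own skewed clock.
OFFSETS = measured_offsets(SAMPLE_TRACKING)
T0 = datetime(2026, 2, 7, 14, 0, 0, tzinfo=timezone.utc)


def _stamp(host: str, when: datetime) -> datetime:
    """What the host would write in its log for an event that truly happened at `when`."""
    return when + timedelta(seconds=OFFSETS[host])


SAMPLE_EVENTS = [
    AuditEvent("fs-old-01",  _stamp("fs-old-01",  T0 + timedelta(seconds=5)),  "A: read CUI file on fs-old-01"),
    AuditEvent("srv-new-01", _stamp("srv-new-01", T0 + timedelta(seconds=10)), "B: upload from srv-new-01"),
]


if __name__ == "__main__":
    for host, off in hosts_out_of_tolerance(SAMPLE_TRACKING).items():
        print(f"{host}: {off:+.3f} s from NTP, outside 1 s tolerance")
    print("as recorded:", order_events(SAMPLE_EVENTS))
    print("corrected:  ", order_events(SAMPLE_EVENTS, OFFSETS))
```

Run as-is, the script flags the two new nodes and shows the upload (B) sorting before the file read (A) when the raw timestamps are trusted, and in the correct order once each host's measured offset is applied. In a real assessment the offsets would be collected from each host at the time the test events are triggered; after the fact, the correction is only as good as the offset that was measured then.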



A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 - Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media.
Which of the following is NOT an assessment method for MP.L2-3.8.5 - Media Accountability?

  A. Testing mechanisms supporting or implementing media storage and media protection
  B. Examining designated controlled areas
  C. Interviewing organizational processes for storing media
  D. Examining procedures addressing media storage and access control policy

Answer(s): C

Explanation:

MP.L2-3.8.5 requires the organization to control access to media containing CUI and to maintain accountability for that media during transport outside controlled areas. In NIST SP 800-171A the interview method is applied to people, such as personnel with media protection and storage responsibilities; organizational processes (for example, the process for storing media) are objects of the test method, alongside the mechanisms that support media storage and protection. Testing mechanisms (A), examining designated controlled areas (B) and examining the procedures addressing media storage and the access control policy (D) are therefore valid methods for this practice, while "interviewing organizational processes" (C) pairs the interview method with an object it cannot be applied to.
Supporting official documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.5: examine the media protection and access control policies, the procedures addressing media storage and accountability, the SSP and designated controlled areas; interview personnel with media protection and storage responsibilities; test organizational processes for storing media and the mechanisms supporting or implementing media storage and protection.
NIST SP 800-171A, 3.8.5: interviews are discussions held with individuals or groups of individuals, not with processes.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites.
What CMMC practice does this violate?

  A. AC.L2-3.1.7
  B. AC.L2-3.1.6
  C. AC.L2-3.1.4
  D. AC.L2-3.1.2

Answer(s): B

Explanation:

CMMC practice AC.L2-3.1.6 - Non-Privileged Account Use requires users to use non-privileged accounts or roles when accessing non-security functions. Reading email and browsing internal websites are not security functions, so doing them from an account with elevated privileges violates this practice: a phishing attachment or a malicious page rendered in that session runs with the administrator's rights rather than an ordinary user's, and any credential theft yields a privileged account. AC.L2-3.1.7 (A) prevents non-privileged users from executing privileged functions and requires those executions to be captured in audit logs; AC.L2-3.1.4 (C) separates the duties of individuals to reduce the risk of malevolent activity without collusion; AC.L2-3.1.2 (D) limits system access to the types of transactions and functions that authorized users are permitted to execute. None of those targets the use of privileged accounts for non-security activity.
Supporting official documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: the organization identifies its non-security functions and requires the use of non-privileged accounts or roles when accessing them; the discussion gives email and web browsing as typical non-security functions.
NIST SP 800-171A, 3.1.6: the assessment objectives are that non-security functions are identified and that users are required to use non-privileged accounts or roles when accessing them; examine objects include the list of system accounts and audit logs and records showing how accounts are used.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
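As an added example that is not from the page or the CMMC guide: one way an assessor can examine account usage for AC.L2-3.1.6 is to take the web proxy log and the privileged-account list the contractor supplied and look for privileged accounts appearing in ordinary web traffic. The Python below parses Squid's native access.log format (the rfc931 field carries the authenticated user name) and reports every privileged account seen browsing, with its destinations. The account names, naming convention and log lines are constructed for the example.

```python
"""Find privileged accounts used for web browsing (AC.L2-3.1.6 account-usage check).

Added example; the account list, naming convention and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed: privileged accounts from the contractor's directory group export, plus the
# naming convention their SSP says admin (da-, adm-) and service (svc-) accounts follow.
PRIVILEGED_ACCOUNTS = {"da-jsmith", "svc-backup"}
PRIV_NAME_RE = re.compile(r"^(?:da|adm|svc)-", re.IGNORECASE)

# Constructed lines in Squid native access.log format:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1770472800.101    245 10.1.2.3 TCP_MISS/200 5432 GET http://intranet.example.local/news/ jsmith HIER_DIRECT/10.1.2.50 text/html
1770472801.220    131 10.1.2.3 TCP_MISS/200 8190 GET http://intranet.example.local/hr/ da-jsmith HIER_DIRECT/10.1.2.50 text/html
1770472805.004     98 10.1.2.9 TCP_TUNNEL/200 2210 CONNECT mail.example.local:443 adm-rlee HIER_DIRECT/10.1.2.51 -
1770472806.410     60 10.1.2.9 TCP_MISS/200 1500 GET http://intranet.example.local/news/ adm-rlee HIER_DIRECT/10.1.2.50 text/html
1770472807.330     40 10.1.2.9 TCP_DENIED/403 300 GET http://example.com/ - HIER_NONE/- text/html
1770472809.900    210 10.1.2.4 TCP_MISS/200 7000 GET http://updates.example.local/patch.msi svc-backup HIER_DIRECT/10.1.2.52 application/octet-stream
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_squid(text: str) -> list[dict]:
    """Parse native-format lines; lines that do not match are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = SQUID_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_privileged(user: str) -> bool:
    """Known privileged account, or one matching the documented admin naming convention."""
    return user in PRIVILEGED_ACCOUNTS or PRIV_NAME_RE.match(user) is not None


def privileged_web_use(text: str) -> dict[str, dict]:
    """Privileged accounts seen browsing: user -> {'requests': n, 'destinations': [...]}."""
    seen: dict[str, list] = defaultdict(list)
    for rec in parse_squid(text):
        user = rec["user"]
        if user == "-" or not is_privileged(user):   # unauthenticated or ordinary user
            continue
        seen[user].append(rec["url"])
    return {u: {"requests": len(urls), "destinations": sorted(set(urls))}
            for u, urls in seen.items()}


if __name__ == "__main__":
    for user, info in privileged_web_use(SAMPLE_PROXY_LOG).items():
        print(f"{user}: {info['requests']} request(s) -> {', '.join(info['destinations'])}")
```

Hits in this output are a starting point, not a finding: the assessor still interviews the administrators named and checks the SSP, because a service account fetching a patch from an internal update server may be an authorized privileged function, whereas an admin account reading webmail is the behaviour the practice prohibits.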





