Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 11)

Updated On: 9-Feb-2026

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. Basing your answer on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1 - Media Protection?

  A. Partially Met
  B. Not Applicable
  C. Not Met
  D. Met

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
MP.L2-3.8.1 requires "protecting CUI on media with physical and logical controls." The contractor's biometric storage, MFA, access lists, and inventory meet these objectives, showing robust protection. This 1-point practice scores Met (+1) with no gaps, per DoD methodology. Partial (A) and Not Met (C) require deficiencies, and N/A (B) doesn't apply.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.1: "Protect media with physical (e.g., locked storage) and logical (e.g., MFA) controls."
DoD Scoring Methodology: "1-point practice: Met = +1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6 - Reduction & Reporting?

  A. Partially Met
  B. Not Applicable
  C. Not Met
  D. Met

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.6 requires "providing audit reduction and report generation capabilities." The SSP documents measures, and Splunk (a SIEM) supports reduction and reporting, meeting both objectives. With no gaps noted, this 1-point practice scores Met (+1) per DoD methodology. Partial (A) and Not Met (C) require deficiencies, and N/A (B) doesn't apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Examine tools like SIEM for reduction and reporting."
DoD Scoring Methodology: "1-point practice: Met = +1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing an organization's implementation of the System and Information Integrity (SI) practices. During your assessment, you find that the organization has subscribed to security alert and advisory services from reputable sources, such as US-CERT and relevant industry-specific organizations. In interviews with their network and system administrators, you learn that they have deployed an intrusion detection system (IDS) to monitor network traffic for known threats and suspicious activities. They also have a Security Information and Event Management (SIEM) system in place to aggregate and analyze logs from various sources for potential security incidents. Additionally, the network administrator informs you that they have established a Security Operations Center (SOC) to monitor and analyze activity on networks, servers, databases, applications, and other systems. However, you notice that while the organization receives these alerts and advisories, there is no documented process or assigned personnel responsible for reviewing and acting upon them. After reviewing the organization's implementation, which of the following would be the most appropriate next step for the assessor to validate compliance with CMMC practice SI.L2-3.14.3 - Security Alerts & Advisories?

  A. Test the organization's processes for defining, receiving, and disseminating security alerts and advisories
  B. Examine the organization's system and information integrity policies and procedures
  C. Review system audit logs and records for evidence of actions taken in response to security alerts and advisories
  D. Interview the personnel responsible for the Security Operations Center (SOC) to determine whether they take actions in response to security alerts and advisories

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SI.L2-3.14.3 requires organizations to "monitor security alerts and advisories and take appropriate actions in response." While the organization has tools (IDS, SIEM, SOC) and subscriptions to alerts, the lack of a documented process or assigned personnel to act on them raises a compliance gap. Interviewing SOC personnel is the most direct next step to determine if actions are taken, as they are operationally positioned to respond to alerts. Testing processes (A) assumes a process exists, which isn't evident. Examining policies (B) won't reveal operational actions, and reviewing logs (C) requires prior knowledge of actions to look for. The CMMC guide prioritizes interviews to validate operational implementation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.3: "Interview: Personnel with security responsibilities; SOC personnel to determine actions taken in response to alerts." NIST SP 800-171A, 3.14.3: "Interview personnel to verify that alerts and advisories are reviewed and acted upon."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery.
What would you recommend the contractor do to avert the risk?

  A. Institute mandatory overtime for the engineer to complete tasks faster
  B. Fully implement AC.L2-3.1.4, Separation of Duties, by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties
  C. Invest in more powerful development machines
  D. Increase the engineer's salary to incentivize careful work

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.4 - Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling all tasks concentrates privileges, increasing error or malice risks. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) don't address duty separation or risk reduction.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
NIST SP 800-171A, 3.1.4: "Recommend role distribution."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 - Authoritative Time Source?

  A. 5
  B. -1
  C. 1
  D. -5

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.7 requires organizations to "synchronize system clocks with an authoritative time source" to ensure consistent timestamps for audit records. The contractor has an NTP server, but the 30-second synchronization threshold on new systems leads to inconsistent timestamps, failing the practice's intent. Per the DoD Assessment Scoring Methodology, AU.L2-3.3.7 is a 1-point practice. If not fully met, it scores -1 (Not Met). The partial implementation (NTP server exists but not effectively applied) doesn't qualify as Met, so no positive points are awarded. The CMMC guide stresses uniformity in timestamps, which this configuration undermines.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: "Synchronize clocks to ensure uniformity of timestamps for audit records."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf





