Free Cyber AB CMMC-CCA Exam Questions (page: 2)

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group, which grants access to compile and test code modules. The "Admin_Roles" group, with elevated privileges for system administration activities, is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory, a privileged function. How should execution of the debugging permission be handled to align with AC.L2-3.1.7 - Privileged Functions?

  A. Require it to generate an email alert
  B. Perform automatic termination of the action
  C. Implement geo-IP blocking on the workstation
  D. Ensure it is logged to the central SIEM system

Answer(s): D

Explanation:

AC.L2-3.1.7 requires "preventing non-privileged users from executing privileged functions and logging such attempts." The developer's access to kernel memory (a privileged function) violates least privilege, and logging to a SIEM (D) ensures visibility and auditability, aligning with the practice. Alerts (A) are supplementary, termination (B) isn't required, and geo-IP blocking (C) is unrelated. The CMMC guide emphasizes logging for accountability.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Log attempts by non-privileged users to execute privileged functions."
NIST SP 800-171A, 3.1.7: "Examine logs for privileged function attempts."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt. Based on this scenario, which of the following statements is TRUE about the contractor's implementation of CMMC practice AC.L2-3.1.8 - Unsuccessful Logon Attempts?

  A. The contractor has successfully implemented practice AC.L2-3.1.8 - Unsuccessful Logon Attempts, warranting a score of MET
  B. The contractor's approach does not provide sufficient protection against unauthorized access attempts
  C. Based on the current implementation, CMMC practice AC.L2-3.1.8 cannot be scored as MET
  D. The contractor's approach does not adequately address the required assessment objectives

Answer(s): A

Explanation:

AC.L2-3.1.8 requires "limiting unsuccessful logon attempts" by defining: [a] a threshold, and [b] a lockout duration or delay. The contractor's settings (5 attempts, 15-minute lockout, 30-second reset) meet these objectives, providing reasonable protection against brute-force attacks.
While stricter settings (e.g., fewer attempts) could enhance security, CMMC doesn't mandate specific values, only that limits are enforced. This 1-point practice scores Met (+1), making A true. B, C, and D assume inadequacy without evidence of failure.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.8: "Define and enforce [a] number of attempts, [b] lockout duration or delay."
DoD Scoring Methodology: "1-point practice: Met = +1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



While examining a contractor's audit and accountability policy, you realize they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, several tests show that the mechanisms implementing system audit logging are lacking because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted.
Which of the following is a potential assessment method for AU.L2-3.3.1 - System Auditing?

  A. Examine procedures addressing audit record generation
  B. Testing procedures addressing control of audit records
  C. Testing the system configuration settings and associated documentation
  D. Examining the mechanisms for implementing system audit logging

Answer(s): A

Explanation:

AU.L2-3.3.1 requires "creating and retaining audit records with sufficient content." Examining procedures (A) verifies whether the defined content meets requirements, addressing the scenario's deficiency (limited logs). Testing procedures (B) isn't a standard method, testing configurations (C) is secondary, and examining mechanisms (D) isn't a method; testing them is. The CMMC guide lists procedural examination as key.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.1: "Examine procedures addressing audit record generation."
NIST SP 800-171A, 3.3.1: "Examine documented processes for content sufficiency."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing a contractor's implementation of CMMC practice MA.L2-3.7.4 - Media Inspection by examining their maintenance records. You realize the maintenance logs identify a repeating problem. A recently installed central server has been experiencing issues affecting the performance of the contractor's information systems. This is confirmed by your interview with the contractor's IT team. You requested to investigate the server, and the IT team agreed. On the server, there is a file named conf.zip that gets your attention. You decide to open the file on an isolated computer for further review. To your surprise, the file is a .exe used when testing the server for data exfiltration.
How should this incident be handled?

  A. By immediately reporting it to the FBI's Cyber Division
  B. Decommissioning the server and installing a new one
  C. In accordance with the incident response plan
  D. By sandboxing the malicious code and continuing with business as usual

Answer(s): C

Explanation:

CMMC practice MA.L2-3.7.4 - Media Inspection requires organizations to "inspect media containing diagnostic and test programs prior to maintenance to ensure no malicious code is present and handle incidents appropriately." The discovery of a .exe file used for data exfiltration testing on a production server indicates a potential security incident (malicious or unauthorized code). The practice's intent is to identify and manage such risks, and the CMMC framework mandates handling incidents per the organization's incident response plan (IR.L2-3.6.1), which should include steps like verification, containment, eradication, and reporting.
Option C: In accordance with the incident response plan. This is the correct approach, as it ensures a structured response (e.g., isolate the server, investigate the .exe's origin, remove it, and report if needed), aligning with CMMC's integrated security processes.
Option A: Reporting to the FBI immediately. Premature without internal verification and escalation per the IR plan; external reporting may follow but isn't the first step.
Option B: Decommissioning the server. Drastic and potentially unnecessary without analysis; it disrupts operations and skips investigation.
Option D: Sandboxing and continuing. Sandboxing is part of analysis, but continuing business as usual ignores the risk of active compromise.
Why C? The CMMC guide ties media inspection incidents to the IR process, ensuring a systematic response that balances security and operational needs. The assessor's role is to verify compliance, not dictate actions, but C reflects the required process.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.4: "Handle identified malicious code in accordance with organizational incident response procedures." CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.1: "Establish an operational incident-handling capability to investigate, contain, and recover from incidents." NIST SP 800-171A, 3.7.4: "Examine incident response plans for handling malicious code found during media inspection."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices as tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 - Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted.
Which of the following is a reason why you would recommend container-based over full-device-based encryption?

  A. Container-based encryption offers granular control over sensitive data, improves device performance by encrypting selectively, and enhances security in Bring-Your-Own-Device (BYOD) environments
  B. Container-based encryption is more cost-effective
  C. It is more user-friendly and easier to deploy on a large scale
  D. Full-device encryption is not compatible with modern mobile operating systems

Answer(s): A

Explanation:

AC.L2-3.1.19 requires "encrypting CUI on mobile devices." Full-device encryption secures all data, but container-based encryption (A) offers granularity (protecting only CUI), performance (less overhead), and BYOD compatibility (separating work/personal data), enhancing security and usability. Cost (B) and ease (C) aren't primary drivers, and full-device encryption (D) is compatible with modern OSes, per CMMC discussion.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Container-based encryption provides granular control, performance, and BYOD support."
NIST SP 800-171A, 3.1.19: "Assess encryption methods for effectiveness."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your review of an OSC's system security controls, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system uses default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure defining a period of inactivity after which remote access connections are terminated. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work.
What additional approach, besides relying solely on user awareness, could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9 - Connections Termination?

  A. Modify the server-side application settings to automatically terminate inactive user sessions after a defined period
  B. Implement a centralized inactivity monitoring tool to identify inactive connections across the network and notify administrators for manual termination
  C. Upgrade the server operating system to the latest version, as newer versions may have stricter default timeouts for idle connections
  D. Educate users about the importance of logging out and the risks associated with leaving sessions open

Answer(s): A

Explanation:

SC.L2-3.13.9 requires "terminating connections after a defined inactivity period." Modifying application settings to auto-terminate sessions (A) directly enforces this, replacing reliance on users with a technical control, per CMMC intent. Monitoring with manual action (B) isn't automatic, OS upgrades (C) don't guarantee compliance, and education (D) supplements, not replaces, enforcement.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Implement auto-termination at application level for inactivity."
NIST SP 800-171A, 3.13.9: "Test application settings for timeout enforcement."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Mobile devices are increasingly important in many contractors' day-to-day activities. Thus, contractors must institute measures to ensure the devices are correctly identified and any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI. You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC.L2-3.1.18 - Mobile Device Connections. To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Mobile devices connecting to organizational systems must have a device-specific identifier.
Which of the following is the main consideration for a contractor when choosing an identifier?

  A. Choosing an identifier that can accommodate all devices and be used consistently within the organization
  B. Prioritize using identifiers that are easy to remember and user-friendly
  C. The identifier must be easily differentiable from one device to another
  D. Use random identifiers to identify mobile devices on the network easily

Answer(s): A

Explanation:

AC.L2-3.1.18 requires "controlling mobile device connections with device-specific identifiers." The main consideration is consistency and scalability across all devices (A), ensuring uniform management and authorization, per CMMC guidance. User-friendliness (B) is secondary, differentiation (C) is a byproduct of uniqueness, and randomness (D) lacks organizational coherence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.18: "Use consistent, scalable identifiers for all mobile devices."
NIST SP 800-171A, 3.1.18: "Examine identifier consistency across devices."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored and meeting rooms where executives meet to discuss things that have to do with CUI and other sensitive matters are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged.
Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 - Monitor Facility?

  A. Video surveillance monitoring at entry/exit points
  B. Unlocked wiring closets
  C. Network cables hanging from the walls
  D. Damaged cable conduits

Answer(s): A

Explanation:

PE.L2-3.10.2 requires "protecting and monitoring the physical facility and support infrastructure." Video surveillance at entry/exit points (A) is a strength, not a concern, fulfilling monitoring requirements. Unlocked wiring closets (B), exposed network cables (C), and damaged conduits (D) are vulnerabilities that risk tampering or unauthorized access to the infrastructure supporting CUI systems, per the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.2: "Monitor facility with cameras; protect infrastructure from tampering."
NIST SP 800-171A, 3.10.2: "Examine monitoring and protection of physical assets."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf





