Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 20 )

Updated On: 9-Feb-2026

When assessing an OSC for CMMC compliance, you examine its risk assessment policy and the procedures addressing organizational risk assessments. According to the policy, comprehensive risk assessments of all systems and facilities that process, store, or transmit CUI are performed annually. However, when reviewing past risk assessment reports, you find that a risk assessment covering all CUI systems was conducted in January 2022. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have scheduled the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding the OSC's adherence to CMMC practice RA.L2-3.11.1 - Risk Assessments?

  A. They are fully compliant
  B. They are non-compliant
  C. They are partially compliant, as at least one risk assessment was completed
  D. More information is needed to make a determination

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
RA.L2-3.11.1 requires "periodically assessing risks to operations, assets, and individuals from system use." The OSC's policy defines annual assessments, but a 21-month gap (Jan 2022 to Nov 2023) violates this frequency and fails the practice's intent. This 5-point practice scores Not Met (-5); partial compliance (C) is not recognized under CMMC scoring, and more information (D) is not needed given the clear lapse. Full compliance (A) requires adherence to the defined period.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.1: "Assess risks at defined intervals; non-compliance if periodicity unmet."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality.
While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?

  A. The lack of mobile device management (MDM) for access through web interfaces
  B. Containerization technology itself might introduce security vulnerabilities
  C. The use of JavaScript in containerized microservices
  D. The potential execution of unauthorized mobile code through web interfaces

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.13 - Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern when web interfaces are used to access the microservices. Unauthorized code execution (D) is the primary risk, as it could compromise users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are a separate concern; and the use of JavaScript (C) is not inherently a mobile code problem unless it is executed client-side without control. The CMMC guide focuses on execution risks.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."
NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group, which grants access to compile and test code modules. The "Admin_Roles" group, with elevated privileges for system administration activities, is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory, a privileged function.
Which of the following controls could have prevented the developer from executing this privileged function?

  A. Removing internet access
  B. Prohibiting inheritance of privileged permissions
  C. Enforcing dual authorization
  D. Implementing time of day restrictions

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

AC.L2-3.1.7 - Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfigured permissions from the Admin_Roles group. Prohibiting inheritance (B) ensures members of Dev_Roles do not gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) do not directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."
NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms such as SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution uses TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 - Cryptographically-Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?

  A. Not Met (-5 points)
  B. Met (+5 points)
  C. Met (+1 point)
  D. Not Met (-1 point)

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission, so both of the practice's objectives are met. Per the DoD Scoring Methodology, IA.L2-3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance is not an option here, as both storage and transit are addressed.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 - Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided the same biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 - Role-Based Training?

  A. Not Met
  B. Partially Met
  C. Not Applicable
  D. Met

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI handling and best practices does not meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per the DoD methodology for this 1-point practice). Partial compliance (B) is not an option under CMMC scoring.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

