Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 3)

Updated On: 7-Feb-2026

During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario mentions that the server utilizes default settings for connection timeouts.
What additional approach, besides relying solely on user awareness, could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9 - Connections Termination?

  A. Modify the server-side application settings to automatically terminate inactive user sessions after a defined period
  B. Implement a centralized inactivity monitoring tool to identify inactive connections across the network and notify administrators for manual termination
  C. Upgrade the server operating system to the latest version, as newer versions may have stricter default timeouts for idle connections
  D. Educate users about the importance of logging out and the risks associated with leaving sessions open

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.9 requires "terminating connections after a defined inactivity period." Modifying application settings to auto-terminate sessions (A) directly enforces this, replacing user reliance with a technical control, per CMMC intent. Monitoring with manual action (B) isn't automatic, OS upgrades (C) don't guarantee compliance, and education (D) supplements, not replaces, enforcement.
Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Implement auto-termination at application level for inactivity."
NIST SP 800-171A, 3.13.9: "Test application settings for timeout enforcement."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Mobile devices are increasingly becoming important in many contractors' day-to-day activities. Thus, the contractors must institute measures to ensure they are correctly identified and any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI. You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC.L2-3.1.18 - Mobile Device Connections. To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Mobile devices connecting to organizational systems must have a device-specific identifier.
Which of the following is the main consideration for a contractor when choosing an identifier?

  A. Choosing an identifier that can accommodate all devices and be used consistently within the organization
  B. Prioritize using identifiers that are easy to remember and user-friendly
  C. The identifier must be easily differentiable from one device to another
  D. Use random identifiers to identify mobile devices on the network easily

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.18 requires "controlling mobile device connections with device-specific identifiers." The main consideration is consistency and scalability across all devices (A), ensuring uniform management and authorization, per CMMC guidance. User-friendliness (B) is secondary, differentiation (C) is a byproduct of uniqueness, and randomness (D) lacks organizational coherence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.18: "Use consistent, scalable identifiers for all mobile devices."
NIST SP 800-171A, 3.1.18: "Examine identifier consistency across devices."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored, and from meeting rooms where executives discuss CUI and other sensitive matters, are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged.
Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 - Monitor Facility?

  A. Video surveillance monitoring at entry/exit points
  B. Unlocked wiring closets
  C. Network cables hanging from the walls
  D. Damaged cable conduits

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
PE.L2-3.10.2 requires "protecting and monitoring the physical facility and support infrastructure." Video surveillance at entry/exit points (A) is a strength, not a concern, fulfilling monitoring requirements. Unlocked wiring closets (B), exposed network cables (C), and damaged conduits (D) are vulnerabilities risking tampering or unauthorized access to infrastructure supporting CUI systems, per the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.2: "Monitor facility with cameras; protect infrastructure from tampering."
NIST SP 800-171A, 3.10.2: "Examine monitoring and protection of physical assets."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 - Security Control Assessment?

  A. -5
  B. -3
  C. -1
  D. 5

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective. Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency." DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements.
When examining the contractor's change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities.
What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3 - System Change Management besides their change management policy?

  A. Employee satisfaction surveys regarding the change management process
  B. System uptime statistics showing improved stability after change management implementation
  C. Organizational procedures addressing system configuration change control and change control/audit review reports
  D. Antivirus scan reports detailing detected and quarantined threats

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.3 requires organizations to "track, review, approve/disapprove, and log changes to organizational systems." Beyond the policy, evidence like procedures for change control and review reports directly demonstrates implementation, tracking, and oversight, aligning with the practice's objectives. Surveys (A) and uptime stats (B) are indirect and not specific to change management processes, while antivirus reports (D) are unrelated. The CMMC guide lists procedural documents and logs as key artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.3: "Examine procedures addressing change control and audit review reports."
NIST SP 800-171A, 3.4.3: "Artifacts include change control procedures and logs."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


