Free Cyber AB CMMC-CCA Exam Questions (page: 3)

When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy states that the contractor undergoes regular security audits and penetration testing every ten months to assess the posture of its security controls. The policy also states that every four months the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy, you decide to speak with various personnel involved in security functions. You learn that, although it is documented in the policy, the contractor has not audited its security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 - Security Control Assessment?

  A. -5
  B. -3
  C. -1
  D. 5

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.1 requires organizations to "periodically assess the security controls in organizational systems to determine if the controls are effective in their application." The policy defines a 10-month cycle, but no audits have occurred in over two years, so the assessment objective is not implemented regardless of what the policy says. Under the DoD Assessment Methodology, CA.L2-3.12.1 is a 5-point practice and is scored -5 (Not Met); partial credit is not available for this practice, so a documented-but-unexecuted process earns nothing. The assessment guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency." DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements.
When examining the contractor's change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities.
What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3 - System Change Management besides their change management policy?

  A. Employee satisfaction surveys regarding the change management process
  B. System uptime statistics showing improved stability after change management implementation
  C. Organizational procedures addressing system configuration change control and change control/audit review reports
  D. Antivirus scan reports detailing detected and quarantined threats

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.3 requires organizations to "track, review, approve or disapprove, and log changes to organizational systems." Beyond the policy, change control procedures and change control/audit review reports directly demonstrate that changes are tracked, reviewed and logged, which is what the practice's assessment objectives ask for. Surveys (A) and uptime statistics (B) are indirect and do not show that any individual change was reviewed or approved, and antivirus reports (D) are unrelated. The assessment guide lists procedural documents and change records as key artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.3: "Examine procedures addressing change control and audit review reports."
NIST SP 800-171A, 3.4.3: "Artifacts include change control procedures and logs."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. How is Session Lock typically initiated?

  A. Automatically, after a predefined period of inactivity
  B. By the system administrator manually
  C. Through user authentication processes
  D. Only when manually triggered by the user before leaving their workstation

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AC.L2-3.1.10 - Session Lock requires organizations to "use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity." The typical initiation method is automatic, triggered by a predefined inactivity threshold (5 minutes in this scenario), so protection does not depend on a user or administrator remembering to act. Manual initiation by a system administrator or user may supplement the automatic lock but is not a substitute for it, since a user who walks away without locking leaves CUI exposed. User authentication relates to unlocking the session, not initiating the lock. The assessment guide emphasizes automated, centrally enforced settings so the control is applied uniformly across systems.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-defined time period of inactivity (e.g., 15 minutes or less)." NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a specified period of inactivity."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your assessment of CA.L2-3.12.3 - Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls.
When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas for improvement in their security controls. Speaking with employees, you learn the contractor regularly brings in outside trainers to teach the secure handling of information and how to identify gaps in the implemented security controls. You would rely on all of the evidence below to assess the contractor's implementation of CA.L2-3.12.3 - Security Control Monitoring, EXCEPT?

  A. Records/logs of monitoring activities over time
  B. Customer feedback on the contractor's security measures
  C. Reports or dashboards from the monitoring activities
  D. The contractor's security monitoring policies and procedures

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.3 requires organizations to "monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls." Logs of monitoring activity (A), reports and dashboards (C), and the monitoring policies and procedures (D) directly demonstrate that the program exists and operates over time. Customer feedback (B) is an external opinion of the contractor's security and does not show whether any specific control was monitored, so it is not evidence of this practice's operational artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Examine logs, reports, and monitoring policies."
NIST SP 800-171A, 3.12.3: "Focus on internal monitoring evidence."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. As a CCA, you will potentially use the following assessment methods to examine the contractor's implementation of session lock EXCEPT?

  A. Interview the system administrator
  B. Examine the system design documentation
  C. Test the strength of the user's password
  D. Test the mechanisms implementing the access control policy for session lock

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.10 - Session Lock requires initiating a session lock after a defined period of inactivity. Interviewing administrators (A), examining system design documentation (B), and testing the lock mechanisms (D) are the examine, interview and test methods that assess this practice. Password strength (C) is a matter for the identification and authentication practices (IA.L2-3.5.7 - Password Complexity), not for session lock; a strong password does nothing to lock an unattended session.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Interview, examine docs, test lock mechanisms."
NIST SP 800-171A, 3.1.10: "Exclude password strength from lock assessment."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. How will proper separation of duties help the contractor meet the intent of AC.L2-3.1.4 - Separation of Duties?

  A. It allows the engineers to specialize in specific areas
  B. It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual
  C. It reduces the overall cost of software development
  D. It simplifies the development process

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.4 requires organizations to "separate the duties of individuals to reduce the risk of malevolent activity without collusion." One engineer who designs, codes, tests and deploys to production holds every privilege in the delivery chain, so a mistake or a deliberate malicious change reaches the production ATC system with no independent review. Separation of duties (B) distributes those responsibilities so that at least a second person must review or act before a change is deployed, which increases the chance that errors and malicious actions are caught and removes reliance on a single individual. Specialization (A), cost (C), and simplicity (D) are side effects at best and are not the intent of the practice.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separation reduces risk via checks and balances."
NIST SP 800-171A, 3.1.4: "Distribute duties to mitigate insider threats."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms.
While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?

  A. The paper forms cannot be easily integrated with other security systems
  B. It can be time-consuming to complete the forms for frequent access
  C. It requires users to memorize more information for access
  D. The forms are susceptible to forgery, resulting in unauthorized access

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
MP.L2-3.8.2 requires organizations to "limit access to CUI on system media to authorized users." The paper-based form process for non-digital media, while intended to verify identity, is vulnerable to forgery (D): a signature on a form can be copied or faked, allowing an unauthorized person to obtain CUI, which is a direct security threat. Integration difficulty (A) and the time spent on forms (B) are operational concerns rather than immediate risks to CUI, and memorization (C) is not relevant to a signed form. The practice calls for access controls that reliably restrict media to authorized users, and a signed paper form offers far weaker assurance of identity than the MFA used for digital media.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Ensure access controls prevent unauthorized access; paper processes should be secure."
NIST SP 800-171A, 3.8.2: "Assess risks of forgery in manual access methods."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix.
Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 - Vulnerability Remediation?

  A. Immediately contract a third party to assist with remediation
  B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability
  C. Permanently disregard the vulnerability and take no further action
  D. Implement compensating controls to reduce the associated risk

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
RA.L2-3.11.3 requires organizations to "remediate vulnerabilities in accordance with risk assessments." When immediate remediation is not feasible, a risk-based decision to defer the fix must be documented, with the rationale recorded and the vulnerability tracked and monitored until it is resolved (B). Permanently ignoring the vulnerability (C) violates the practice. Contracting a third party (A) does not by itself address the downtime that makes remediation disruptive, and compensating controls (D) are a reasonable supplement but the question asks for the action that aligns with the practice's risk-assessment-driven approach, which is the documented, monitored acceptance. The assessment guide supports risk-based decisions when they are documented and tracked.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: "Document risk acceptance and monitor unremediated vulnerabilities."
NIST SP 800-171A, 3.11.3: "Examine risk acceptance rationale and monitoring plans."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Viewing page 3 of 42
Viewing questions 17 - 24 out of 325 questions


