When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing, or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 Risk Assessments?
Answer(s): B
Comprehensive and Detailed In-Depth RA.L2-3.11.1 requires "periodically assessing risks to operations, assets, and individuals from system use." The OSC's policy defines annual assessments, but a 21-month gap (Jan 2022Nov 2023) violates this frequency, failing the practice's intent. This 5-point practice scores Not Met (-5), as partial compliance (C) isn't recognized, and more info (D) isn't needed given the clear lapse. Full compliance (A) requires adherence to the defined period.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.1: "Assess risks at defined intervals; non- compliance if periodicity unmet."DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?
Answer(s): D
Comprehensive and Detailed In-Depth SC.L2-3.13.13 Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern via web interfaces accessing microservices. Unauthorized code execution (D) is the primary risk, as it could exploit users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are separate; and JavaScript use (C) isn't inherently mobile code unless executed client-side without control. The CMMC guide focuses on execution risks.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?
Comprehensive and Detailed In-Depth AC.L2-3.1.7 Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfiguredpermissions from the Admin_Roles group. Prohibiting inheritance (B) ensures Dev_Roles don't gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."
You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 Cryptographically- Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?
Comprehensive and Detailed In-Depth IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission--both meeting the practice's objectives. Per the DoD Scoring Methodology, IA.L2- 3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance isn't an option here, as both storage and transit are addressed.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 Role-Based Training?
Answer(s): A
Comprehensive and Detailed In-Depth AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI and best practices doesn't meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per DoD methodology for this 1-point practice). Partial compliance (B) isn't an option under CMMC scoring.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
Post your Comments and Discuss Cyber AB CMMC-CCA exam dumps with other Community members:
DynamoDB
S3
Cognito
RDS
EFS
/sbin/init
/etc/inittab
/etc/rc.d
/etc/init.d
/lib/init.so
/etc/rc.d/rcinit
/proc/sys/kernel/init
/boot/init
/bin/init
Amazon S3 Intelligent-Tiering
S3 Lifecycle
S3 Glacier Flexible Retrieval
Amazon Athena
Amazon EFS
EC2 instance store
ElastiCache for Redis
S3 Glacier Deep Archive
AWS Lake Formation
Amazon EMR Spark jobs
Amazon Kinesis Data Streams
Amazon DynamoDB
Defender for Endpoint
Defender for Identity
Defender for Cloud Apps
Defender for Office 365
S3 Object Lock
SFTP
AWS Transfer Family
Amazon SQS
API Gateway
Lambda
usage plan
AWS WAF
Amazon ECS
Application Load Balancer
AWS Global Accelerator
Network Load Balancer
EC2
Auto Scaling group
CloudFront
ALB
AWS PrivateLink
CRR
SSE-S3
Athena
SSE-KMS
RDS Custom for Oracle
s3:GetObject
Amazon OpenSearch Service
CloudWatch Logs
Kinesis Data Firehose
Kinesis
S3 bucket
Our website is free, but we have to fight against AI bots and content theft. We're sorry for the inconvenience caused by these security measures. You can access the rest of the CMMC-CCA content, but please register or login to continue.