Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 5)

Updated On: 7-Feb-2026

A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix.
Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 – Vulnerability Remediation?

  A. Immediately contract a third party to assist with remediation
  B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability
  C. Permanently disregard the vulnerability and take no further action
  D. Implement compensating controls to reduce the associated risk

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
RA.L2-3.11.3 requires "remediating vulnerabilities in accordance with risk assessments." If remediation isn't feasible, the practice allows risk acceptance with documentation and ongoing monitoring, balancing operational needs and security. Ignoring the vulnerability (C) violates the practice, while third-party help (A) or compensating controls (D) may not be immediately practical. The CMMC guide supports risk-based decisions with proper documentation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: "Document risk acceptance and monitor unremediated vulnerabilities."
NIST SP 800-171A, 3.11.3: "Examine risk acceptance rationale and monitoring plans."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Any user that accesses CUI on system media should be authorized and have a lawful business purpose.
While assessing a contractor's implementation of MP.L2-3.8.2 – Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking through the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on a table. When you interview the organization's data custodian, they inform you that the media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2 – Media Access, which of the following actions would be the highest-priority recommendation for the contractor?

  A. Conduct additional training for employees on handling CUI materials
  B. Develop and implement a process for timely disabling or revoking access to CUI upon employee termination
  C. Implement a system for logging and monitoring all access attempts to CUI resources
  D. Invest in more sophisticated access control technology for their systems

Answer(s): B

Explanation:

CMMC practice MP.L2-3.8.2 – Media Access requires organizations to "restrict access to CUI on system media to authorized users." The scenario reveals a critical failure: a terminated employee's ID continues to access CUI remotely, indicating a lack of timely revocation processes. This poses an immediate security risk, as unauthorized access to CUI violates the practice's core intent. Developing and implementing a process to disable access upon termination (B) directly addresses this gap and is the highest priority to ensure compliance and protect CUI. Training (A) is beneficial but doesn't fix the revocation issue, logging (C) is already partially in place and doesn't address termination, and new technology (D) is secondary to procedural fixes. The CMMC guide emphasizes timely access control as critical.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Restrict media access to authorized users; ensure processes revoke access when no longer needed."
NIST SP 800-171A, 3.8.2: "Examine processes for removing access upon termination."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



CMMC practice PS.L2-3.9.1 – Screen Individuals requires individuals to be screened before they are authorized access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screening, such as background check records, only affirmations from an interview session. In an interview with the HR Manager, they inform you that before an individual is hired, their information is submitted to a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?

  A. More information is needed
  B. Not Met
  C. Not Applicable
  D. Met

Answer(s): A

Explanation:

PS.L2-3.9.1, objective [a], requires "screening individuals prior to authorizing access to CUI systems." The HR Manager's affirmation suggests a process, but without physical evidence (e.g., screening records), compliance can't be confirmed. More information (A) is needed to verify, per CMMC's evidence-based assessment. Met (D) requires proof, Not Met (B) assumes failure prematurely, and N/A (C) doesn't apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PS.L2-3.9.1: "Examine screening records; interviews support but don't replace evidence."
NIST SP 800-171A, 3.9.1: "Verify with documentation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. The SSP has a dedicated section addressing the Audit and Accountability requirements. You proceed to interview the contractor's information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs.
What key features of the Splunk deployment would you be interested in assessing for AU.L2-3.3.6 – Reduction & Reporting?

  A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs
  B. Ensure Splunk can retain audit records for a protracted amount of time
  C. Ensure that Splunk employs various filter rules to reduce audit logs by eliminating non-essential data, and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports
  D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status

Answer(s): C

Explanation:

AU.L2-3.3.6 requires "audit reduction and report generation capabilities." Key features to assess in Splunk are filtering to reduce logs and analysis/reporting (C), directly meeting objectives [a] and [b]. RBAC (A) relates to AU.L2-3.3.8, retention (B) to AU.L2-3.3.2, and dashboards (D) aren't required, per CMMC focus.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Assess tools for [a] reducing logs via filters, [b] generating reports with analysis."
NIST SP 800-171A, 3.3.6: "Examine reduction and reporting functions."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



CMMC practice MA.L2-3.7.3 – Equipment Sanitization requires organizations to sanitize equipment containing CUI before it leaves their facilities for off-site maintenance.
Which standard would the OSC use to sanitize various types of media?

  A. NIST SP 800-53
  B. NIST SP 800-88
  C. NIST SP 800-171
  D. NIST SP 800-171A

Answer(s): B

Explanation:

MA.L2-3.7.3 mandates "sanitizing equipment for CUI prior to off-site maintenance." NIST SP 800-88 – Guidelines for Media Sanitization (B) provides specific methods (e.g., clearing, purging, destroying) tailored to media types, ensuring CUI is irrecoverable, which directly supports this practice. NIST SP 800-53 (A) is a broader control framework, NIST SP 800-171 (C) defines CMMC requirements without sanitization details, and NIST SP 800-171A (D) is an assessment guide, not a sanitization standard.
The CMMC guide references NIST SP 800-88 explicitly.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.3: "Sanitize per NIST SP 800-88 guidelines."
NIST SP 800-171A, 3.7.3: "Refer to NIST SP 800-88 for sanitization standards."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

