Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 6)

Updated On: 7-Feb-2026

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4 - Audit Failure Alerting, which of the following would be a key consideration regarding the evidence provided by the contractor?

  1. Ensuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted
  2. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios
  3. Determining if the documented personnel roles for alert notification align with the organization's hierarchy
  4. Checking if the alert notification process integrates with third-party monitoring services

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.4 requires "alerting personnel when audit logging fails." A 24-hour delay is concerning for timeliness, but the key evidence consideration is whether defined failure types (B) are comprehensive (e.g., software, hardware, capacity issues), ensuring effective detection. Notification security (A), role alignment (C), and third-party integration (D) are secondary, per CMMC focus on failure coverage.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.4: "Verify that defined failure types cover a comprehensive range."
NIST SP 800-171A, 3.3.4: "Examine failure scenarios for completeness."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 - Connections Termination, for the remote access application?

  1. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period
  2. Encrypting all traffic between the user device and the server to protect CUI in transit
  3. Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server
  4. Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.9 requires "terminating connections after a defined period of inactivity." Firewall rules to terminate inactive connections (A) directly enforce this for the CUI application, meeting the practice's intent. Encryption (B) protects data in transit (SC.L2-3.13.8), IDS/IPS (C) detects threats (SI.L2-3.14.6), and IP blocking (D) limits access (AC.L2-3.1.2); none of these address inactivity termination. The CMMC guide supports firewall-based timeouts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Configure firewalls for inactivity timeouts."
NIST SP 800-171A, 3.13.9: "Examine firewall rules for termination."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs.
What key features regarding the deployment of Splunk for AU.L2-3.3.6 - Reduction & Reporting would you be interested in assessing?

  1. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs
  2. Ensure Splunk can retain audit records for a protracted amount of time
  3. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate non-essential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports
  4. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AU.L2-3.3.6 - Reduction & Reporting requires organizations to "provide audit reduction and report generation capabilities to support after-the-fact investigations without altering original records." The objectives are: [a] reducing audit records by filtering non-essential data, and [b] generating reports for analysis. Splunk, a SIEM tool, is deployed, and the assessor must evaluate its alignment with these goals.
Option C: Filter rules for reduction and analysis/reporting processes - This directly addresses the practice's core requirements: reducing logs (e.g., filtering noise) and generating meaningful reports (e.g., anomaly detection, summaries). These features ensure Splunk meets AU.L2-3.3.6's intent, making it the key focus.
Option A: RBAC for access restriction - Relevant to AU.L2-3.3.8 (Audit Protection), not reduction/reporting; it's a security control, not a capability of this practice.
Option B: Retention time - Pertains to AU.L2-3.3.2 (Audit Retention), not reduction/reporting functionality.
Option D: Compliance dashboards - Useful but not required by AU.L2-3.3.6; the focus is on reduction and reporting, not real-time compliance visibility.
Why C? The CMMC guide specifies assessing tools for reduction (filtering) and reporting (analysis/report generation), and Splunk's effectiveness hinges on these features, per the scenario's SOC context.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Examine tools for capabilities to [a] reduce audit records by filtering non-essential data, and [b] generate reports identifying anomalies and summarizing data."
NIST SP 800-171A, 3.3.6: "Assess reduction and reporting functions, such as filtering and customized report generation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must have gone through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters. The personnel affecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect. To determine if the contractor has implemented enough measures to meet CM.L2-3.4.5 - Access Restrictions for Change, you need to examine all the following EXCEPT?

  1. Procedures addressing access restrictions for changes to the system
  2. Plan of Action and Milestones
  3. Contractor's configuration management policy
  4. System architecture and configuration documentation

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.5 requires "defining, documenting, approving, and enforcing access restrictions for system changes." Procedures (A), policy (C), and configs (D) provide direct evidence of these controls. A POA&M (B) documents deficiencies, not implementation, and isn't listed as an assessment object in the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.5: "Examine procedures, policy, and configs; POA&M not included."
NIST SP 800-171A, 3.4.5: "Focus on access restriction artifacts."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks.
While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2 - Security Configuration Enforcement if the contractor is tracking it in a POA&M?

  1. Not Met
  2. Need more information to score this practice
  3. Met
  4. Not Applicable

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice CM.L2-3.4.2 - Security Configuration Enforcement requires organizations to "enforce security configuration settings for information technology products employed in organizational systems." The contractor uses CFEngine 3 and a monitoring tool, but deviates from vendor-recommended configs, claiming alignment with organizational baselines. However, the practice being tracked in a POA&M indicates it's not fully implemented. Per the CMMC Assessment Process (CAP), any practice in a POA&M is scored as Not Met until a closeout assessment verifies full implementation. For CM.L2-3.4.2, a 5-point practice, partial implementation isn't accepted, and POA&M status confirms non-compliance at assessment time, scoring Not Met (-5). More info (B) isn't needed given the POA&M, Met (C) contradicts CAP, and N/A (D) doesn't apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Enforce security configs; full implementation required."
CAP v5.6.1, p. 24: "Practices tracked in a POA&M are scored as Not Met until closeout."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
