Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 7)

Updated On: 7-Feb-2026

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites.
Why is it critical to implement practice AC.L2-3.1.6 - Non-Privileged Account Use?

  A. Enables easier auditing and logging of privileged activities
  B. Mitigates the consequences of a security breach by safeguarding against data loss
  C. Prevents unauthorized modification of security functions
  D. Reduces exposure to threats that might exploit the misuse of privileges

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.6 requires users to use non-privileged accounts or roles when accessing nonsecurity functions. Email and internal web browsing are nonsecurity functions. When an administrator performs them from a privileged account, any malware delivered through a phishing attachment or a malicious page runs with that account's privileges, so one compromised session reaches everything the account can reach. The practice exists to reduce that exposure (D). Easier auditing (A) is a side benefit of separating accounts, not the reason for the practice; limiting breach consequences and data loss (B) and protecting security functions from unauthorized modification (C) are outcomes of other requirements rather than the primary purpose of 3.1.6. A practical check during assessment: confirm that each administrator also holds a standard account and that the mail client and browser are launched from that account, since a policy that exists on paper while the admin account is the one logged in all day does not meet the practice.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: "Use non-privileged accounts or roles when accessing nonsecurity functions." The accompanying discussion states that this requirement limits exposure when operating from within privileged accounts or roles.
NIST SP 800-171A, 3.1.6 assessment objectives: [a] nonsecurity functions are identified; [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
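As an added example, not from the assessment guide or this page, the following Python check looks for the failure mode in the scenario above: members of a privileged group launching applications the organization has identified as nonsecurity functions. The group membership, the application list, the "adm-" naming convention and the process-creation events are assumptions constructed for the example.

```python
"""Added example (not from the CMMC assessment guide or this page): flag
privileged accounts used for nonsecurity functions, the AC.L2-3.1.6 failure
mode in the scenario. Accounts, application names, the 'adm-' naming
convention and the sample events are assumptions constructed for the example."""
from collections import defaultdict

# Assumed: export of the privileged group's membership from the directory.
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-rlee", "svc-backup"}

# Assumed: applications the organization has identified as nonsecurity
# functions (objective [a] of 3.1.6 is that these are identified at all).
NONSECURITY_APPS = {"outlook.exe", "chrome.exe", "msedge.exe", "teams.exe"}

# Constructed sample process-creation events: (timestamp, account, image).
SAMPLE_EVENTS = [
    ("2026-02-07T08:01:12Z", "adm-jsmith", "Outlook.exe"),
    ("2026-02-07T08:03:45Z", "jsmith", "outlook.exe"),
    ("2026-02-07T08:10:02Z", "adm-rlee", "chrome.exe"),
    ("2026-02-07T08:12:30Z", "adm-rlee", "mmc.exe"),
    ("2026-02-07T09:00:00Z", "svc-backup", "robocopy.exe"),
]


def find_privileged_nonsecurity_use(events, privileged=PRIVILEGED_ACCOUNTS,
                                    nonsecurity_apps=NONSECURITY_APPS):
    """Return {account: [(timestamp, image), ...]} for each launch of a
    nonsecurity application by a privileged account. Image names are
    compared case-insensitively because Windows logs them either way."""
    hits = defaultdict(list)
    for ts, account, image in events:
        if account in privileged and image.lower() in nonsecurity_apps:
            hits[account].append((ts, image))
    return dict(hits)


def admins_without_standard_account(events, privileged=PRIVILEGED_ACCOUNTS,
                                    prefix="adm-"):
    """Admin accounts (by the assumed 'adm-' convention) whose non-privileged
    counterpart never appears in the events, which suggests the person has
    no standard account to use for email and browsing at all. A real check
    would query the directory rather than infer from logs."""
    seen = {account for _, account, _ in events}
    return sorted(a for a in privileged
                  if a.startswith(prefix) and a[len(prefix):] not in seen)


if __name__ == "__main__":
    for account, uses in find_privileged_nonsecurity_use(SAMPLE_EVENTS).items():
        print(f"{account}: {len(uses)} nonsecurity launch(es) -> {uses}")
    print("admins with no standard account seen:",
          admins_without_standard_account(SAMPLE_EVENTS))
```

Run against real process-creation events (for example Windows Security event 4688 exported to JSON), the first function gives the assessor direct evidence for or against objective [b], and the second points at people who could not comply even if they wanted to.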



After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor's security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success.
What assessment objective has the contractor failed to implement from CMMC practice CA.L2-3.12.2 - Plan of Action?

  A. The contractor has implemented all the assessment objectives in CA.L2-3.12.2 - Plan of Action
  B. Develop a change management plan that describes how to implement the remediation actions
  C. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective
  D. Identify the vulnerabilities and deficiencies that the plan of action will address

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.2 requires the organization to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Its assessment objectives are: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified; [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. The audit report satisfies [a], and the POA&M with its policy and due dates satisfies [b]; the interview evidence that remediation is skipped, or carried out in a way that is not practical, shows that [c] is not implemented (C). A is false; B describes a change management plan, which is not an objective of this practice; D is objective [a], which is met. An assessor should corroborate the interviews by picking closed POA&M items and asking for evidence that the fix was applied and verified, because a POA&M that is updated only on paper is exactly the failure described here.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.2, objective [c]: "the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities."
NIST SP 800-171A, 3.12.2: the assessor examines the plans of action and related records and interviews personnel with plan of action development and implementation responsibilities, so the practice is assessed on whether the actions were carried out, not only on whether they were planned.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing an OSC's compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated.
While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor's cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 - Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?

  A. 72 hours
  B. 90 days
  C. 90 hours
  D. 72 days

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IR.L2-3.6.2 requires the organization to track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. Neither the practice nor NIST SP 800-171 sets a retention period for incident records. For a defense contractor the governing number comes from DFARS 252.204-7012(e), Media preservation and protection: when a cyber incident is discovered, the contractor must preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, so that DoD can request the media or decline interest (B). 72 hours (A) is the separate DFARS 252.204-7012(c) deadline for rapidly reporting a cyber incident to DoD after discovery, not a retention period; 90 hours and 72 days (C, D) have no regulatory basis. A practical check: the OSC's IR procedure should start the 90-day clock at the date the report was submitted, not the date of discovery, and should cover forensic images and packet captures, not only the ticket in the tracking system.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.2 assessment objectives: [a] incidents are tracked; [b] incidents are documented; [c] authorities to whom incidents are to be reported are identified; [d] organizational officials to whom incidents are to be reported are identified; [e] identified authorities are notified of incidents; [f] identified organizational officials are notified of incidents.
DFARS 252.204-7012(e): preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. All of the following are required to satisfy AU.L2-3.3.1 - System Auditing assessment objectives [b] and [d], EXCEPT?

  A. Process identifiers
  B. Failure or success indications
  C. Timestamps
  D. File permissions

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.1 requires the organization to create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Objective [b] is that the content of audit records needed to support that monitoring, analysis, investigation and reporting is defined; objective [d] is that audit records, once created, contain the defined content. The scenario fails both, since the defined content is too thin for a record to identify the event that produced it. NIST SP 800-171 lists the content that may be necessary to satisfy the requirement: time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Process identifiers (A), success or failure indications (B) and timestamps (C) are on that list; file permissions (D) are not. Filenames involved are on the list, so a record of a file access should name the file, but the permission bits on that file are a property an investigator can look up later, not audit record content. The 24-hour deletion in the scenario bears on objectives [e] and [f] (retention requirements defined and followed), not on the content objectives this question asks about.
Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.1, objective [d]: "audit records, once created, contain the defined content."
NIST SP 800-171 (Rev. 2), 3.3.1 discussion: audit record content that may be necessary includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
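The two checks an assessor would want to run against a sample of the contractor's logs, as an added Python example that is not part of the assessment guide or this page: whether each generated record carries the content the organization defined (objectives [b] and [d]), and whether the oldest surviving record reaches back as far as the defined retention period (objectives [e] and [f]). The field names, the 30-day retention period and the sample records are assumptions constructed for the example.

```python
"""Added example (not from the assessment guide or this page): checks for
AU.L2-3.3.1 objectives [b]/[d] (records carry the defined content) and
[e]/[f] (records are retained as defined). The field names, the 30-day
retention period and the sample records are assumptions."""
import json
from datetime import datetime

# Assumed definition of audit record content (objective [b]), taken from the
# SP 800-171 3.3.1 discussion list: time, user/process, event, outcome, source.
REQUIRED_FIELDS = ("timestamp", "user_or_process", "event_type", "outcome", "source")
RETENTION_DAYS = 30  # assumed: the organization's defined retention period

# Constructed sample records, one JSON object per line as a shipper would emit.
SAMPLE_LOG = """\
{"timestamp": "2026-02-06T10:15:00Z", "user_or_process": "pid:4132/jsmith", "event_type": "file_read", "outcome": "success", "source": "10.1.2.3", "filename": "/cui/contract.pdf"}
{"timestamp": "2026-02-06T10:16:00Z", "event_type": "logon", "outcome": "failure"}
{"timestamp": "2025-12-01T00:00:00Z", "user_or_process": "pid:77/svc-backup", "event_type": "config_change", "outcome": "success", "source": "10.1.2.9"}
not a record at all
"""


def _parse_ts(value):
    """ISO 8601 with a trailing Z, as most shippers write it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_records(text):
    """Yield (line_number, record_or_None) for every non-blank line."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield n, json.loads(line)
        except json.JSONDecodeError:
            yield n, None


def check_content(text, required=REQUIRED_FIELDS):
    """Objective [d]: {line: [missing fields]} for each record that lacks
    part of the defined content. A line that does not parse is reported as
    missing everything, since it cannot identify any event."""
    findings = {}
    for n, rec in parse_records(text):
        if not isinstance(rec, dict):
            findings[n] = list(required)
            continue
        missing = [f for f in required if rec.get(f) in ("", None)]
        if missing:
            findings[n] = missing
    return findings


def check_retention(text, now_iso, retention_days=RETENTION_DAYS):
    """Objectives [e]/[f]: does the oldest surviving record reach back at
    least the defined retention period? Only meaningful once the system has
    been logging for longer than that period; a 24-hour purge like the one
    in the scenario shows up as an oldest record that is a day old."""
    now = _parse_ts(now_iso)
    timestamps = [_parse_ts(rec["timestamp"]) for _, rec in parse_records(text)
                  if isinstance(rec, dict) and rec.get("timestamp")]
    if not timestamps:
        return {"oldest_age_days": None, "retained_as_defined": False}
    age = (now - min(timestamps)).days
    return {"oldest_age_days": age, "retained_as_defined": age >= retention_days}


if __name__ == "__main__":
    print("content findings:", check_content(SAMPLE_LOG))
    print("retention:", check_retention(SAMPLE_LOG, "2026-02-07T00:00:00Z"))
```

In the sample, line 2 is the kind of record the scenario describes: it says a logon failed but not for whom or from where, so it cannot be tied to an event on its own. The retention check is deliberately simple; it answers "is anything older than the policy still here", which is the question objective [f] asks, and nothing about whether the records were deleted on purpose.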



After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms, and the system administrator has to run an algorithm to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card.
While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools.
Which of the following statements accurately describes the contractor's compliance with protecting audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8 - Audit Protection?

  A. The contractor's compliance cannot be determined based on the information provided
  B. The contractor is partially compliant, as audit logging tools are protected by the same measures as audit information
  C. The contractor is fully compliant; employees can access audit logging tools to meet their requirements
  D. The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.8 requires the organization to protect audit information and audit logging tools from unauthorized access, modification, and deletion. Its six objectives cover audit information ([a] access, [b] modification, [c] deletion) and, separately, audit logging tools ([d] access, [e] modification, [f] deletion). The SHA-512 verification and decryption at the start of the scenario go to the audit information objectives; the question asks about the tools. Employees can reach every audit logging tool and change its settings at will, and the access control policy defines no protection for the tools, so objectives [d] through [f] are not met and the practice is Not Met (D); under the DoD Assessment Methodology this 1-point practice subtracts 1 from the score. A is wrong because the interview and document evidence is sufficient; B asserts a protection the scenario never shows; C mistakes unrestricted access for compliance, when the ability to reconfigure what is logged is exactly what an intruder uses to blind detection. The tailgating observed on the tour is a separate physical protection observation and does not change this result. Two caveats a practitioner would raise about the integrity procedure: a SHA-512 digest stored alongside the logs only detects modification if the digest is kept where the modifier cannot rewrite it, or is keyed (an HMAC, or a chain anchored elsewhere); and integrity checks on the records say nothing about who may change which events are collected in the first place, which is what objectives [d] through [f] are about.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.8 assessment objectives: [d] audit logging tools are protected from unauthorized access; [e] audit logging tools are protected from unauthorized modification; [f] audit logging tools are protected from unauthorized deletion.
DoD Assessment Methodology: each practice is worth 1, 3 or 5 points; a practice that is Not Met subtracts its point value from the maximum score of 110, so this 1-point practice subtracts 1.


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
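The integrity check the scenario describes, recomputing digests over the audit records before they are used, as an added Python example that is not the contractor's procedure or text from the guide. It is done as an HMAC-SHA512 chain so that someone who can edit the log file cannot also produce valid digests, and it shows why the scenario's unkeyed SHA-512 alone does not protect against a deliberate rewrite. The key, the record layout and the sample records are assumptions constructed for the example.

```python
"""Added example (not the contractor's procedure or text from the guide):
the integrity check the scenario describes, recomputing digests over audit
records before they are used, done as an HMAC-SHA512 chain so that someone
who can edit the log cannot also recompute valid digests. The key, the
record layout and the sample records are assumptions."""
import copy
import hashlib
import hmac
import json

# Assumed: the verification key is held by the audit function, not on the
# logging host; it is constructed inline only so the example runs offline.
AUDIT_KEY = b"example-key-not-for-production"
GENESIS = b"\x00" * 64  # the chain starts from a fixed 64-byte value


def _canon(record):
    """Canonical bytes of a record so field ordering cannot change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=AUDIT_KEY):
    """Attach to each record an HMAC-SHA512 over (previous tag || record).
    Chaining means deleting or reordering an entry breaks every later tag."""
    sealed, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + _canon(rec), hashlib.sha512).hexdigest()
        sealed.append({"record": rec, "tag": tag})
        prev = bytes.fromhex(tag)
    return sealed


def verify(sealed, key=AUDIT_KEY):
    """Recompute the chain; return (True, None) or (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expect = hmac.new(key, prev + _canon(entry["record"]), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expect, entry["tag"]):
            return False, i
        prev = bytes.fromhex(entry["tag"])
    return True, None


def unkeyed_check(records, digests):
    """The scenario's weaker variant: a plain SHA-512 per record compared with
    the stored digest. Anyone who can rewrite the record can rewrite the
    digest too, so this only catches accidental corruption."""
    return len(records) == len(digests) and all(
        hashlib.sha512(_canon(r)).hexdigest() == d for r, d in zip(records, digests))


# Constructed sample audit records.
SAMPLE_RECORDS = [
    {"ts": "2026-02-07T08:00:00Z", "user": "adm-rlee", "event": "logon", "outcome": "success"},
    {"ts": "2026-02-07T08:05:00Z", "user": "adm-rlee", "event": "audit_config_change", "outcome": "success"},
    {"ts": "2026-02-07T08:06:00Z", "user": "adm-rlee", "event": "logoff", "outcome": "success"},
]


def tamper_demo():
    """Modification and deletion against the keyed chain, and the same
    modification against plain SHA-512 where the attacker also recomputes
    the digests."""
    good = seal(SAMPLE_RECORDS)
    modified = copy.deepcopy(good)
    modified[1]["record"]["event"] = "logon"   # hide the logging config change
    deleted = [good[0], good[2]]               # drop the middle entry
    attacked = copy.deepcopy(SAMPLE_RECORDS)
    attacked[1]["event"] = "logon"
    attacker_digests = [hashlib.sha512(_canon(r)).hexdigest() for r in attacked]
    return {
        "chain_intact": verify(good),
        "chain_modified": verify(modified),
        "chain_deleted": verify(deleted),
        "unkeyed_passes_after_rewrite": unkeyed_check(attacked, attacker_digests),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The keyed chain catches the edited entry and the dropped entry at index 1, while the unkeyed check accepts the rewritten log because the attacker simply recomputed the digests. This covers objectives [a] through [c] (the audit information); protecting the tools ([d] through [f]) is a matter of restricting who can change the logging configuration, which no digest can do.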





