Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 8)

Updated On: 7-Feb-2026

When assessing an OSC's implementation of the System and Information Integrity (SI) practices, you examine their system and information integrity policy. You find that they have documented procedures addressing system monitoring tools and techniques, along with a monitoring strategy. The OSC has implemented a user behavior analytics tool to detect abnormal behavior and deviations from normal patterns. To ensure that only authorized users access the system, the OSC uses robust access controls and regularly audits security and system logs for unusual activities. Interviewing the network administration team, you learn they use a network monitoring tool to track inbound and outbound network traffic and identify any distinctive patterns that may suggest unauthorized use. You also learn that they use an IDS to identify suspicious activities, which are aggregated and analyzed using a state-of-the-art SIEM. The scenario mentions that the OSC uses a network monitoring tool to track inbound and outbound traffic and identify unusual patterns. However, it does not provide details on the tool's specific techniques or methods.
Which of the following techniques would be most relevant for the assessor to inquire about during the assessment?

  A. Anomaly-based detection techniques
  B. Signature-based detection techniques
  C. Both signature-based and anomaly-based detection techniques
  D. Deep packet inspection techniques

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice SI.L2-3.14.6 - Monitor Communications for Attacks requires organizations to "monitor organizational communications at external boundaries and key internal boundaries for attacks or indicators of potential attacks." Effective monitoring typically employs both signature-based detection (identifying known threats via predefined patterns) and anomaly-based detection (flagging deviations from normal behavior), as these complementary techniques provide comprehensive coverage against known and emerging threats. The OSC's use of IDS, SIEM, and user behavior analytics suggests a mix of capabilities, but the specific techniques aren't detailed. Inquiring about both (C) ensures the assessor verifies a robust approach, as recommended by the CMMC guide. Anomaly-based (A) or signature-based (B) alone are insufficient, and while deep packet inspection (D) is useful, it's a narrower method not explicitly required.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.6: "Monitoring includes signature-based and anomaly-based detection to identify attacks."
NIST SP 800-171A, 3.14.6: "Interview personnel to determine monitoring techniques, including signature and anomaly detection."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC's collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC's compliance with CMMC practice SC.L2-3.13.12 - Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.

  A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies
  B. Network traffic logs showing no instances of remote activation attempts on the web cameras
  C. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation
  D. System configuration settings for the web cameras, verifying that remote activation is enabled

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.12 requires "prohibiting remote activation of collaborative devices without user authorization, or controlling it to prevent unacceptable risk." The IT exception for webcams suggests a controlled allowance. A risk assessment (A) justifies this exception, showing risks (e.g., privacy) and mitigations (e.g., IT authorization), aligning with CMMC's risk-based approach. Logs (B) show usage, not policy compliance; training (C) supports awareness, not control; configs (D) confirm capability, not authorization rationale. A is most directly tied to compliance evidence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.12: "Examine risk assessments for exceptions to remote activation prohibitions."
NIST SP 800-171A, 3.13.12: "Assess documented risk mitigations for controlled exceptions."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality.
When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 - Audit Management?

  A. Partially Met - The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined
  B. Met - The contractor has defined privileged user roles for audit management
  C. Not Applicable - The practice is not relevant to the contractor's environment
  D. Not Met - The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.9 requires "limiting management of audit logging functionality to a subset of privileged users." Granting access to multiple roles beyond the Audit Administrator (e.g., System and Network Admins) exceeds this subset, violating the practice's intent for tight control. This 1-point practice scores Not Met (-1) due to unrestricted access, per DoD methodology. Partially Met (A) isn't an option under CMMC scoring.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.9: "Limit audit management to a defined subset of privileged users."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy.
Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?

  A. 48 CFR 52.204-21 and NIST SP 800-171
  B. DFARS 252.204-7012 and ISOO CUI Registry
  C. 32 CFR Part 2002 and ISOO CUI Registry
  D. 22 CFR Part 120-130

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
32 CFR Part 2002 defines CUI and establishes the national policy, while the ISOO CUI Registry categorizes CUI types; together they provide the authoritative resource for understanding CUI. Other options (A, B) are contract-specific or implementation-focused, and 22 CFR (D) relates to ITAR, not CUI policy. The CMMC guide references these sources.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0): "Refer to 32 CFR Part 2002 and ISOO Registry for CUI definition."
32 CFR 2002.4(h): "CUI defined."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks.
While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.
When examining the contractor's security configuration checklists, which of the following parameters are you not likely to find?

  A. The contractor's assessment readiness status
  B. File and directory permissions
  C. Protocol usage and application allowlisting
  D. Network configuration and port management

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.2 involves "enforcing security configuration settings." Checklists typically include technical parameters like permissions (B), protocols (C), and network settings (D), per CMMC guidance. Assessment readiness status (A) is an administrative metric, not a configuration setting, and belongs in a CA-RR checklist, not in security configuration checklists.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Checklists include permissions, protocols, network settings; readiness status separate."
NIST SP 800-171A, 3.4.2: "Examine technical config parameters."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
