Cyber AB CMMC-CCA Exam
Certified CMMC Assessor (CCA) (Page 9)

Updated On: 7-Feb-2026

During your assessment of CA.L2-3.12.3 - Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls.
When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. From conversations with employees, you learn that the contractor regularly brings in outside resource persons to train staff on the secure handling of information and on identifying gaps in the implemented security controls. Can the contractor place practice CA.L2-3.12.3 - Security Control Monitoring under a POA&M if it is unimplemented or not fully met?

  A. No, the practice cannot be placed on a POA&M
  B. Yes, for some aspects
  C. More information is required to make a determination
  D. Yes, for all aspects

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.3 (a 1-point practice) requires "continuous monitoring of security controls." Per the CAP, 1-point practices can generally be placed on a POA&M, but CA.L2-3.12.3's foundational nature (ongoing monitoring) means it must be fully implemented; no partial deferral is allowed (A). B and D contradict this, and C is not needed given the practice's clarity.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Continuous monitoring must be fully implemented."
CAP v5.6.1: "Core practices like CA.L2-3.12.3 not deferrable."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6 - Alternate Work Sites requires the organization to safeguard CUI at alternate work sites, such as employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance.
When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 - Alternate Work Sites, which of the following would be the least effective method for gathering information?

  A. Using Full Disk Encryption (FDE) or container-based encryption to encrypt CUI when stored at, or transmitted to or from, alternate work sites
  B. Employing technologically savvy guards to staff the alternate work site
  C. Deploying a patch management and anti-malware solution for every laptop or desktop at the alternate work site
  D. Requiring remote staff connecting to the internal network to use a VPN that prevents split tunneling and requires multifactor authentication to verify that remote users are who they claim to be

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
PE.L2-3.10.6 requires "safeguarding CUI at alternate work sites." Effective methods focus on technical controls like encryption (A), patch management (C), and secure VPNs (D), which directly protect CUI data and systems. Employing guards (B) is a physical security measure suited for controlled facilities, not distributed alternate sites like homes, making it least effective for gathering information on CUI protection in this context. The CMMC guide emphasizes technical safeguards over physical presence at remote locations.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.6: "Implement technical safeguards (e.g., encryption, VPN) for CUI at alternate work sites."
NIST SP 800-171A, 3.10.6: "Examine technical controls, not physical guarding, for remote site compliance."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



To comply with CMMC requirement IR.L2-3.6.3 ­ Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?

  A. Evidence of regular incident response drills and response time management, recovery testing, and post-incident analysis
  B. Media sanitization plans
  C. Documentation of tabletop exercises and their outcomes
  D. Test documentation, including the scenario, response, findings, and any necessary corrective actions

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IR.L2-3.6.3 requires "testing the incident response capability annually." Artifacts like drills (A), tabletop exercises (C), and test documentation (D) demonstrate testing execution and outcomes, aligning with the practice. Media sanitization plans (B) relate to MP.L2-3.8.3, not incident response testing, making it irrelevant. The CMMC guide lists response-focused evidence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.3: "Examine test records, drills, and tabletop exercise outcomes."
NIST SP 800-171A, 3.6.3: "Artifacts focus on response testing, not sanitization."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements.
Which of the following would be the most appropriate next step for the assessor?

  A. Interview personnel responsible for cryptographic protection to determine if FIPS-validated cryptography is used elsewhere in the organization
  B. Test the encryption mechanism by attempting to decrypt the encrypted data without the proper keys
  C. Recommend that the OSC switch to a different, approved algorithm
  D. Accept the OSC's implementation as compliant, given that they are using a strong encryption algorithm

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.11 requires "FIPS-validated cryptography for CUI." AES-256 alone isn't sufficient without FIPS validation. Interviewing personnel (A) gathers evidence on broader cryptographic practices, informing compliance status. Testing decryption (B) is impractical and unnecessary, switching algorithms (C) misses the validation issue, and accepting (D) ignores FIPS requirements. The CMMC guide prioritizes interviews for clarification.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Interview to verify FIPS validation."
NIST SP 800-171A, 3.13.11: "Assess cryptographic implementation via interviews."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of the mobile devices that connect to its information systems. AC.L2-3.1.19 - Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all data on a mobile device is encrypted.
Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 - Encrypt CUI on Mobile?

  A. Executives in the company
  B. Personnel with access control responsibilities for mobile devices
  C. IT helpdesk staff who troubleshoot basic mobile device issues
  D. Staff in the Human Resources department

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AC.L2-3.1.19 requires that organizations "encrypt CUI on mobile devices and mobile computing platforms" to protect sensitive data from unauthorized access. To assess the implementation effectively, you need to interview personnel who have direct knowledge of and responsibility for the encryption measures on mobile devices. Personnel with access control responsibilities for mobile devices are best suited for this, as they are likely involved in configuring, managing, and enforcing encryption policies specific to mobile devices handling CUI. Executives may have a high-level overview but lack technical details. IT helpdesk staff typically handle basic troubleshooting and may not have insight into encryption implementation. HR staff focus on personnel management, not technical security controls. The CMMC Assessment Guide emphasizes interviewing individuals with operational responsibility for the specific control to verify implementation details.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Interview: Personnel with information security responsibilities; personnel with mobile device responsibilities; network and system administrators."
NIST SP 800-171A, 3.1.19: "Interview personnel with responsibilities for encrypting CUI on mobile devices to determine the processes and mechanisms in place."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


