Free Cyber AB CMMC-CCA Exam Questions (page: 9)

You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery.
What would you recommend the contractor do to avert the risk?

  A. Institute mandatory overtime for the engineer to complete tasks faster
  B. Fully implement AC.L2-3.1.4, Separation of Duties, by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties
  C. Invest in more powerful development machines
  D. Increase the engineer's salary to incentivize careful work

Answer(s): B

Explanation:

AC.L2-3.1.4 - Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling design, coding, testing, and deployment concentrates privileges, increasing the risk of both error and malice. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) don't address duty separation or risk reduction.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
NIST SP 800-171A, 3.1.4: "Recommend role distribution."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 - Authoritative Time Source?

  A. 5
  B. -1
  C. 1
  D. -5

Answer(s): B

Explanation:

AU.L2-3.3.7 requires organizations to "synchronize system clocks with an authoritative time source" to ensure consistent timestamps for audit records. The contractor has an NTP server, but the 30-second synchronization threshold on the new systems allows their clocks to drift by up to 30 seconds before correction, producing inconsistent timestamps and failing the practice's intent. Per the DoD Assessment Scoring Methodology, AU.L2-3.3.7 is a 1-point practice; if not fully met, it scores -1 (Not Met). The partial implementation (an NTP server exists but is not effectively applied) doesn't qualify as Met, so no positive points are awarded. The CMMC guide stresses uniformity of timestamps, which this configuration undermines.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: "Synchronize clocks to ensure uniformity of timestamps for audit records."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 - Identifier Reuse if you find issues with its implementation?

  A. List it in their SSP
  B. Track it under limited deficiency correction
  C. Hire another C3PAO to verify your assessment
  D. Disregard it as it is not applicable

Answer(s): B

Explanation:

IA.L2-3.5.5 (a 1-point practice) requires "preventing identifier reuse for a defined period." If issues are found (e.g., reuse before 12 months), the OSC can track them in a POA&M for limited deficiency correction within 180 days, per the CAP (B). Listing in the SSP (A) is for planning, not fixing; hiring another C3PAO (C) isn't standard; and N/A (D) doesn't apply. The CMMC guide allows POA&Ms for 1-point practices.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.5: "Deficiencies may be tracked in a POA&M for correction."
CAP v5.6.1, p. 25: "1-point practices eligible for POA&M within 180 days."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content.
Which of the following is NOT a feature Defcon's updated privacy and security notices should have?

  A. A warning about unauthorized use being subject to civil and criminal penalties
  B. A general statement about monitoring and recording of system usage
  C. Display duration set to less than 5 seconds before automatically disappearing
  D. Specific information about the presence of CUI and associated handling requirements

Answer(s): C

Explanation:

AC.L2-3.1.9 - Privacy & Security Notices requires "displaying system use notifications consistent with applicable CUI rules." Notices must inform users of CUI handling obligations (D), warn of penalties for unauthorized use (A), and note monitoring (B), ensuring awareness and compliance. A display duration of less than 5 seconds (C) is inadequate, as it prevents users from reading and acknowledging the content, contradicting the practice's intent. The CMMC guide stresses sufficient visibility and comprehension time.
Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.9: "Notices must be displayed long enough for users to read and understand."
NIST SP 800-171A, 3.1.9: "Examine notices for adequate display duration."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements.
Where can you find information about a cryptographic module's current status with FIPS?

  A. NIST CMVP
  B. FedRAMP Marketplace
  C. NIST CSRC
  D. FIPS 140-2 documentation

Answer(s): A

Explanation:

SC.L2-3.13.11 - CUI Encryption requires "FIPS-validated cryptography for CUI." An approved algorithm alone is not enough; the module implementing it must hold a validation. The NIST Cryptographic Module Validation Program (CMVP) (A) provides the current validation status for modules, per the CMMC guide. FedRAMP (B) is for cloud services, CSRC (C) is a general resource, and FIPS 140-2 documentation (D) is static and does not reflect live validation status.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Verify FIPS status via NIST CMVP."
NIST SP 800-171A, 3.13.11: "Refer to CMVP for validation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Based on the scenario, what is the MOST concerning aspect from a CMMC compliance perspective regarding CMMC practice SC.L2-3.13.9 - Connections Termination?

  A. The application is hosted on a dedicated server within the company's internal network
  B. Users log in with usernames and passwords, potentially lacking multi-factor authentication
  C. The lack of a documented policy or a defined period of inactivity for terminating remote access connections creates uncertainty and inconsistency
  D. The server operating system utilizes default settings for connection timeouts, which may be insufficient

Answer(s): C

Explanation:

SC.L2-3.13.9 requires "terminating connections after a defined period of inactivity." The absence of a documented policy and defined inactivity period (C) is most concerning, as it fails the practice's core requirement, leaving termination inconsistent and dependent on users remembering to log out. Hosting location (A) is neutral, MFA (B) relates to AC.L2-3.1.3, and default OS timeouts (D) are a symptom of the policy gap rather than its cause. The CMMC guide prioritizes defined inactivity controls.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Define and document inactivity period for termination; lack thereof is non-compliant."
NIST SP 800-171A, 3.13.9: "Examine policy for defined inactivity period."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 - Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?

  A. Implementing stricter password complexity requirements for user accounts
  B. Conducting a vulnerability assessment of the OSC's network infrastructure
  C. Providing additional security awareness training to employees on data handling best practices
  D. Developing and enforcing a policy that prohibits the use of personal cloud storage for work documents

Answer(s): D

Explanation:

SC.L2-3.13.4 aims to "prevent unauthorized and unintended information transfer via shared system resources." Employees' use of personal cloud storage for work documents (including CUI) risks unauthorized transfer outside organizational control, violating this practice. Prohibiting such use via policy (D) directly addresses the root cause, aligning with the practice's intent to control shared resource risks. Stricter passwords (A) don't prevent data transfer, vulnerability assessments (B) identify issues but don't fix behavior, and training (C) supports awareness but lacks enforcement. The CMMC guide emphasizes policy enforcement for resource control.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.4: "Develop policies to prevent unauthorized information transfer via shared resources."
NIST SP 800-171A, 3.13.4: "Examine policies prohibiting use of unapproved shared resources for CUI."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing, or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 - Risk Assessments?

  A. They are fully compliant
  B. They are non-compliant
  C. They are partially compliant, as at least one risk assessment was completed
  D. More information is needed to make a determination

Answer(s): B

Explanation:

RA.L2-3.11.1 requires "periodically assessing risks to operations, assets, and individuals from system use." The OSC's own policy defines annual assessments, but a 21-month gap (January 2022 to November 2023) violates that frequency, failing the practice's intent. This 5-point practice scores Not Met (-5): partial compliance (C) isn't recognized in CMMC scoring, and more information (D) isn't needed given the clear lapse. Full compliance (A) requires adherence to the defined period.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.1: "Assess risks at defined intervals; non-compliance if periodicity unmet."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


