Latest Cyber AB CMMC-CCA Exam questions and answers [Q76-Q99]


TestkingPass CMMC-CCA Exam Practice Test Questions (Updated 152 Questions)


Cyber AB CMMC-CCA Exam Syllabus Topics:

  • Topic 1 - CMMC Assessment Process (CAP): This section of the exam measures skills of compliance professionals and tests knowledge of the full assessment lifecycle. It covers the steps needed to plan, prepare, conduct, and report on a CMMC Level 2 assessment, including the phases of execution and how to document and follow up on findings in alignment with DoD and CMMC-AB expectations.
  • Topic 2 - Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 Requirements: This section of the exam measures skills of cybersecurity assessors and focuses on evaluating the environments of organizations seeking certification at CMMC Level 2. It covers understanding differences between logical and physical settings, recognizing constraints in cloud, hybrid, on-premises, single, and multi-site environments, and knowing what environmental exclusions apply for Level 2 assessments.
  • Topic 3 - CMMC Level 2 Assessment Scoping: This section of the exam measures skills of cybersecurity assessors and revolves around determining the proper scope of a CMMC assessment. It involves analyzing and categorizing Controlled Unclassified Information (CUI) assets, interpreting the Level 2 scoping guidelines, and making accurate judgments in scenario-based exercises to define what assets and systems fall within assessment boundaries.
  • Topic 4 - Assessing CMMC Level 2 Practices: This section of the exam measures skills of cybersecurity assessors in evaluating whether organizations meet the required practices of CMMC Level 2. It emphasizes applying CMMC model constructs, understanding model levels, domains, and implementation, and using evidence to determine compliance with established cybersecurity practices.


NEW QUESTION # 76
During preparations for a CMMC Level 2 Assessment, a client submits a request to their consulting RP to learn more about Specialized Asset requirements. The client is unsure whether their camera system, used for safety data collection within their machining shop, should be documented in the SSP. Which of the following is a satisfactory reason to exclude the camera system from the SSP, and thus from the assessment scope?

  • A. The Technology Control Plan does not address the camera system.
  • B. The camera system network is physically and logically isolated and does not capture data related to controlled projects.
  • C. The camera data are uploaded to a FedRAMP MODERATE authorized cloud storage system.
  • D. The video data are deleted every seven days.

Answer: B

Explanation:
The Scoping Guidance for Specialized Assets allows exclusion of assets when they are physically and logically isolated from the CMMC assessment boundary and do not process, store, or transmit CUI.
Extract from CMMC Scoping Guidance:
"Specialized Assets may be designated as out-of-scope if they are physically or logically separated from CUI assets, or if they are inherently unable to process, store, or transmit CUI." The camera system in this case does not interact with CUI and is fully isolated, making exclusion appropriate.
Reference: CMMC Scoping Guidance, Specialized Assets Section.


NEW QUESTION # 77
An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1 - Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover that the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance. According to the CMMC Assessment Process (CAP), which of the following is not permitted for the Lead Assessor to do during the evidence verification stage?

  • A. Review the content of the evidence to identify potential weaknesses.
  • B. Offer advice on how the OSC can improve the sufficiency of their evidence.
  • C. Ensure that no proprietary data is included in the evidence for review.
  • D. Verify that the evidence exists and is accessible.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
During Phase 1.6.1, the Lead Assessor's role is to verify the existence, accessibility, and relevance of evidence, not to provide consulting or improvement advice, which the CAP explicitly prohibits in order to maintain objectivity. Option A (reviewing content) is part of the verification process. Option C (ensuring no proprietary data is included) is a reasonable precaution, though not explicitly mandated. Option D (verifying existence and accessibility) is a core duty. Option B (offering advice) violates the CAP's strict separation between assessment and consulting roles, which preserves impartiality.
Extract from Official Document (CAP v1.0):
* Section 1.6.1 - Access and Verify Evidence (pg. 19): "At no time during this preliminary review of the Evidence shall the Assessment Team provide any advice or recommendation on how the OSC could improve or enhance the sufficiency or adequacy of their presented Evidence."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.6.1.


NEW QUESTION # 78
An OSC and a C3PAO Assessment Team are in the early stages of preparing for their CMMC assessment.
During the process of confirming the corporate identity for the assessment, the Assessment Team discovers that the OSC does not have a valid Commercial and Government Entity (CAGE) code issued by the Department of Defense. The team is now considering the implications of this finding and the next steps they should take. When confirming the corporate identity to be assessed, what can happen if you determine that the HQ organization doesn't have a valid CAGE code?

  • A. You would continue with the assessment as planned.
  • B. The assessment cannot continue.
  • C. You would help the OSC register and obtain a CAGE code from the DoD.
  • D. You would request a waiver from the DoD.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
A valid CAGE code is mandatory for DoD contractors, and CAP requires it for assessment continuation.
Option C (helping the OSC register) is consulting, which the CoPC prohibits. Option D (requesting a waiver) is not a CAP option. Option A (continuing as planned) violates the CAP. Option B is correct.
Extract from Official Document (CAP v1.0):
* Section 1.2 - Confirm Corporate Identity (pg. 11): "If the OSC does not have a valid CAGE code, the assessment cannot continue."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.2.


NEW QUESTION # 79
A CCA is conducting an interview with an OSC team member about an offering from a well-known Cloud Service Provider (CSP). The offering is known to be secure, but the OSC has not provided evidence and the person being interviewed is unsure how the offering works. Will this offering be accepted by the Assessment Team?

  • A. No, the OSC failed to train on the offering
  • B. Yes, because of the process of reciprocity
  • C. Yes, because the CSP offering is a well-known, secure offering
  • D. No, because the OSC lacks adequate and sufficient evidence

Answer: D

Explanation:
CMMC assessments are evidence-based. An offering cannot be accepted solely on reputation or assumptions of security. The OSC must provide adequate and sufficient evidence that the CSP offering meets CMMC requirements. Without evidence, the assessor cannot mark the practice as MET.
Exact Extracts:
* CMMC Assessment Guide: "Assessment determinations must be based on objective evidence; absence of evidence results in a finding of NOT MET."
* "Evidence may include documentation, interviews, and tests but must be sufficient to confirm implementation."
* "Reciprocity is not granted for external offerings unless evidence is provided."
Why other options are not correct:
* B (reciprocity): CMMC does not allow blanket reciprocity for cloud offerings without validation.
* A (training issue): Training is separate; the core issue is lack of evidence.
* C (well-known CSP): Reputation alone is not evidence; objective evidence is required.
References:
CMMC Assessment Guide - Level 2, Version 2.13: Evidence-based assessments (pp. 5-7).
NIST SP 800-171A: Requirement to use objective evidence.


NEW QUESTION # 80
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?

  • A. Identification and authentication policy
  • B. Media protection
  • C. Configuration management
  • D. Physical protection

Answer: C

Explanation:
System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.
Exact extracts:
* "Baseline configurations are documented, formally reviewed, and maintained as part of configuration management."
* "Assessment Objectives ... Determine if: baseline configurations are established; baseline configurations are maintained."
* "Potential Assessment Methods - Examine: configuration management policy; documented baseline configuration; inventory of system components."
Expanded explanation:
* Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.
* Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.
* This ensures that unauthorized changes or unapproved software do not deviate from the security posture.
Why the other options are incorrect:
* B (Media protection): Relates to storage devices and handling, not baselines.
* D (Physical protection): Relates to facility and hardware security, not configuration.
* A (Identification and authentication policy): Addresses user access, not baseline configuration.
References:
CMMC Assessment Guide - Level 2, CM.L2-3.4.1 "Establish and Maintain Baseline Configurations." NIST SP 800-171 Rev. 2, 3.4.1.


NEW QUESTION # 81
During a CMMC assessment, the OSC's PoC asks the Lead Assessor if they can skip the daily checkpoint meetings to save time, promising to provide all evidence upfront. What should the Lead Assessor do?

  • A. Agree to skip the meetings if all evidence is provided upfront.
  • B. Explain that daily checkpoint meetings are a required part of the CMMC Assessment Process and cannot be skipped.
  • C. Allow skipping the meetings but require written updates instead.
  • D. Consult with the C3PAO to determine if the meetings can be waived.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP mandates daily checkpoint meetings, making Option B correct. Options A, C, and D violate this requirement.
Extract from Official Document (CAP v1.0):
* Section 2.3 - Daily Checkpoint Meetings (pg. 27): "Daily checkpoint meetings are a required component of the CMMC assessment process."
References:
CMMC Assessment Process (CAP) v1.0, Section 2.3.


NEW QUESTION # 82
After numerous discussions and iterations, the OSC and Lead Assessor have finalized the Pre-Assessment Plan, which outlines the key details of how the assessment will be conducted, including the scope, timeline, resource requirements, and other logistical considerations. What is the final step before commencing a CMMC assessment?

  • A. Uploading the Pre-Assessment Data Form into CMMC eMASS.
  • B. Reviewing the Pre-Assessment Data Form.
  • C. Creating a new data upload in CMMC eMASS.
  • D. Obtaining approval from the Lead Assessor.

Answer: A

Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP mandates uploading the Pre-Assessment Data Form to CMMC eMASS as the final step before Phase 2 (Option A). Options B, C, and D are not the final step.
Extract from Official Document (CAP v1.0):
* Section 1.6 - Prepare for Assessment (pg. 18): "The final step before commencing the assessment is uploading the Pre-Assessment Data Form into CMMC eMASS."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.6.


NEW QUESTION # 83
Both the SSP and network diagrams presented to the Lead Assessor by the OSC indicate managed service providers (MSPs) within the assessment boundary. In order to BEST understand the impact of the MSPs, what should the Lead Assessor do?

  • A. Review the inventory to see how the assets have been classified
  • B. Inspect the other initial documents presented including policies and organization charts
  • C. Ascertain what employees the MSP has onsite
  • D. Request the customer responsibility matrix related to the MSPs

Answer: D

Explanation:
The Shared Responsibility Matrix (Customer Responsibility Matrix) is a key artifact in CMMC assessments involving MSPs or cloud service providers. It defines what security responsibilities belong to the OSC and which belong to the service provider. To evaluate the MSP's impact, the assessor must review this matrix to understand boundaries of responsibility for CUI protection.
Exact extracts:
* "When external service providers are included in the assessment boundary, organizations must provide documentation that specifies security responsibilities."
* "A Shared Responsibility Matrix (or Customer Responsibility Matrix) defines which controls are implemented by the OSC versus the external provider."
* "Assessors should request and review this matrix to understand division of responsibilities."
Why the other options are incorrect:
* C: Onsite MSP staff presence does not clarify responsibility for security controls.
* A: Reviewing classification helps, but it does not explain responsibility allocation.
* B: Policies/org charts do not establish shared control responsibilities.
References:
CMMC Assessment Guide - Level 2, External Service Providers; OSC documentation requirements.
CMMC Scoping Guide - Managed Service Provider treatment.


NEW QUESTION # 84
After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms, and the system administrator has to run an algorithm to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card. While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. Which of the following statements accurately describes the contractor's compliance with protecting audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8 - Audit Protection?

  • A. The contractor's compliance cannot be determined based on the information provided
  • B. The contractor is fully compliant; employees can access audit logging tools to meet their requirements
  • C. The contractor is partially compliant, as audit logging tools are protected by the same measures as audit information
  • D. The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.8 requires "protecting audit information and tools from unauthorized access, modification, and deletion." The lack of defined measures and unrestricted employee access to tweak settings violate this, scoring Not Met (-1) for this 1-point practice. A is false given clear evidence, B assumes protection not shown, and C misinterprets compliance.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.8: "Protect audit tools with defined access controls; unrestricted access is non-compliant."
* DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 85
Does CMMC Level 2 require that a Cloud Service Provider (CSP) hold a FedRAMP HIGH authorization hosted in a government community cloud (GCC)?

  • A. Yes. FedRAMP HIGH is required for CUI data controls due to the sensitive nature of the Defense Industrial Base systems.
  • B. Yes. FedRAMP HIGH authorization demonstrates the CSP compliance with NIST SP 800-53 and SP 800-171 control requirements.
  • C. No. The CSP must hold a FedRAMP MODERATE authorization.
  • D. No. The CSP can obtain a FedRAMP MODERATE equivalency.

Answer: C

Explanation:
CMMC Level 2 requires CSPs that process, store, or transmit CUI to meet FedRAMP Moderate (or equivalent) authorization, not FedRAMP High. FedRAMP High is not a CMMC requirement but may be required by contract or specific agencies.
Exact Extracts:
* DoD CMMC Scoping Guide: "External Cloud Service Providers must meet FedRAMP Moderate equivalency when storing, processing, or transmitting CUI."
* CMMC Assessment Guide: "The baseline requirement for CUI in cloud environments is FedRAMP Moderate; higher levels may be contractually required."
Why other options are not correct:
* D: Equivalency is allowed, but only at the FedRAMP Moderate level.
* A/B: Incorrect, because CMMC Level 2 does not mandate FedRAMP High.
References:
CMMC Assessment Guide - Level 2, Version 2.13: External Service Providers and FedRAMP Moderate equivalency requirements.
DoD Cloud Computing SRG (referenced in CMMC documentation): CUI requires FedRAMP Moderate baseline.


NEW QUESTION # 86
An Assessment Team is reviewing the scope of a CMMC assessment for an OSC. The OSC has defined a narrow security boundary for their assessment, which the Assessment Team believes may not adequately protect all sensitive information. The OSC gives reasons for this, including financial constraints, and claims that CUI is only contained within an enclave defined by the boundary. However, after inspecting the facility and interviewing employees, you determine that some assets that may process CUI are outside the enclave.
What is the risk of the OSC defining a security boundary that is too narrow in scope for the CMMC assessment?

  • A. The OSC will have more systems that need to be managed separately.
  • B. The OSC may not have done proper due diligence to protect all sensitive information within their environment.
  • C. The assessment will take less time to complete.
  • D. The assessment will be less expensive for the contractor.

Answer: B

Explanation:
Comprehensive and Detailed Explanation:
A narrow security boundary that excludes assets processing CUI poses a significant risk to the OSC's compliance with CMMC requirements. The CMMC Assessment Scope - Level 2 emphasizes that the scope must include all assets that process, store, or transmit CUI, and failure to do so indicates a lack of due diligence in identifying and protecting sensitive information. If assets outside the enclave handle CUI, they must be included in the scope to ensure comprehensive protection, as per NIST SP 800-171 and CMMC guidelines. A too-narrow scope could leave CUI vulnerable, undermining the OSC's security posture and potentially leading to non-compliance.
Option A is a consequence, not the primary risk. Options C and D focus on cost and time, which are secondary to the security risk identified in B. The CMMC CAP reinforces that proper scoping is critical to safeguarding CUI, making B the correct answer.
Reference:
CMMC Assessment Scope - Level 2, Section 2.1 (Scoping Guidance), p. 3: "A scope that is too narrow may fail to protect all sensitive information, indicating insufficient due diligence."
CMMC Assessment Process (CAP) v1.0, Section 2.2 (Scope Validation).


NEW QUESTION # 87
The SSP for an OSC undergoing an assessment categorizes a device in the inventory that wirelessly connects to the network. In order to secure the connection of wireless devices that access a system that transmits, stores, or processes CUI, what are the requirements?

  • A. Wireless users must be vetted, and an Access Control List maintained for access to CUI.
  • B. Wireless access must be configured to use FIPS 140 validated cryptography.
  • C. Wireless access must be configured to use FIPS 140 validated cryptography and limited to authenticated users.
  • D. Wireless users must be specifically identified in network diagrams and configured to use FIPS 140 validated cryptography.

Answer: C

Explanation:
Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140-validated cryptography, and access must be limited to authenticated users. This ensures the confidentiality and integrity of CUI while preventing unauthorized wireless access.
Exact Extracts (official CMMC Assessor/Study documents):
* SC.L2-3.13.13: "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI."
* AC.L2-3.1.1 / 3.1.2: "Limit system access to authorized users... and authenticate the identities of those users."
* SC.L2-3.13.17: "Protect wireless access to the system using authentication and encryption."
* Assessment Guide clarifies: "Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users."
Why other options are not correct:
* B: Only requires encryption; does not address authenticated access, which is mandatory.
* A: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.
* D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.
References (official CCA/CMMC documents):
* CMMC Assessment Guide - Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp. 134-136).
* NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.


NEW QUESTION # 88
You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation. As part of the CMMC Assessment process, you begin by determining the necessary evidence for each practice or process across the OSC's organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC's requirements. After initial preparations, you and the OSC's POC schedule a joint review session to align on the scope and expectations for the upcoming assessment. What is the primary focus of the 'Sufficiency' criterion during the evidence verification process in a CMMC assessment?

  • A. Checking if the evidence includes the latest cybersecurity trends and technologies.
  • B. Sufficiency verifies that there is enough evidence to comprehensively assess each practice against the CMMC Assessment scope.
  • C. Ensuring the evidence covers a wide range of cybersecurity threats.
  • D. Confirming the evidence has been reviewed and approved by all stakeholders.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
'Sufficiency' ensures there is enough evidence to assess all practices within scope, not stakeholder approval (Option D), trends (Option A), or threat coverage (Option C). Option B is the CAP focus.
Extract from Official Document (CAP v1.0):
* Section 2.1 - Evidence Collection (pg. 24): "Sufficiency verifies that there is enough evidence to comprehensively assess each practice against the CMMC Assessment scope."
References:
CMMC Assessment Process (CAP) v1.0, Section 2.1.


NEW QUESTION # 89
While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?

  • A. Front-desk Receptionist
  • B. Senior Architecture Partner
  • C. System Administrator
  • D. Administrative Assistant

Answer: A

Explanation:
Visitor access control (PE.L2-3.10.3 and PE.L2-3.10.4) typically involves procedures at entry points. The front-desk receptionist is the staff member most directly involved in logging, controlling, and monitoring visitor access. While system admins and partners handle IT and business operations, they do not control physical visitor access day-to-day.
Exact extracts:
* "Assessment Method - Interview: personnel responsible for visitor access control (e.g., reception staff, security desk staff)."
* "Assessment Objectives ... Determine if visitor access is identified, logged, escorted, and monitored."
Why the other options are incorrect:
* C: System admins focus on IT, not visitor management.
* D: Administrative assistants generally perform clerical tasks, not visitor logging.
* B: Senior partners may approve contracts but are not directly responsible for visitor control.
References:
CMMC Assessment Guide - Level 2, PE.L2-3.10.3 & PE.L2-3.10.4.


NEW QUESTION # 90
While examining controls on the use of portable storage devices, an assessor conducts an interview with a mid-level internal system administrator. The administrator describes the process to check out portable storage devices, which includes a user emailing IT staff directly, verifying that the media classification label matches the data classification, and limiting use of the device to a specified external system.
What is a MISSING element for the assessment of AC.L2-3.1.21: Portable Storage Use?

  • A. Method of destruction of portable storage devices
  • B. An inventory of portable storage devices provided by the National Security Agency
  • C. A directory of personnel background checks to be consulted prior to device checkout
  • D. Recorded management authorization for the use of portable storage devices

Answer: D

Explanation:
AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.
Extract:
"Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management." Thus, the missing element is recorded management authorization.
Reference: CMMC Assessment Guide - Level 2, AC.L2-3.1.21.


NEW QUESTION # 91
A CMMC assessment for an OSC finds it has fully implemented 87 out of 110 practices. Unfortunately, the Assessment Team determines that the POA&M Closeout Assessment option cannot be used. Consequently, the OSC will not be recommended for certification. However, the OSC Assessment Official humbly requests the Lead Assessor to adjust the findings to allow for POA&M closeout and mark a five-point practice as implemented. How should the Lead Assessor respond?

  • A. Report the request to the Cyber AB and recommend disciplinary action against the OSC Assessment Official.
  • B. Agree to the request and tweak the findings.
  • C. Negotiate with the OSC to implement additional practices and reassess the POA&M Closeout Assessment option.
  • D. Politely decline the request and cite ethical reasons of violating the CoPC.

Answer: D

Explanation:
Comprehensive and Detailed in Depth Explanation:
Adjusting findings (Option B) violates CoPC Objectivity and Integrity. Options A, B, and C are inappropriate responses; Option D is correct.
Extract from Official Document (CoPC):
* Paragraph 2.2 - Objectivity (pg. 5): "Do not alter findings to influence certification outcomes."
References:
CMMC Code of Professional Conduct, Paragraph 2.2.


NEW QUESTION # 92
A CCA witnesses another CCA from their C3PAO team flirting with an OSC employee during a social event after completing the assessment. According to the CoPC, what is the most appropriate course of action for the observing CCA?

  • A. Ignore the situation, as it doesn't impact the assessment.
  • B. Discreetly remind the other CCA of the CoPC's harassment and discrimination guidelines.
  • C. Publicly confront the other CCA about their unprofessional behavior.
  • D. Report the incident directly to the Cyber AB.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
The CMMC Code of Professional Conduct (CoPC) prohibits harassment and discrimination in all interactions related to CMMC roles, including post-assessment social events. The observing CCA must act professionally and ethically. Option D (reporting to the Cyber AB) escalates prematurely without attempting internal resolution, which the CoPC encourages first. Option A (ignoring) fails to address a potential violation, breaching the CCA's duty to uphold the CoPC. Option C (public confrontation) risks unprofessional escalation. Option B (discreet reminder) aligns with the CoPC's emphasis on addressing violations internally and professionally, allowing the offending CCA to correct their behavior while maintaining team integrity.
Extract from Official Document (CoPC):
* Paragraph 3.6(2) - Lawful and Ethical Practices (pg. 8): "Refrain from harassment or discrimination, sexual or otherwise, in all interactions with individuals encountered in connection with activities related to your role in the CMMC ecosystem."
* Paragraph 4.1(1)(a) - Violation Reporting (pg. 10): "Attempt to rectify the violation with the individual or entity in question prior to reporting."
References:
CMMC Code of Professional Conduct, Paragraphs 3.6(2) and 4.1(1)(a).


NEW QUESTION # 93
While conducting a CMMC Level 2 assessment at a 100-person manufacturing company, the assessor receives a yellow badge labeled "SPECIAL ACCESS." The assessor observes multiple badge types used by staff and visitors. The client explains that only three badge colors correspond to controlled access (with electronic access), while the rest are identifiers for seniority. How can the assessor BEST verify that the three colors are the only badges capable of accessing controlled areas for CUI-related activities?

  • A. Borrowing a badge from another staff member and attempting to enter a controlled space
  • B. Interviewing CUI-cleared staff
  • C. Reviewing standard operating procedures for badge issuance
  • D. Reviewing retained electronic badge entry logs or audits thereof

Answer: D

Explanation:
Verification of physical access controls under PE.L2-3.10.3: Physical Access Control requires evidence from records, logs, and audit trails. Reviewing access logs provides direct confirmation of which badge types grant entry into controlled areas. SOPs or interviews may support the claim but are indirect; testing physical entry is not an approved method for CCAs.
Exact extracts:
* "Assessment Methods - Examine: access control policy; physical access control system records; physical access audit logs."
* "Assessment Methods - Interview: staff may be interviewed, but interviews must be supported by documentary evidence."
* "Testing physical entry by assessors is not an authorized assessment method."
Why the other options are incorrect:
* B/C: Interviews or SOP reviews may provide supporting context, but they do not prove operational badge restrictions.
* A: Assessors are prohibited from attempting physical bypass or entry tests.
References:
CMMC Assessment Guide - Level 2, PE.L2-3.10.3 "Physical Access Control."


NEW QUESTION # 94
During an assessment, an assessor is trying to determine if the organization provides protection from malicious code at appropriate locations within organizational information systems. The assessor has decided to use the Interview method to gather evidence. It is BEST to interview:

  • A. System or network administrators
  • B. Personnel with audit and accountability responsibilities
  • C. Personnel with security alert and advisory responsibilities
  • D. System developers

Answer: A

Explanation:
Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.
Exact Extracts:
* SI.L2-3.14.2: "Provide protection from malicious code at appropriate locations within organizational information systems."
* CMMC Assessment Guide: "Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection."
* NIST SP 800-171A (SI.L2-3.14.2): "Interview system or network administrators to determine how malicious code protection is implemented."
Why the other options are not correct:
* D (developers): Developers do not typically manage system-wide malicious code protections.
* B (audit personnel): They review logs; they do not deploy or manage protections.
* C (security advisory staff): They track alerts but do not operate malicious code defenses.
References:
CMMC Assessment Guide - Level 2, Version 2.13: SI.L2-3.14.2 (pp. 142-144).
NIST SP 800-171A: Assessment procedures for malicious code protection.


NEW QUESTION # 95
When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6 - Reduction & Reporting?

  • A. Not Met
  • B. Partially Met
  • C. Not Applicable
  • D. Met

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.6 requires "providing audit reduction and report generation capabilities." The SSP documents the measures, and Splunk (a SIEM) supports both reduction and reporting, meeting both objectives. With no gaps noted, this 1-point practice scores Met (+1) per the DoD scoring methodology. Partially Met (B) and Not Met (A) require identified deficiencies, and Not Applicable (C) does not apply.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Examine tools like SIEM for reduction and reporting."
* DoD Scoring Methodology: "1-point practice: Met = +1."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 96
To comply with CMMC requirement IR.L2-3.6.3 - Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?

  • A. Documentation of tabletop exercises and their outcomes
  • B. Test documentation, including the scenario, response, findings, and any necessary corrective actions
  • C. Evidence of regular incident response drills and response time management, recovery testing, and post- incident analysis
  • D. Media sanitization plans

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
IR.L2-3.6.3 requires "testing the incident response capability annually." Artifacts such as drills (C), tabletop exercises (A), and test documentation (B) demonstrate testing execution and outcomes, aligning with the practice. Media sanitization plans (D) relate to MP.L2-3.8.3, not incident response testing, so they are not relevant evidence here. The CMMC guide lists response-focused evidence.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.3: "Examine test records, drills, and tabletop exercise outcomes."
* NIST SP 800-171A, 3.6.3: "Artifacts focus on response testing, not sanitization."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 97
During a CMMC assessment, the Lead Assessor discovers that the OSC has outsourced its incident response to a third-party provider. The OSC provides a contract with the provider but no detailed evidence of the provider's processes. What should the Lead Assessor do?

  • A. Accept the contract as sufficient evidence of incident response compliance.
  • B. Score the incident response practice as "NOT MET" due to insufficient evidence.
  • C. Terminate the assessment until the OSC implements incident response internally.
  • D. Request detailed evidence from the third-party provider demonstrating how they meet the CMMC incident response practice objectives.

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CAP requires specific evidence from third parties for inherited practices (Option D). Options A, B, and C do not follow CAP evidence rules.
Extract from Official Document (CAP v1.0):
* Section 2.2 - Conduct Assessment (pg. 25): "Request detailed evidence from third-party providers to verify inherited practice objectives."
References:
CMMC Assessment Process (CAP) v1.0, Section 2.2.


NEW QUESTION # 98
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory - a privileged function. How should execution of the debugging permission be handled to align with AC.L2-3.1.7 - Privileged Functions?

  • A. Perform automatic termination of the action
  • B. Ensure it is logged to the central SIEM system
  • C. Implement geo-IP blocking on the workstation
  • D. Require it to generate an email alert

Answer: B

Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.7 requires "preventing non-privileged users from executing privileged functions and logging such attempts." The developer's access to kernel memory (a privileged function) violates least privilege, and logging to a SIEM (B) ensures visibility and auditability, aligning with the practice. Email alerts (D) are supplementary, automatic termination (A) is not required by the practice, and geo-IP blocking (C) is unrelated. The CMMC guide emphasizes logging for accountability.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Log attempts by non-privileged users to execute privileged functions."
* NIST SP 800-171A, 3.1.7: "Examine logs for privileged function attempts."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 99
......