Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers
During the Awareness and Training (AT) domain assessment, you examine the company's security awareness and training program. All new hires undergo a one-time security awareness training session during their onboarding process. After that, the IT department sends periodic email reminders about general security best practices, such as password management and phishing awareness. The contractor also offers an annual refresher training for managers and supervisors, covering topics related to data protection and incident response procedures. However, chatting with personnel from different roles, you discover personnel responsible for managing the company's networks and systems have yet to receive any specific training on secure configuration practices or identifying potential security risks associated with their roles. Production line workers and technicians handling CUI data during the manufacturing process are unaware of the specific security risks or procedures for handling and protecting CUI. Which of the following techniques can the contractor use to attain compliance with AT.L2-3.2.1-Role-Based Risk Awareness?
As the Lead Assessor conducting a CMMC Level 2 assessment for an OSC, the Assessment Team has thoroughly reviewed all evidence provided by the OSC for the in-scope CMMC practices. Throughout the assessment process, daily checkpoint meetings were held with the OSC to allow them to present additional evidence and clarify any concerns. After the final evidence review and discussions, the Team has determined that 92 out of the 110 CMMC Level 2 practices have been scored as 'MET.' Additionally, 18 practices have been scored as 'NOT MET,' with 5 of those practices deemed ineligible for a Plan of Action and Milestones (POA&M) due to their potential impact on network exploitation or CUI exfiltration. The OSC has provided a draft POA&M for the remaining 13 'NOT MET' practices, outlining their proposed remediation actions and timelines. After reviewing and validating the OSC's revised POA&M, you determine that it meets all necessary criteria. However, during the Final Findings presentation, the OSC expresses disagreement with the scoring of one particular practice, claiming that they have substantial evidence demonstrating compliance with all objectives. How would you address this disagreement?
Tina is working on a team conducting a Level 2 assessment for Humvees-R-Us (HRU). While gathering evidence, Tina notices that HRU has not updated several critical policies in years. Knowing that HRU is investing a significant amount of money in the assessment, she tells Bob, the CEO of HRU, that she will date the policies to make them appear as if they have been regularly revised. She explains that this will help HRU pass their assessment and save them the cost of a reassessment. Tina believes changing the dates isn't a big deal since HRU has policies written but has not revised them as frequently as required. Was it right for Tina to adjust the dates during the assessment? If not, which principle of the CMMC Code of Professional Conduct did she violate?
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1-System Baselining, and how should it be scored?
Proper authentication is a key requirement of a secure system. To this end, you are assessing an OSC's implementation of IA.L2-3.5.3-Multifactor Authentication. The contractor has deployed Okta in their systems, integrated it into Active Directory (AD), and set up multifactor authentication (MFA). The OSC has documented all the privileged accounts, which must be authenticated through the MFA solution for any network or local access. Their procedures addressing user identification and authentication require everyone, privileged or nonprivileged, to be authenticated using multifactor authentication. The OSC (Organization Seeking Certification) can produce the following evidence to show their compliance with IA.L2-3.5.3-Multifactor Authentication, EXCEPT?
© Copyrights DumpsCertify 2025. All Rights Reserved