Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1 - System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not yet updated the baseline documentation. Which of the following is not true about the handling of the OSC's implementation of CM.L2-3.4.1 - System Baselining?
An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and system access are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations, which continue after transfer, and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence corroborating their implementation of CMMC practice PS.L2-3.9.2 - Personnel Actions, EXCEPT?
As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titled Acing Your CMMC Assessment: A Complete Guide. You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?
You are a CCA working for a C3PAO. An OSC has submitted a request for a CMMC Assessment, and the C3PAO is in the process of assigning a Lead Assessor for this engagement. As an experienced Assessor, you are being considered for the role of Lead Assessor. Once the C3PAO assigns the Lead Assessor, what is the next step in the process?
During the Awareness and Training (AT) domain assessment, you examine the company's security awareness and training program. All new hires undergo a one-time security awareness training session during their onboarding process. After that, the IT department sends periodic email reminders about general security best practices, such as password management and phishing awareness. The contractor also offers an annual refresher training for managers and supervisors, covering topics related to data protection and incident response procedures. However, chatting with personnel from different roles, you discover that the personnel responsible for managing the company's networks and systems have yet to receive any specific training on secure configuration practices or on identifying the potential security risks associated with their roles. Production line workers and technicians handling CUI during the manufacturing process are unaware of the specific security risks or procedures for handling and protecting CUI. Which of the following techniques can the contractor use to attain compliance with AT.L2-3.2.1 - Role-Based Risk Awareness?