Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1-System Baselining, and how should it be scored?
A contractor has recently allowed their employees to work remotely. The employees can access CUI remotely through VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets) that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructures that contain CUI. Which of the following is a reason why the contractor's use of SSH should concern you?
Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2-Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. Interviewing the organization's data custodian, they inform you that the media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2-Media Access, which of the following actions would be the highest priority recommendation for the contractor?
An OSC has recently obtained an ISO 27001 certification and a FedRAMP Authorization to Operate (ATO) for its information systems. During the initial stages of the CMMC Assessment Process, the OSC claims that these certifications should grant them automatic credit or exemption from certain CMMC requirements. As the Lead Assessor, what should be your response?
During your assessment of CA.L2-3.12.3-Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and on identifying gaps in the security controls implemented. You would rely on all of the below evidence to assess the contractor's implementation of CA.L2-3.12.3-Security Control Monitoring, EXCEPT?