Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7-Authoritative Time Source?
As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titled Acing Your CMMC Assessment: A Complete Guide. You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?
While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. When assessing the contractor's information systems, how would you mark their implementation of AU.L2-3.3.1-System Auditing?
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature that the updated privacy and security notices on Defcon's systems should have?
The DoD has awarded a defense contractor a contract to deliver next-gen jet engine parts. The order requires the contractor to submit the blueprints/CAD files within six months, and once they are validated, the contractor submits a production schedule. The contractor indicates that they should be able to deliver the components in three years. Which of the following is true about the dates and schedule of the engine components?
© Copyrights DumpsCertify 2026. All Rights Reserved