Free Cyber AB CMMC-CCA Exam Questions

Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers

Total 536 Questions | Updated On: Dec 17, 2025
Question 1

As a Lead Assessor, you are in contact with the OSC Assessment Official. The Assessment Official has submitted a document that outlines the scope of your assessment engagement. You expect to find all the following elements on the Assessment Scope document, EXCEPT?


Answer: C
Question 2

A defense contractor has implemented a secure wireless network infrastructure to support their operations and client engagements. They use the WPA2-Enterprise encryption protocol with AES-CCMP ciphers and the 802.1X port-based authentication framework to secure their wireless network. The wireless network infrastructure includes a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication and authorization of wireless clients. The contractor has deployed multiple Wireless Access Points (WAPs) throughout their office premises, each with its own Service Set Identifier (SSID) and VLAN configuration. Before granting wireless access, the contractor's IT team verifies the device's compliance with their security standards and validates the user's credentials against the RADIUS server using EAP-TLS authentication. Which of the following actions would NOT be considered a best practice for the contractor to further strengthen their compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization?


Answer: A
Question 3

As the Lead Assessor conducting a CMMC Level 2 assessment for an OSC, the Assessment Team has thoroughly reviewed all evidence provided by the OSC for the in-scope CMMC practices. Throughout the assessment process, daily checkpoint meetings were held with the OSC to allow them to present additional evidence and clarify any concerns. After the final evidence review and discussions, the Team has determined that 92 out of the 110 CMMC Level 2 practices have been scored as 'MET.' Additionally, 18 practices have been scored as 'NOT MET,' with 5 of those practices deemed ineligible for a Plan of Action and Milestones (POA&M) due to their potential impact on network exploitation or CUI exfiltration. The OSC has provided a draft POA&M for the remaining 13 'NOT MET' practices, outlining their proposed remediation actions and timelines. After reviewing and validating the OSC's revised POA&M, you determine that it meets all necessary criteria. However, during the Final Findings presentation, the OSC expresses disagreement with the scoring of one particular practice, claiming that they have substantial evidence demonstrating compliance with all objectives. How would you address this disagreement?


Answer: D
Question 4

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7-Authoritative Time Source?


Answer: B
Question 5

You are a CCA tasked with leading an Assessment Team conducting a CMMC Assessment for an OSC. Your team is assessing the OSC's readiness to determine whether you can proceed with the second phase of the assessment. To verify the OSC's readiness to proceed with the assessment, which of the following tasks will you not carry out?


Answer: D

© Copyrights DumpsCertify 2025. All Rights Reserved
