Free Cyber AB CMMC-CCA Exam Questions

Become Cyber AB Certified with updated CMMC-CCA exam questions and correct answers

Page:    1 / 108      
Total 536 Questions | Updated On: Oct 28, 2025
Question 1

Angela, a CCA, is conducting a CMMC assessment for Obsidian Technologies, the OSC. During the assessment, Angela learns that her spouse owns a significant amount of stock in Obsidian Technologies, and she has not disclosed this information to Obsidian Technologies or the C3PAO. Which CMMC CoPC guiding principle has Angela violated in this scenario?


Answer: A
Question 2

As the Lead Assessor conducting a CMMC Level 2 assessment for an OSC, the Assessment Team has thoroughly reviewed all evidence provided by the OSC for the in-scope CMMC practices. Throughout the assessment process, daily checkpoint meetings were held with the OSC to allow them to present additional evidence and clarify any concerns. After the final evidence review and discussions, the Team has determined that 92 out of the 110 CMMC Level 2 practices have been scored as 'MET.' Additionally, 18 practices have been scored as 'NOT MET,' with 5 of those practices deemed ineligible for a Plan of Action and Milestones (POA&M) due to their potential impact on network exploitation or CUI exfiltration. The OSC has provided a draft POA&M for the remaining 13 'NOT MET' practices, outlining their proposed remediation actions and timelines. After reviewing and validating the OSC's revised POA&M, you determine that it meets all necessary criteria. However, during the Final Findings presentation, the OSC expresses disagreement with the scoring of one particular practice, claiming that they have substantial evidence demonstrating compliance with all objectives. How would you address this disagreement?


Answer: D
Question 3

John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC's security practices leave much to be desired. After speaking with the OSC's IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John's actions?


Answer: D
Question 4

Before an OSC categorizes its assets into different categories, it must determine the Scope of applicability. However, after discussing with the OSC's PoC, you learn that although they follow CUI and FCI in all forms and stages, they are mostly considered technical components. What is the issue with the OSC's approach to determining scope of applicability?


Answer: D
Question 5

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. In your assessment of the contractor's implementation of AC.L2-3.1.10-Session Lock, do you find that they have adequately addressed the practice requirements? When assessing the contractor's implementation of practice AC.L2-3.1.10, which of the following objectives will NOT be considered as part of your review?


Answer: A

© Copyrights DumpsCertify 2025. All Rights Reserved