Check the Top Quality CMMC-CCA Dumps (V8.02) by Reading CMMC-CCA Free Dumps (Part 3, Q81-Q120): DumpsBase Guarantees Your Success

Download the latest CMMC-CCA dumps (V8.02) from DumpsBase for guaranteed success. The top-quality study materials provide 100% authentic and verified CMMC-CCA exam questions with accurate answers, designed by certified experts who understand the real exam pattern. You can read the free dumps before getting a full version:

From these demo questions, you can find that the CMMC-CCA dumps (V8.02) match the latest exam objectives, ensuring you’re always preparing with the most relevant and reliable content. You can trust DumpsBase. With the latest CMMC-CCA dumps (V8.02), you gain a competitive edge by preparing with the most trusted and accurate exam Q&As available. Each question is created with a first-attempt pass guarantee, giving you confidence that you’re investing in success. Today, you can try more free dumps to experience the quality and accuracy of our CMMC-CCA dumps (V8.02).

Below are our CMMC-CCA free dumps (Part 3, Q81-Q120) online for reading:

1. During a CMMC Level 2 assessment, an OSC receives a Conditional Certification with several practices placed on a Plan of Action and Milestones (POA&M). After implementing corrective actions, the OSC requests the Assessment Team to conduct a POA&M Close-Out Assessment.

Which of the following is the correct action for the Team's Lead Assessor during the POA&M Close-Out Assessment?

2. A CMMC Level 2 certified DoD contractor plans to use a Cloud Service Provider (CSP) to support data storage and application hosting for their business operations. The contractor is aware of the CMMC requirements and wants to ensure compliance before engaging with the cloud service provider. After discussing this with them, you learn that most of the hosted applications aren't used for any activities related to the DoD contract. However, the stored data may contain CUI.

What requirement must the CSP meet before the DoD contractor can hire them?

3. You are a CCA working for a C3PAO. An OSC has submitted a request for a CMMC Assessment, and the C3PAO is in the process of assigning a Lead Assessor for this engagement. As an experienced Assessor, you are being considered for the role of Lead Assessor.

Which of the following factors should the C3PAO NOT consider when selecting a Lead Assessor for this assessment?

4. An OSC specializing in developing directed energy systems plans to bid on a DoD contract to produce a 250kW High Energy Laser Weapon System (HELWS). This system is to be deployed on military bases across the globe to protect U.S. service personnel against aerial threats, including mortars, rockets, and unmanned aerial vehicles (UAVs), including swarms of mini-UAVs. Because of the sensitivity of the information, the OSC has prohibited using emails to transmit information regarding the project, whether encrypted or otherwise. They also have instituted procedures to remove CUI from the email system.

What CMMC assessment requirements must the Assessment Team follow regarding the OSC's email system?

5. In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements.

Where can you find information about a cryptographic module's current status with FIPS?

6. When discussing the OSC's proposed assessment scope, the lead assessor learned that some laptops and workstations share a network with CUI assets, but their users do not work with CUI. These assets do not store CUI or run applications that process CUI. On reviewing the OSC's SSP, the risk-based security policies, procedures, and practices implemented for these assets raised questions and were found to be deficient.

What can the Lead Assessor do in this scenario?

7. You are assessing a contractor with a well-defined personnel security policy and procedures for screening individuals before granting access to CUI as part of their CMMC compliance. However, chatting with the security guards, you discover the contractor sometimes grants temporary access to CUI systems before completing the screening process, citing operational urgency.

When examining the contractor's procedures addressing personnel screening, which background checks would you NOT expect to find included?

8. You are a CCA participating in an assessment exercise for an OSC. You have completed the exercise, and the OSC has hashed the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide.

What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?

9. You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows the Contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network.

However, the Contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks.

What risks does the hybrid infrastructure with cloud storage and remote access introduce regarding CUI data flow?

10. During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment.

What is your ethical obligation in this situation?

11. During a CMMC Level 2 assessment, a CCA will evaluate whether the organization meets the requirement to "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." According to the CMMC requirement, the CCA must determine whether FIPS-validated cryptography is employed to protect the confidentiality of CUI.

Which assessment procedure would the CCA most likely use to evaluate this requirement?

12. The CMMC Assessment Process (CAP) requires the Lead Assessor to validate the CMMC Assessment Scope proposed by the OSC.

What is the main task the Lead Assessor must conduct in validating the CMMC Assessment Scope? Choose the option that best describes the validation.

13. During your assessment of CA.L2-3.12.3-Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls.

The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and on identifying gaps in the security controls implemented.

Can the contractor place practice CA.L2-3.12.3-Security Control Monitoring under a POA&M if unimplemented or not fully met?

14. A software development company is applying for a CMMC Level 2 assessment. As the Lead Assessor, you request access to the company’s System Security Plan (SSP) as part of the initial objective evidence for validating the scope.

Which of the following is true about the software development company's obligations in honoring the request?

15. You are the Lead Assessor for a CMMC Assessment engagement with the OSC for CMMC Level 2. The OSC has provided you with their proposed CMMC Assessment Scope, which includes a network schematic diagram, their SSP, relevant policies, and organizational charts. During your review of the documentation, you notice they have excluded a subsidiary company's network and assets from the proposed CMMC Assessment Scope despite the subsidiary being involved in handling CUI related to federal contracts. You also notice the OSC has included assets and networks not involved in handling CUI or related to federal contracts.

What should be your course of action?

16. Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor’s change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do if the approved changes result in unexpected issues or vulnerabilities.

What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3-System Change Management besides their compliance management policy?

17. A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs.

Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds.

How would you assess the contractor's implementation of AU.L2-3.3.7-Authoritative Time Source?

18. You are a CCA collaborating with an OSC to provide specialized consulting services. The OSC representative has inquired about strategies to validate the accuracy of their project scope. In response, you suggest leveraging a data flow diagram. This sounds interesting to the OSC. This visual representation could assist in mapping the flow of information and processes within the project, enabling a comprehensive review and verification of the scope's alignment with the client's requirements.

If you were on the Assessment Team, how would you use the data flow diagram after it is created?

19. You have been hired to assess a contractor’s implementation of remote access capabilities for information systems that handle CUI. While interviewing the network administrator, you realize they perform privileged activities remotely when at alternate worksites.

What is the primary concern about allowing remote execution of privileged commands or remote access to security-relevant information under AC.L2-3.1.15-Privileged Remote Access?

20. When interviewing a contractor’s CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that the contractor tests its incident response plan every four months and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited its security systems in over two years.

Which of the following must be considered for the contractor's implementation of CA.L2-3.12.1-Security Control Assessment to be successful?

21. During your on-site CMMC assessment of an OSC, you determine that the organization is performing the practical aspects of PE.L1-3.10.3-Escort Visitors. However, upon further review, you notice their standard operating procedures (SOPs) do not align with the new processes being implemented by the outsourced security guard company they recently hired.

Given this discrepancy between the documented procedures and the actual implementation, what should the OSC do with respect to practice PE.L1-3.10.3-Escort Visitors?

22. A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix.

According to CMMC practice RA.L2-3.11.3-Vulnerability Remediation, what factors should drive the prioritization of vulnerability remediation efforts?

23. During the planning and preparation discussions, a key member of the C3PAO Assessment team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team.

If the OSC Assessment Official asks the C3PAO for advice on how to proceed, the Lead Assessor, on behalf of the C3PAO, should do which of the following?

24. After the Assessment Team has been formed and the OSC Point of Contact (POC) and assessment official have been identified, your C3PAO appoints John as the Lead Assessor. During the kickoff meeting, John reassures the OSC assessment official not to worry; they are guaranteed to pass the CMMC assessment. If they don't, John has agreed to refund 40% of the assessment fee.

Which of the following is true about John's behavior as a Certified CMMC Assessor?

25. Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc.

The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems.

The contractor has also deployed an endpoint protection solution, and every employee is searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives or SD cards.

Which of the following does an OSC NOT have to define in their removable media use policy?

26. While reviewing an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9-Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network.

The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, no documented policy or procedure outlines a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work.

Besides relying solely on user awareness, what additional approach could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9-Connections Termination?

27. Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2-Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. When you interview the organization's data custodian, they inform you that the media storage procedure is augmented by a physical protection and access control policy.

What would you conclude based on the collected and observed evidence?

28. During an assessment, it was uncovered that a CCA worked as a consultant for the OSC through their RPO. Unfortunately, the CCA didn’t disclose this when their C3PAO appointed them to participate in the assessment.

Did the CCA behave professionally? If not, what issues are likely to arise?

29. A leading technology solutions provider works with various government agencies and commercial clients. To ensure the secure handling of CUI, the solutions provider has implemented a dedicated CUI enclave within its network infrastructure. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements.

Which separation technique can the technology solutions provider use to isolate the network assets in its CUI enclave?

30. After completing a CMMC assessment, the OSC should hash all the evidence artifacts according to the CMMC Artifact Hashing Tool User Guide. However, you have just realized that this requirement was not fulfilled, and the OSC Assessment Official cannot be reached to confirm it was done. To avoid any issues, you quickly complete this step and later inform the OSC Assessment Official.

Which CoPC principle have you just violated by hashing the evidence artifacts in place of the OSC?

31. During CMMC assessment preparation, the OSC's executive team decides to hold a meeting to review the company's CMMC readiness and provide guidance. The OSC informs the CCA about this meeting, but the CCA notes this event does not require an update to the Pre-Assessment Data Form.

The Pre-Assessment Data Form should NOT be updated when which of the following occurs?

32. When examining procedures addressing system security plan development and implementation, you realize the contractor has developed an SSP that defines and documents system boundaries. The SSP also contains the non-applicable security requirements approved by designated authorities. It also outlines other essential aspects, such as relationships with or connections to other systems, how security requirements will be implemented, etc. Upon interviewing personnel with information security responsibilities, you realize the contractor has not reviewed or updated the SSP and has no defined timelines.

What are the deficiencies within the contractor's system security plan from the scenario above? Choose all that apply.

33. As a CCA, understanding the guiding principles of the CoPC can help you when you face situations in which you are asked to compromise your values and integrity.

Which of the following is NOT a guiding principle of the CoPC?

34. As a CCA, you lead an Assessment Team conducting a CMMC assessment for an OSC. During the assessment, the OSC CEO pulls you aside and offers you a substantial sum of money, $50,000, if you are willing to overlook certain noncompliance issues the company is aware of.

If you accept the money, which Guiding Principle of the Code of Professional Conduct (CoPC) would you be violating?

35. After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor’s security and compliance team, you learn that while an audit is regularly conducted, the remediation measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success.

Based on the scenario, how would you rate the contractor's implementation of CA.L2-3.12.2-Plan of Action?

36. An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1-Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance.

What is the primary role of the CMMC Quality Assurance Professional (CQAP) regarding the Pre-Assessment Form?

37. After the OSC and the Assessment Team scheduled the initial meeting, they agreed the initial discussions would be held in the OSC's facilities. Walking into the conference room, the Lead Assessor notices multiple laptops and printers tagged "U.S. Government Owned."

How should the OSC have categorized these assets in their proposed assessment scope?

38. You are conducting a CMMC assessment for an OSC. During the assessment, the OSC's lead security officer offers you a paid consultancy position after the assessment to help them address the identified issues.

How should you respond to this offer according to the Code of Professional Conduct?

39. The Cyber AB is the sole authorized certification and accreditation partner for the DoD in its CMMC program. It is responsible for overseeing and establishing a trained, qualified, and high-fidelity community of assessors, including C3PAOs and CCAs.

What is the main requirement before the Cyber AB can accredit an Assessor?

40. You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation. As part of the CMMC Assessment process, you begin to determine the necessary evidence for each practice or process across the OSC's organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC's requirements. After initial preparations, you and the OSC's POC schedule a joint review session to align on the scope and expectations for the upcoming assessment.

What is the primary focus of the 'Sufficiency' criterion during the evidence verification process in a CMMC assessment?
