Practice CMMC-CCA Exam Questions in V8.02 to Make Preparations: Continue to Check the CMMC-CCA Free Dumps (Part 2, Q41-Q80) Online

The CMMC-CCA exam questions from DumpsBase come with accurate answers and show how to approach each type of question, which builds confidence before exam day. Our CMMC-CCA free dumps (Part 1, Q1-Q40) online gave a first look at the path to passing the Certified CMMC Assessor (CCA) Exam. Reading the demo questions shows that DumpsBase provides real, updated dumps that match the actual exam requirements, so you do not waste time on outdated material. Today we continue with the second set of free questions, after which you can read more about the full dumps.

The CMMC-CCA free dumps (Part 2, Q41-Q80) are below to help you check more about the quality:

1. Members of the CMMC ecosystem must meet the CoPC's expectations. However, certain factors might trigger a Cyber AB investigation of a credentialed individual or organization.

Which of the following can trigger an investigation by the Cyber AB?

Answer: The Cyber AB receives information relating to a violation of the CoPC.

2. Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase letters, 2 special characters, and other alphanumeric characters. Passwords must be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete.

Under the OSC's password usage policy, the system issues a temporary password to the user's email or authentication app for certain events. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, so an attacker could guess a temporary password by brute force.

How would you score the contractor's implementation of the IA domain requirement on Temporary Passwords?
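To make the entropy finding in this scenario concrete, here is an added example (not from the page and not any OSC's code) that generates a temporary password from the operating system's CSPRNG, computes the entropy a scheme yields, and estimates how long a guessing attacker needs to exhaust it. The 76-character alphabet, the 16-character length, the 6-digit "weak" scheme used for contrast, and the 10,000 guesses-per-second rate are assumptions for illustration; the page states none of them.

```python
import math
import secrets
import string

# Assumed alphabet for generated temporary passwords (upper, lower, digits, 14 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_temporary_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character with `secrets` (OS CSPRNG), never with random.random().

    A generator seeded from the clock or a user attribute is what makes temporary
    passwords guessable regardless of how long they look.
    """
    if length < 12:
        raise ValueError("temporary passwords shorter than 12 characters give too little entropy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to enumerate the entire keyspace."""
    return (2 ** bits) / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e4) -> dict:
    """Contrast an assumed 6-digit numeric code with a 16-character CSPRNG string."""
    weak_bits = entropy_bits(10, 6)
    strong_bits = entropy_bits(len(ALPHABET), 16)
    return {
        "weak_bits": weak_bits,
        "strong_bits": strong_bits,
        "weak_seconds": seconds_to_exhaust(weak_bits, guesses_per_second),
        "strong_seconds": seconds_to_exhaust(strong_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_temporary_password())
    for key, value in compare_schemes().items():
        print(f"{key}: {value:.3g}")
```

The numbers are what an assessor would ask the pen-test team to show: a 6-digit code is roughly 20 bits and falls in under two minutes at 10,000 guesses per second, so it only holds up if it is single-use, short-lived and rate-limited; a 16-character draw from a 76-symbol alphabet is about 100 bits and is not brute-forceable online at all.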

3. You are working as a CCA on a Level 2 Assessment for a DoD prime contractor. The OSC seeks to keep assessment costs down, and the C3PAO and OSC have decided to conduct all possible work remotely. You are assigned to work primarily on the Media Protection (MP), Personnel Security (PS), and Physical Protection (PE) domains. In addition, the Lead Assessor has designated you as the one person from the Assessment Team to conduct all the on-premises work.

Which of the following factors do you and the Assessment Team NOT need to consider as part of your on-site work?

4. An OSC uses a third party for all system repairs and has hired an MSP for penetration testing. The third party comes for adaptive, preventive, perfective, or corrective system maintenance every three months, and the penetration tester works continuously. Whenever the third party comes for maintenance, there is no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC.

To comply with CMMC practice MA.L2-3.7.1-Perform Maintenance, what should the OSC implement for the maintenance activities performed by the third-party vendor?

5. During the planning and preparation discussions, a key member of the C3PAO Assessment team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team.

Can the Lead Assessor proceed with the assessment using a reduced assessment team size?

6. During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, while others are not.

Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?

7. During a CMMC assessment for an OSC, the CCA needs to assess their implementation of CMMC practice MP.L2-3.8.4-Media Markings, which requires proper marking and labeling of CUI. The interview with the information security personnel reveals a well-defined policy, but you need concrete evidence to verify its effectiveness.

Which of the following would provide sufficient evidence to assess a contractor's implementation of CMMC practice MP.L2-3.8.4-Media Markings?

8. Your organization has informed you that an OSC has contacted them for a prospective CMMC assessment. Your C3PAO has a specified number of days to acknowledge the request and proposes a date for the initial coordination call.

Who is responsible for overseeing and managing a dedicated CMMC Assessment Team for a specific OSC?

9. You are the Lead Assessor on a CMMC Assessment Team preparing for an upcoming assessment. You have received the final assessment scope and supporting documentation from the OSC.

What should you do next to ensure the assessment can proceed as planned?

10. You are a CCA working for a well-known C3PAO. You have been selected for an Assessment Team tasked with conducting a CMMC assessment on a C3PAO. While you are reviewing the presented evidence, one of the Assessment Team members informs you that they weren’t trained for the job and that a friend helped them get the position.

By employing non-credentialed individuals and assigning them assessment tasks, which requirement of the CoPC has the C3PAO violated?

11. As a CCA, you can assess an OSC's implementation of CMMC practices or assist OSCs in preparing for upcoming third-party assessments through two different roles. However, CCAs can only deliver certified services through a C3PAO.

What are these two roles?

12. You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network.

Which of the following measures would NOT be considered an acceptable implementation of CMMC practice IA.L2-3.5.10-Cryptographically-Protected Passwords?
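The scenario names SHA-256 and bcrypt together, but a single unsalted SHA-256 is a fast, deterministic digest, not a password hashing scheme: identical passwords produce identical stored values and the whole space can be enumerated cheaply. The added example below (not from the page or the IAM vendor) shows that difference with standard-library code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a per-user salt and a high iteration count stands in for the salted, iterated construction; the 600,000 iteration count and the record format are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware
ALGORITHM_TAG = "pbkdf2_sha256"


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: deterministic and fast. NOT acceptable for password storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record (assumed format)."""
    salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM_TAG:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def storage_comparison(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Show why an assessor treats the two 'industry-standard algorithms' differently."""
    return {
        # Two users with the same password get the same SHA-256 digest: a lookup table breaks both.
        "fast_hash_repeats": fast_hash(password) == fast_hash(password),
        # The salted KDF yields a different record each time, so precomputation does not transfer.
        "kdf_records_differ": store_password(password, iterations) != store_password(password, iterations),
    }


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(storage_comparison("correct horse battery staple"))
```

When examining the IAM configuration, the evidence to look for is the algorithm family (bcrypt, scrypt, Argon2, PBKDF2), a per-record salt, and a configured work factor; "SHA-256" on its own in a settings page warrants a follow-up question.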

13. The Cyber AB has completed an investigation into a report submitted by a CCA regarding a potential violation by another CCA. They have determined the violation falls within the scope of the relevant Industry Working Group's authority.

What is the likely course of action for the Cyber AB in this scenario?

14. A mid-sized company specializing in machining is preparing to bid for an upcoming DoD contract to provide machined components crucial for defense systems. As CMMC compliance will be required, the company’s top executives have invited you to assess their implementation of CMMC Level 2 requirements. During your visit to their environment of operations, you discover its production floor has several Computer Numerical Control (CNC) machines for precision machining, all connected to a local network for data transfer and control.

The CNC machines receive design files from a central server in the company's data center and communicate with a SCADA quality control system that monitors production metrics and performance. The central server hosts the design files, which are only accessible to authorized engineers and operators and backed up in an Amazon EBS cloud instance to ensure availability across the company's multiple machining shops in different states. Furthermore, the company allows employees to upload designs to the server remotely using VPNs and virtual desktop instances.

What is the BEST physical control the company can use for preventive purposes?

15. A remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information.

To demonstrate compliance with AC.L2-3.1.13-Remote Access Confidentiality, what can't the contractor provide as evidence?

16. In preparation for a CMMC Level 2 assessment, an OSC must ensure their CUI handling practices are fully compliant with the laws, regulations, and government-wide policies.

Which of the following Laws, Regulations, or Government-wide Policies does the OSC employee NOT have to acquaint themselves with?

17. You are the Lead Assessor for a CMMC Assessment engagement with OSC for CMMC Level 2. The OSC has provided you with their proposed CMMC Assessment Scope, which includes a network schematic diagram, their SSP, relevant policies, and organizational charts. During your review of the documentation, you notice they have excluded a subsidiary company's network and assets from the proposed CMMC Assessment Scope despite the subsidiary being involved in handling CUI related to federal contracts.

If the OSC shares proprietary information with the Lead Assessor during the assessment engagement, what is the C3PAO's responsibility regarding this information after the completion of the assessment?

18. When assessing a contractor's implementation of configuration management practices, you interview a system security manager to understand how best they have implemented CM.L2-3.4.4-Security Impact Analysis. They inform you the contractor has a change review board that reviews any system changes and approves or rejects them. The system security manager is a member. Any configuration changes are tested, validated, and documented before installing them on the operational system.

However, after chatting with the development team, you learn that sometimes they patch vulnerabilities found by the penetration testing team without necessarily having to send recommended patches to the change review board. This is aimed at quickly addressing the vulnerabilities before they are exploited.

Based on the scenario, what score does the contractor's implementation of CM.L2-3.4.4-Security Impact Analysis warrant?

19. You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces.

Which security tool would be most beneficial to use for effectively monitoring mobile code usage within the described scenario (SC.L2-3.13.13-Mobile Code)?

20. You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery.

What would you recommend the contractor do to avert the risk?

21. As a Certified CMMC Assessor, you are part of a team assessing a small defense contractor. During the assessment, an employee being interviewed appears unsure about some security practices and asks for your advice on how to answer certain questions to make their compliance appear better.

As a Certified CMMC assessor, what should you do in this situation?

22. A Defense Contractor is a CMMC Level 2 organization that frequently needs to transport digital media containing CUI between their main office and an off-site data storage facility. In preparing for their upcoming CMMC assessment, the organization's OSC has closely reviewed the requirements of CMMC practice MP.L2-3.8.6-Portable Storage Encryption, which specifically addresses the protection of CUI stored on digital devices during transport. The OSC recognizes their current practices of simply placing the media in standard packaging and using commercial shipping services do not fully meet the control's mandatory requirements.

Under CMMC practice MP.L2-3.8.6-Portable Storage Encryption, what is the mandatory requirement to protect CUI stored on digital devices during transport?

23. An OSC has an established Incident Response plan and a dedicated team specifically trained to handle any potential incidents and conduct necessary analysis. When performing the assessments, you also realize the OSC has deployed IDS and SIEM tools to identify possible incidents.

Examining the contractor's incident response policy, you also learn they have defined and implemented containment strategies and have developed clear procedures for system and data recovery after an incident, including backup and restore procedures. A communication protocol is also in place to inform the affected stakeholders and users after a security incident.

Chatting with a few members of the OSC's incident response team, you learn they conduct regular drills to test and improve the effectiveness of the incident-handling capability. There are also defined and documented incident response mechanisms and a post-incident analysis procedure to identify lessons learned and make necessary improvements to the incident-handling process.

Based on the information provided, how would you assess the OSC's compliance with the IR.L2-3.6.1-Incident Handling practice?

24. A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.

Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2-Security Configuration Enforcement if the contractor is tracking it in a POA&M?

25. During your assessment of an OSC's implementation of security engineering principles throughout its system and software development lifecycles, you review their policies and interview personnel. The OSC has a documented security architecture that includes high-level security requirements such as data encryption, least privilege access controls, and input validation. However, this guidance remains fairly general.

You then examine the system design documentation for a key application processing CUI. Although security requirements are mentioned, there is no evidence that specific security engineering techniques such as threat modeling, layered protections, or secure design patterns were employed during the design phase. Interviews with the development team reveal limited experience with advanced security engineering practices beyond basic secure coding. The team admits they did not perform activities like misuse case analysis, abuse case modeling, or attack surface reviews during the design process.

In further testing, you find the OSC has established secure coding standards, conducts static code analysis, and performs penetration testing before production releases. However, there are no documented processes for incorporating explicit security engineering activities during the design and architecture phases.

For an OSC's legacy applications, what does CMMC practice SC.L2-3.13.2-Security Engineering require regarding the application of security engineering principles?

26. Mobile devices are increasingly important in many contractors' day-to-day activities. Thus, contractors must institute measures to ensure the devices are correctly identified and that any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI.

You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC.L2-3.1.18 (Mobile Device Connections). To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Mobile devices connecting to organizational systems must have a device-specific identifier.

Which of the following is the main consideration for a contractor when choosing an identifier?

27. Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment.

Where would you document the OSC's readiness to proceed to the second phase of the CMMC Assessment Process (CAP)?

28. A CCA has been selected to lead a team conducting a CMMC assessment for an OSC. However, it is later determined that the OSC's Point Of Contact (POC) is the CCA’s sibling.

Could this situation present a potential Conflict of Interest (COI)?

If so, which guiding principle or practice of the CoPC (Code of Professional Conduct) might the CCA have violated?

29. While reviewing a contractor's Microsoft Active Directory authentication policies, you observe the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt.

What specific threat is this configuration designed to mitigate?
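The three settings in this scenario interact, and the interaction is what an assessor should probe. The added example below (not from the page and not a Windows API) simulates the policy as described: 5 invalid attempts lock the account for 15 minutes, and the failure counter resets 30 seconds after the last bad attempt. It then counts how many guesses an attacker actually gets evaluated in one hour, first hammering the account and then pacing attempts just past the 30-second reset window. The policy values come from the scenario; the attacker timings and the one-hour horizon are assumptions.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """The three account lockout settings from the scenario."""
    threshold: int = 5               # Account lockout threshold (invalid attempts)
    lockout_seconds: int = 15 * 60   # Account lockout duration
    reset_counter_seconds: int = 30  # Reset account lockout counter after


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


def attempt(state: AccountState, policy: LockoutPolicy, now: float, success: bool) -> str:
    """Apply one login attempt at time `now` (seconds) and mutate `state`.

    Returns "locked" when the attempt is rejected without being evaluated,
    "locked_now" when this evaluated guess tripped the lockout,
    "fail" for an evaluated wrong guess, and "ok" for a success.
    """
    if now < state.locked_until:
        return "locked"
    # Counter resets once reset_counter_seconds have elapsed since the last failure.
    if state.failures and now - state.last_failure_at >= policy.reset_counter_seconds:
        state.failures = 0
    if success:
        state.failures = 0
        return "ok"
    state.failures += 1
    state.last_failure_at = now
    if state.failures >= policy.threshold:
        state.locked_until = now + policy.lockout_seconds
        state.failures = 0
        return "locked_now"
    return "fail"


def simulate(policy: LockoutPolicy, attempt_times, success: bool = False) -> list:
    """Run a sequence of attempts (seconds, ascending) against a fresh account."""
    state = AccountState()
    return [attempt(state, policy, t, success) for t in attempt_times]


def evaluated_guesses(policy: LockoutPolicy, spacing_seconds: int, horizon_seconds: int) -> int:
    """Number of wrong guesses the system actually evaluates for an attacker
    trying every `spacing_seconds` over `horizon_seconds` (assumed attacker model)."""
    results = simulate(policy, range(0, horizon_seconds, spacing_seconds))
    return sum(r in ("fail", "locked_now", "ok") for r in results)


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("rapid attacker, 1 h:", evaluated_guesses(policy, 1, 3600))
    print("attacker pacing at 31 s, 1 h:", evaluated_guesses(policy, 31, 3600))
```

The rapid attacker gets about 20 evaluated guesses per hour because each 5-guess burst costs a 15-minute lockout, which is the brute-force mitigation the question points at. The attacker who waits 31 seconds between attempts never accumulates 5 failures inside the 30-second window, so the lockout never fires and every guess is evaluated. A short "reset counter" value therefore blunts the threshold against patient password guessing and spraying; the observation interval is the setting to question during the interview.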

30. Tina is working on a team conducting a Level 2 assessment for Humvees-R-Us (HRU). While gathering evidence, Tina notices that HRU has not updated several critical policies in years. Knowing that HRU is investing a significant amount of money in the assessment, she tells Bob, the CEO of HRU, that she will date the policies to make them appear as if they have been regularly revised. She explains that this will help HRU pass their assessment and save them the cost of a reassessment. Tina believes changing the dates isn't a big deal since HRU has policies written but has not revised them as frequently as required.

Was it right for Tina to adjust the dates during the assessment?

If not, which principle of the CMMC Code of Professional Conduct did she violate?

31. You are the lead CMMC assessor evaluating a defense contractor that develops advanced surveillance equipment and software for intelligence agencies. Given the sensitive nature of their work, the contractor has implemented robust insider threat monitoring. During your assessment, you discover the contractor's insider threat program tracks indicators like unauthorized data access attempts, unexplained wealth changes, workplace disputes, and disruptive behavior changes.

The contractor also has regular security awareness training covering reporting potential insider threats via an anonymous hotline and web portal. High-risk roles like developers with classified codebase access receive additional insider threat vector training and are closely monitored. To verify all this, you interview the CISO, who confirms their implementation of CMMC practice AT.L2-3.2.3-Insider Threat Awareness. The contractor uses an anonymous hotline and web portal for reporting potential insider threats. However, some employees might hesitate to use anonymous reporting due to fear of retaliation.

Which is the best way to encourage anonymous reporting within the contractor's organization?

32. In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed.

How is Session Lock typically initiated?

33. CMMC practice PS.L2-3.9.1-Screen Individuals, requires individuals to be screened before authorizing access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screens, such as background checks, only affirmations derived from an interview session. In an interview with the HR Manager, they inform you that before an individual is hired, they submit their information through a service that performs criminal and financial checks.

How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1-Screen Individuals, objective [a]?

34. Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must go through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters.

The personnel affecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect.

To demonstrate their compliance with CM.L2-3.4.5-Access Restrictions for Change, what can the contractor NOT cite as evidence?

35. An aerospace company stores backups of their design schematics (containing CUI) on a cloud service provider (CSP). The company enforces access controls through the CSP's interface, restricting access to authorized personnel only. However, the company has no formal policy requiring data encryption at rest within the CSP environment.

Data stored on the CSP's infrastructure is segregated, with CUI stored on a separate cluster from other data types. The CSP is authorized at a FedRAMP Moderate baseline, and the OSC regularly monitors access to backups. The CSP provides alerts for any suspicious activity that is detected.

In the context of CMMC practice MP.L2-3.8.9-Protect Backups, which of the following controls best addresses the confidentiality risk in the scenario, considering the existing measures?

36. You were the Lead Assessor on a team that conducted a CMMC assessment for an OSC that passed and earned a CMMC L2 Certification. After meeting this requirement, the OSC bid on and won a DoD contract. However, a rival company disputes the OSC's CMMC certification status in court. As part of the evidence, the court has directed you to release the assessment results and any evidence you might have relied on to arrive at the assessment results.

Based on the CoPC, what action should you take in this situation?

37. As a Certified CMMC Assessor (CCA), you evaluate an OSC's implementation of the AC.L2-3.1.11 - Session Termination requirement during a CMMC Level 2 assessment. This requirement requires the organization to automatically terminate a user session after defined conditions are met. During your assessment, you want to determine whether the OSC has properly defined the conditions that would trigger the automatic termination of a user session, as required by assessment objective [a].

Which of the following assessment objects would you most likely examine to make this determination?

38. As a Lead Assessor working with an OSC in preparation for an upcoming assessment, you request they appoint an Assessment Official. This is the individual you will be collaborating with and has the OSC's decision-making authority regarding the CMMC Assessment. The OSC Assessment Official will lead and manage the OSC's engagement in the assessment.

As the Lead Assessor, which of the following responsibilities would you expect the OSC Assessment Official NOT to have?

39. To transfer CUI between a government client and its internal systems, a defense contractor uses a Secure File-Sharing Application provided by the DoD. However, all the data traversing this boundary MUST pass through a next-generation firewall (NGFW) managed by the contractor's Network Admin. All CUI is stored on a Solid State Drive (SSD) and accessed through a laptop.

What type of asset is the Network Admin?

40. Jane is a CCA for a leading C3PAO. She is selected to be part of a team of four, headed by James, to assess how Micron Inc., an OSC, has implemented the requirements for a CMMC Level 2 certification.

However, she witnesses James striking a deal with Micron’s CISO to manipulate some findings to ensure the OSC is certified.

What should Jane do?
