Certified CMMC Assessor (CCA) Exam Questions and Answers
The OSC POC has supplied all of the procedures, policies, and plans at the start of the assessment. One of the assessors notes that some of the documents have very recent approval dates, while others have been in place for several years based on the document history.
To ensure the review of this evidence is sufficient, what is the BEST step to validate these documents?
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
An assessor is reviewing whether an organization appropriately analyzed the security impact of a new release of an application. Which of the following documents is MOST useful for the assessor to review?
The audit team is discussing the OSC’s Risk Managed Assets. For these types of assets, the contractor need NOT:
During preparations for a CMMC Level 2 Assessment, a client submits a request to their consulting RP to learn more about Specialized Asset requirements. The client is unsure if their camera system, used for safety data collection purposes within their machining shop, should be documented within the SSP. Which reason is a satisfactory reason to exclude the camera system from the SSP, and thus the assessment scope?
Both the SSP and network diagrams presented to the Lead Assessor by the OSC indicate managed service providers (MSPs) within the assessment boundary. In order to BEST understand the impact of the MSPs, what should the Lead Assessor do?
An OSC processes data in its owned data center. The data center includes a very early smoke detection apparatus (VESDA). The apparatus only captures log information from its sensors around the data center. It is neither intended for, nor capable of, processing CUI. The VESDA is on a separate VLAN and is in a separate locked room in the data center.
Should the assessor agree that the VESDA is out-of-scope?
While conducting a Level 2 Assessment, the Assessment Team begins reviewing assessment objects. The team identifies concerns with several of the objects presented. Which artifacts would require the MOST verification?
While examining controls on the use of portable storage devices, an assessor conducts an interview with a mid-level internal system administrator. The administrator describes the process to check out portable storage devices, which includes a user emailing IT staff directly, verifying that the media classification label matches the data classification, and limiting use of the device to a specified external system.
What is a MISSING element for the assessment of AC.L2-3.1.21: Portable Storage Use?
During an assessment, the team is interviewing the IT staff to understand the ways in which the organization protects backup data. Because the company’s backups contain CUI, the Lead Assessor asks the IT engineer which method is used to ensure that the confidentiality of the backup data is being protected. Which implementation is LEAST LIKELY to be acceptable?
While assessing a company, the CCA is determining whether the company controls and manages connections between its corporate network and all external networks. The company has: (1) a strict employee policy prohibiting personal Internet use and personal email on company computers, and (2) firewalls plus a connection allow-list so only authorized external networks can connect to the company network. Are these safeguards sufficient to meet the applicable CMMC requirement?
While conducting a CMMC Level 2 assessment at a 100-person manufacturing company, the assessor receives a yellow badge labeled “SPECIAL ACCESS.” The assessor observes multiple badge types used by staff and visitors. The client explains that only three badge colors correspond to controlled access (with electronic access), while the rest are identifiers for seniority. How can the assessor BEST verify that the three colors are the only badges capable of accessing controlled areas for CUI-related activities?
An OSC has a testing laboratory. The lab has several pieces of equipment, including a workstation that is used to analyze test information collected from the test equipment. All equipment is on the same VLAN that is part of the certification assessment. The OSC claims that the workstation is part of the test equipment (Specialized Asset) and only needs to be addressed under risk-based security policies. However, the OSC states that the data analysis output is CUI. What is the assessor’s BEST response?
While completing the Level 2 Assessment, the Lead Assessor found that the OSC was deficient on a number of CMMC practices. Forty practices were scored as NOT MET, all on the Authorized Deficiency Corrections list. The OSC remediated 17 of those during closeout, leaving 23 practices still NOT MET. What should the Lead Assessor recommend?
What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:
The Lead Assessor is reviewing the Assessment Plan to identify people for interviews regarding a specific Level 2 practice. Some OSC personnel previously interviewed provided only brief answers without meaningful verification. What can the Lead Assessor do to improve this situation going forward?
A midsized professional services organization that frequently contracts with government entities is undergoing a CMMC Level 2 assessment. The CCA interviews IT leadership about their audit logging capabilities and determines that a third-party vendor is responsible for correlating and reviewing audit logs. During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?
Different mechanisms can be used to protect information at rest. Which mechanism is MOST LIKELY to afford protection for information at rest?
During an assessment interview, the interviewee states that anyone can connect to the company Wi-Fi without prior approval. Within which domains is the Wi-Fi configuration covered?
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
A company employs an encrypted VPN to enhance confidentiality over remote connections. The CCA reads a document describing the VPN. It states the VPN allows automated monitoring and control of remote access sessions, helps detect cyberattacks, and supports auditing of remote access to ensure compliance with CMMC requirements.
What document is the CCA MOST LIKELY reviewing to see how these VPNs are controlled and monitored?
While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.
Are the data provided sufficient to determine that the OSC limits connection to external information systems?
An OSC seeking Level 2 certification is migrating to a fully cloud-based environment. The organization wants to select a Cloud Service Provider (CSP) that can share responsibilities for CMMC Level 2 requirements. Assume both CSPs can equally provide the technical capabilities and business value required.
CSP A has SOC 2 certification and is California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) compliant.
CSP B has SOC 2 and FedRAMP Moderate certifications.
Based on this information, which CSP is MOST LIKELY to be acceptable?
While conducting a CMMC Level 2 Third-Party Assessment of a small defense contractor, an assessor discovers that the contractor’s Information Security Policy has no documented change records demonstrating executive approval. The IT director states that they will add change records in the future, but that other evidence exists. Which documentation is MOST able to demonstrate persistent and habitual adherence to CMMC requirements?
A company has a firewall to regulate how data flows into and out of its network. Based on an interview with their IT staff, all connections to their systems are logged, and suspicious traffic generates alerts. Examination of which artifact should give the CCA the details on how these are implemented?
While reviewing CA.L2-3.12.3: Security Control Monitoring, the CCA notices that the assessment period is defined as one year. An OSC's SSP states that under CA.L2-3.12.3, security controls are monitored using the same one-year periodicity to ensure the continued effectiveness of the controls. The assessor understands that some CMMC practices can reference other practices for the entirety of their implementation. Is the OSC’s implementation under CA.L2-3.12.3: Security Control Monitoring acceptable?
Which of the following can be taken into consideration when assessing AC.L2-3.1.3 Privacy & Security Notices?
A CCA is conducting an interview with an OSC team member about an offering from a well-known Cloud Service Provider (CSP). The offering is known to be secure, but the OSC has not provided evidence and the person being interviewed is unsure how the offering works. Will this offering be accepted by the Assessment Team?
An in-house compliance expert for a large defense contractor is reviewing the organization’s training materials for personnel handling CUI. After a widely publicized insider threat incident, management requires that training address insider threat risks. What is a critical component of insider threat awareness training?
A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?
An OSC seeking Level 2 certification has recently configured system auditing capabilities for all systems within the assessment scope. The audit logs are generated based on the required events and contain the correct content that the organization has defined.
Which of the following BEST describes the next system auditing objective that the organization should define?
FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSC’s CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?
During an assessment, the Assessment Team has identified, according to the SSP and network diagram, that there is a mission system that cannot be altered but that has privileged accounts which should have MFA applied. As it is not possible to deploy a typical type of MFA on the mission system, which of the following constitutes a sufficient second factor?
A company is undergoing a CMMC Level 2 Assessment. During the Conduct Assessment phase, an Assessment Team member is reviewing the policies and procedures in the incident response plan.
Which assessment method is being utilized?
While conducting a CMMC Level 2 gap analysis with a large defense contractor, a CMMC RP confirms that the organization uses a RADIUS server for authentication. What additional method could be used to comply with AC.L2-3.1.17: Wireless Access Protection?
A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor’s documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in-scope in the documentation?
During the assessment of a company, the CCA learns that 50% of employees work from home using remote access. After reviewing the Access Control policy and audit logs, the CCA is unsure how the system ensures only employees with correct privileges can access CUI. The CCA decides a Test of functionality is required. Which question is of the LEAST concern to the CCA?
The OSC has assembled its documentation relating to how it controls remote access for assessment. The Lead Assessor compared this documentation to the provided topology map and noted several indications of external connections with External Service Providers (ESPs). Which document is MOST LIKELY to show acceptable evidence of the security controls related to the interface between the OSC and the ESP?
The OSC has changed its manner of operations in the past year to isolate its manufacturing division (which handles CUI) from its managerial team (which does not). Upon review of the provided information, the Lead Assessor was unable to identify this isolation in the environment. Which step should the Assessor take NEXT to understand how the current documentation isolates the operational components?
An OSC seeking Level 2 certification has a fully cloud-based environment. The assessor must evaluate fulfillment of Level 2 requirements the OSC implements versus those handled by the cloud service provider. Which document would be BEST to identify the Level 2 requirements handled by the OSC’s cloud provider?
A C3PAO has been contracted by an OSC to perform its assessment. Before the assessment, the Lead Assessor asks the OSC to provide an extensive list of evidence, some of which is optional and beyond the minimum requirements. The OSC is not able to fulfill the entire request. One missing document was a current and organized list of the OSC’s evidence and mappings.
Given that this is a Level 2 Assessment, what should the Lead Assessor tell the OSC?
While conducting an assessment, an assessor is determining if privileged accounts are used for non-privileged functions. While interviewing a user with a privileged account, the assessor should ask if the person interviewed:
The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out-of-scope for the assessment?
An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?