Cyber AB CCA Exam Questions

1.

As the Lead Assessor, you determine that some details, like wireless entry points, are not included in the assessment scope. However, the OSC assessment official claims that this is covered in the network enclave. Examining their enclave architecture, you determine it is not covered, but the OSC AO insists. What should you do?

  • Try to resolve the disagreement before the Assessment starts

  • Report the OSC Assessment Official to the CMMC Accreditation body

  • Demand the OSC nominates another Assessment Official

  • Give in to the OSC Assessment Official's Demands

Although the OSC is responsible for defining and validating the CMMC assessment scope, the Lead Assessor must also validate it. Any disagreement or difference of opinion about the scope must be resolved before the actual assessment commences; an assessment conducted against a disputed scope cannot produce reliable findings.

2.

Jane is a CCA leading a CMMC assessment for an OSC. During the evaluation, Jane discovers that the OSC's Chief Information Security Officer (CISO) is a former colleague with whom she had a contentious relationship in the past. Unbeknownst to the OSC, Jane still harbors resentment toward the CISO due to their previous conflicts. As the assessment progresses, Jane becomes increasingly critical of the CISO's security practices, scrutinizing every detail and finding fault despite the OSC's best efforts to demonstrate compliance. Given this scenario, how can a Certified CMMC Assessor's personal bias impact the assessment of the OSC?

  • Personal bias may result in an unfairly harsh and critical assessment of the OSC

  • Assessor bias is not a concern in CMMC assessments

  • Assessor bias has no effect on the assessment process and outcomes

  • Assessor bias can lead to an overly lenient evaluation of the OSC

Correct answer: Personal bias may result in an unfairly harsh and critical assessment of the OSC

As a Certified CMMC Assessor, Jane's personal bias and resentment toward the OSC's CISO could significantly impact the objectivity and fairness of the assessment. Despite the OSC's efforts to demonstrate compliance, Jane's preexisting negative feelings may lead her to excessively scrutinize every detail and find fault where it may not exist. This could result in an unfairly harsh and critical assessment of the OSC, even if they have implemented appropriate security controls and practices.

3.

You are a Certified CMMC Assessor (CCA) working with a small defense contractor who needs a CMMC Level 2 assessment. This is their first CMMC assessment. During your initial meeting with the OSC, they express a desire for a quick assessment to minimize disruption to their daily operations. They also mention their limited budget for the assessment. How will you proceed with assessment framing in this scenario?

  • Determine the Rough-Order-of-Magnitude (ROM), by having the C3PAO work with the OSC Assessment Official to determine an anticipated level-of-effort and associated cost estimate to conduct the CMMC Assessment.

  • Define the specific systems, data, and processes in scope for the assessment.

  • Discuss the assessment timeline and resource requirements with the OSC

  • Negotiate the cost of the assessment with the OSC.

In this scenario, the OSC has expressed a desire for a quick assessment to minimize disruption, but it has a limited budget. As the Lead Assessor, your primary goal is to verify that all planning requirements have been met in constructing the ROM. The statutory requirements of a CMMC Assessment and the preferences of the OSC Assessment Official, along with the consequent costs, logistics, size of the C3PAO Assessment Team, and schedule factors, should be balanced to arrive at an efficient and effective resource plan for the Assessment. During this step it is important that the Lead Assessor verifies the accuracy and completeness of the CMMC Pre-Assessment information, which describes the general organization and preparedness of the OSC and serves as one of the determinants of cost.

4.

Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2-Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. Interviewing the organization's data custodian, you are told that a media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2-Media Access, which of the following actions would be the highest priority recommendation for the contractor?

  • Develop and implement a process for timely disabling or revoking access to CUI upon employee termination.

  • Invest in more sophisticated access control technology for their systems.

  • Implement a system for logging and monitoring all access attempts to CUI resources.

  • Conduct additional training for employees on handling CUI materials.

Developing and implementing a process for timely disabling or revoking access to CUI upon employee termination directly addresses the critical security gap identified in the scenario. It is a high-priority action to ensure access to CUI is limited to authorized users.
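The check an assessor would actually run for the scenario above, cross-referencing CUI access logs against the HR separation roster and flagging remote access by separated or unknown identities, as an added example (not part of the original exam material). The roster, the log lines, the log format (ISO timestamp followed by key=value fields) and the internal address ranges are all constructed assumptions:

```python
"""Cross-check CUI access logs against an HR separation roster.

Added example, not part of the original exam material. Both inputs below are
constructed, and the log line format (ISO timestamp followed by key=value
fields) is hypothetical; adapt parse_line() to the real system's format.
"""
from datetime import date, datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "asmith": "2024-02-15",
    "bwong": "2024-03-01",
}

# Constructed CUI access log lines in the hypothetical format.
ACCESS_LOG = """\
2024-02-10T09:12:44Z user=asmith action=read resource=/cui/designs/part-17.dwg src=10.20.1.15
2024-02-20T22:41:03Z user=asmith action=read resource=/cui/designs/part-17.dwg src=203.0.113.40
2024-03-05T08:03:10Z user=jdoe action=write resource=/cui/contracts/sow.pdf src=10.20.1.22
2024-03-07T01:15:55Z user=bwong action=read resource=/cui/contracts/sow.pdf src=198.51.100.9
2024-03-07T01:16:02Z user=ghost action=read resource=/cui/contracts/sow.pdf src=198.51.100.9
"""

# Assumed internal address space; anything else is treated as remote access.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_line(line):
    """Split one log line into a dict with a timezone-aware 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def is_remote(src):
    """True when the source address is outside the assumed internal ranges."""
    return not any(ip_address(src) in net for net in INTERNAL_NETS)


def find_violations(log_text, roster):
    """Return CUI accesses by unknown or separated identities.

    Each violation is (user, timestamp, reason). The reason records whether
    the access was remote, since that is the higher-risk pattern in the scenario.
    """
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, when, src = rec["user"], rec["ts"], rec["src"]
        where = "remote" if is_remote(src) else "on-site"
        if user not in roster:
            violations.append((user, when.isoformat(), f"identity not in HR roster ({where})"))
            continue
        term = roster[user]
        if term is not None and when.date() > date.fromisoformat(term):
            violations.append((user, when.isoformat(),
                               f"access after termination on {term} ({where})"))
    return violations


if __name__ == "__main__":
    for v in find_violations(ACCESS_LOG, HR_ROSTER):
        print(*v, sep="\t")
```

The access on 2024-02-10 by asmith is not flagged because it predates the termination date; the later remote access is, as is the account "ghost" that HR has no record of. In a real assessment the roster would come from the HR system of record, and an identity that appears in logs but not in HR is itself a finding worth chasing.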

5.

The Cyber AB is the sole authorized certification and accreditation partner for the DoD in its CMMC program. It is responsible for overseeing and establishing a trained, qualified, and high-fidelity community of assessors, including C3PAOs and CCAs. What is the main requirement before The Cyber AB can accredit an Assessor?

  • The Cyber AB must achieve and maintain ISO/IEC 17011 accreditation standard.

  • The Cyber AB must be compliant at a FISMA moderate level.

  • The Cyber AB must be DFARS 7012 compliant.

  • The Cyber AB must be approved by the DoD.

To oversee the certification process and provide the necessary accreditations to the trained CMMC ecosystem, the Cyber AB must achieve and maintain accreditation to ISO/IEC 17011, the international standard for bodies that accredit conformity assessment bodies. That accreditation ensures the Cyber AB applies its accreditation criteria consistently and attests impartially, using international consensus-based requirements. One consequence of ISO/IEC 17011's impartiality requirements is that the accreditation body cannot also control the training program that prepares candidates for the credentials it accredits.

6.

As the Lead Assessor conducting a CMMC Level 2 assessment for an OSC, the Assessment Team has thoroughly reviewed all evidence provided by the OSC for the in-scope CMMC practices. Throughout the assessment process, daily checkpoint meetings were held with the OSC to allow them to present additional evidence and clarify any concerns. After the final evidence review and discussions, the Team has determined that 92 out of the 110 CMMC Level 2 practices have been scored as 'MET.' Additionally, 18 practices have been scored as 'NOT MET,' with 5 of those practices deemed ineligible for a Plan of Action and Milestones (POA&M) due to their potential impact on network exploitation or CUI exfiltration. The OSC has provided a draft POA&M for the remaining 13 'NOT MET' practices, outlining their proposed remediation actions and timelines. Based on the assessment results, what recommendation should you, as the Lead Assessor, make regarding the OSC's CMMC Level 2 certification status?

  • Recommend 'CMMC Level 2 Conditional Certification,' provided the OSC corrects the deficiencies outlined in the POA&M within the specified timeframe.

  • Recommend 'Not Achieved' for CMMC Level 2 Certification, as more than 20% of practices were scored as 'NOT MET.'

  • Defer the recommendation until the OSC has fully remediated all 'NOT MET' practices, including those ineligible for a POA&M.

  • Recommend 'CMMC Level 2 Certification' without any conditions, as more than 80% of practices have been scored as 'MET.

According to the CAP, if 80% or more of the practices (88 of 110) are scored 'MET' and every remaining 'NOT MET' practice is eligible for a POA&M, the OSC can be recommended for 'CMMC Level 2 Conditional Certification.' With 92 practices scored 'MET,' the OSC clears the 80% threshold, and the 13 POA&M-eligible 'NOT MET' practices can be addressed through the POA&M. Note that the second condition is strict: a conditional certification is not available while any POA&M-ineligible practice remains 'NOT MET,' so the five practices described as ineligible would have to be remediated and re-scored 'MET' for this recommendation to stand; otherwise the result is 'Not Achieved.'

7.

During a CMMC assessment, you, as a CCA, are interviewing a key OSC employee with information security responsibilities about the access control procedures. As the interview progresses, you realize that the initial information provided in the System Security Plan (SSP) doesn't fully align with the employee's explanation. Based on the scenario and your role as a CCA, what is not one of your responsibilities as an assessment team member?

  • Inform the OSC management about the potential discrepancy between the SSP and actual practices.

  • Map the interview findings regarding access control to the relevant CMMC practices.

  • Update the assessment plan to reflect the newly discovered information about access control procedures.

  • Interview additional personnel to corroborate the information provided by the POC.

The role of the CCA is to objectively assess the OSC's compliance with the CMMC requirements based on the evidence gathered during the assessment. Informing the OSC management about potential discrepancies would be outside the scope of the CCA's responsibilities on the assessment team. The assessment team should focus on gathering accurate information, updating the assessment plan accordingly, and mapping the findings to the relevant CMMC practices. Providing feedback or recommendations to the OSC management is not one of the CCA's primary duties during the assessment.

8.

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. For the implementation of CMMC practices, how would you score AU.L2-3.3.4-Audit Failure Alerting?

  • Not Met

  • Fully Met

  • Not Applicable

  • Partially Met

Even though the contractor has implemented some aspects of the practice, such as identifying personnel, defining event types, and having an alerting mechanism, the significant delay fails to satisfy the intent of timely alerting for audit logging failures. The Further Discussion for AU.L2-3.3.4-Audit Failure Alerting requires the contractor's designated security personnel to be aware when the audit log process fails or becomes unavailable. Configuring the SIEM to send notifications 24 hours after the event defeats the purpose of the practice: if security personnel are unaware that audit logging has failed, suspicious or malicious activity can go unrecorded and unnoticed for up to a day. Thus, despite the contractor's efforts, the practice is scored Not Met.
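Two checks that make "timely" measurable for the scenario above, as an added example rather than anything from the exam material or the SIEM product named: the first pairs each audit-failure event with the earliest notification the SIEM sent and compares the latency to an alerting target; the second catches the quieter failure mode, an audit source that simply stops sending records. The event and notification records, their field layout, and the 15-minute and 30-minute targets are constructed assumptions (AU.L2-3.3.4 requires timely alerting but does not fix a number of minutes):

```python
"""Measure audit-failure alert latency and detect audit sources that have gone silent.

Added example, not from the original exam material. The SIEM event and
notification records are constructed and their field layout is hypothetical;
ALERT_SLA and HEARTBEAT_GAP are assumed organizational targets.
"""
from datetime import datetime, timedelta, timezone

ALERT_SLA = timedelta(minutes=15)      # assumed target for notifying personnel
HEARTBEAT_GAP = timedelta(minutes=30)  # assumed maximum silence before a source is suspect


def ts(s):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed audit-logging failure events as recorded by the SIEM.
FAILURE_EVENTS = [
    {"id": "E1", "ts": "2024-03-07T01:00:00Z", "host": "srv-01",
     "msg": "auditd: audit log partition full, events discarded"},
    {"id": "E2", "ts": "2024-03-07T03:30:00Z", "host": "srv-02",
     "msg": "rsyslogd: forwarding to collector failed"},
]

# Constructed notifications the SIEM sent to administrators.
NOTIFICATIONS = [
    {"event_id": "E1", "ts": "2024-03-08T01:00:00Z", "to": "sysadmins@example.com"},  # 24h later, as in the scenario
    {"event_id": "E2", "ts": "2024-03-07T03:36:00Z", "to": "sysadmins@example.com"},
]

# Constructed time of the last audit record received from each source.
LAST_RECORD = {
    "srv-01": "2024-03-07T03:55:00Z",
    "srv-02": "2024-03-07T03:58:00Z",
    "srv-03": "2024-03-07T02:10:00Z",
}


def alert_latency(events, notifications, sla=ALERT_SLA):
    """For each failure event, find the earliest notification and judge it against the SLA."""
    first_alert = {}
    for n in notifications:
        t = ts(n["ts"])
        if n["event_id"] not in first_alert or t < first_alert[n["event_id"]]:
            first_alert[n["event_id"]] = t
    results = []
    for e in events:
        sent = first_alert.get(e["id"])
        latency = None if sent is None else sent - ts(e["ts"])
        results.append({
            "id": e["id"],
            "host": e["host"],
            "latency_min": None if latency is None else int(latency.total_seconds() // 60),
            "within_sla": latency is not None and latency <= sla,  # an unalerted event fails
        })
    return results


def silent_sources(last_record, now, gap=HEARTBEAT_GAP):
    """Sources whose last audit record is older than 'gap'.

    A logging failure often shows up as silence rather than as an explicit error,
    so this complements the event-based check above.
    """
    return sorted(h for h, t in last_record.items() if now - ts(t) > gap)


if __name__ == "__main__":
    for r in alert_latency(FAILURE_EVENTS, NOTIFICATIONS):
        print(r)
    print("silent:", silent_sources(LAST_RECORD, ts("2024-03-07T04:00:00Z")))
```

Against the constructed data, E1 shows a 1440-minute latency and fails the target, exactly the configuration the question describes, while E2 (six minutes) passes; srv-03 is reported silent because nothing has arrived from it in almost two hours. An assessor can ask for the equivalent of these two numbers from any SIEM: time from failure to notification, and time since last record per source.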

9.

When examining an OSC's procedures for addressing transmission integrity and confidentiality, you interview their system administrator and learn that they use Secure File Transfer Protocol (SFTP) for secure CUI transmission. The OSC employs AES-256 to encrypt data before transmitting it. Any external connections to their internal servers or systems can only occur via a VPN. All emails containing CUI are encrypted and sent using Secure/Multipurpose Internet Mail Extensions (S/MIME). Internal CUI transfers are conducted over WPA3 secure Wi-Fi. All areas of the OSC's facilities where CUI is stored or processed are secured with biometrics. To prevent unauthorized CUI exfiltration or transfer, the OSC has deployed a data loss prevention solution. During employee interviews, you learn they receive regular awareness training on the importance of data encryption during transmission. Additionally, they conduct regular audits of transmission protocols and encryption measures to ensure their effectiveness. While WPA3 offers improved security compared to previous versions, what additional control measure could further enhance the protection of CUI on the Wi-Fi network, specifically focusing on data in transit?

  • Segmenting the Wi-Fi network to isolate CUI-related traffic from other types of network activity.

  • Implementing a guest network that restricts access to non-essential devices.

  • Enforcing stricter password complexity requirements for Wi-Fi access.

  • Disabling unused Wi-Fi access points within the facility to reduce attack surfaces.

By isolating CUI-related traffic on a separate Wi-Fi segment, the OSC can minimize the potential for unauthorized access or eavesdropping on data in transit within the internal network.

10.

You are a Lead Assessor working with your C3PAO to conduct a CMMC Assessment for an OSC. During the preparation and planning phase, you meet with the OSC's Assessment Official to identify the resources and schedule for the upcoming assessment. Together, you review the OSC's pre-assessment information to estimate the level of effort required. You then collaborate to determine the specific resources needed, including the Assessment Team members, facilities, and any support personnel from the OSC. You also discuss scheduling factors like duration, key activities, and potential constraints. Based on these discussions, you develop a Rough Order of Magnitude (ROM) cost estimate and a proposed daily schedule for the assessment activities. Which of the following is not a requirement when identifying resources and schedules?

  • Negotiating the pricing structure of the contract with the OSC.

  • Identifying potential triggers for replanning or updating the assessment plan.

  • Documenting the names and roles of all assessment participants.

  • Recording the facilities to be used and their configurations.

Negotiating the contract's pricing structure with the OSC is not a requirement for identifying resources and scheduling the Assessment. The Rough Order of Magnitude (ROM) estimate forms the basis for determining the contract's pricing structure but does not specify that the Lead Assessor negotiates the contract itself.

11.

An OSC has an established Incident Response plan and a dedicated team specifically trained to handle any potential incidents and conduct necessary analysis. When performing the assessments, you also realize the OSC has deployed IDS and SIEM tools to identify possible incidents. Examining the Contractor's incident response policy, you also learn they have defined and implemented containment strategies and have developed clear procedures for system and data recovery after an incident, including backup and restore procedures. There is also a communication protocol in place to inform the affected stakeholders and users after a security incident. Chatting with a few members of the OSC's incident response team, you learn they conduct regular drills to test and improve the effectiveness of the incident-handling capability. There also are defined and documented incident response mechanisms and a post incident analysis procedure to identify lessons learned and make necessary improvements to the incident-handling process. If a subcontractor or contractor discovers malware connected to an incident when assessing the impact of the incident, what should they do?

  • Quarantine and submit the malware to the DoD Cyber Crime Center (DC3)

  • Send the malware to the contracting officer

  • Delete everything affected by the malware

  • Quarantine and send the malware to their CISO

According to DFARS 252.204-7012, when a contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, they should submit the malicious software to the DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Under the clause, sending malicious software to the Contracting Officer is prohibited.

12.

A Defense Contractor is a CMMC Level 2 organization that frequently needs to transport digital media containing CUI between their main office and an off-site data storage facility. In preparing for their upcoming CMMC assessment, the organization's OSC has closely reviewed the requirements of CMMC practice MP.L2-3.8.6-Portable Storage Encryption, which specifically addresses the protection of CUI stored on digital devices during transport. The OSC recognizes that their current practices of simply placing the media in standard packaging and using commercial shipping services do not fully meet the control's mandatory requirements. Under CMMC practice MP.L2-3.8.6-Portable Storage Encryption, what is the mandatory requirement to protect CUI stored on digital devices during transport?

  • To protect its confidentiality by encrypting it using FIPS 140-2 compliant cryptographic modules

  • To ensure it is safeguarded by trained guards and transported using a reputable shipping company

  • To never transport CUI outside the controlled environment

  • To store CUI only on self-destructing media that erases data if tampered with.

CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI will be lost. When mapping the paths along which CUI flows, the OSC must also identify the portable devices that fall under this practice. To mitigate the risk of losing or exposing CUI, CMMC practice MP.L2-3.8.6-Portable Storage Encryption requires OSCs to implement an encryption scheme to protect the data, so that even if the media is lost, the data remains inaccessible. Because the encryption protects the confidentiality of CUI, the cryptography must also satisfy SC.L2-3.13.11-CUI Encryption, which calls for FIPS-validated cryptographic modules rather than merely "compliant" ones. When encryption is not an option, alternative physical safeguards must be applied during transport.

13.

During an assessment, it is uncovered that a CCA worked as a consultant for the OSC through their RPO. Unfortunately, the CCA didn’t disclose this when their C3PAO appointed them to participate in the assessment. Did the CCA behave professionally? If not, what issues are likely to arise?

  • No, assessor bias

  • No, breach of confidentiality

  • No, lack of objectivity

  • Yes, the CCA behaved professionally

Correct answer: No, assessor bias

The practice of professionalism demands that under no circumstances should credentialed or registered individuals conduct a certified assessment or participate on a certified Assessment Team if they have also served as a consultant to prepare the organization for that assessment. Consulting is defined as "providing direct assistance in creating processes, training, and technology required to meet the intent of CMMC controls and processes."

14.

During a CMMC assessment of an OSC, you discover that they rely heavily on a reputable CSP for their email services. As you delve deeper into the assessment, you suspect the OSC is incorrectly assuming that the CSP's security measures are sufficient to meet all the CMMC requirements related to email security. Given the critical nature of email communications and the potential exposure of sensitive information, you recognize the importance of clearly understanding the division of responsibilities between the OSC and the CSP for email security controls.

To effectively assess how email security responsibilities are divided between the OSC and the CSP, which document should you prioritize reviewing?

  • The Shared Responsibility Matrix (SRM) between the OSC and the CSP

  • The Service Level Agreement (SLA) between the OSC and the CSP

  • The OSC's overall security policy

  • The CSP's publicly available security documentation

Correct answer: The Shared Responsibility Matrix (SRM) between the OSC and the CSP

The SRM, also known as the Customer Responsibility Matrix (CRM), is a document that explicitly outlines which entity (OSC or CSP) is responsible for implementing and maintaining specific security controls related to the cloud service, in this case, email services. While other documents, like the OSC's security policy, the CSP's security documentation, and the SLA, may provide relevant information, the SRM directly addresses the division of responsibilities for email security between the OSC and the CSP.

By reviewing the SRM, you can identify whether the OSC is correctly fulfilling its responsibilities for email security controls or is inappropriately relying solely on the CSP's measures. This information is crucial for assessing the OSC's compliance with CMMC requirements related to email security and identifying any potential gaps or areas for improvement.
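The reconciliation the scenario above calls for, as an added example that is not part of the exam material: compare what the OSC's SSP claims about each practice with what the CSP's SRM actually assigns, and list the claims that do not hold up. The responsibility assignments and SSP statements below are constructed for illustration (the practice identifiers are real CMMC Level 2 identifiers, but which party owns each is invented here); a real SRM is the CSP's document and must be read as written:

```python
"""Reconcile an OSC's SSP claims against the CSP's Shared Responsibility Matrix.

Added example, not from the original exam material. The SRM assignments and
SSP claims below are constructed for illustration; a real SRM/CRM is the CSP's
document and must be used as-is.
"""

# Constructed SRM: practice id -> who implements it ("CSP", "Customer", "Shared").
SRM = {
    "SC.L2-3.13.8": "CSP",       # e.g. mail-in-transit encryption run by the provider
    "AC.L2-3.1.1": "Shared",     # provider runs the directory; customer manages accounts
    "IA.L2-3.5.3": "Customer",   # customer must enforce MFA on its own tenant
    "AU.L2-3.3.1": "Shared",
    "IR.L2-3.6.1": "Customer",   # customer responsibility the SSP never mentions
}

# Constructed SSP statements: practice id -> "inherited", "implemented", or "shared".
SSP_CLAIMS = {
    "SC.L2-3.13.8": "inherited",
    "AC.L2-3.1.1": "inherited",   # claims full inheritance of a shared control
    "IA.L2-3.5.3": "inherited",   # claims inheritance of a customer control
    "AU.L2-3.3.1": "shared",
    "CM.L2-3.4.1": "inherited",   # claims inheritance of a control the SRM does not cover
}


def reconcile(srm, ssp_claims):
    """Return (practice, issue) pairs an assessor should follow up on.

    Four patterns are flagged: inheritance claimed for a practice the SRM does
    not cover; inheritance claimed where the SRM assigns the customer; full
    inheritance claimed where the SRM says shared (the customer portion is
    undocumented); and a customer or shared SRM entry with no SSP statement.
    """
    issues = []
    for practice, claim in sorted(ssp_claims.items()):
        owner = srm.get(practice)
        if owner is None:
            if claim == "inherited":
                issues.append((practice, "inheritance claimed but practice absent from SRM"))
        elif owner == "Customer" and claim == "inherited":
            issues.append((practice, "SRM assigns to customer; SSP claims inheritance"))
        elif owner == "Shared" and claim == "inherited":
            issues.append((practice, "SRM marks shared; SSP must document the customer portion"))
    for practice, owner in sorted(srm.items()):
        if owner in ("Customer", "Shared") and practice not in ssp_claims:
            issues.append((practice, f"SRM assigns {owner.lower()} responsibility; no SSP statement"))
    return issues


if __name__ == "__main__":
    for practice, issue in reconcile(SRM, SSP_CLAIMS):
        print(f"{practice}: {issue}")
```

Only the SC.L2-3.13.8 and AU.L2-3.3.1 claims survive the check; the other three SSP statements, plus the IR.L2-3.6.1 responsibility the SSP never addresses, are the "inappropriately relying on the CSP" pattern the question describes, and each one needs OSC-side evidence before it can be scored MET.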

15.

David, a Certified CMMC Assessor (CCA), is conducting a CMMC assessment for a defense contractor. During the assessment, he observes the organization's CEO making several statements to the Assessment Team about the company’s security practices that turn out to be false. How should David respond to the CEO's behavior according to the CMMC CoPC?

  • Document the CEO's false statements in the assessment report and continue the assessment objectively

  • Report the CEO's behavior to the Cyber AB, as it constitutes perjury

  • Ignore the CEO's false statements, as they are not directly related to the role of the CCA

  • Confront the CEO directly and demand that they provide accurate information

Correct answer: Document the CEO's false statements in the assessment report and continue the assessment objectively

Whether the CEO's false statements rise to a legal offense is not for the assessor to decide; David's primary responsibility as the CCA is to conduct the assessment objectively and document any noncompliance or inaccuracies observed, scoring each practice on the evidence rather than on management's statements. He should not confront the CEO directly or take actions that could be seen as interfering with the assessment process. By documenting the false statements in the assessment report, David fulfills his ethical obligations as a CCA and protects the integrity of the CMMC assessment process.

16.

You are the lead CMMC assessor evaluating a defense contractor that develops advanced surveillance equipment and software for intelligence agencies. Given the sensitive nature of their work, the contractor has implemented robust insider threat monitoring. During your assessment, you find out that the contractor's insider threat program tracks indicators like unauthorized data access attempts, unexplained wealth changes, workplace disputes, and disruptive behavior changes. The contractor also has regular security awareness training covering reporting potential insider threats via an anonymous hotline and web portal. High-risk roles like developers with classified codebase access receive additional insider threat vector training and are closely monitored. To verify all this, you interview the CISO, who confirms their implementation of CMMC practice AT.L2-3.2.3-Insider Threat Awareness. Your assessment reveals the contractor's insider threat monitoring system generates alerts based on a pre-defined set of thresholds. However, some security experts recommend a risk-based approach. What is the primary advantage of a risk-based approach to insider threat detection?

  • A risk-based approach prioritizes alerts based on the potential severity of the threat.

  • It reduces the overall number of alerts generated.

  • It eliminates the need for human intervention in the monitoring process.

  • It simplifies the training required for security personnel.

The primary advantage of a risk-based approach to insider threat detection is that it allows organizations to prioritize their resources and efforts on the most significant and likely threats, thereby increasing the efficiency and effectiveness of their security measures. A risk-based approach enables organizations to identify and concentrate on the highest-risk individuals, activities, or assets, rather than treating all potential insider threats equally. This prioritization ensures that limited resources, such as time, personnel, and technology, are allocated where they are most needed and can have the greatest impact. It also makes the process more efficient by letting lower-risk activities be monitored passively.

17.

As the Lead Assessor for a CMMC Level 2 assessment team, you have completed the examination of evidence and generated Preliminary Recommended Findings. Now, it is time to submit, package, and archive the assessment documentation, ensuring accuracy, completeness, and adherence to protocol. What should the Assessment Results Package submitted by you to the C3PAO include?

  • The Final Report with detailed practices, scores, findings, and comments using the CMMC Assessment Results Template.

  • The CMMC Assessment Findings Brief Template and the data from the Pre-Assessment Form.

  • The CMMC Artifact Hashing Tool User Guide and the CMMC Assessment Quality Review Checklist.

  • The Daily Checkpoint records and the CMMC Assessment In-Brief.

The Assessment Results Package submitted to the C3PAO by the Lead Assessor must include the following assessment artifacts: the Final Report with detailed practices and scores, clearly traceable to each finding and score, using the CMMC Assessment Results Template (i.e., an Excel workbook or spreadsheet containing scores, findings, comments, etc.).

18.

Upon examining a contractor's security awareness and training policy for compliance with AT.L2-3.2.2-Role-Based Training, you determine that they offer their employees training on handling CUI securely, and that system auditors, system administrators, penetration testers, and other cybersecurity roles receive biannual training on CUI handling and cybersecurity best practices. Reviewing the training materials and curriculum for network engineers, however, you find that the training covers only basic networking concepts and does not address secure network configuration practices or identifying network security risks. Which of the following best describes the likely outcome of this finding in your assessment report?

  • The lack of specific training for network engineers would likely result in a finding of non-compliance with AT.L2-3.2.2-Role-Based Training.

  • The finding does not impact the assessment, as network security is not a CMMC requirement

  • The assessment will be postponed until the contractor revises all training materials for all roles.

  • The finding might be documented as an observation for improvement but wouldn't affect the overall compliance score.

The scenario describes a gap in role-based training for network engineers. CMMC practice AT.L2-3.2.2-Role-Based Training requires personnel to be trained to carry out their assigned information security duties effectively; network engineers who configure the systems that carry CUI have such duties, so generic networking content does not satisfy the practice for that role. This gap would likely be documented as a non-compliance finding.

19.

A CCA is assessing an Organization Seeking Certification (OSC). During the assessment, they discover that the OSC is pressuring the CCA to overlook certain security practices that do not meet the CMMC requirements. The organization threatens to withhold payment if the CCA does not modify her findings at the request of the OSC. According to the CoPC, which of the following actions would be most appropriate for the CCA to take in this situation?

  • Inform the OSC that the pressure to compromise her values is a violation of the CoPC and report the issues to the C3PAO

  • Comply with the organization's requests to avoid the risk of non-payment and complete the assessment

  • Complete the assessment and then report the OSC's unethical practices to the Cyber AB

  • Discuss the concerns with the OSC, continue the assessment, and report the violations only if they are not resolved

Correct answer: Inform the OSC that the pressure to compromise her values is a violation of the CoPC and report the issues to the C3PAO

In this scenario, the OSC is pressuring the CCA to overlook security practices that do not meet CMMC requirements and threatens non-payment if she does not comply. This action directly violates the CoPC, as it attempts to compromise the CCA's values and the integrity of the CMMC assessment process. The CCA is expected to uphold the standards set forth in the CoPC. Therefore, the most appropriate action would be to inform the OSC that the pressure to compromise her values is a violation of the CoPC and report it to the C3PAO, who might be obligated to escalate it to the Cyber AB.

20.

While assessing the scope provided by an OSC, you realize they have two environments with distinct characteristics: the headquarters space located at 24 Industrial Pkwy and an off-site location at 25 Industrial Pkwy. The headquarters houses several offices where document processing occurs on a cloud-hosted Microsoft Dynamics 365 GCC environment.

At the off-site location, users access designs from servers hosted at the headquarters through a Virtual Private Network (VPN). These designs are used first in a 3D printer to develop prototypes and subsequently in a Computer Numerical Control (CNC) machine for production. All these operations are supported by a high-quality Industrial Control System (ICS).

What type of environment is the off-site facility located at 25 Industrial Pkwy?

  • Industrial environment

  • Professional environment

  • Off-site environment

  • Backup environment

Correct answer: Industrial environment

25 Industrial Pkwy is an industrial environment characterized by production activities and technologies such as 3D printers, Computer Numerical Control (CNC) machines, and an ICS used to develop prototypes and manufacture components.