Cyber AB CCA Exam Questions


181.

You are a Lead Assessor on a CMMC Assessment Team preparing for an upcoming assessment. You have received the final assessment scope and supporting documentation from the OSC. What should you do next?

  • Determine the feasibility of conducting the assessment

  • Immediately begin the Assessment based on the provided scope and documentation.

  • Submit the assessment scope and documentation to the C3PAO for approval.

  • Verify that the assessment team members are familiar with the assessment scope, method, plan, and tools.

After receiving the final assessment scope and supporting documentation, the Lead Assessor should verify that the assessment team members are familiar with the assessment scope, method, plan, and tools. This ensures that the assessment team is prepared and aligned with the agreed-upon scope and assessment approach.

182.

Before an OSC categorizes its assets into different categories, it must determine the Scope of applicability. However, after discussing with the OSC's PoC, you learn that although they follow CUI and FCI in all forms and stages, they are mostly considered technical components. What is the issue with the OSC's approach to determining scope of applicability?

  • They have fallen into the 'technical system' trap.

  • The OSC's approach might result in too many CUI assets.

  • The OSC's approach may result in a scope that is too broad for the assessment.

  • The OSC's approach focuses on saving money by narrowing the scope.

NIST SP 800-171 is an information-centric security framework, and the 'Scope of Applicability' is defined wherever FCI/CUI flows via human-centric processes. Unfortunately, the OSC has fallen into the 'technical system' trap, focusing only on components that actively handle FCI/CUI during contract delivery. However, NIST SP 800-171 defines a system to include people, processes, media (physical and digital), technologies, and facilities. It's worth noting that FCI/CUI can originate as early as contract proposals and may need to be retained for years after the contract ends.

183.

After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor's security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success. When examining the contractor's plan of action, you expect to find all the following, EXCEPT?

  • The guilty party for introducing the deficiency or vulnerability

  • Ownership of who is accountable for ensuring the plan's performance

  • Specific clear and actionable steps or milestones, including completion dates

  • Milestones to measure plan progress and assign responsibility for each step or milestone

The Plan of Action & Milestones (POA&M) focuses on defining the steps and milestones to resolve or mitigate identified issues. While it may indicate the source system or root cause in some cases, explicitly calling out individuals responsible for introducing a deficiency is not an expected component. The POA&M is a forward-looking plan, not an assessment of guilt.

184.

You are a CCA collaborating with an OSC to provide specialized consulting services. The OSC representative has inquired about strategies to validate the accuracy of their project scope. In response, you suggest leveraging a data flow diagram. This sounds interesting to the OSC. This visual representation could assist in mapping the flow of information and processes within the project, enabling a comprehensive review and verification of the scope's alignment with the client's requirements.

If you were on the Assessment Team, how would you use the data flow diagram after it is created?

  • Ensure the systems and assets included in the data flow diagram are also included in the network diagram for the assessment's scope and in the asset inventory

  • Use the data flow diagram to identify potential vulnerabilities and weaknesses in the information flow, as it is primarily a security analysis tool

  • Use the data flow diagram as a baseline for a new system architecture, as it provides a comprehensive view of the existing data flows

  • Compare the data flow diagram with the organization's documented policies and procedures to identify any deviations or noncompliance

Correct answer: Ensure the systems and assets included in the data flow diagram are also included in the network diagram for the assessment's scope and in the asset inventory

A data flow diagram is a visual representation of the flow of data within a system or process. In the context of an assessment or certification, the data flow diagram can be used to identify all the relevant systems and assets that should be included in the network diagram and the scope of the assessment. By cross-referencing the data flow diagram with the network diagram and asset inventory, the Assessment Team can ensure that no critical systems or assets are overlooked during the assessment process.

185.

You are the Lead Assessor assigned by your C3PAO to conduct a CMMC Assessment for a small manufacturing company, Precision Parts Inc. (PPI). During the initial coordination call with PPI's management team, you learn that PPI is a wholly-owned subsidiary of a larger corporation, Acme Manufacturing Holdings (AMH). PPI operates as an independent business unit within AMH and has its own IT infrastructure and cybersecurity policies. You need to determine the appropriate corporate entity to be assessed as the "Organization Seeking Certification" (OSC). If PPI outsources its payroll and human resources functions to an external service provider, HR Solutions, LLC, how would HR Solutions, LLC be categorized in the context of a CMMC assessment?

  • HR Solutions, LLC would likely be considered a Supporting Organization.

  • HR Solutions, LLC would be considered the Host Unit (OSC).

  • HR Solutions, LLC would not be involved in the CMMC Assessment Scope.

  • HR Solutions, LLC would be considered part of PPI.

The CMMC Assessment Process (CAP) defines Supporting Organizations as people, procedures, and technology external to the HQ Organization that support the Host Unit. The assets affiliated with Supporting Organizations may need to be included as part of the CMMC Assessment Scope, but the Supporting Organizations themselves would not receive CMMC Certification during the OSC's Assessment. Since HR Solutions, LLC is an external service provider to PPI, it would likely be categorized as a Supporting Organization.

186.

When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. In assessing the contractor's implementation of AC.L2-3.1.14-Remote Access Routing, what must you determine?

  • Managed access control points are identified, implemented, and remote access is routed through these managed network access control points.

  • The contractor manages access control points

  • All remote access is monitored

  • All users are authenticated before being granted remote access.

AC.L2-3.1.14-Remote Access Routing identifies two assessment objectives and requires the assessor to determine if: [a] managed access control points are identified and implemented; and [b] remote access is routed through managed network access control points.

187.

A software development company is applying for a CMMC Level 2 assessment. As the Lead Assessor, you request access to the company's System Security Plan (SSP) as part of the initial objective evidence for validating the scope. Which of the following is true about the software development company's obligations in honoring the request?

  • The software development company must furnish the Lead Assessor with the SSP.

  • The software development company can choose to provide a redacted version of the SSP, omitting sensitive information.

  • The software development company is not obligated to provide the SSP until after the assessment has begun.

  • The software development company can refuse to provide the SSP if they deem it contains proprietary information.

The OSC has the initial responsibility for establishing the scope, but the CCA (Lead Assessor) plays a crucial role in verifying its accuracy. The OSC must provide a set of initial objective evidence, including the SSP, to assist in defining the assessment scope.

188.

CMMC practice PS.L2-3.9.1-Screen Individuals, requires individuals to be screened before authorizing access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screens, such as background checks, only affirmations derived from an interview session. In an interview with the HR Manager, they informed you that before an individual is hired, they submit their information through a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1-Screen Individuals, objective [a]?

  • More information is needed.

  • Not Met

  • Not Applicable

  • Met

Affirmations are acceptable evidence provided they support the Assessment Objectives and the information is derived from someone responsible for the process (such as an HR Manager responsible for conducting the screening) or someone who is a subject of the process (e.g., an employee with access to CUI who can verify that their background check was performed prior to gaining network access). However, to verify and support what the HR Manager and/or employee claim, physical evidence, in the form of records of previous personnel screens (background checks), should be provided to address the intent of PS.L2-3.9.1[a]: individuals are screened prior to authorizing access to organizational systems containing CUI.

189.

You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. During the evidence collection phase, you need to examine the OSC's policies and procedures related to the CMMC practice AC.L2-3.1.5-Least Privilege. Which of the following would be an appropriate source of evidence for this practice?

  • Examining the organization's system configuration documentation.

  • Interviewing the system administrators about their daily activities.

  • Testing the OSC's Role Based Access Control (RBAC) and Privilege Access Management (PAM) tools.

  • Observing the system administrators as they configure the systems.

To assess compliance with this practice, the most appropriate source of evidence would be examining the organization's system configuration documentation. This documentation should outline the policies, procedures, and guidelines for configuring systems to implement the principle of least privilege and restrict access to only what is necessary for users to perform their assigned tasks. While testing the OSC's Role-Based Access Control (RBAC) and Privileged Access Management (PAM) tools can help assess the technical implementation of least privilege, it does not directly provide evidence of the organization's policies and procedures.

190.

CMMC MA.L2-3.7.6-Maintenance Personnel, requires that maintenance personnel without required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities. Which of the following elements should be excluded from the documented procedure?

  • A detailed list of all CUI assets that the maintenance activity might impact.

  • The specific steps authorized for the visiting maintenance personnel with limited access

  • The method used to authenticate and monitor the supervisor's activity during the maintenance session.

  • Contact information for the organization's IT security team in case of emergencies or unexpected issues.

A detailed list of all CUI assets that the maintenance activity might impact is unnecessary for the documented procedure. The focus should be on the tasks performed, not the potentially impacted CUI assets (which might change based on the specific maintenance). The other answer options all directly address elements crucial for supervised maintenance, according to MA.L2-3.7.6-Maintenance Personnel.

191.

When examining a contractor's security configuration settings, you find they have thoroughly documented the essential ports, protocols, services, and programs required for their business operations. They follow industry security configuration standards, such as CIS Benchmarks, to ensure systems are securely configured and hardened. Interviewing the network administrator and reviewing their processes, you learn that the contractor has implemented a rigorous whitelisting approach to control the execution of programs on their systems. Only applications and services that are deemed necessary for the system's function are explicitly allowed to run and are tightly controlled. They use Secure File Transfer Protocol (SFTP) services on port 22, Simple Mail Transfer Protocol (SMTP) on port 25, and DNS services on port 53, while restricting all other unnecessary ports and services using robust firewall configurations. The contractor conducts regular reviews of system services and functionalities to identify and disable any nonessential components that may have been inadvertently enabled or introduced through software updates or changes. They maintain a comprehensive inventory of all approved software, ports, protocols, and services, which is regularly audited and reconciled against the actual system configurations. How would you score the contractor's implementation of CM.L2-3.4.7-Nonessential Functionality?

  • Met (+5 points)

  • Not Met (-1 point)

  • Met (+1 point)

  • Not applicable

The scenario demonstrates that the contractor has implemented comprehensive measures to identify, document, and actively manage essential functionality while restricting or turning off nonessential components as required by CMMC practice CM.L2-3.4.7-Nonessential Functionality. They have thoroughly addressed all the assessment objectives outlined in the practice and thus it can be scored as Met.

192.

You are a CCA with an active and good standing on the Cyber AB Marketplace. An OSC has contracted your C3PAO for a prospective CMMC Assessment. The OSC provides signal processing services for the DoD. You assisted the OSC in preparing for the upcoming CMMC assessment by conducting an initial evaluation of their implementation practices. With your background in cybersecurity and extensive experience, your C3PAO and Lead Assessor have selected you to join the Assessment Team. Based on this scenario, which of the following is the most important factor for the C3PAO to consider when assigning assessors to the Assessment Team?

  • The Assessor's active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.

  • The Assessor's hourly rate, especially for independent assessors.

  • The Assessor's specialization with the OSC's lines of business or industry sub-sector.

  • The Assessor's professional reputation within the CMMC ecosystem.

The C3PAO is responsible for verifying that all assessment team members possess an active status in good standing as a CMMC Certified Assessor or CMMC Certified Professional, which can be confirmed on Cyber AB's CMMC Marketplace. This is considered the first and foremost factor for assigning assessors to the assessment team.

193.

Organizations have to control what systems can be installed for the principle of least functionality to apply. You assess the contractor's implementation of Configuration Management requirements and start by examining their documentation. They maintain a regularly updated inventory of authorized software to support their allowlisting and blocklisting efforts. The contractor has configured their information systems such that only authorized software can be executed or installed after software approval. Any attempts to install unauthorized software by unauthorized personnel are automatically logged, and an alert is sent to the system administrator. How would you rate the contractor's implementation of CM.L2-3.4.8-Application Execution Policy?

  • Met (+5 points)

  • Met (+1 point)

  • Not Met (-5 points)

  • Not Met (-1 point)

The contractor has implemented measures that fully satisfy the requirements of CM.L2-3.4.8-Application Execution Policy. They maintain an up-to-date inventory of authorized software, configure their systems to allow only authorized software to execute or install, and establish a software approval process. Additionally, any attempts to install unauthorized software are logged, and alerts are sent to the system administrator, demonstrating effective monitoring and control.

194.

In preparation for a CMMC Level 2 assessment, an OSC must ensure their CUI handling practices are fully compliant with the laws, regulations, and government-wide policies. The OSC employee should acquaint themselves with the following Laws, Regulations, or Government Wide Policies EXCEPT?

  • Executive Order 13526 and Regulatory Authority: 48 CFR 52.204-21

  • Regulatory Authority: 32 CFR Part 2002, Controlled Unclassified Information (CUI)

  • Legal authorities: 2002 Federal Information Security Management Act (FISMA) Amended in 2014 and Executive Order 13556, Controlled Unclassified Information

  • Policy: National Archive & Records Administration (NARA) Information Security Oversight Office (ISOO) CUI Notices

FISMA establishes guidelines and security standards to protect sensitive government information and operations. Such information includes CUI and FCI. However, Executive Order 13556 standardized how unclassified information should be protected, leading to the establishment of 32 CFR 2002 as the regulation governing Controlled Unclassified Information (CUI). The regulation established a CUI Executive Agent (EA), which NARA delegated to the ISOO Director. The EA maintains the CUI registry and issues regular notices considered federal policy.

195.

During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, and others not. Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?

  • System Design documentation

  • System Security Plan (SSP)

  • Preliminary List of Evidence

  • Network diagrams

Correct answer: System Design documentation

To determine assessment scope, system design documentation is not required at the initial stages of a Level 2 CMMC assessment. The Assessment Team focuses on reviewing essential documents outlined in the Level 2 Scoping Guide to verify the OSC's assessment scope. Required documents to determine scope include the SSP, network diagram(s), and asset inventory. Although system design documentation may be useful, it is not required for the Assessment Team's review at this stage.

196.

As a CCA, you decide to write a book to help OSCs prepare for prospective CMMC assessments. During discussions with your publisher, they inform you that you can include Cyber AB and CAICO logos in the book to make it appear more authentic to potential buyers. Given the provisions of the CMMC Code of Professional Conduct (CoPC), how should you respond?

  • First, seek authorization from Cyber AB and CAICO to use their intellectual property

  • Agree to include the logos

  • Negotiate with the publisher to include only the Cyber AB logo and omit the CAICO logo

  • Place one logo on the front page and the other on the inside cover

Correct answer: First, seek authorization from Cyber AB and CAICO to use their intellectual property

Unless you have express written permission from the Cyber AB, this would go against the CMMC guiding principle of respecting intellectual property. Paragraph 3.5(3) of the CMMC CoPC prohibits members of the CMMC ecosystem from using the Cyber AB's logos and other trademarked materials. It states: "Do not use CMMC-AB logos, trademarks, or copyrighted material without explicit and written permission from CMMC-AB, and do not misrepresent yourself as holding a CMMC credential, registration, or accreditation."

197.

A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2-Security Configuration Enforcement if the contractor is tracking it in a POA&M?

  • Not Met

  • Not Applicable

  • Met

  • Need more information to score this practice.

According to the CMMC Assessment Process (CAP), any practice being tracked or placed in a POA&M should be scored as Not Met. This status can only be changed during the POA&M Closeout Assessment and if the requirements of the POA&M Closeout Assessment are fully met. Regardless, however, CM.L2-3.4.2-Security Configuration Enforcement cannot be placed in a POA&M as it does not meet the criteria set out in the Limited Practice Deficiencies section of the CAP.

198.

You are assessing a contractor's implementation of CMMC practice MA.L2-3.7.4-Media Inspection by examining their maintenance records. You realize the maintenance logs identify a repeating problem. A recently installed central server has been experiencing issues affecting the performance of the contractor's information systems. This is confirmed by your interview with the contractor's IT team. You requested to investigate the server, and the IT team agreed. On the server, there is a file named conf.zip that gets your attention. You decide to open the file on an isolated computer for further review. To your surprise, the file is a .exe used when testing the server for data exfiltration. How should this incident be handled?

  • In accordance with the incident response plan

  • By sandboxing the malicious code and continuing with business as usual

  • Decommissioning the server and installing a new one

  • By immediately reporting it to the FBI's Cyber Division

CMMC practice MA.L2-3.7.4-Media Inspection requires that after determining whether the media contains test and diagnostic programs, such incidents should be handled in a manner consistent with the organization's incident handling process and procedures, by following these steps:

  • Verify the Incident: Confirm that the presence of the malicious .exe file is an actual security incident and not a false positive.

  • Assess the Scope: Determine whether the issue is isolated to the central server or if other systems may be compromised as well.

  • Immediate Containment: Isolate the affected server from the network to prevent further data exfiltration or lateral movement of the malicious software.

  • Remove the Malicious File: Identify and remove the .exe file and any other malicious software or files on the server.

  • Investigate the Root Cause: Determine how the malicious file was introduced, whether through a maintenance procedure or another vulnerability.

  • Restore the System: Ensure the server is clean, and then restore it to normal operation using verified backups or a clean image.

  • Verify Integrity: Ensure that all systems connected to the server are checked for any signs of compromise and that they are secure before bringing the server back online.

  • Review Logs and Documentation: Analyze the server and network logs to gather more information about the incident, such as the timeline of events and the method of infiltration.

  • Conduct a Root Cause Analysis: Document the findings and determine what led to the incident, including any failures in policies or controls.

199.

Examining an OSC's system design documentation, you notice they have implemented a CUI enclave and have a documented procedure addressing boundary protection. They have segmented their network into different zones, each having its own rules to allow or deny traffic. The OSC has implemented strict firewall rules that deny all incoming and outgoing traffic by default, only allowing specific traffic as required. To automatically block unrecognized traffic patterns, the OSC has provisioned a state-of-the-art Intrusion Detection and Prevention System (IDPS). During an interview with the network administrator, you realize that the OSC uses a whitelisting approach to explicitly allow only certain IP addresses, domains, or services to communicate with their system. Their IT security team monitors network traffic to detect any unauthorized attempts to connect or communicate with their system. Based on the scenario and your understanding of the CMMC scoring methodology, how would you score the OSC's implementation of CMMC practice SC.L2-3.13.6-Network Communication by Exception?

  • Met (5 points)

  • Met (1 point)

  • Met (3 points)

  • Not applicable

From the scenario, the OSC has demonstrated that network communications traffic is denied by default [a] and is only allowed by exception based on explicit rules and whitelisting [b]. The examined documentation, security controls, and monitoring processes provide evidence that the practice has been adequately implemented, which justifies a score of 5 points on the assessment.

200.

Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor's change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities. What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3-System Change Management besides their compliance management policy?

  • Organizational procedures addressing system configuration change control and change control/audit review reports

  • Antivirus scan reports detailing detected and quarantined threats.

  • System uptime statistics showing improved stability after change management implementation.

  • Employee satisfaction surveys regarding the change management process.

The contractor can cite many evidence artifacts, including its procedures for addressing system configuration change control, minutes or agendas from change control oversight meetings, personnel knowledge of their roles in system change management, etc.