Cyber AB CCA Exam Questions

Page 3 of 25

41.

AC.L1-3.1.2 requires OSCs to "limit information system access to the types of transactions and functions that authorized users are permitted to execute." Assessment Objective [a] of AC.L1-3.1.2 requires the Assessor to determine whether "the types of transactions and functions that authorized users are permitted to execute are defined." What assessment method would you use to determine whether the OSC has met this assessment objective?

  • Examine the list of approved authorizations, including remote access authorizations

  • Test the system configuration settings

  • Review the System Security Plan

  • Interview system developers

Correct answer: Examine the list of approved authorizations, including remote access authorizations

Assessment objective [a] of AC.L1-3.1.2 requires the Assessor to determine whether "the types of transactions and functions that authorized users are permitted to execute are defined." To make this determination, the most appropriate assessment method is to examine the list of approved authorizations, including remote access authorizations. This list defines the specific transactions and functions that each authorized user is permitted to execute within the information system.

42.

You are assessing a contractor that develops missile guidance software containing CUI data. The software developers have administrative privileges on their workstations to be able to install tools and edit configuration files needed for their jobs. However, you have noted that many of the developers have access to modify components critical to system security, which is beyond what is needed for their specific roles. Which of the following is a potential risk if AC.L2-3.1.5, Least Privilege is not properly implemented for developers?

  • Unauthorized changes leading to vulnerabilities

  • Excessive workflow disruptions

  • Impacts to patch and update processes

  • Inability to complete projects timely

Providing excess privileges beyond what is needed for a specific role risks developers making unintended or malicious changes that could introduce vulnerabilities. This potential risk highlights the importance of adhering to least privilege.

43.

During a POA&M Close-Out Assessment, the Lead Assessor notes that the organization has updated their Risk Assessment to remove the previous CMMC practices listed on the POA&M. Which of the following statements accurately describes the Lead Assessor's responsibility in this scenario?

  • Verify that the updated Risk Assessment shows the removal of the previous CMMC practices listed on the POA&M before making a recommendation.

  • Recommend the organization for CMMC Level 2 Final Certification, regardless of the Risk Assessment updates.

  • Update the POA&M and recommend the organization for CMMC Level 2 Final Certification, without considering the Risk Assessment updates.

  • Defer the recommendation and request the organization to undergo a full reassessment.

The CAP identifies the criteria for the Lead Assessor to recommend CMMC Level 2 Final Certification: the organization's updated Risk Assessment must show the removal of the previous CMMC practices listed on the POA&M.

44.

You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?

  • Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties.

  • Increase the engineer's salary to incentivize careful work.

  • Institute mandatory overtime for the engineer to complete tasks faster.

  • Invest in more powerful development machines.

Implementing a Separation of Duties practice directly addresses the identified risk. Separating design, coding, testing and deployment across different engineers, and adding peer code reviews, creates a system in which errors and malicious actions are far more likely to be caught before they reach the production ATC system.

45.

During the Awareness and Training (AT) domain assessment, you examine the company's security awareness and training program. All new hires undergo a one-time security awareness training session during their onboarding process. After that, the IT department sends periodic email reminders about general security best practices, such as password management and phishing awareness. The contractor also offers an annual refresher training for managers and supervisors, covering topics related to data protection and incident response procedures. However, chatting with personnel from different roles, you discover personnel responsible for managing the company's networks and systems have yet to receive any specific training on secure configuration practices or identifying potential security risks associated with their roles. Production line workers and technicians handling CUI data during the manufacturing process are unaware of the specific security risks or procedures for handling and protecting CUI. Which of the following techniques can the contractor use to attain compliance with AT.L2-3.2.1-Role-Based Risk Awareness?

  • Develop and deliver role-specific training for personnel managing networks and systems, and provide specialized training to production line workers and technicians, covering secure configuration practices, identifying potential security risks associated with their roles, and handling CUI appropriately.

  • Install antivirus software on all user devices to prevent malware infections.

  • Implement advanced firewalls to protect against unauthorized access.

  • Regularly update and patch software to fix security vulnerabilities

Role-specific training ensures that the content is directly relevant to the tasks and responsibilities of each role. For example, network administrators need to understand secure configuration practices, while those handling Controlled Unclassified Information (CUI) must know how to protect that data. This targeted approach reduces the risk of security incidents by equipping personnel with the specific knowledge and skills they need to identify and mitigate the threats they are most likely to encounter in their daily work.

Focus on high-risk areas: personnel managing networks and systems typically have access to critical infrastructure and sensitive data. Training them on secure configuration and risk identification is crucial because mistakes in these areas can lead to significant security breaches, such as unauthorized access, data leaks, or system downtime. By focusing on the high-risk areas relevant to each role, the training effectively reduces the likelihood of such breaches.

The other options do not directly address the requirement:

  • Installing antivirus software is a technical control rather than a training or awareness initiative, so it does not address the requirement for role-based risk awareness.

  • Implementing advanced firewalls is also a technical control, not related to security awareness or training.

  • Regularly updating and patching software is a security practice rather than a training or awareness technique, so it does not fulfill the requirement for role-based training.

46.

An OSC specializing in developing directed energy systems plans to bid on a DoD contract to produce a 250kW High Energy Laser Weapon System (HELWS). This system is to be deployed on Military bases across the globe to protect U.S. servicemen against aerial threats, including mortars, rockets, and unmanned aerial vehicles (UAVs), as well as swarms of mini-UAVs. Because of the sensitivity of the information, the OSC has prohibited using emails to transmit information regarding the project, whether encrypted or otherwise. They also have instituted procedures to remove CUI from the email system. What CMMC assessment requirements must the Assessment Team follow regarding the OSC's email system?

  • Review the SSP in accordance with practice CA.L2-3.12.4 - System Security Plan.

  • Review the SSP in accordance with CA.L2-3.12.4 - System Security Plan and assess against other CMMC practices.

  • Since there are measures in place to prevent CUI transfer through email, the email system is out of scope and there is no need to assess it against CMMC practices.

  • The Assessment Team must assess the email system against all CMMC practices.

The OSC's email system is a Contractor Risk Managed Asset (CRMA). These assets can, but are not intended to, process, store, or transmit CUI due to the security policies, procedures, and practices in place. CRMAs are part of the CMMC Assessment Scope. The Assessment Team may review the policy and procedure documentation to ensure these assets do not process, store, or transmit CUI. The email system should be reviewed in the SSP per CMMC practice CA.L2-3.12.4 - System Security Plan, to ensure the system is documented in the SSP, but should not be assessed against other CMMC practices.

47.

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal web sites. Why is it critical to implement practice AC.L2-3.1.6-Non-Privileged Account Use?

  • Reduces exposure to threats that might exploit the misuse of privileges

  • Mitigates the consequences of a security breach by safeguarding against data loss.

  • Enables easier auditing and logging of privileged activities.

  • Prevents unauthorized modification of security functions.

By requiring the use of non-privileged accounts for common non-security functions like email and web browsing, the exposure from potential compromise or misuse of privileged accounts is reduced.

48.

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory - a privileged function. Which of the following implementation deficiencies allowed the developer to carry out a privileged function?

  • Improper role assignments.

  • Lack of account review procedures.

  • Insufficient network segmentation

  • Weak account credential requirements.

Improper role assignments enabled the developer to carry out privileged functions outside their responsibilities. The Dev_Roles group likely inherited permissions from Admin_Roles inappropriately. This type of privilege creep, where a non-privileged role inherits elevated permissions, enables users to execute actions well outside their responsibilities and job functions. The Dev_Roles group should have only the explicit privileges needed for software development and testing. Allowing it to inherit the elevated Admin_Roles permissions violates the principles of least privilege and separation of duties.
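The kind of inheritance the explanation describes is easy to miss when reviewing group membership one level at a time, because Windows evaluates nested groups transitively: if Dev_Roles is itself a member of Admin_Roles, every developer receives whatever user rights (for example SeDebugPrivilege, which is what "enable debugging permissions to access kernel memory" amounts to) are assigned to Admin_Roles. The following added example, not from the exam page or from any CMMC tool, models a directory as a constructed group-membership map plus a constructed user-rights map and reports each role whose members effectively hold more rights than the access authorization list approves. All group, user and right names are hypothetical.

```python
"""Detect privilege creep through nested group membership.

Added example with constructed data: groups may contain other groups (as
Active Directory allows) and Windows user rights are assigned to groups by
policy. Effective rights are the union over every group a principal belongs
to, directly or through nesting.
"""
from collections import deque

# group -> direct members (users or other groups). Constructed data.
# The defect under discussion: Dev_Roles has been nested inside Admin_Roles.
MEMBERS = {
    "Admin_Roles": {"it_alice", "Dev_Roles"},
    "Dev_Roles": {"dev_bob", "dev_carol"},
    "Helpdesk": {"hd_dan"},
}

# group -> user rights assigned by policy. Constructed data.
RIGHTS = {
    "Admin_Roles": {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege"},
    "Dev_Roles": {"SeIncreaseWorkingSetPrivilege"},
    "Helpdesk": set(),
}

# Rights each role is approved to hold per the access authorization list. Constructed.
APPROVED = {
    "Admin_Roles": {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege"},
    "Dev_Roles": {"SeIncreaseWorkingSetPrivilege"},
    "Helpdesk": set(),
}


def parents_of(members):
    """Invert the membership map: principal -> groups it is a direct member of."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    return parents


def effective_groups(principal, members):
    """All groups a principal belongs to, following nesting transitively.

    Breadth-first walk over the parent relation; the seen-set makes it safe
    against circular nesting, which AD also permits.
    """
    parents = parents_of(members)
    seen, queue = set(), deque([principal])
    while queue:
        p = queue.popleft()
        for g in parents.get(p, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def effective_rights(principal, members, rights):
    """Union of the rights assigned to every group the principal is (transitively) in."""
    result = set()
    for g in effective_groups(principal, members):
        result |= rights.get(g, set())
    return result


def privilege_creep(members, rights, approved):
    """Return {group: rights its members effectively hold beyond what is approved}.

    A group's members hold the group's own rights plus the rights of every
    group the group is nested inside, so both are compared against the approved set.
    """
    creep = {}
    for group, allowed in approved.items():
        held = rights.get(group, set()) | effective_rights(group, members, rights)
        excess = held - allowed
        if excess:
            creep[group] = excess
    return creep


if __name__ == "__main__":
    for user in ("dev_bob", "hd_dan"):
        print(user, "->", sorted(effective_groups(user, MEMBERS)),
              sorted(effective_rights(user, MEMBERS, RIGHTS)))
    for group, excess in privilege_creep(MEMBERS, RIGHTS, APPROVED).items():
        print(f"CREEP: {group} members effectively hold {sorted(excess)}")
```

Run against real data, the membership map would come from a directory export (for example the output of a recursive group-membership query) and the rights map from the effective User Rights Assignment on the workstation; the reconciliation logic is the same. The point for an assessor is that the finding is visible only when nesting is resolved: Dev_Roles itself lists no debugging right, yet its members effectively hold SeDebugPrivilege.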

49.

When examining a contractor's security configuration settings, you find they have thoroughly documented the essential ports, protocols, services, and programs required for their business operations. They follow industry security configuration standards, such as CIS Benchmarks, to ensure systems are securely configured and hardened. Interviewing the network administrator and reviewing their processes, you learn that the contractor has implemented a rigorous whitelisting approach to control the execution of programs on their systems. Only applications and services that are deemed necessary for the system's function are explicitly allowed to run and are tightly controlled. They use Secure File Transfer Protocol (SFTP) services on port 22, Simple Mail Transfer Protocol (SMTP) on port 25, and DNS services on port 53, while restricting all other unnecessary ports and services using robust firewall configurations. The contractor conducts regular reviews of system services and functionalities to identify and disable any nonessential components that may have been inadvertently enabled or introduced through software updates or changes. They maintain a comprehensive inventory of all approved software, ports, protocols, and services, which is regularly audited and reconciled against the actual system configurations. Which other Configuration Management practice does CM.L2-3.4.7-Nonessential Functionality extend?

  • CM.L2-3.4.6-Least Functionality

  • CM.L2-3.4.3-System Change Management

  • CM.L2-3.4.1-System Baselining

  • CM.L2-3.4.5-Access Restrictions for Change

As stated in the CMMC Assessment Guide - Level 2, CMMC practice CM.L2-3.4.7-Nonessential Functionality, requires contractors to limit functionality to only essential programs, ports, protocols, and services, which extends the requirements of CMMC practice CM.L2-3.4.6-Least Functionality. CM.L2-3.4.6 requires adherence to the principle of least functionality but does not specifically address which elements of a system should be limited.
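The scenario's strongest evidence for CM.L2-3.4.7 is the reconciliation step: the approved inventory of ports, protocols and services is compared against what the systems are actually doing, and anything listening that is not on the list is a nonessential function to be disabled or justified. The following added example (not from the exam page or from any CMMC tool) performs that reconciliation over constructed text in the shape of Linux `ss -tulnp` output; the approved triples, the sample lines and the unapproved listeners on ports 8080 and 161 are all constructed, and the real tool's column layout can vary by version.

```python
"""Reconcile observed listening services against the approved inventory.

Added example. SAMPLE_SS is constructed text shaped like `ss -tulnp` output
from a Linux host; the parser relies only on the netid, local address:port
and process columns, which are stable across versions.
"""
import re

# Approved (protocol, port, program) triples from the inventory. Constructed.
APPROVED = {
    ("tcp", 22, "sshd"),    # SFTP
    ("tcp", 25, "smtpd"),   # SMTP
    ("tcp", 53, "named"),   # DNS
    ("udp", 53, "named"),   # DNS
}

# Constructed sample: two listeners (8080, 161) are not in the inventory.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*     users:(("smtpd",pid=901,fd=6))
tcp   LISTEN 0      10           0.0.0.0:53         0.0.0.0:*     users:(("named",pid=620,fd=21))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*     users:(("named",pid=620,fd=512))
tcp   LISTEN 0      5          127.0.0.1:8080       0.0.0.0:*     users:(("python3",pid=1404,fd=3))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=700,fd=7))
"""

# First program name inside users:(("name",pid=...,fd=...))
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Return a set of (proto, port, program) for each socket line.

    Duplicate v4/v6 listeners for the same service collapse into one entry.
    """
    found = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto = fields[0]
        local = fields[4]                        # e.g. 0.0.0.0:22 or [::]:22
        port = int(local.rsplit(":", 1)[1])
        m = PROC_RE.search(line)
        program = m.group(1) if m else "?"
        found.add((proto, port, program))
    return found


def reconcile(observed, approved):
    """Split listeners into unapproved (finding), missing (approved but not
    running, worth a question) and approved (matches the inventory)."""
    return {
        "unapproved": sorted(observed - approved),
        "missing": sorted(approved - observed),
        "approved": sorted(observed & approved),
    }


if __name__ == "__main__":
    report = reconcile(parse_ss(SAMPLE_SS), APPROVED)
    for proto, port, prog in report["unapproved"]:
        print(f"FINDING: {proto}/{port} ({prog}) is listening but not in the approved inventory")
    for proto, port, prog in report["missing"]:
        print(f"NOTE: approved {proto}/{port} ({prog}) not observed")
    print(f"{len(report['approved'])} listeners match the inventory")
```

Matching on the program name as well as the port catches the case where an approved port is being served by an unexpected binary, which a port-only comparison would miss. On a real host the input would be the live output of `ss -tulnp` (or the equivalent on other platforms) captured during the test step of the assessment.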

50.

During an interview with network administrators responsible for managing remote access, they mentioned using a next-generation firewall (NGFW) to secure the VPN connection, which can inspect remote device configurations and identify signs of potential split tunneling. How can the functionality of this NGFW contribute to achieving the objectives of CMMC practice SC.L2-3.13.7-Split Tunneling?

  • By detecting and potentially blocking remote device connections that exhibit signs of split tunneling.

  • By automatically reconfiguring remote devices to disable split tunneling.

  • By encrypting all traffic on the local network, the system can prevent unauthorized access even if split tunneling occurs.

  • By creating a centralized repository of allowed split-tunnel configurations for different user groups.

While automatically reconfiguring remote access devices might seem desirable, modifying them without proper authorization or central management could be disruptive. The NGFW's ability to detect potential split tunneling attempts is valuable. By identifying such connections, the NGFW can take further actions, such as blocking them or alerting administrators for investigation. This proactive approach helps enforce CMMC practice SC.L2-3.13.7-Split Tunneling by mitigating the risks associated with split tunneling.

51.

A defense contractor has a complex network design with multiple VLANs. The network is divided into three VLANs: VLAN 10 for the administrative offices, VLAN 20 for the engineering department, and VLAN 30 for the manufacturing floor. The company's system security plan states that VLANs are used to create logical network segments and improve security. A Layer 3 switch is responsible for routing traffic between the VLANs, and the switch is configured to allow any type of traffic between the VLANs. How should VLANs be treated when defining the contractor's CMMC Assessment scope?

  • Include them in the CMMC Assessment Scope.

  • Include only VLAN 30 in the CMMC assessment scope as it directly interacts with CUI.

  • Do not include any VLAN in the CMMC assessment scope.

  • Include only VLAN 20 and VLAN 30 in the assessment scope.

The VLAN itself does not provide effective segmentation because there is no boundary preventing unrestricted communication between VLANs. The Layer 3 switch routes all traffic between the VLANs on demand without any firewall rules set. In many companies, VLANs are used to create separate subnets for IP address management, but they do not serve as boundaries or segmentation. VLANs should only be considered effective boundaries if routing between them is disabled or if an Access Control List with deny-by-default rules effectively controls communications between the VLANs.

52.

During the on-site assessment, the assessment team thoroughly evaluated an OSC's systems, policies, procedures, and practices against the 110 CMMC Level 2 practices. Initially, they found several deficient areas where practices were not fully met. The OSC took advantage of the Limited Practice Deficiency Correction program, which allowed them to provide additional evidence and implement corrections for certain deficient practices during the assessment period. What status should the Lead Assessor recommend for CMMC Level 2 Certification if an OSC has 85 out of 110 practices scored as 'MET' after applying the Limited Practice Deficiency Correction program?

  • The Lead Assessor will recommend the OSC receive a final finding of 'Not Achieved' for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.

  • Defer the recommendation until the OSC has fully remediated all 'NOT MET' practices through a Plan of Action and Milestones (POA&M).

  • Recommend 'CMMC Level 2 Conditional Certification' with a requirement to correct the remaining deficiencies within a specified timeframe.

  • Recommend 'CMMC Level 2 Certification' without any conditions.

If the overall scoring of the assessment after placing eligible items on the Limited Practice Deficiency Correction program results in less than 80% (88 out of 110) of practices being scored as "MET," the OSC will receive a final finding of 'Not Achieved' for CMMC Level 2 Certification. In this case, with 85 out of 110 practices scored as 'MET,' the OSC has not met the 80% (88 out of 110) threshold required for CMMC Level 2 Certification. Therefore, the correct recommendation for the Lead Assessor is to recommend "Not Achieved" for CMMC Level 2 Certification, requiring the OSC to correct the deficiencies and reapply for certification in the future.

53.

A CCA witnesses another CCA from their C3PAO team flirting with an OSC employee during a social event after completing the assessment. According to the CoPC, what is the most appropriate course of action for the observing CCA?

  • Discreetly remind the other CCA of the CoPC’s harassment and discrimination guidelines

  • Ignore the situation, as it doesn't impact the assessment

  • Publicly confront the other CCA about their unprofessional behavior

  • Report the incident directly to the Cyber AB

Correct answer: Discreetly remind the other CCA of the CoPC’s harassment and discrimination guidelines

CoPC paragraph 3.6(2) prohibits harassment. While reporting the incident to the Cyber AB might seem like a strong reaction, reminding the CCA who is acting inappropriately of the CoPC's harassment and discrimination guidelines allows them to correct their behavior and allows the observing CCA to address the issue directly with the colleague while maintaining professionalism.

54.

An OSC can use either of the following strategies to meet the requirements of CMMC practice MP.L2-3.8.8-Shared Media, EXCEPT?

  • Permitting unrestricted use of portable storage devices after users complete security awareness training

  • Ensuring every portable storage device is assigned an owner, project, or department with an identifiable label or registered in a central database.

  • Implementing strong access controls that only allow registered devices to connect to the system.

  • Implementing a strict usage policy that allows only the use of owned portable storage devices

The main assessment objective in CMMC practice MP.L2-3.8.8-Shared Media is ensuring that "the use of portable storage devices is prohibited when such devices have no identifiable owner." All the other options fulfil this objective. Permitting unrestricted use of portable storage devices is contrary to the requirements of the assessment objective, even if the users have completed a security awareness training program.

55.

An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

  • Yes, as long as all corrective actions are verified.

  • Yes, but the OSC must re-perform the entire CMMC L2 assessment.

  • No, the OSC must wait for the next assessment cycle.

  • No, the 180-day window has closed.

The OSC has 180 days from the Assessment Final Recommended Findings Briefing to select a C3PAO to conduct a POA&M Close-Out Assessment. A Lead Assessor and, if necessary, additional assessors review the OSC's updated POA&M together with the accompanying evidence or scheduled collections (observations, interviews, or tests). At 170 days the OSC is still inside that window, so the close-out assessment can proceed without re-performing the full CMMC L2 assessment. The assessors' task is to verify that each corrective action actually mitigates the specific weakness recorded on the POA&M during the CMMC L2 Assessment and that the practice is now 'Fully Implemented' and scored 'MET'. Had the 180 days elapsed, the close-out option would no longer be available and the OSC would have to undergo a new assessment.

56.

You are a CCA participating in an assessment exercise for an OSC. You have completed the exercise, and the OSC has hashed the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?

  • Upload the Hashes to the OSC's CMMC eMASS.

  • Upload them to your C3PAO's cloud instance.

  • Tell the OSC to encrypt the hash.

  • Nothing, the assessment is complete.

To maintain the integrity and confidentiality of the artifacts, the Lead Assessor must ensure that the OSC has hashed all artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. The OSC is responsible for hashing and retaining the artifacts for three years. Once the OSC has hashed the evidence artifacts, the next step for the Assessment Team, specifically the CMMC eMASS-authorized C3PAO representative, is to report the OSC's hash values in the CMMC eMASS System.
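The value of recording hashes is that anyone later (the C3PAO, DoD, or the OSC itself) can re-hash the retained artifacts and prove they are the ones examined during the assessment. The added example below, not from the exam page and not the CMMC Artifact Hashing Tool itself, shows the mechanism that makes that possible: a SHA-256 digest of every artifact is written to a sorted manifest, the manifest itself is digested to a single value that can be recorded, and a verify step re-hashes the files against the manifest and reports anything modified or missing. It assumes SHA-256 and a "digest  relative/path" line format; the guide's exact file layout and invocation are not reproduced. The artifact files are constructed in a temporary directory so the example runs offline.

```python
"""Hash a set of assessment artifacts into a manifest and verify them later.

Added example. Assumes SHA-256 and a manifest of "digest  relative/path"
lines; the real CMMC Artifact Hashing Tool's output format is not reproduced.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """One 'sha256  relative/path' line per regular file under root, sorted by path.

    Sorting makes the manifest (and therefore its digest) deterministic for a
    given artifact set, regardless of filesystem enumeration order.
    """
    root = Path(root)
    lines = [
        f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]
    return "\n".join(lines) + "\n"


def manifest_hash(manifest_text):
    """The single value worth recording: a digest over the manifest of digests."""
    return hashlib.sha256(manifest_text.encode("utf-8")).hexdigest()


def verify(root, manifest_text):
    """Re-hash each listed artifact; return [(path, 'modified'|'missing'), ...]."""
    root = Path(root)
    problems = []
    for line in manifest_text.splitlines():
        digest, rel = line.split("  ", 1)
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "modified"))
    return problems


def demo():
    """Build constructed artifacts, hash them, then tamper with one and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policies").mkdir()
        (root / "policies" / "access_control_policy.txt").write_bytes(b"constructed artifact 1\n")
        (root / "ssp.txt").write_bytes(b"constructed SSP excerpt\n")

        manifest = build_manifest(root)
        recorded = manifest_hash(manifest)      # what would be reported for the artifact set
        before = verify(root, manifest)         # clean: []

        # Post-assessment edit to a retained artifact must be detectable.
        (root / "ssp.txt").write_bytes(b"constructed SSP excerpt, edited after assessment\n")
        after = verify(root, manifest)          # [("ssp.txt", "modified")]
        return recorded, before, after


if __name__ == "__main__":
    recorded, before, after = demo()
    print("manifest digest:", recorded)
    print("problems before tampering:", before)
    print("problems after tampering: ", after)
```

Because the manifest digest covers every per-file digest and path, recording that one value is enough to bind the whole artifact set: changing, removing or renaming any artifact changes the manifest and therefore the recorded digest, while the per-file lines tell you which artifact changed.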

57.

You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, you find the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Which assessment methods would be most appropriate for the assessor to evaluate the contractor's implementation of AU.L2-3.3.9-Audit Management?

  • A combination of examining relevant documentation, conducting interviews, and testing access management mechanisms.

  • Examine the system configuration settings and access control lists.

  • Interview personnel with audit and accountability responsibilities.

  • Test the mechanisms for managing access to audit logging functionality.

AU.L2-3.3.9-Audit Management suggests using a combination of assessment methods, including examining policies, procedures, system documentation, access authorizations, and system-generated lists of privileged users with access to audit management functions. Interviews with relevant personnel and testing the mechanisms for managing access to audit logging functionality are also recommended.

58.

Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2-Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided the same biannual training on CUI handling and cybersecurity best practices. In your assessment, you would rely on all of the following evidence, EXCEPT?

  • Codes of Federal Regulation

  • The contractor's training records

  • Security awareness and training policy

  • The contractor's security training curriculum and materials

While important for overall compliance, codes of federal regulations (CFRs) don't provide specific details about the contractor's implementation of role-based security training programs. CMMC focuses on the organization's internal practices and how they address the control requirements. However, you can examine the CFRs to determine what the contractor is required to comply with.

59.

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the Contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the Contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. What risks does the hybrid infrastructure with cloud storage and remote access introduce regarding CUI data flow?

  • It increases the number of entry and exit points for CUI data. The remote access also makes auditing and controlling flow more difficult.

  • Increases chances of CMMC non-compliance

  • Exposes the data to unauthorized access.

  • It has no impact on CUI data flow or risks.

By introducing cloud storage and remote access, there are more entry points for potential breaches. This wider access also makes it harder to track and control CUI data movement, increasing the risk of unauthorized access and making it more difficult to ensure compliance with data security regulations.

60.

An OSC is undergoing a CMMC Level 2 assessment, and the C3PAO Assessment Team has identified several practices that the organization has not yet fully implemented. During the assessment, the CCA notes significant progress by the OSC towards implementing control MP.L2-3.8.4-Media Markings, but acknowledges that not all required steps have been completed. The CCA explains to the OSC that this partially implemented practice will need to be tracked in the Limited Practice Deficiency Correction Program. How should CMMC practices tracked under the Limited Practice Deficiency Correction Program be scored?

  • Not Met

  • Met

  • Not Applicable

  • Partially Met

All practices placed on the Limited Practice Deficiency Correction Program will be scored as 'NOT MET' and recorded on the CMMC L2 Limited Practice Deficiency Correction Program Worksheet.