Cyber AB CCA Exam Questions

Page 4 of 25

61.

Unique individuals, processes, and devices must be assigned Identifiers. CMMC requires that an OSC defines a period of inactivity after which an identifier is disabled. The identifier must be disabled after the defined period of inactivity lapses. All of the following are effective strategies the OSC can use to meet the requirements of CMMC practice IA.L2-3.5.6-Identifier Handling, EXCEPT?

  • Subscribing to RSS feeds

  • Automated monitoring and periodic auditing and administrator review

  • Setting up automated alerts and implementing a secure reactivation process

  • Implementing an automated inactivity threshold policy

To fulfil CMMC practice IA.L2-3.5.6-Identifier Handling, the OSC can adopt a blend of strategies for managing account inactivity. Implementing automated monitoring to track and turn off unused identifiers after a specified inactivity period, alongside generating activity reports to flag such accounts, effectively manages inactivity. An inactivity threshold policy, supported by administrator reviews and account management tools, ensures automated deactivation of inactive accounts. Automated alerts can inform administrators about accounts nearing inactivity thresholds, complemented by periodic system usage audits. Training on the importance of deactivating unused accounts, a clear usage policy on inactivity thresholds, and a secure process for account reactivation collectively enhance security by minimizing risks associated with inactive accounts, aligning with CMMC requirements.

62.

An OSC allows some employees to use their personal devices (laptops, tablets) for work purposes. The OSC enforces a BYOD policy that requires employees to install Mobile Device Management (MDM) software on their devices. The MDM allows for remote wiping of lost or stolen devices and enforces access control policies. Employees use VPNs to remotely access the OSC network from their personal devices. What challenges might a CCA face when collecting evidence to assess the OSC's compliance with AC.L2-3.1.12 – Control Remote Access?

  • Privacy concerns arise due to the personal nature of BYOD devices

  • The use of VPNs ensures a secure connection regardless of the device used for remote access

  • The CCA can rely solely on employee attestation to verify compliance with the BYOD policy

  • The use of MDM software simplifies evidence collection on mobile device security configurations

Correct answer: Privacy concerns arise due to the personal nature of BYOD devices

CMMC requires OSCs to monitor and control remote access sessions (AC.L2-3.1.12). In this scenario, the OSC allows BYOD with MDM software for remote access. While the MDM offers some security features, the CCA's ability to directly examine personal devices for evidence of remote access controls implemented by the MDM software might be limited due to privacy concerns. This could make it challenging for the CCA to collect evidence regarding the effectiveness of the OSC's controls in this BYOD environment.

63.

A C3PAO and OSC have agreed to proceed with CMMC assessment planning. The OSC assessment official and the C3PAO are working to determine the planning details and purview of the Assessment, which includes scoping. What are the two types of "scoping" activities that a C3PAO will encounter during Phase 1 of a CMMC assessment?

  • Assessment Framing and CMMC Assessment Scope

  • Technical scoping and logistical scoping

  • Asset scoping and environment scoping

  • Initial scoping and final scoping

Section 1.4 of the CMMC Assessment Process (CAP) identifies two types of scoping activities a C3PAO and the OSC will encounter during the Assessment: Assessment Framing and CMMC Assessment Scope. Assessment framing involves identifying high-level details like schedule, resources, and logistics, while CMMC Assessment Scope specifically defines the boundaries within the OSC's environment that contain assets to be assessed. It's crucial to differentiate between these terms to avoid confusion.

64.

While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt. Based on this scenario, which of the following statements are TRUE about the contractor's implementation of CMMC practice AC.L2-3.1.8-Unsuccessful Logon Attempts?

  • The contractor has successfully implemented practice AC.L2-3.1.8-Unsuccessful Logon Attempts warranting a score of MET

  • Based on the current implementation, CMMC practice AC.L2-3.1.8 cannot be scored as MET.

  • The contractor's approach does not provide sufficient protection against unauthorized access attempts.

  • The contractor's approach does not adequately address the required assessment objectives

Although there may be other better ways of implementing means of limiting unsuccessful logon attempts, the contractor has demonstrated to have taken sufficient measures to meet the two assessment objectives of AC.L2-3.1.8 including setting the account lockout threshold, reset account lockout counter, and account lockout duration.

65.

An OSC uses a web application for document management. Employees can access this application from any internet-connected device through a web browser. The application resides on servers in a secure data center managed by a third-party vendor. The OSC maintains separate servers within its network to store the documents. When employees use the web application to upload documents, what type of locations are they interacting with?

  • A logical location for the web application and a physical location for the document storage servers

  • The physical location of their internet-connected devices

  • The physical location of the vendor's data center

  • A secure area within the OSC's data center

Correct answer: A logical location for the web application and a physical location for the document storage servers

Employees interact with a web application hosted on a vendor's servers (logical location). Uploaded documents are stored on the organization's servers (physical location). The distinction lies in accessing the application through the internet (logical) and storing documents on the organization's servers (physical).

66.

During scoping discussions with a Lead Assessor, the OSC mentions that there are several connected systems within the organization's network. How should the Lead Assessor consider connected systems in the scoping of the CMMC assessment?

  • Connected systems would be considered in scope for the assessment if the systems could impact the security of the CUI (or FCI) environment or if they store, process, or transmit CUI (or FCI) within the organization's network.

  • Connected systems are only in scope if they directly transmit FCI and/or CUI.

  • Only internally connected systems directly handling FCI and/or CUI are in scope.

  • Connected systems are never in scope unless specifically requested by the OSC.

According to CMMC scoping requirements, all connected systems that may impact the security of the FCI/CUI environment, or that store, process, or transmit CUI and FCI, are considered in scope for the assessment.

67.

An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence corroborating their implementation of CMMC practice PS.L2-3.9.2-Personnel Actions, EXCEPT?

  • List of usernames and passwords of all the employees

  • Records of personnel transfer and termination actions

  • Records of exit interviews accompanied by a list of terminated employees' identifiers

  • Records of terminated or revoked authenticators and credentials

Although a security best practice, CMMC practice PS.L2-3.9.2-Personnel Actions, does not require maintaining a list of usernames and passwords for all employees. The other evidence (personnel transfer/termination actions, revoked authenticators/credentials, exit interviews with terminated employees' identifiers) are relevant for demonstrating compliance with this practice.

68.

You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What risks does this pose related to separation of duties?

  • The engineer has too much concentrated privilege which increases risk of errors or malicious activity.

  • The development timeline might be delayed.

  • The engineer might forget important details during the development process.

  • The engineer's role and responsibilities in the development process are clearly defined.

Having a single engineer handle all stages increases the risk of errors going unnoticed. Malicious actors could also exploit this situation to introduce vulnerabilities undetected. AC.L2-3.1.4 (Separation of Duties) requires duties to be separated in order to create checks and balances and mitigate such risks.

69.

You are part of the Assessment Team that has been conducting a CMMC assessment for an OSC. You have just completed the third phase, and it appears that the OSC is in a good position. If they address the deficiencies in the POA&M, they have a good chance of achieving full certification. Which of the following is not an output of the CMMC Assessment Process Phase 3?

  • Pre-Assessment Data Form

  • Practice Scores and Justification

  • Records of evidence reviewed and examined.

  • Assessment Results Package

The Pre-assessment Data Form is an output generated during Phase 1 of the CAP. It gathers initial information about the OSC to establish the scope and feasibility of the assessment. By Phase 3, the focus has shifted to evaluating the OSC's cybersecurity practices based on evidence collected during the assessment.

70.

A defense contractor has implemented a secure wireless network infrastructure to support their operations and client engagements. They use the WPA2-Enterprise encryption protocol with AES-CCMP ciphers and the 802.1X port-based authentication framework to secure their wireless network. The wireless network infrastructure includes a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication and authorization of wireless clients. The contractor has deployed multiple Wireless Access Points (WAPs) throughout their office premises, each with its own Service Set Identifier (SSID) and VLAN configuration. Before granting wireless access, the contractor's IT team verifies the device's compliance with their security standards and validates the user's credentials against the RADIUS server using EAP-TLS authentication. Based on the scenario, which of the following recommendations would be MOST appropriate for the contractor to improve their security posture under AC.L2-3.1.16-Wireless Access Authorization?

  • Implementing additional network segmentation to isolate sensitive data from other network traffic.

  • Replacing the 802.1X framework with a simpler password-based authentication mechanism.

  • Disabling individual SSID and VLAN configurations on each WAP for a more centralized approach.

  • Increasing the frequency of wireless password changes for all users accessing the network.

Based on the scenario, the MOST appropriate recommendation for the contractor to improve their security posture under AC.L2-3.1.16 - Wireless Access Authorization is implementing additional network segmentation to isolate sensitive data from other network traffic. Enhancing network segmentation further isolates sensitive data, reducing the risk of unauthorized access and limiting the impact of any potential breach. This directly supports the protection of Controlled Unclassified Information (CUI) and aligns with best practices for secure wireless access authorization. The other options are weaker: 1) replacing 802.1X with password-based authentication would weaken security, as 802.1X provides stronger, more secure authentication than simpler password-based mechanisms; 2) disabling individual SSID and VLAN configurations would reduce the granularity of control and segmentation, potentially lowering security rather than improving it; and 3) increasing the frequency of wireless password changes might improve security to a degree, but it is not as impactful or as aligned with the specific requirements of wireless access authorization under CMMC as implementing additional segmentation. Therefore, implementing additional network segmentation is the most appropriate recommendation for improving the contractor's security posture.

71.

As the Lead Assessor for a CMMC Level 2 assessment team, you have completed the examination of evidence and generated Preliminary Recommended Findings. Now, it is time to submit, package, and archive the assessment documentation, ensuring accuracy, completeness, and adherence to protocol. According to the CMMC Assessment Process, how long after the Final Findings Briefing must you submit the Assessment Results Package to the C3PAO CQAP?

  • 10 business days

  • 15 business days

  • 20 business days

  • 30 business days

The CAP clearly states that after the Lead Assessor submits the Assessment results package to the C3PAO, reports must be submitted to the CQAP no later than 10 business days from the Final Findings Briefing.

72.

An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1-Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover that the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance. What is the most appropriate course of action for you as the Lead Assessor in this scenario?

  • Replan the assessment to allow the OSC additional time to locate the missing evidence.

  • Proceed with the assessment as planned, relying on interviews to understand the missing policies.

  • Advise the OSC on how to improve or enhance their missing policies.

  • Cancel the assessment entirely due to missing evidence.

The missing system security policies are critical evidence for demonstrating compliance with various CMMC practices. Without this evidence, it would be challenging for the assessment team to accurately evaluate the OSC's implementation during Phase 2. The Lead Assessor makes his or her Assessment feasibility determination known to the OSC and the C3PAO and documents the recommendation in writing. The C3PAO retains the ultimate decision authority on whether or not to proceed with the conduct of the Assessment, dependent as well upon the willingness of the OSC to proceed. The CAP states that if not all preparedness requirements have been met, the Lead Assessor should recommend replanning the assessment to allow the OSC to resolve discrepancies before proceeding.

73.

During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment. What is your ethical obligation in this situation?

  • Discreetly approach the CCA and offer to help them understand the CoPC guidelines

  • Ignore the situation, as it doesn’t involve you directly

  • Immediately report the incident to the Cyber AB

  • Publicly confront the CCA and remind them of the CoPC violation

Correct answer: Discreetly approach the CCA and offer to help them understand the CoPC guidelines

Helping the CCA understand their obligations aligns with the CoPC requirement to first attempt to rectify the violation internally. A private conversation provides clarification and encourages the colleague to uphold ethical standards.

74.

Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. How would you score the contractor's implementation of the IA domain requirement on Temporary Passwords?

  • Not Met (-1 point)

  • Met (+5 points)

  • Met (+1 point)

  • Not Met (-5 points)

The penetration test report shows that the generated temporary passwords did not have sufficient entropy, making them vulnerable to brute-force attacks. This does not align with the requirement in CMMC practice IA.L2-3.5.9-Temporary Passwords, which requires temporary passwords to be changed immediately to a permanent password upon logon, ensuring the necessary strength of the authentication mechanism. While the contractor has a temporary password usage policy, the implementation fails to provide secure temporary passwords that must be changed right away, as required by CMMC practice IA.L2-3.5.9-Temporary Passwords.

75.

As the Lead Assessor, you are interviewing an OSC's security team to assess their Incident Response (IR) capabilities for CMMC Practice IR.L2-3.6.1 - 'Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities'. The security team outlines their general approach to incident response, including procedures for identifying and reporting security incidents. However, when asked about specific details of their response plan, such as containment strategies or user notification procedures, their answers seem vague and lack specifics. During an interview with a member of the OSC's IT support team, you notice that the interviewee seems hesitant to provide detailed responses and appears concerned about potential repercussions from the organization. How should you handle this situation?

  • Take steps to ensure and verify that confidentiality and non-attribution are addressed so the interviewee can speak openly without fear or concern about retribution.

  • Proceed with the interview as planned, assuming that the interviewee's responses are accurate and complete.

  • Terminate the interview and exclude the IT support team member from further assessment activities.

  • Request the OSC to assign a different representative for the IT support team who is more comfortable with the interview process.

Based on this scenario, the Lead Assessor should take steps to ensure and verify that confidentiality and non-attribution are addressed for interviewees so that they can speak openly without fear or concern about retribution from any member of the OSC. This step is essential to gather accurate and complete information during interviews.

76.

You are a CCA working for a C3PAO. An OSC has submitted a request for a CMMC Assessment, and the C3PAO is in the process of assigning a Lead Assessor for this engagement. As an experienced Assessor, you are being considered for the role of Lead Assessor. Once the C3PAO assigns the Lead Assessor, what is the next step in the process?

  • The C3PAO replies to the OSC in writing and introduces the Lead Assessor to begin the engagement with the OSC.

  • The Lead Assessor assigns other members to the Assessment Team.

  • The OSC submits additional documentation to the Lead Assessor.

  • The Lead Assessor immediately begins conducting the assessment.

Once the C3PAO selects and assigns a Lead Assessor, the C3PAO should contact the OSC in writing and introduce the Lead Assessor to begin the engagement with the OSC.

77.

A medium-sized company that develops software components for DoD's military applications has a dedicated IT team responsible for maintaining its infrastructure and systems. They have retained your services to assess their compliance with CMMC requirements for certification so they can continue offering services to the DoD. Recently, the contractor experienced several security incidents where unauthorized changes were made to their systems, resulting in potential data breaches and system instability. Upon investigation, it was discovered that some IT team members were using unauthorized tools and techniques for system maintenance, and there was a lack of proper controls and oversight over the maintenance processes. Which measures should the contractor implement to comply with CMMC practice MA.L2-3.7.2-System Maintenance Control?

  • Establish and enforce policies and procedures for approving, controlling, and monitoring maintenance tools, techniques, and mechanisms.

  • Outsource all system maintenance activities to a third-party vendor to avoid potential issues.

  • Provide unrestricted access to maintenance tools and techniques for all IT personnel to facilitate efficient maintenance activities.

  • Implement strict access controls for maintenance personnel but allow them to use any necessary tools and techniques.

CMMC practice MA.L2-3.7.2-System Maintenance Control requires organizations to provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Establishing and enforcing policies and procedures that govern the approval, control, and monitoring of maintenance tools, techniques, and mechanisms directly addresses this requirement.

78.

During a POA&M Close-Out Assessment, the Lead Assessor encounters a situation where the organization's corrective actions for a specific practice have inadvertently limited the effectiveness of another practice that was previously scored as 'MET' during the initial assessment. In this scenario, what should the Lead Assessor's recommendation to their C3PAO be?

  • Recommend the organization not be granted CMMC Level 2 Final Certification.

  • Update the POA&M and recommend the organization for CMMC Level 2 Final Certification, adding the affected practice to the POA&M.

  • Defer the recommendation and request the organization to undergo a full reassessment.

  • Recommend the organization for CMMC Level 2 Final Certification.

The Lead Assessor should not recommend the organization for CMMC Level 2 Final Certification if the corrective actions for POA&M items change or limit the effectiveness of another practice that was previously scored as 'MET' during the initial assessment. The CAP clearly states that if any practices on POA&M Review fail to result in a score of 'MET', the Lead Assessor will recommend the OSC NOT be recommended for CMMC L2 Final Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification. The CMMC L2 Interim Certification will become null and void.

79.

During your assessment of an OSC's implementation of security engineering principles throughout its system and software development lifecycles, you review their policies and interview personnel. The OSC has a documented security architecture that includes high-level security requirements such as data encryption, least privilege access controls, and input validation. However, this guidance remains fairly general. You then examine the system design documentation for a key application processing CUI. Although security requirements are mentioned, there is no evidence that specific security engineering techniques, such as threat modeling, layered protections, or secure design patterns, were employed during the design phase. Interviews with the development team reveal limited experience with advanced security engineering practices beyond basic secure coding. The team admits they did not perform activities like misuse case analysis, abuse case modeling, or attack surface reviews during the design process. In further testing, you find that the OSC has established secure coding standards, conducts static code analysis, and performs penetration testing before production releases. However, there are no documented processes for incorporating explicit security engineering activities during the design and architecture phases. Based on this scenario, how does the lack of documented processes for security engineering activities during the design and architecture phases most likely impact the security of the OSC's CUI? Choose the best answer.

  • Security vulnerabilities are likely to be introduced during the design phase and may remain undetected throughout the development lifecycle.

  • Secure coding practices and penetration testing will still identify most vulnerabilities.

  • It makes it more difficult for developers to understand the security requirements.

  • The OSC will not be able to comply with other CMMC security practices.

The lack of documented security engineering activities during the design and architecture phases increases the risk of vulnerabilities being embedded in the system's foundation, which may not be identified or mitigated later in the development lifecycle, even with secure coding practices and testing, potentially exposing CUI to threats.

80.

An OSC has contacted your C3PAO organization for a prospective CMMC L2 assessment. You have been selected to lead the Assessment team. When ascertaining the Assessment conditions and requirements, you discuss the prospective CMMC assessment scope with the OSC. Before proceeding to phase 2 of the CMMC assessment process, the OSC must complete the following steps of its High-Level scoping process, EXCEPT?

  • Evaluate Model Non-Duplication

  • Establish the CMMC Assessment Scope of their networked environment

  • Identify and take inventory of the various categories of CMMC assets contained in the networked environment.

  • Propose the scope of the CMMC assessment that will be evaluated by the Lead Assessor and validated by the C3PAO.

The OSC's CMMC assessment scoping process involves these steps: 1) Determining the scope of applicability of the CMMC assessment. In this step, the OSC has the initial responsibility to establish the CMMC Assessment Scope of their networked environment, to include identifying and taking inventory of the various categories of assets contained therein that will be the subject of the CMMC Assessment; and 2) Working with the C3PAO's Lead Assessor to verify the CMMC Assessment Scope. In this step, the OSC presents the CMMC Assessment Scope to the Lead Assessor, who then proceeds to verify its accuracy and integrity.