Cyber AB CCA Exam Questions

Page 6 of 25

101.

After being selected for a C3PAO Assessment Team, you have been chosen as the Lead Assessor for an upcoming project involving an OSC that produces aircraft parts. Your C3PAO has assigned you various responsibilities. Which of the following is not your responsibility as a Lead Assessor?

  • Review and collect Evidence to demonstrate that the practice that is being performed is effectively implemented and conforms to the CMMC standard

  • Framing and planning the assessment.

  • Validating site access and communicating visitation policies with the Assessment Team.

  • Developing the evidence collection approach and managing the assessment team.

The Lead Assessor's role is primarily focused on planning, framing, and managing the overall assessment process, and coordinating with the OSC and the Assessment Team. However, the direct collection and examination of evidence, as well as conducting or participating in interviews, are not explicitly mentioned as responsibilities of the Lead Assessor, but rather those of the other Assessment Team members.

102.

CMMC practice CM.L2-3.4.9-User-Installed Software, requires OSCs to establish a policy controlling software installation, ensure any software installations by any user follow the established policy, and monitor user software installation. Which of the following is not something the OSC can cite as evidence to demonstrate their efforts to meet the requirements of CM.L2-3.4.9-User-Installed Software?

  • Installed software specifications

  • The OSC's formal process for users to request the installation of approved software

  • The OSC's procedures addressing user-installed software

  • The list of rules governing user-installed software

An OSC can demonstrate meeting the requirements of CMMC practice CM.L2-3.4.9-User-Installed Software, for controlling and monitoring user-installed software, through: 1) a list of rules governing user software installations, addressing the need for an established policy [a]; 2) documented procedures on user-installed software, showing how the policy is implemented [b]; and 3) a formal process for users to request approved software installations, enabling monitoring of installations [c]. Together these cover having a software installation policy, enforcing it through procedures, and a mechanism to track approved user installations, fully satisfying the practice objectives. Installed software specifications cannot be used as evidence in this scenario because they do not show who installed the software or whether the process to request and install software was followed.

103.

An OSC is preparing for a CMMC assessment. It has multiple information systems, some of which process CUI and others that do not. The OSC has identified a specific system that processes CUI and defined this as its System Boundary. However, this system is connected to other systems within the OSC that are separately authorized and do not process CUI. As a Certified CMMC Assessor, which of the following best describes your approach to defining the CMMC Certification Boundary and Assessment Scope for the OSC?

  • The CMMC Certification Boundary should include the specific system that processes CUI. In contrast, the Assessment Scope should consist of all components of the information system that require authorization and excludes separately authorized systems to which the information system is connected.

  • The CMMC Certification Boundary should include the specific system that processes CUI, while the Assessment Scope should encompass all systems within the OSC.

  • The CMMC Certification Boundary and Assessment Scope should only include the specific system that processes CUI and exclude all other systems.

  • The CMMC Certification Boundary and Assessment Scope should include all information systems within the organization, regardless of whether they process CUI or not.

According to the CMMC Assessment Process, the CMMC Certification Boundary defines the assets that will be evaluated for conformity with applicable CMMC practices. This is the boundary to which a CMMC Certification will be applied, such as the specific system that processes CUI. The Assessment Scope, on the other hand, includes the boundaries within an organization's networked environment that contain all the assets that will be assessed. According to the CMMC Glossary and Acronyms document, "the System Boundary is equivalent to the defined CMMC Assessment Scope, which is defined as the scope of the system and environment being assessed that includes all components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected." Therefore, even though the system is connected to other systems within the OSC, these separately authorized systems are excluded from the Assessment Scope.

104.

When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What key features regarding the deployment of Splunk for AU.L2-3.3.6-Reduction & Reporting would you be interested in assessing?

  • Ensure that Splunk employs various filter rules for reducing audit logs to eliminate non-essential data, and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports.

  • Ensure Splunk can retain audit records for a protracted amount of time

  • Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status

  • Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs.

To assess compliance with AU.L2-3.3.6-Reduction & Reporting, you would want to understand how Splunk collects logs from relevant sources, processes and reduces the audit logs [a], and generates reports from the audit data [b]. The practice requires the organization to provide audit reduction and report generation capabilities.

105.

During your assessment of an OSC's implementation of security engineering principles throughout its system and software development lifecycles, you review their policies and interview personnel. The OSC has a documented security architecture that includes high-level security requirements such as data encryption, least privilege access controls, and input validation. However, this guidance remains fairly general. You then examine the system design documentation for a key application processing CUI. Although security requirements are mentioned, there is no evidence that specific security engineering techniques, such as threat modeling, layered protections, or secure design patterns, were employed during the design phase. Interviews with the development team reveal limited experience with advanced security engineering practices beyond basic secure coding. The team admits they did not perform activities like misuse case analysis, abuse case modeling, or attack surface reviews during the design process. In further testing, you find that the OSC has established secure coding standards, conducts static code analysis, and performs penetration testing before production releases. However, there are no documented processes for incorporating explicit security engineering activities during the design and architecture phases. For an OSC's legacy applications, what does CMMC practice SC.L2-3.13.2-Security Engineering require regarding the application of security engineering principles?

  • Principles should be applied to the extent feasible based on the current state of the component.

  • You must retroactively apply security engineering principles to all legacy components.

  • You must re-architect and remediate all legacy components to align with the security engineering principles.

  • There is no requirement to apply security engineering principles to legacy components, only to new development.

CMMC practice SC.L2-3.13.2-Security Engineering states that for legacy systems, organizations should apply security engineering principles "to the extent feasible, given the current state of hardware, software, and firmware components within those systems." Therefore, retroactively applying principles is expected where possible, without necessarily requiring a full re-architecture.

106.

A medium-sized company that develops software components for DoD's military applications has a dedicated IT team responsible for maintaining its infrastructure and systems. They have retained your services to assess their compliance with CMMC requirements for certification so they can continue offering services to the DoD. Recently, the contractor experienced several security incidents where unauthorized changes were made to their systems, resulting in potential data breaches and system instability. Upon investigation, it was discovered that some IT team members were using unauthorized tools and techniques for system maintenance, and there was a lack of proper controls and oversight over the maintenance processes. According to CMMC practice MA.L2-3.7.2-System Maintenance Control, which of the following controls should the contractor implement for personnel involved in system maintenance?

  • Implement strict access controls and monitoring mechanisms for maintenance personnel.

  • Rely on maintenance personnel's professional certifications as sufficient vetting.

  • Only allow maintenance personnel to work during off-hours to minimize operational disruptions.

  • Maintenance personnel should be provided unrestricted access to all systems and components.

CMMC practice MA.L2-3.7.2-System Maintenance Control states that organizations should control the "personnel used to conduct system maintenance." Implementing access controls and monitoring mechanisms for maintenance personnel fulfils this requirement. Strict controls and agreements with external maintenance service providers are also critical to ensure they adhere to organizational standards and do not introduce new issues.

107.

As the Lead Assessor for your Assessment Team, you are validating an OSC's Scope in readiness to start the assessment. You learn that the OSC provides its employees with laptops to work on DoD projects. These laptops have an antivirus solution that connects to a management console to receive updates, send alerts, and control settings. However, the server does not process, store, or transmit CUI but implements several CMMC controls. Which of the following is NOT part of the OSC's requirements regarding the antivirus solution?

  • Logically separate the antivirus solution from other CUI Assets

  • They should document the specifics of the Antivirus solution in the asset inventory.

  • Itemize the solution in the CMMC Assessment Scope's network diagram and prepare it to be assessed against CMMC practices.

  • The OSC should document it in the System Security Plan (SSP)

The antivirus solution is a Security Protection Asset (SPA). The CMMC L2 Guidance on scoping requires the OSC to document these assets in their SSP, Asset Inventory, and to provide a network diagram of the assessment scope that includes them to facilitate scoping discussions during the pre-assessment. SPAs are part of the CMMC assessment scope. Thus, they must not be logically or physically separated from other CUI assets.

108.

During the assessment process, a CCA encounters a situation in which the evidence provided by the OSC raises concerns about its adequacy and alignment with the CMMC practice being assessed. What priority factors must the CCA have considered to arrive at these concerns?

  • Whether the evidence is the right evidence and meets the intent of the CMMC practice

  • The completeness of the evidence across all systems and processes

  • The level of detail and granularity provided in the evidence

  • The format and presentation of the evidence

Correct answer: Whether the evidence is the right evidence and meets the intent of the CMMC practice

When assessing the adequacy of evidence during a CMMC assessment, the primary consideration should be whether the presented artifact, interview, or test/demo meets the intent of the CMMC practice being evaluated. It is the CCA’s responsibility to critically evaluate the evidence and make a professional judgment regarding its adequacy in relation to the CMMC practice being assessed. By prioritizing whether the evidence meets the intent of the CMMC practice and is the right evidence, the assessor can ensure that the assessment accurately reflects the OSC's compliance with the specified requirements.

109.

In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Based on the information provided, is the OSC compliant with CMMC practice SC.L2-3.13.11-CUI Encryption? How would you score their implementation of this practice?

  • No, the OSC is not compliant. This practice would be scored as a deduction of 3 (-3) points.

  • Yes, 5 points.

  • Partially compliant; 1 point.

  • More information is needed to determine compliance.

CMMC practice SC.L2-3.13.11-CUI Encryption explicitly requires the use of FIPS-validated cryptography to protect the confidentiality of CUI. Using an approved algorithm alone is not sufficient; the cryptographic module (software or hardware) must be validated under the FIPS 140-2 or FIPS 140-3 standard. According to the DoD scoring methodology for this practice, if no cryptography is applied to protect CUI confidentiality, the assessor subtracts 5 points. However, if the OSC has applied cryptography to secure CUI but the modules are not FIPS 140-2 or 140-3 validated, the assessor subtracts 3 points.

110.

After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor's security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success. What assessment objective has the contractor failed to implement from CMMC practice CA.L2-3.12.2-Plan of Action?

  • Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective.

  • Identify the vulnerabilities and deficiencies that the plan of action will address.

  • Develop a change management plan that describes how to implement the remediation actions

  • The contractor has implemented all the assessment objectives in CA.L2-3.12.2-Plan of Action.

While the contractor has a defined remediation policy/plan and conducts regular audits to identify issues, the key failure point is that the remediation actions in the plan are not consistently taken or are ineffective when applied, according to interviews with the security and compliance team.

111.

After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using the SHA-512 algorithm, and the system administrator has to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card. While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. How can the contractor improve their access control for audit logging tools?

  • Implement role-based access control (RBAC) to restrict access based on job duties.

  • Train employees on the importance of protecting audit logs and the consequences of unauthorized access.

  • Increase the complexity of algorithms used for hashing and encryption of audit records.

  • While access control is essential, focusing on employee awareness is sufficient for CMMC compliance.

Implementing Role-Based Access Control (RBAC) directly addresses the control requirement and ensures only authorized personnel have access to audit logging tools, whose access level is based on job responsibilities. While the other options have merit, they do not directly address access control.

112.

A defense contractor has implemented a secure wireless network infrastructure to support their operations and client engagements. They use the WPA2-Enterprise encryption protocol with AES-CCMP ciphers and the 802.1X port-based authentication framework to secure their wireless network. The wireless network infrastructure includes a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication and authorization of wireless clients. The contractor has deployed multiple Wireless Access Points (WAPs) throughout their office premises, each with its own Service Set Identifier (SSID) and VLAN configuration. Before granting wireless access, the contractor's IT team verifies the device's compliance with their security standards and validates the user's credentials against the RADIUS server using EAP-TLS authentication. Based on the scenario, which of the following statements BEST describes the contractor's compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization?

  • The scenario does not provide enough information to determine compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization.

  • The contractor partially complies as they lack pre-approval for specific devices.

  • The contractor complies because they utilize strong encryption and authentication protocols.

  • The contractor does not comply because they use multiple WAPs with different configurations.

Based on the scenario provided, the contractor's compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization can be inferred. Even though wireless access is authorized prior to allowing connections, the scenario does not explicitly confirm that the Wireless Access Points (WAPs) themselves are uniquely identified as part of the authorization process.

Wireless Access Authorization: The scenario states that the contractor's IT team verifies device compliance with security standards and validates user credentials against the RADIUS server using EAP-TLS authentication before granting wireless access. This indicates that wireless access is authorized prior to connection.

WAP Identification: While the scenario mentions that multiple WAPs are deployed with unique SSIDs and VLAN configurations, it does not explicitly state that the WAPs are identified or authorized as part of the connection process. However, the use of unique SSIDs and VLAN configurations implies a level of network segmentation and control.

You can conclude that wireless access is authorized prior to allowing connections based on user and device authentication. However, the scenario does not explicitly confirm whether each WAP is uniquely identified as part of the authorization process. If WAP identification and authorization are required for full compliance, this detail would need to be explicitly verified or included.

113.

An Aerospace company has requested a CMMC assessment for the enclave only. Your team has verified that the company has a valid CAGE code and is registered with SAM.gov. However, the enclave has no separate CAGE code or SAM registration. Can the assessor proceed with the CMMC assessment solely for the enclave, or is an assessment of the entire Aerospace company's network required?

  • The assessor can proceed with the enclave assessment for CMMC Level 2 compliance

  • The assessor can proceed with the enclave assessment, but only for a lower CMMC level

  • The assessor must assess the entire company network.

  • The assessor cannot proceed with the enclave assessment.

According to the CMMC Assessment Process, an enclave is a set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. It is a segmentation of an organization's network or data that is intended to "wall off" that network or database from all other networks or systems. A CMMC Assessment Scope can be limited to an enclave. Thus, in this scenario, while a CAGE code and SAM registration are typically required for the HQ Organization or Host Unit, enclave assessments can be an exception. In this scenario, the aerospace company has the required credentials, and the enclave operates within its existing CMMC Level 2 compliant network. You can assess the enclave's security practices to ensure they meet CMMC Level 2 requirements without needing a separate CAGE code or SAM registration for the enclave itself. However, it is crucial to thoroughly evaluate the security controls implemented to isolate the enclave from the rest of the network.

114.

You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11-Session Termination. In assessing the contractor's implementation of AC.L2-3.1.11, you will likely need to examine all of the following specifications, EXCEPT:

  • Mechanisms for implementing user session termination

  • System Security plan

  • The Session termination policy

  • The Access control policy

Except for mechanisms for implementing user session termination, all the other items fit the definition of a specification provided in NIST SP 800-171A as "documented artifacts" associated with a system. Plans, policies, procedures, requirements, functional and assurance specifications, architectures, and design documentation are some of the specifications.

115.

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal web sites. What CMMC practice does this violate?

  • AC.L2-3.1.6

  • AC.L2-3.1.7

  • AC.L2-3.1.4

  • AC.L2-3.1.2

This violates AC.L2-3.1.6, Non-privileged Account Use, which requires the contractor to define non-security functions and require personnel to use non-privileged accounts or roles when accessing non-security functions.

116.

Mobile devices are increasingly becoming important in many contractors' day-to-day activities. Thus, the contractors must institute measures to ensure they are correctly identified and any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI. You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC.L2-3.1.18 (Mobile Device Connections). To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Which of the following is not considered a mobile device?

  • Laptops

  • Tablets

  • E-Readers

  • Smartphones

The scope defined in NIST SP 800-124 Rev.2 states that laptops are specifically excluded from the scope of this publication, as the security controls available today for laptops are quite different from those available for mobile phones, tablets, and other mobile device types. Mobile devices with minimal computing capability are also excluded, including feature phones, wearables, and other devices included under the Internet of Things (IoT) umbrella.

117.

Mobile devices are increasingly becoming important in many contractors' day-to-day activities. Thus, the contractors must institute measures to ensure they are correctly identified and any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI. You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC.L2-3.1.18 (Mobile Device Connections). To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Mobile devices connecting to organizational systems must have a device-specific identifier. Which of the following is the main consideration for a contractor when choosing an identifier?

  • Choosing an identifier that can accommodate all devices and be used consistently within the organization.

  • Use random identifiers to identify mobile devices on the network easily.

  • The identifier must be easily differentiable from one device to another.

  • Prioritize using identifiers that are easy to remember and user-friendly.

When choosing a device-specific identifier for mobile devices connecting to organizational systems, the primary consideration should be selecting an identifier that can be used consistently across all devices within the organization. This consistency is essential for properly identifying, tracking, and managing mobile devices on the network. The CMMC Assessment Guide emphasizes the importance of using a consistent and unique identifier for mobile devices to ensure proper access control, monitoring, and accountability within the organization's systems.

118.

The Certification Assessment Readiness Review (CA-RR) aims to determine whether the OSC and the Assessment Team are ready to conduct the assessment as planned and within the allocated time. It addresses all of the following aspects of readiness to conduct the assessment except which one?

  • OSC cybersecurity posture.

  • Logistics

  • Assessment risk status

  • Assessment readiness

The purpose of the Certification Assessment Readiness Review (CA-RR) is to determine whether the Assessment Team and OSC (including Supporting Units and any enclaves) are prepared to conduct the Assessment as planned and within the allocated time. The Readiness Review addresses several aspects of readiness, including, at a minimum, evidence readiness, Assessment Team readiness, logistics readiness, Assessment risk status, and overall Assessment feasibility.

119.

You are on-site with an Assessment Team at a medium-sized organization. When discussing how they protect their company's information from malware, spyware, etc., the administrator you are interviewing offers to show you the entire process from start to finish since she had that on her to-do list for the day. She opens the machine, turns it on, and installs what she says is anti-malware software. She also demonstrates how their deployed Next Generation Firewall (NGFW) works. You have never heard of this software, so you ask her where it was purchased. You later learn it is an open-source solution. Based on the scenario and the requirements of CMMC practice SI.L2-3.14.6-Monitor Communications for Attacks, what is your likely determination?

  • Request more information.

  • Find the OSC's implementation of the practice as Met.

  • Fail the OSC's implementation of the practice.

  • Find the OSC's implementation as partially Met as they are achieving several objectives required of this practice.

Based on the scenario and the requirements of CMMC practice SI.L2-3.14.6, which focuses on monitoring communications for attacks, the use of open-source software is concerning due to the potentially untrusted nature of such software. Thus, requesting more information and investigating further should provide the assessor with the details needed to make an informed decision.

Unvetted Open-Source Software: The administrator is using an open-source anti-malware solution that you were not previously familiar with. While open-source solutions can be effective, their use introduces certain risks if they are not properly vetted, maintained, and updated. CMMC compliance requires ensuring that any tools used for monitoring and protecting information systems are reliable and effective. If the organization has not thoroughly vetted the open-source software, especially for potential vulnerabilities, or if it lacks a process for keeping it up to date, this could be a concern. Furthermore, the use of an open-source solution for critical security functions like anti-malware protection creates a potential compliance gap, as it might raise questions about whether the organization has adequately ensured that the software meets the necessary security standards. If the software is not recognized, validated, or frequently updated, it might not provide adequate protection against sophisticated attacks, potentially putting the organization at risk.

Next Generation Firewall: The demonstration of the NGFW is a positive step, as NGFWs typically offer advanced features like deep packet inspection, intrusion prevention, and application awareness. However, for CMMC compliance, it is crucial that the firewall is correctly configured, regularly monitored, and integrated into a broader security strategy that includes other defensive measures. It addresses objectives [b] and [c] by monitoring inbound and outbound traffic to detect attacks and indicators of potential attacks.

Part of CMMC compliance is having documented procedures and evidence of consistent monitoring and protective measures. You would need to ensure that the organization has documented the implementation and regular monitoring of their anti-malware and firewall solutions, including any specific processes for managing open-source software.

120.

During a CMMC assessment, the Lead Assessor, Emily, notices that one of the CCAs on her team, Alex, seems overly critical and skeptical of the evidence presented by the OSC. Although the OSC demonstrates compliance with the required CMMC practices, Alex repeatedly questions the validity of the evidence and suggests the OSC is not meeting the criteria.

Concerned that Alex's behavior may be influenced by bias, Emily decides to address the issue directly. She recalls a previous incident in which Alex took a similar approach to evaluating practices and evidence, and shortly afterward, the OSC experienced a data breach. What steps should Emily and, most importantly, the C3PAO have taken to prevent this eventuality?

  • Identify and manage assessor bias to deliver objective assessments

  • Undergo additional training in the CMMC requirements

  • Avoid working with assessors who have previous experience with the OSC

  • Rely on the Lead Assessor to mitigate any potential bias

Correct answer: Identify and manage assessor bias to deliver objective assessments

The scenario underscores the importance of assessors being aware of their biases and taking steps to manage them. Additionally, C3PAOs should identify assessors prone to bias and address it accordingly. Whether positive or negative, personal biases can significantly influence the interpretation of findings, potentially resulting in inconsistent or inaccurate assessment outcomes. By identifying and managing biases, assessors can ensure objective reviews of each practice within the OSC's specific circumstances, thereby delivering fair and reliable assessments.