Cyber AB CCA Exam Questions
121.
When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. Which of the following actions would best address the identified gap in the contractor's implementation of CA.L2-3.12.1 - Security Control Assessment?
- Developing a plan to conduct security audits following the documented frequency in the policy and ensuring continuous adherence.
- Updating the security policy to reflect the actual frequency of security audits
- Assigning additional personnel to the security team to manage frequent assessments
- Conducting immediate security audits without prior planning.
Developing and implementing a plan to conduct security audits resolves the core issue of not adhering to the stated assessment frequency policy. Developing a plan lays out the roadmap to get assessments back on track per the existing requirements rather than changing the policy. Ensuring this is followed going forward closes the gap.
122.
A mid-sized defense supplier has been working to achieve CMMC Level 2 certification. You are part of the Assessment Team contracted to review their documentation and assess their implementation of CMMC practices. During your review, you notice that the OSC has produced documentation for their risk-managed assets. Which of the following is NOT required documentation for contractor risk-managed assets under the CMMC Model?
- Separation methodology
- Asset Inventory
- Network Diagram
- System Security Plan
Separation methodology only applies to out-of-scope assets, while risk-managed assets must be documented in the asset inventory, network diagram, and system security plan.
123.
You are part of the team conducting a CMMC assessment for an OSC. Because of the sensitive nature of the OSC's technologies, your team signed an NDA. However, you observe one of the Assessment Team members copying something from the OSC's computer systems. You know they don’t have permission because the NDA states that the OSC POC will provide any required material. What should you do in this case?
- Approach the team member and remind them of their confidentiality obligations under the CoPC
- Report the team member to the Cyber AB
- Inform the OSC of the incident
- Allow them to copy the files
Correct answer: Approach the team member and remind them of their confidentiality obligations under the CoPC
The CMMC Code of Professional Conduct prohibits copying materials or tools from external entities without explicit permission. Since the team member doesn’t have permission from the OSC, remind them of the confidentiality requirements of the NDA and the CoPC.
124.
You are assessing a leading technology solutions provider that works with various government agencies and commercial clients. To ensure the secure handling of CUI, the solutions provider has implemented a dedicated CUI enclave within its network infrastructure. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements. Which separation technique can the technology solutions provider use to isolate the network assets in its CUI enclave?
- Logical isolation
- Physical separation
- Segmentation
- Encryption
Logical isolation is the most suitable technique for isolating network assets within an enclave. It leverages software and network configurations (firewalls, VLANs) to create separate logical segments within the same physical infrastructure.
125.
Pre-assessment information must be uploaded to CMMC eMASS by the end of the planning phase (Phase 1). Who uploads this information and what happens if the pre-assessment information changes after the upload?
- A CMMC eMASS-authorized C3PAO representative uploads the information to the eMASS system. If the information changes, the representative updates it in the eMASS system.
- If the information changes, the OSC Assessment Official ensures it is uploaded again.
- If the information changes, the CQAP ensures that it is uploaded again.
- The Lead Assessor ensures that any uploaded information deemed incorrect is deleted.
According to the CMMC Assessment Process (CAP), the final version of the Pre-Assessment Data Form must be uploaded to the CMMC eMASS system at the end of the planning phase (Phase 1). The responsible party for uploading the Pre-Assessment Data Form is an eMASS-authorized representative from the C3PAO conducting the CMMC assessment. If the pre-assessment information changes after the initial upload, the eMASS-authorized C3PAO representative is required to upload the updated information again. This ensures that the information in the eMASS system remains accurate and up-to-date throughout the assessment process. Previous data uploads are retained in CMMC eMASS to allow for audit tracking.
126.
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory - a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?
- Prohibiting inheritance of privileged permissions.
- Enforcing dual authorization
- Implementing time of day restrictions.
- Removing internet access.
Explicitly defining the permissions for the Dev_Roles group, without allowing inheritance from Admin_Roles, would help enforce least privilege and separation of duties. The developers would retain only the specific privileges needed for their coding and testing work, without inheriting any elevated admin capabilities. Setting explicit privileges for each role, rather than relying on group nesting or inheritance, is a best practice for access control and aligns with the principles of least privilege and separation of duties in CMMC. This strict role definition prevents privilege creep and enforces segregation of duties across different teams and job functions.
127.
The Cyber AB has completed an investigation into a report submitted by a CCA regarding a potential violation by another CCA. They have determined that the violation falls within the scope of the relevant Industry Working Group's authority. What is the likely course of action for the Cyber AB in this scenario?
- Refer the incident to the relevant Industry Working Group for resolution, which may include remediation, coaching, or termination, with a right of appeal
- Dismiss the report and take no further action
- Continue the investigation and make a final determination on the violation
- Immediately suspend the CCA's certification pending the working group's resolution of the incident
Correct answer: Refer the incident to the relevant Industry Working Group for resolution, which may include remediation, coaching, or termination, with a right of appeal
In this scenario, the Cyber AB has determined that the potential violation is within the scope of the relevant Industry Working Group's authority. Therefore, the Cyber AB should refer the incident to the working group for resolution, which may include remediation, coaching, or termination of the CCA's certification, with the right to appeal the decision.
128.
You are the CCA working with a client to deliver certified consulting services, and the OSC has asked how to ensure their scope is accurate. You mention the use of a data flow diagram, which intrigues the OSC. What would be the first step in constructing the data flow diagram for the OSC?
- Identify how data flows through the OSC's business, including systems, subprocesses, and data stores, identifying major inputs and outputs to the environment
- Implement a Data Loss Prevention (DLP) tool to monitor data flows within the OSC
- Conduct interviews with key stakeholders to understand the organization's business processes
- Gather information about the OSC's network infrastructure and create a network diagram
Correct answer: Identify how data flows through the OSC's business, including systems, subprocesses, and data stores, identifying major inputs and outputs to the environment
The first step in constructing a data flow diagram for the OSC is to start by documenting major inputs and outputs to the assessment environment or system. This helps identify and capture details of how data flows through the organization's business processes. By documenting the inputs and outputs, the CCA can map the entities and activities, which then informs the development of a comprehensive and accurate data flow diagram that visually represents the movement of data within the OSC's environment. This foundational step ensures the diagram is easy to understand and accurately reflects the OSC's business processes and information systems.
129.
A C3PAO and OSC have agreed to proceed with CMMC assessment planning. The OSC assessment official and the C3PAO are working to determine the planning details and purview of the Assessment, which includes scoping. Who is responsible for initially determining the CMMC Assessment Scope?
- The Organization Seeking Certification (OSC)
- CMMC Accreditation Body
- The CMMC Third-Party Assessment Organization (C3PAO)
- Both the C3PAO and the OSC jointly.
The OSC has the initial responsibility to establish the CMMC Assessment Scope of their networked environment. This includes identifying and taking inventory of the various categories of assets contained therein that will be the subject of the CMMC Assessment.
130.
An OSC employs guards to protect the manufacturing shop where the magnetic radar-absorbing coating is manufactured. The Army uses this specific coating for a particular fleet of unmanned aerial vehicles (UAVs). The facility is under constant surveillance with the help of HD CCTVs. Within the OSC's facilities is a Vector Network Analyzer (VNA) that measures the reflection and transmission properties of the coating over a range of frequencies. Guards protect the OSC's anechoic chamber, and anyone entering must use an iris scanner and sign a physical form detailing their name and reason for being there. At the door is a huge sign reading "authorized personnel ONLY." The OSC has implemented the following physical separation methods to secure its facilities, EXCEPT?
- Monitoring
- Guards
- Biometric locks
- Signage
The High Definition (HD) CCTVs do not directly create a physical separation. While they can help detect and deter unauthorized access, they do not physically prevent someone from entering a restricted area.
131.
An OSC has an established Incident Response plan and a dedicated team specifically trained to handle any potential incidents and conduct necessary analysis. When performing the assessments, you also realize the OSC has deployed IDS and SIEM tools to identify possible incidents. Examining the contractor's incident response policy, you also learn they have defined and implemented containment strategies and have developed clear procedures for system and data recovery after an incident, including backup and restore procedures. There is also a communication protocol in place to inform the affected stakeholders and users after a security incident. Chatting with a few members of the OSC's incident response team, you learn they conduct regular drills to test and improve the effectiveness of the incident-handling capability. There are also defined and documented incident response mechanisms and a post-incident analysis procedure to identify lessons learned and make necessary improvements to the incident-handling process. Based on the information provided, the following aspects of IR.L2-3.6.1 - Incident Handling can be definitively confirmed for the OSC's incident response capability, EXCEPT?
- Risk tolerance
- Preparation
- Detection
- Analysis
The OSC has established an incident response plan, a trained team, and user training, which indicates preparation. The use of IDS/SIEM tools suggests a focus on detection. There's no mention of specific analysis techniques, but a trained team implies some level of analysis capability. Additionally, there is no mention of the OSC's risk tolerance, which refers to the level of risk the organization is willing to accept before taking action or implementing additional controls. This aspect is crucial in defining how aggressively the OSC responds to different incidents but isn't covered in the provided details.
132.
As a CCA, you must follow elaborate steps during an OSC's CMMC assessment, which is categorized into four phases. The CMMC Assessment Process contains the following phases, EXCEPT?
- Conducting tests on the OSC.
- Planning and preparing the assessment.
- Closing out POA&Ms and Assessment.
- Report the recommended results of the assessment.
The CMMC assessment process (CAP) is organized into four phases: 1) Plan and Prepare the Assessment, 2) Conduct the Assessment, 3) Report Recommended Assessment Results, and 4) Close-out POA&Ms and Assessment. Testing is an assessment methodology rather than a phase in the CMMC Assessment Process.
133.
As a CCA, you are conducting an assessment of an OSC's implementation of AC.L2-3.1.7 – Privileged Functions. This requirement mandates that the organization prevent non-privileged users from executing privileged functions and capture the execution of such tasks in audit logs. During your assessment, you want to determine whether the OSC has properly defined privileged functions, as assessment objective [a] requires. Which Assessment Objects would you most likely examine to make this determination?
- The organization's Privacy and Security policies and System Design documentation
- User acknowledgements of notification message or banner
- System use notification messages
- Interviews with System Developers
Correct answer: The organization's Privacy and Security policies and System Design documentation
To determine whether the privileged functions have been properly defined as required by AC.L2-3.1.7[a], the CCA would most likely examine the organization's privacy and security policies and the system design documentation.
The privacy and security policies would contain the definitions and descriptions of the functions that are to be protected from non-privileged users. The system design documentation would also provide details on the identified privileged functions and how they are implemented within the organization's systems. Examining these assessment objects would allow the CCA to directly evaluate whether the privileged functions have been appropriately defined, as per the assessment objective.
134.
An OSC previously received a Conditional CMMC Level 2 Certification during Phase 3 of the assessment process. The OSC has been working on implementing a POA&M to address the practice deficiencies identified during the initial assessment. Now, within 180 days from the Final Recommended Findings Briefing, you are to conduct a POA&M Closeout Assessment. As the Lead Assessor, you and your assessment team review the OSC's updated POA&M, accompanying evidence, and any scheduled observations, interviews, or tests with the aim of validating the implementation of the corrective actions. If the Organization Seeking Certification (OSC) disagrees with the C3PAO's findings during the POA&M Closeout Assessment, what is the recourse?
- Submit an appeal using the Assessment Appeals Process outlined in the CAP.
- Immediately reapply for CMMC Level 2 certification with a different C3PAO.
- Demand a reassessment by the same C3PAO and Lead Assessor.
- Request an extension of the timeline for corrective actions.
If the OSC feels that the wrong approach was taken or the timeline for corrective actions was insufficient, the OSC can submit an appeal using the Assessment Appeals Process outlined in the CAP. This indicates that the appropriate course of action for the OSC to dispute the C3PAO's findings is to submit an appeal through the prescribed Assessment Appeals Process.
135.
You are assessing a contractor with a well-defined personnel security policy and procedures for screening individuals before granting access to CUI as part of their CMMC compliance. However, chatting with the security guards, you discover that the contractor sometimes grants temporary access to CUI systems before completing the screening process, citing operational urgency. While examining the contractor's procedures addressing personnel screening, you expect to find the following background checks included, EXCEPT?
- Health Background Checks
- Criminal background and drug screening
- Credit and Civil Background checks
- Employment verification and education checks
The practice states that personnel security screening involves evaluating an individual's conduct, integrity, judgment, loyalty, reliability, and stability (trustworthiness) before granting access to CUI systems. While criminal, credit, civil, employment, and educational background checks are relevant for assessing trustworthiness, health background checks are not explicitly mentioned as part of the screening processes for this practice.
136.
In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?
- 32 CFR Part 2002 and ISOO CUI Registry
- DFARS 252.204-7012 and ISOO CUI Registry
- 48 CFR 52.204-21 and NIST SP 800-171
- 22 CFR Part 120-130
The definition of CUI is provided in 32 CFR 2002.4(h) and on the ISOO Registry. Information given to the OSC by the Government or a Prime to help in the performance of a contract should be protected per the Laws, regulations, and government-wide policies. However, the OSC should ask the following questions to determine whether the information is CUI: Is the information publicly available? If yes, that is not CUI. Is the information created for the Government? Does the OSC hold or create the information on behalf of the Government? Does a Law, regulation, or government-wide policy require its handling using defined disseminating and safeguarding controls? If the answer to these questions is affirmative, then that is CUI, and they should use the DoD or the ISOO CUI registry to determine which category or subcategory it falls in and mark it appropriately.
137.
Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.
- IA.L2-3.5.7 - Password Complexity and IA.L2-3.5.8 - Password Reuse
- IA.L2-3.5.3 - Multifactor Authentication
- IA.L2-3.5.9 - Temporary Passwords
- IA.L2-3.5.6 - Identifier Handling
The contractor's password policy meets the requirements of CMMC practice IA.L2-3.5.7-Password Complexity by defining minimum length, character types, and character change rules for passwords. The policy also meets CMMC practice IA.L2-3.5.8-Password Reuse by prohibiting password reuse until 30 password cycles are complete.
138.
You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6-Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6-Alternative Work Sites, which of the following would be the least effective method for gathering information?
- Employing technologically savvy guards to man the alternate worksite
- Requiring remote staff connecting to their internal networks to use a VPN that prevents split tunneling and requires multifactor authentication to verify remote users are who they claim to be
- Deploying a patch management and anti-malware solution for every laptop or desktop on the alternate worksite
- Using Full Disk Encryption (FDE) or Container-based encryption to encrypt CUI when stored or transmitted from or to alternate work sites
Employing guards is a physical security measure to secure the alternate worksite, not a technical one related to information systems. Security guards, by virtue of their duties, may rarely come across CUI. Hence, no matter how technologically savvy they are, their duties will be limited to manning the physical facility.
139.
SecureLogic Inc. is a cybersecurity consulting firm that provides managed security services to various defense contractors. During a CMMC assessment of one of their clients, the Lead Assessor finds that SecureLogic Inc. has provided evidence supporting several inherited practices related to incident response and vulnerability management. Which of the following actions should the Lead Assessor take?
- Evaluate the evidence provided by SecureLogic Inc. to ensure it meets the assessment objectives for the inherited practices and is applicable to the client's in-scope assets.
- Score the inherited practices as 'NOT MET' and require the client to implement them internally, regardless of SecureLogic Inc.'s evidence.
- Recommend that the client implement the inherited practices internally, as inheriting them from external service providers is not allowed.
- Automatically score the inherited practices as 'MET' based on SecureLogic Inc.'s evidence.
The Lead Assessor should evaluate the evidence provided by the external service provider, SecureLogic Inc., to ensure it meets the assessment objectives for the inherited practices and is applicable to the client's in-scope assets. The evidence should demonstrate that the service provider adequately performs the inherited practices.
140.
While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt. To understand the contractor's implementation of assessment objectives for AC.L2-3.1.8 - Unsuccessful Logon Attempts, a CCA is required to examine all of the following EXCEPT?
- Examining system developers
- System security plan
- Documentation on system configurations
- Access control policies
AC.L2-3.1.8 requires the CCA to examine the contractor's access control policy, procedures addressing unsuccessful logon attempts, system security plan, system design documentation, system configuration settings and associated documentation, system audit logs and records, among other relevant documents or records.