Cyber AB CCA Exam Questions
Page 8 of 25
141.
A leading technology solutions provider works with various government agencies and commercial clients. To ensure the secure handling of CUI, the solutions provider has implemented a dedicated CUI enclave within its network infrastructure. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements. Which statement best describes the appropriate approach for scoping the Assessment within the context of the CUI enclave?
- The assessment scope should include the solution provider's CUI enclave and any Supporting Organization's components or systems that interact with or provide services to the CUI security domain.
- Regardless of the CUI security domain implementation, the entire solutions provider's network and all system components must be assessed.
- The assessment scope is limited to the physical boundaries of the Solutions provider's CUI security domain, excluding any logical or network-based interactions.
- Only the solutions provider's CUI security domain needs to be assessed, as it is the designated system component for handling CUI data.
According to the information provided, non-federal organizations can limit the scope of security requirements by isolating designated system components for CUI data in a separate CUI security domain. However, the assessment scope should include not only the CUI security domain but also any supporting components or systems that interact with or provide services to the CUI security domain, as they may impact the overall security posture.
142.
After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms, and the system administrator has to run an algorithm to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card. While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. Which of the following statements accurately describes the contractor's compliance with protecting audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8-Audit Protection?
- The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion
- The contractor is fully compliant; employees can access audit logging tools to meet their requirements.
- The contractor is partially compliant, as audit logging tools are protected by the same measures as audit information.
- The contractor's compliance cannot be determined based on the information provided.
The scenario explicitly states that upon reviewing the access control policy, there are no defined measures to protect the audit logging tools, which does not meet the requirements of CMMC practice AU.L2-3.3.8-Audit Protection. In addition, the contractor's employees can access all audit logging tools and tweak the settings according to their needs or requirements, which is bound to introduce integrity issues in the audit logs.
143.
When examining procedures addressing system security plan development and implementation, you realize that the contractor has developed an SSP that defines and documents system boundaries. The SSP also contains the non-applicable security requirements approved by designated authorities. It also outlines other essential aspects, such as relationships with or connection to other systems, how security requirements will be implemented, etc. Upon interviewing personnel with information security responsibilities, you realize that the contractor has not reviewed or updated the SSP and has no defined timelines. How can the contractor treat practice CA.L2-3.12.4-System Security Plan in this scenario if it is found to be Not Met?
- Place it in a POA&M
- CA.L2-3.12.4 is not applicable for the contractor's systems.
- Subcontract an RPO to help with the implementation
- Negotiate with the Lead Assessor for a favorable outcome.
Because the contractor has an existing SSP that partially meets the practice, they can place the deficient areas, like defining an update frequency and implementing a review/update process, into a POA&M to satisfy CA.L2-3.12.4-System Security Plan fully over time.
144.
A CMMC Level 2 certified DoD contractor plans to use a Cloud Service Provider (CSP) to support data storage and application hosting for their business operations. The contractor is aware of the CMMC requirements and wants to ensure compliance before engaging with the cloud service provider. After discussing this with them, you learn that most of the hosted applications aren't used for any activities related to the DoD contract. However, the stored data may contain CUI. What requirement must the CSP have met before the DoD contractor can hire them?
- Security requirements equivalent to the FedRAMP Moderate baseline or CMMC Level 2 Certification
- CMMC Level 1 Certification
- Employment of personnel compliant with DoD 8570 requirements
- FedRAMP High ATO
Correct answer: Security requirements equivalent to the FedRAMP Moderate baseline or CMMC Level 2 Certification
The minimum requirements for the CSP are set out in DFARS Clause 252.204-7012. This regulation mandates FedRAMP Moderate or an equivalent level of security, assessed by Third-Party Assessment Organizations (3PAOs). However, the CSP's CSO must meet the requirements set out in the DoD's January 2024 FedRAMP equivalency memo.
145.
You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. Which of the following is not one of the recommended methods for collecting evidence during a CMMC assessment?
- Self-Assessment by the OSC.
- Examine
- Interview
- Test
As specified in NIST SP 800-171A, the three recommended methods are examination, interview, and test. A self-assessment by the OSC would not provide the objective evidence required by the Certified Assessor to determine compliance with CMMC practices.
146.
To transfer CUI between a government client and its internal systems, a defense contractor uses a Secure File-Sharing Application provided by the DoD. However, all the data traversing this boundary MUST pass through a next-generation firewall (NGFW) managed by the contractor's Network Admin. All CUI is stored on a solid-state drive (SSD) and accessed through a laptop. What type of asset is the Secure File-Sharing Application?
- Out of Scope
- Security Protection Asset (SPA)
- Contractor Risk Managed Asset (CRMA)
- CUI Asset
The Secure File-Sharing Application falls outside the contractor's CMMC assessment scope because the Government/DoD authorization boundary governs it. As the government manages and secures this application, it should not be included in the contractor's assessment scope. However, the contractor should describe how the data flows to the Secure File-Sharing Application in their System Security Plan (SSP) and include procedures and user training, as it is a key input-output method.
147.
Tina is working on a team conducting a Level 2 assessment for Humvees-R-Us (HRU). While gathering evidence, Tina notices that HRU has not updated several critical policies in years. Knowing that HRU is investing a significant amount of money in the assessment, she tells Bob, the CEO of HRU, that she will date the policies to make them appear as if they have been regularly revised. She explains that this will help HRU pass their assessment and save them the cost of a reassessment. Tina believes changing the dates isn't a big deal since HRU has policies written but has not revised them as frequently as required.
Was it right for Tina to adjust the dates during the assessment? If not, which principle of the CMMC Code of Professional Conduct did she violate?
- No, information integrity
- No, confidentiality
- Yes, she has not violated any CoPC principle
- No, lawful and ethical practices
Correct answer: No, information integrity
Tina should not change any information she collected as evidence. She must ensure the accuracy and authenticity of the information. Her actions violate not only the principle of information integrity but also proper use of methods because she is submitting a document with a misstatement of fact to assist HRU in obtaining CMMC certification. Additionally, this action is unethical and could be unlawful.
148.
When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6-Reduction & Reporting?
- Met
- Not Met
- Not Applicable
- Partially Met
The contractor has documented measures for audit reduction and reporting in its System Security Plan (SSP), and it has a dedicated Security Operations Center (SOC) that uses Splunk for audit log reduction and reporting. Splunk is a widely used Security Information and Event Management (SIEM) tool that can effectively handle audit log reduction and reporting requirements.
149.
You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation. As part of the CMMC Assessment process, you begin by determining the necessary evidence for each practice or process across the OSC's organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC's requirements. After initial preparations, you and the OSC's POC schedule a joint review session to align on the scope and expectations for the upcoming assessment. Why is it important for the Lead Assessor and the OSC's POC to review the OSC's self-assessment findings before the formal CMMC assessment begins?
- To identify any gaps between the OSC's self-assessment and the CMMC Assessment Team's expectations.
- To decide the date and time for the formal CMMC Assessment.
- To determine the OSC's readiness for achieving CMMC Level 3 certification.
- To finalize the financial agreement between the C3PAO and the OSC.
This pre-assessment review aims to align the OSC and the Assessment Team on the expectations and requirements as they relate to the OSC's CMMC Assessment Scope and the framing of the Assessment engagement. It focuses on identifying and addressing any discrepancies or gaps in the OSC's self-assessment in relation to the DoD's criteria, ensuring a mutual understanding of the assessment requirements, and accurately framing the engagement contract.
150.
You are a CCA in active and good standing on the Cyber AB Marketplace. An OSC has contracted your C3PAO for a prospective CMMC Assessment. The OSC provides signal processing services for the DoD. You assisted the OSC in preparing for the upcoming CMMC assessment by conducting an initial evaluation of their implementation practices. With your background in cybersecurity and extensive experience, your C3PAO and Lead Assessor have selected you to join the Assessment Team. Which of the following is the biggest concern about you being included in the Assessment Team?
- There is a potential conflict of interest.
- You lack the required years of experience.
- You recently received a poor professional reputation review.
- The travel costs associated with your location.
The biggest concern about including you in the Assessment Team is the clear presence of a conflict of interest. When selecting team members for the assessment, it is crucial to avoid any conflicts of interest with the OSC. Since you have previously worked with the OSC, there may be financial or investment interests involved. Additionally, you might have preconceived notions about the OSC that could affect your objectivity. Maintaining independence and objectivity is essential for the integrity and validity of the CMMC assessment process. Any real or perceived conflict of interest could undermine the assessment's credibility and raise doubts about the fairness and accuracy of the results.
151.
A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. When examining the contractor's security configuration checklists, which of the following parameters are you not likely to find?
- The contractor's assessment readiness status
- Network configuration and port management
- File and Directory permissions
- Protocol usage and application allowlisting
When examining security configuration checklists or guidelines, you will likely find settings related to various security parameters, including network configuration and port management, file and directory permissions, protocol usage and application allowlisting, registry settings, account settings, and remote connection settings. These parameters impact the security posture of the systems and should be configured according to the organization's security requirements and industry best practices. The contractor's assessment readiness status is not something you will find in the security configuration checklists; rather, the results of the assessment readiness review will be documented on the Certification Assessment Readiness Review (CA-RR) checklist.
152.
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature that the updated privacy and security notices on Defcon's systems should have?
- Display duration set to less than 5 seconds before automatically disappearing
- A general statement about monitoring and recording of system usage
- Specific information about the presence of CUI and associated handling requirements
- A warning about unauthorized use being subject to civil and criminal penalties
The contractor should fully implement the requirements of CMMC practice AC.L2-3.1.9-Privacy & Security Notices to ensure that its employees are fully informed of their CUI handling obligations.
153.
Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment. Before commencing the assessment phase, the C3PAO and its assessment team members should declare that they haven't provided advisory, consulting, or CMMC implementation support. Where should this declaration be documented?
- The C3PAO and Assessor Conflict of Interest (COI) Attestation.
- The Conflict of Interest Brief.
- Employees' background information.
- The Assessment Team Member COI declaration form.
The C3PAO and its assessment team members must record a short statement in which both the C3PAO and its Assessment Team Members confirm that they have not provided consulting, advisory, or CMMC implementation support to the OSC that they will be assessing and that no conflicts of interest (COI) exist with that OSC. This statement is documented in the C3PAO and Assessor Conflict of Interest (COI) Attestation.
154.
An OSC has an established Incident Response plan and a dedicated team specifically trained to handle any potential incidents and conduct necessary analysis. When performing the assessments, you also realize the OSC has deployed IDS and SIEM tools to identify possible incidents. Examining the Contractor's incident response policy, you also learn they have defined and implemented containment strategies and have developed clear procedures for system and data recovery after an incident, including backup and restore procedures. There is also a communication protocol in place to inform the affected stakeholders and users after a security incident. Chatting with a few members of the OSC's incident response team, you learn they conduct regular drills to test and improve the effectiveness of the incident-handling capability. There are also defined and documented incident response mechanisms and a post-incident analysis procedure to identify lessons learned and make necessary improvements to the incident-handling process. Based on the information provided, how would you assess the OSC's compliance with the IR.L2-3.6.1-Incident Handling practice?
- Met (+5 points)
- Not Met (-5 points)
- Not Met (-1 point)
- Met (+1 point)
Based on the comprehensive measures described in the scenario, including an established incident response plan, dedicated team, detection tools, containment strategies, recovery procedures, communication protocols, regular drills, and post-incident analysis, the OSC's compliance with CMMC practice IR.L2-3.6.1-Incident Handling should be scored as Met (+5 points).
155.
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current status with FIPS?
- NIST CMVP
- FIPS 140-2 documentation
- FedRAMP Marketplace
- NIST CSRC
For CMMC practice SC.L2-3.13.11-CUI Encryption, the OSC's claim that the product is FIPS-validated must be substantiated with evidence. When encryption is employed, the module must comply with FIPS 140-2. Evidence of a product's current FIPS status can be found on NIST's Cryptographic Module Validation Program website.
156.
A contractor is preparing to bid on an upcoming DoD contract to provide next-generation upper limb prosthetics for injured servicemen. Part of the preparation is undergoing a CMMC assessment, and they have hired you to assess their implementation of CMMC practices. The contractor has multiple design, manufacturing, and supply chain management systems. Each system generates its own audit logs, which are stored in separate repositories. Different teams analyze and review them independently, with each team reporting the findings to the respective departmental heads. For instance, the engineering team reviews and analyzes logs related to the design systems and reports to the lead engineer, while the operations team focuses on the manufacturing system logs. When interviewing personnel responsible for audit record review, analysis, and reporting, they inform you that this is deliberately set up to ensure departmental independence and granular risk identification. Based on the CMMC practice AU.L2-3.3.5-Audit Correlation, what is the likely issue you would identify with the contractor's current approach?
- The audit review, analysis, and reporting processes are not correlated across systems
- Lack of defined processes for audit record review, analysis, and reporting
- Failure to retain audit logs for an adequate duration
- Absence of automated mechanisms for analyzing and correlating audit records
While audit logs are generated and reviewed, there is no centralized process for correlating these logs across different systems within the contractor's organization, which goes against the requirements of CMMC practice AU.L2-3.3.5-Audit Correlation. The audit record review, analysis, and reporting should be correlated at the system or departmental level to ensure they operate collectively.
157.
A defense contractor handles sensitive Controlled Unclassified Information (CUI) and has implemented strict policies and controls for using portable storage devices containing CUI on external systems. Their Information Security Policy outlines approved encrypted devices and defines circumstances for their limited use on external systems with prior approval. The approval process requires documenting the need, external systems involved, and data protection measures. All approved portable storage devices use FIPS 140-2 validated encryption and can only be unlocked on the contractor's internal or authorized external systems with proper authentication. Based on this scenario, has the contractor met all the assessment objectives for CMMC practice AC.L2-3.1.21-Portable Storage Use?
- Yes, the contractor has met all the assessment objectives
- No, the contractor has Not Met the assessment objectives
- The contractor has partially met the assessment objectives
- It is unclear based on the scenario
Based on the details provided in the scenario, it appears the contractor has met all the assessment objectives for CMMC practice AC.L2-3.1.21-Portable Storage Use.
1) The use of portable storage devices containing CUI on external systems is identified and documented: The scenario states that the contractor's Information Security Policy outlines the approved types of portable storage devices that can be used, and their use on external systems must be explicitly approved and documented, including the business need and specific external systems involved.
2) Limits on the use of portable storage devices containing CUI on external systems are defined: The policy defines the circumstances and limitations for using portable storage devices on external systems, such as requiring approval, encryption, and proper authentication/access controls.
3) The use of portable storage devices containing CUI on external systems is limited as defined: The scenario mentions that the contractor has implemented technical controls to enforce the policy, allowing the approved encrypted portable devices to be used only on the contractor's internal systems or authorized external systems with proper authentication.
Therefore, based on the information provided, it seems the contractor has addressed all three assessment objectives for AC.L2-3.1.21-Portable Storage Use by identifying and documenting the use cases, defining limits and restrictions, and technically limiting the use of portable storage devices containing CUI on external systems as per their defined policy.
158.
Your organization has informed you that an OSC has contacted them for a prospective CMMC assessment. Your C3PAO has a specified number of days to acknowledge the request and propose a date for the initial coordination call. In the initial exchange, you will do all of the following, EXCEPT:
- Ask the OSC for the budget for the prospective CMMC assessment.
- Confirm the OSC's requested timeframes.
- Ascertain the OSC's general preparedness for the upcoming CMMC assessment.
- Confirm the geographic location(s) for the Assessment.
In the initial exchange with the OSC, the C3PAO should not ask for the OSC's budget for the prospective CMMC assessment. Instead, it should confirm the requested timeframes, ascertain the OSC's preparedness, and confirm the geographic location(s) for the assessment.
159.
While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure. Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?
- Test or examine mechanisms supporting or implementing physical access monitoring
- Interview personnel with information security responsibilities
- Test the OSC's Incident Response Plan
- Examine the System Security Plan
Correct answer: Test or examine mechanisms supporting or implementing physical access monitoring
PE.L2-3.10.2 [c] and [d] specifically relate to monitoring the OSC's physical facilities and support infrastructure. To evaluate the implementation of these physical environment-related objectives, the most appropriate assessment procedure is to directly test or examine the mechanisms and controls that the OSC has implemented to monitor physical access and the physical environment. This could include, for example, examining the operation of physical access control systems, inspecting environmental monitoring sensors and alerts, and testing the functionality of physical security mechanisms.
160.
During the examination of evidence for access control procedures, you review an OSC's Access Control List (ACL). The ACL appears to include most user accounts, but you notice that it lacks entries for several newly hired employees. You also realize that some parts of the OSC's access control policy haven't been signed and endorsed by senior management. Additionally, you notice multiple attestations from employees who are not the proper system owners. How should you handle an attestation (affirmation) from an employee who is not the proper owner/operator/supervisor of the system or information being examined?
- Document the illegitimate attestation as an evidence gap.
- Accept the attestation as valid evidence.
- Request the OSC to provide a revised attestation from the correct personnel within a specified timeframe.
- Disregard the attestation and rely solely on other evidence sources for the associated practice.
Illegitimate affirmations, such as those from employees who are not the proper owners/operators/supervisors, should be documented as evidence gaps due to inadequacy.