Cyber AB CCA Exam Questions

Page 9 of 25

161.

An Assessment Team is reviewing the network diagram provided by an OSC. The diagram will help the team understand how the OSC has set up assets across its network and determine whether it has implemented network separation and enclaves to protect its CUI. During the review, the team notices that the network diagram does not clearly delineate the boundaries between the enterprise and CUI environments, raising concerns about the assessment scope. What should the Assessment Team do in this situation?

  • Inform the Lead Assessor, who will request additional information and clarification from the OSC to better understand the separation and enclave implementation

  • Proceed with the assessment based on the information provided in the SSP and adjust the scope during the assessment

  • Proceed with the assessment based on the information provided in the network diagram

  • Recommend that the OSC engage a network security specialist to revise the network diagram

Correct answer: Inform the Lead Assessor, who will request additional information and clarification from the OSC to better understand the separation and enclave implementation

The Lead Assessor should ensure the assessment scope is accurately defined, as it directly impacts the evaluation of the OSC's compliance with CMMC requirements. The OSC presents the CMMC Assessment Scope to the Lead Assessor, who then proceeds to verify its accuracy and integrity. In support of understanding and interpreting the CMMC Assessment Scope, the OSC must also provide the Lead Assessor with supporting documentation, such as network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.

In this scenario, the network diagram does not clearly delineate the separation and enclave implementation, which is essential to understand the boundaries of the assessment. The Lead Assessor should request additional information and clarification from the OSC to better understand the separation and enclave implementation. The Lead Assessor is required to validate the OSC’s CMMC Assessment Scope. Any disagreements or differences of opinion concerning the CMMC Assessment Scope must be resolved before the actual Assessment may commence. This approach helps ensure the assessment is conducted within the correct context and provides a more accurate evaluation of the OSC's CMMC compliance.

162.

One of the most important roles in a CMMC Assessment is a CQAP. They have diverse but specific roles to perform during an assessment. A CQAP can help a Lead Assessor and the Assessment Team in the following various ways during the assessment process, EXCEPT?

  • Validating the adequacy and sufficiency of the evidence.

  • Verifying pre-assessment documentation to ensure its accuracy and completeness.

  • Verifying that the POA&M Close-Out documentation is accurate and complete.

  • Verifying the accuracy and completeness of the Assessment Results Package.

The responsibilities of a CQAP focus on ensuring the accuracy and completeness of various documentation and artifacts throughout the assessment process, including pre-assessment documents, the assessment results package, and any POA&M close-out documentation. However, validating the adequacy and sufficiency of the evidence collected during the assessment is not the responsibility of the CQAP. This task falls under the purview of the Lead Assessor and the Assessment Team members, who are responsible for evaluating the gathered evidence against the CMMC practices and determining whether it is sufficient to support the assessment findings.

163.

In assessing the security boundaries, you determine that an OSC processes, stores, and transmits CUI and FCI within the same assessment scope. To what maturity level will you, at a minimum, assess and certify the OSC?

  • CMMC Level 2

  • The OSC must separate the scope for assets that process, store or transmit CUI from those that handle FCI.

  • You should refer the OSC to Cyber AB

  • CMMC Level 1

If the contractor processes, stores, or transmits FCI and CUI within the same assessment scope, the contractor can obtain a single certification. Because the contractor processes, stores, or transmits CUI, CMMC Level 2 is the minimum certification level needed. To achieve this, the OSC must define the CMMC Assessment Scope to include only those assets that process, store, or transmit FCI and CUI, or provide security protections for such assets.

164.

A software development company wins a DoD contract requiring CMMC Level 2. The Company is small and has one main office. However, it outsources some data storage requirements to a cloud service provider (CSP). What type of organization would the cloud service provider be considered in the CMMC assessment scope?

  • A Supporting Unit

  • An Enclave

  • The Host Unit

  • The HQ Organization

A supporting unit refers to people, procedures, and technology external to the HQ organization that support the Host Unit. The cloud service provider fits this definition as it supports the software development company and is outsourced; hence, it is external.

165.

After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor's security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success. Based on the scenario, how would you rate the contractor's implementation of CA.L2-3.12.2-Plan of Action?

  • Not Met

  • Met

  • Not Applicable

  • Partially Met

Since a core aspect of developing and implementing an effective plan of action to correct deficiencies is falling short, the overall practice cannot be considered fully met based on the evidence provided. The contractor has documented plans and policies but is failing in the execution of these plans. The fact that remediation efforts are inconsistent and not always practical suggests that the contractor is not fully meeting the requirements of CA.L2-3.12.2-Plan of Action. The lack of effective follow-up and resolution of the issues further supports a rating that indicates the contractor's implementation is inadequate. Here's the rationale:

Policy and Documentation: The contractor has a clearly defined policy on addressing deficiencies and deadlines documented in the Plan of Action & Milestones (POA&M). This is a positive aspect, indicating that the contractor has formal processes in place for identifying and planning the remediation of security vulnerabilities.

Execution and Practicality: Despite having a POA&M and a regular audit process, the contractor is failing to effectively execute the remediation measures. The scenario indicates that the necessary actions are either not being taken, or when they are, they are not practical or effective. This suggests a significant gap between the policy (what should happen) and practice (what is actually happening).

Communication and Follow-Up: The security and compliance team has identified the issues and attempted to address them by communicating with the system administrator, but these efforts have not been successful. This indicates a breakdown in communication or a lack of accountability within the organization, further undermining the effectiveness of the POA&M.

Overall Assessment: The core requirement of CA.L2-3.12.2 is to establish and maintain plans of action to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. The contractor has established these plans but has not maintained them effectively, as the deficiencies are not being practically or consistently addressed.

166.

As a CCA on a C3PAO Assessment Team, you have determined that the assessment scope provided by an OSC indicates plans to subcontract some elements of their contract to DelTech Inc. The OSC plans to bid on a DoD contract to develop guidance and targeting software. However, the software needs testing after installing a new surface-to-air defense system. Unfortunately, the OSC lacks the means to test the software, which is where DelTech comes in. As a CCA, what must you do in this scenario?

  • Confirm that the OSC has flowdown requirements in their subcontract with DelTech Inc. and that DelTech is CMMC Certified at a level commensurate with the risk of information they will handle

  • Continue assessing the OSC's implementation of the CMMC practices

  • Assess DelTech Inc.'s CMMC compliance status

  • Inform the OSC that they cannot subcontract

Correct answer: Confirm that the OSC has flowdown requirements in their subcontract with DelTech Inc. and that DelTech is CMMC Certified at a level commensurate with the risk of information they will handle

Since DelTech Inc. is acting as a subcontractor to the OSC for testing the software on a defense system, they would be considered an ESP providing direct contract support. Therefore, as a CCA on the C3PAO Assessment Team, you must confirm that DelTech Inc. has a valid CMMC Certification at a level commensurate with the risk of information they will handle.

167.

During a CMMC assessment for an OSC, the CCA needs to assess their implementation of CMMC practice MP.L2-3.8.4-Media Markings, which requires proper marking and labeling of CUI. The interview with the information security personnel reveals a well-defined policy, but you need concrete evidence to verify its effectiveness. Which of the following would provide sufficient evidence to assess a contractor's implementation of CMMC practice MP.L2-3.8.4-Media Markings?

  • Reviewing a sample of media containing CUI for proper markings and labelling

  • Interviewing personnel responsible for information security.

  • Observing the physical security controls in designated controlled areas.

  • Examining the organization's system security plan.

While interviewing personnel responsible for information security or examining the organization's SSP may give some insights, reviewing the sample media containing CUI for proper markings and labelling would meet both adequacy and sufficiency metrics to assess the OSC's implementation of CMMC practice MP.L2-3.8.4-Media Markings.

168.

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms. While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?

  • The forms are susceptible to forgery, resulting in unauthorized access.

  • It can be time-consuming to complete the forms for frequent access.

  • The paper forms cannot be easily integrated with other security systems.

  • It requires users to memorize more information for access.

Paper-based forms can be forged or tampered with, potentially allowing unauthorized individuals to gain access to sensitive CUI media. This vulnerability is more concerning than the time-consuming nature of the process, lack of integration with other security systems, or the need to memorize information, as it directly impacts the integrity of access control. MFA provides a more robust security control by requiring additional verification factors beyond just knowledge (e.g., something you have, something you are).

169.

You are the Lead Assessor assigned by your C3PAO to conduct a CMMC Assessment for a small manufacturing company, Precision Parts Inc. (PPI). During the initial coordination call with PPI's management team, you learn that PPI is a wholly-owned subsidiary of a larger corporation, Acme Manufacturing Holdings (AMH). PPI operates as an independent business unit within AMH and has its own IT infrastructure and cybersecurity policies. You need to determine the appropriate corporate entity to be assessed as the "Organization Seeking Certification" (OSC). During the coordination call, you learn that PPI has recently acquired a smaller company that will be integrated into its operations. How might this acquisition impact the CMMC Assessment scope?

  • The acquired company's assets and operations may need to be evaluated for inclusion in the Assessment scope

  • The acquired company would be excluded from the CMMC Assessment scope

  • The acquired company would be automatically included in the CMMC Assessment scope

  • The acquisition would prevent PPI from being the OSC

When determining the CMMC Assessment Scope, assets and operations that are part of the OSC need to be included. Since PPI has recently acquired a smaller company that will be integrated into its operations, the assets and operations of this acquired company may potentially need to be evaluated and included in PPI's CMMC Assessment Scope as the OSC.

170.

An OSC uses a cloud-based database for storing customer information. Employees access this database through a secure application on their company laptops. The database itself resides on servers managed by the Cloud Service Provider (CSP). When employees use the application to access customer data, what type of location are they reaching?

  • A logical location on the CSP's servers

  • The physical location of the company laptops

  • A specific room within the CSP's facility

  • A secure area within the OSC's data center

Correct answer: A logical location on the CSP's servers

When employees access the cloud-based database through the secure application on their company laptops, they are not accessing a physical location within the OSC's infrastructure. Instead, they are reaching a logical location on the servers managed by the CSP. The database resides on the CSP's servers, which are a separate logical entity from the OSC's own network and infrastructure.

171.

You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6-Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6-Alternative Work Sites, which of the following would be the least effective method for gathering information?

  • Interviewing personnel with information security responsibilities

  • Testing the actual security controls employed at alternate work sites

  • Examining procedures addressing alternate work sites for personnel

  • Reviewing assessments of safeguards at alternate work sites

While interviews can provide valuable insights, they rely on the personnel's knowledge and recollection, which may not be fully reliable, comprehensive or up-to-date regarding the specific controls and monitoring for alternate work sites. Reviewing assessments of safeguards at alternate work sites would provide direct evidence of the security posture and implemented controls at those sites. On the other hand, reviewing documented procedures is crucial to verifying the existence and requirements for alternate work site controls. Hands-on testing would be the most reliable method to validate the implementation and effectiveness of the required controls.

172.

During your review of an OSC's system security controls, you focus on CMMC practice SC.L2-3.13.9-Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario describes using a central firewall for network security. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9-Connections Termination for the remote access application?

  • Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period.

  • Encrypting all traffic between the user device and the server to protect CUI in transit.

  • Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server.

  • Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses.

Firewalls can be configured with specific rules to manage connections and enforce timeouts. In this scenario, the OSC can create firewall rules to identify connections associated with the CUI access application and terminate them after a predefined period of inactivity, thus aligning with CMMC practice SC.L2-3.13.9-Connections Termination.

173.

Prior to starting an assessment, an OSC must develop a data flow diagram. This diagram can then be used as a tool to help establish the context and boundaries of the CMMC assessment activities. What is critical to capture while developing the data flow diagram?

  • Business processes, subprocesses, and assets and systems used to support the process

  • A list of all employees and their job functions

  • The organization's network topology and hardware configurations

  • The physical layout of the organization's office spaces

Correct answer: Business processes, subprocesses, and assets and systems used to support the process

Developing the data flow diagram requires capturing the details of the organization's business processes, subprocesses, and associated assets and systems used to support those processes. This information is critical to establishing the appropriate context and boundaries for the CMMC assessment as it reveals the flow of data and the key components involved in the OSC's operations.

174.

When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What assessment method would you use in evaluating CMMC practice AU.L2-3.3.6-Reduction & Reporting?

  • Testing

  • Evaluating

  • Examining

  • Interviewing

NIST SP 800-171A defines the "Test" assessment method as exercising assessment objects under specific conditions to compare actual and expected behaviors and evaluating security control effectiveness. The "Examine" method involves reviewing and analyzing to determine if security controls are implemented and operating correctly. To evaluate Splunk's audit reduction and report generation capabilities, particularly for CMMC practice AU.L2-3.3.6-Reduction & Reporting, the "Test" assessment method is the best method to use in this scenario and is preferred over "Examine." Testing Splunk under various conditions with sample logs allows for a hands-on evaluation of log processing, reduction, and reporting, ensuring a comprehensive assessment of security control effectiveness by comparing actual outputs with expected outcomes. This approach provides a more thorough understanding of the system's capabilities than merely examining configurations or outputs.

175.

As a CCA, understanding the guiding principles of the CoPC can help you when you face situations in which you are asked to compromise your values and integrity. Which of the following is NOT a guiding principle of the CoPC?

  • Availability

  • Confidentiality

  • Proper use of methods

  • Professionalism

Correct answer: Availability

The Code of Professional Conduct is defined by principles of objectivity, confidentiality, proper use of methods, and information integrity. All credentialed and registered persons, entities, and industry working groups are expected to uphold these principles in all activities related to carrying out their roles in the CMMC ecosystem. Availability is not one of these guiding principles.

176.

When assessing an OSC, you learn they have implemented several measures to protect the authenticity of their communications. All information marked CUI is encrypted using a FIPS-validated cryptographic module to ensure its confidentiality. In discussions with the system administrators, you find they use certificate-based authentication to verify the identities of communicating parties. The authenticity of digital files is verified using SHA-256 hashes. The OSC also produces logs of communication sessions to track and verify activity as evidence of compliance with SC requirements. How would you score the contractor's implementation of CMMC practice SC.L2-3.13.15-Communications Authenticity based on this scenario?

  • Met

  • Not Met

  • Not Applicable

  • Partially Met

CMMC practice SC.L2-3.13.15-Communications Authenticity focuses on ensuring that a trust relationship is established between communication parties, which directly relates to communication authenticity. The scenario describes measures such as encryption for CUI confidentiality, certificate-based authentication to verify the identities of communicating parties, and SHA-256 hashing to verify file integrity, all of which strengthen authenticity. Based on these implemented measures supporting authenticity, the OSC deserves a 'MET' score on the SPRS.

177.

One of the key areas the CCA wants to observe is how an OSC handles media sanitization, as required by the CMMC control MP.L2-3.8.4-Media Markings. The OSC arranges for the CCA to witness the organization's personnel performing a mock media sanitization process on a decommissioned hard drive. During the demonstration, the CCA carefully observes the steps taken by the OSC's team, verifying that they follow the documented procedures and effectively sanitize the media as per the CMMC requirements. The CCA notes that the team executes the process seamlessly and without any issues. What is the outcome if a test or demonstration successfully demonstrates how a CMMC practice is implemented?

  • It results in a "MET" rating for that practice.

  • It is noted as "NOT MET" for that CMMC practice.

  • It requires further investigation by the Lead Assessor.

  • It leads to immediate certification approval for the OSC.

A successful test or demonstration that demonstrates how a CMMC practice is implemented indicates compliance with the standard. As such, the practice will be marked as 'MET,' signifying that the organization has effectively implemented the required security measures. This outcome validates the organization's efforts in adhering to CMMC requirements and contributes to its overall certification readiness.

178.

Evidence is a critical aspect of an assessment. It attests that an OSC has implemented what they have documented. However, the CCA has various activities related to evidence depending on the phase they are in during a CMMC Assessment. Which of the following activities related to evidence is not true?

  • In Phase 4, detailed reports of the evidence reviewed are created, and the evidence from the Limited Practice Deficiency Correction program is assessed and (re)scored.

  • In Phase 1, the OSC provides a preliminary list of artifacts to be used as evidence.

  • In Phase 2, the evidence is collected and assessed using assessment methods, resulting in preliminary and final scoring and results.

  • In Phase 1, evidence is evaluated against adequacy and sufficiency requirements.

Reviewing and creating detailed reports of the evidence by the assessment team and the OSC Assessment Official happens in the third phase of the CMMC Assessment Process. It is also in Phase 3 that the evidence from the Limited Practice Deficiency Correction (LPDC) program is assessed and re-scored.

179.

During a CMMC assessment, you need to verify how a defense contractor protects sensitive data on storage devices. CMMC practice SC.L2-3.13.16-Data at Rest, specifically focuses on this requirement. What is the main requirement of CMMC practice SC.L2-3.13.16-Data at Rest?

  • Ensuring CUI confidentiality while at rest.

  • Control and monitor the use of VoIP technologies.

  • Protect the confidentiality of CUI at backup storage locations.

  • Implementing access control measures for CUI storage devices.

CMMC practice SC.L2-3.13.16-Data at Rest, focuses on protecting Controlled Unclassified Information (CUI) at rest within the organization's information systems. It ensures that unauthorized individuals cannot access or view CUI.

180.

You are assessing an OSC that develops applications handling Controlled Unclassified Information (CUI). As part of the assessment, you review their vulnerability scanning process. According to their risk assessment policy, the OSC conducts system vulnerability scans every three months. However, they also utilize a centralized, automated vulnerability scanning tool that performs daily scans. Upon discovering any vulnerabilities, the OSC's team applies patches and rescans their systems. Their environment includes backend database servers, web applications with custom Java code, virtual machine hosts running containerized applications, network firewalls, routers, switches, and developer workstations. During the assessment, you find that their scanning solution integrates the latest vulnerability feeds from the National Vulnerability Database (NVD), Open Vulnerability and Assessment Language (OVAL), and vendor sources. The tool generates reports using Common Vulnerability Scoring System (CVSS) metrics, and even remotely connected developer laptops are included in the scans. However, upon reviewing the vulnerability reports, you observe that the same high/critical vulnerabilities persist month after month without evidence of remediation. Furthermore, there is no record of source code scanning for their custom applications, and virtual machine hosts running the containerized applications are not included in the scans. To fully remediate the finding about containers being missed by vulnerability scans, which additional step would be required?

  • Ensure that the vulnerability scanning tool is configured to include virtual machine hosts and containerized environments in its scans, and rebuilding/redeploying containers.

  • Deploy a separate specialized container scanning solution

  • Implement runtime application self-protection (RASP) for containerized applications

  • Engage a third-party penetration testing firm to assess the containerized environment

To fully remediate the finding that vulnerability scans are missing containers, two steps are required. First, the existing vulnerability scanning solution needs to be reconfigured to include virtual machine hosts and containerized environments in its scans. This involves updating the scanning tool's configuration or employing a specialized scanning tool that can assess both the host systems and the containers they run. However, this alone does not address potentially vulnerable containers already deployed. Therefore, the second step of rebuilding all containers from trusted base images after they have been scanned and then redeploying them is also needed. Both steps are required for full remediation and would allow the OSC to detect and address vulnerabilities within the containers and their underlying infrastructure, ensuring comprehensive coverage of the entire environment.