Cyber AB CCA Exam Questions


21.

You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Which of the following assessment methods would be most helpful in gathering additional evidence regarding the OSC's compliance with CMMC practice SC.L2-3.13.4-Shared Resource Control?

  • Examining the OSC's acceptable use policy (AUP) for restrictions on cloud storage usage.

  • Reviewing interview transcripts with system developers.

  • Analyzing network traffic logs for suspicious data transfer activity.

  • Testing system configurations related to data encryption at rest.

The OSC's acceptable use policy (AUP) is the most likely document to outline restrictions on shared resources, including cloud storage services. CMMC practice SC.L2-3.13.4-Shared Resource Control focuses on preventing unauthorized information transfer through shared resources, and the AUP should detail the organization's controls to achieve this objective. Reviewing the AUP would provide direct evidence of the OSC's approach to managing shared resources and any potential limitations on personal cloud storage usage.

22.

As the Lead Assessor for an OSC, John admires their advanced security solutions during the assessment. However, his admiration distracts him from the assessment's focus. Instead, he engages in conversation about the OSC's robust security, becoming swayed by their capabilities. Consequently, John becomes hesitant to identify deficiencies or noncompliances, displaying a positive bias toward the OSC. What is the impact of this positive bias on the CMMC assessment of the OSC?

  • It can result in a more lenient and inaccurate assessment of the OSC

  • It has no effect on the assessment process and outcomes

  • It is not a concern in CMMC assessments

  • It may lead to a more thorough and rigorous evaluation of the OSC

Correct answer: It can result in a more lenient and inaccurate assessment of the OSC

Just as negative bias can lead to an overly critical evaluation, positive bias can cause an assessor to overlook deficiencies or noncompliances, resulting in a more lenient and potentially inaccurate assessment. Assessors must remain vigilant in identifying and managing any personal biases, whether positive or negative, to ensure they deliver objective and reliable CMMC assessments.

23.

An OSC uses VoIP from a reputable vendor for video conferencing with external partners. They have a documented policy outlining authorized users and approved platforms for video conferencing. All VoIP traffic is encrypted to protect the content of the communication from interception and eavesdropping. The security team has deployed a firewall and an Intrusion Detection and Prevention System (IDPS) specifically for the VoIP system. When interviewing the communications team about access controls, you learn that users enter a conference simply by clicking an autogenerated link they receive. The team also monitors the system daily to ensure that any malicious activities are detected and addressed according to their incident response plan. From a CMMC compliance perspective with SC.L2-3.13.14-Voice over Internet Protocol, which aspect of the organization's video conferencing setup raises the most concern regarding the control of VoIP usage?

  • Encryption protects the content of communication, but user access control is not addressed.

  • The documented policy outlines authorized users and platforms, which is good practice.

  • A firewall and Intrusion Detection and Prevention System (IDPS) are deployed for the VoIP system, providing network protection.

  • Using a reputable VoIP vendor ensures a secure platform.

SC.L2-3.13.14-Voice over Internet Protocol emphasizes controlling VoIP usage. While other measures highlight security aspects, the primary concern is user access control. Relying solely on auto-generated links for access might not ensure user authentication, potentially allowing unauthorized individuals to join conferences if they obtain a link.

24.

A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix. Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3-Vulnerability Remediation?

  • Document the risk acceptance rationale and continue monitoring the risk from the vulnerability

  • Permanently disregard the vulnerability and take no further action

  • Implement compensating controls to reduce the associated risk

  • Immediately contract a third party to assist with remediation

CMMC practice RA.L2-3.11.3-Vulnerability Remediation requires action to be taken for remediation, acceptance, avoidance, or transference. If a vulnerability cannot be remediated, then the organization needs to accept the risk and make a risk-based decision. To do this, the OSC must document the vulnerability, acknowledge that they are accepting the risk along with the rationale for risk acceptance, and ensure the risk from the unmitigated vulnerability is monitored continuously in case risk factors change.

25.

After numerous discussions and iterations, the OSC and Lead Assessor have finalized the Pre-Assessment Plan, which outlines the key details of how the assessment will be conducted, including the scope, timeline, resource requirements, and other logistical considerations. What is the final step before commencing a CMMC assessment?

  • Uploading the Pre-Assessment Data Form into CMMC eMASS.

  • Reviewing the Pre-Assessment Data Form.

  • Creating a new data upload in CMMC eMASS.

  • Obtaining approval from the Lead Assessor.

After the OSC and Lead Assessor agree on the content and submit the final Pre-Assessment Plan, it is uploaded into CMMC eMASS at the completion of Phase 1. This must be done before the assessment commences.

26.

When validating an OSC's proposed CMMC assessment scope, the Assessment Team finds that the OSC has properly categorized its assets. The OSC has contracted an External Service Provider (ESP) for various cybersecurity functions. The ESP has deployed FortiSIEM and Splunk for real-time security monitoring, threat intelligence, application monitoring, log management, and reporting. They also deployed Microsoft Intune and configured app protection policies blocking proscribed apps and those suspected of data exfiltration. How should you handle the ESP during the CMMC Assessment?

  • Assess against CMMC practices

  • They are out of scope; there is no need to assess them against CMMC practices.

  • Assess them against CA.L2-3.12.4 - System Security Plan only.

  • Review the SSP per practice CA.L2-3.12.4 - System Security Plan.

CMMC Level 2 scoping guidance requires assessing Security Protection Assets, including ESPs and their tools, against relevant CMMC practices. This ensures a comprehensive evaluation of the overall cybersecurity posture protecting CUI within the contractor's environment. While all 110 controls might not be directly applicable, the assessment should focus on the controls that align with how the ESP contributes to CUI security.

27.

The Daily Checkpoint meeting is a required component of the CMMC assessment process. It is conducted at the end of every day and includes the Assessment Team, Lead Assessor, OSC PoC, OSC Assessment Official, and other key personnel. This meeting helps ensure all the following, EXCEPT?

  • The C3PAO Assessment Team is comfortable.

  • Issues impacting the completion of the assessment are identified, mitigated, and resolved.

  • Data collection needs are being met.

  • The assessment is proceeding as planned.

The goal of the daily checkpoint meeting is to maintain context during the review of evidence and to identify and resolve any issues that may be impacting the completion of the assessment. However, ensuring that the C3PAO Assessment Team is comfortable is not one of the purposes of the daily checkpoint meeting. The meeting is focused on ensuring the assessment is progressing as planned, that data collection needs are being met, and that any issues are identified and addressed promptly.

28.

During CMMC assessment preparation, the OSC's executive team decides to hold a meeting to review the company's CMMC readiness and provide guidance. The OSC informs the CCA about this meeting, but the CCA notes that this event does not require an update to the Pre-Assessment Data Form. The Pre-Assessment Data Form should be updated whenever the following arise, EXCEPT?

  • When the OSC's executives meet.

  • When any change to the OSC's CMMC Assessment Scope is declared.

  • The C3PAO makes changes to the makeup of its Assessment Team.

  • When any unplanned disruptions like natural disasters emerge.

The Pre-Assessment Data Form should be continuously updated whenever significant change occurs, including but not limited to: 1. If/when any significant changes to the framing of the Assessment and the OSC-C3PAO contract occur; 2. Any change to the OSC's CMMC Assessment Scope (e.g., added or removed assets or removed process roles) is declared; 3. Changes to dates/times or scheduled Assessment events, including the scheduled dates for the Assessment itself, are agreed upon; 4. The C3PAO effects changes to the makeup of its Assessment Team; and 5. Any unplanned disruptions (e.g., COVID-19 travel restrictions or protocols, natural disasters, etc.) emerge. These significant events do not include a meeting of the OSC's executives unless it has a significant bearing on the assessment, such as when the OSC PoC or Assessment Lead is terminated or transferred.

29.

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4-Audit Failure Alerting, which of the following would be a key consideration regarding the evidence provided by the contractor?

  • Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios

  • Ensuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted

  • Determining if the documented personnel roles for alert notification align with the organization's hierarchy

  • Checking if the alert notification process integrates with third-party monitoring services

When assessing the sufficiency and adequacy of a contractor's implementation of AU.L2-3.3.4-Audit Failure Alerting, a key consideration should be verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios. Per CMMC guidance, practice AU.L2-3.3.4 requires defining the "types of audit logging process failures for which alerts will be generated." An assessor should review the contractor's documentation to ensure they have identified a sufficiently broad range of failure scenarios, including software errors, hardware failures, storage capacity issues, component-level failures, and overall system/centralized logging solution failures. Comprehensively defining these failure types is crucial to ensure appropriate alerting mechanisms are in place to effectively detect and respond to various audit logging process failures. The other options, while relevant to the practice, may not be the primary focus areas for an assessor evaluating the sufficiency and adequacy of the implementation evidence provided by the contractor.

30.

A CCA who works for a C3PAO doubles as a penetration tester. When conducting a CMMC assessment for an OSC, he realizes their cybersecurity practices are lacking. Recognizing potential vulnerabilities in their systems, the CCA approaches the OSC's cyber team and offers his penetration testing services. Which CoPC guiding principle or practice has the CCA failed to live up to?

  • Professionalism

  • Conflict of interest

  • Assurance

  • Confidentiality

Correct answer: Professionalism

The C3PAO must take steps to prevent these types of missteps, such as training or informing their sponsored CMMC-credentialed individuals to never actively solicit business from customers, either for the organization or for themselves in their line of duty. Therefore, although the guilty party is the CCA, the C3PAO did not live up to the CoPC's professional expectations.

31.

An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. After personnel termination or transfer, the OSC should do all the following, EXCEPT? Choose all that apply.

  • Keep tabs on the terminated employee to ensure they do not sell company secrets or disseminate CUI

  • Notify stakeholders that an employee has been terminated and is no longer associated with the company.

  • Change passwords and shared keys to which a transferring or departing individual had access.

  • Implement continuous monitoring to detect any unauthorized access attempts after personnel changes.

CMMC practice PS.L2-3.9.2-Personnel Actions focuses on revoking access, retrieving equipment, conducting exit interviews, and notifying stakeholders upon personnel termination or transfer. Although not explicitly mentioned, monitoring information systems after personnel changes is necessary to ensure any attempts to use old credentials and authenticators to access information systems are detected. However, spying on or keeping tabs on terminated employees may infringe on their privacy and is not recommended.

32.

When validating an OSC's proposed CMMC assessment scope, the Assessment Team finds that the OSC has properly categorized its assets. The OSC has contracted an External Service Provider (ESP) for various cybersecurity functions. The ESP has deployed FortiSIEM and Splunk for real-time security monitoring, threat intelligence, application monitoring, log management, and reporting. They also deployed Microsoft Intune and configured app protection policies blocking proscribed apps and those suspected of data exfiltration. What type of Asset is the ESP?

  • Security Protection Asset (SPA)

  • CUI Asset

  • Contractor Risk Managed Asset (CRMA)

  • Out-of-scope asset

Whether considered a consultant or a managed services provider, the ESP is a Security Protection Asset and must be categorized as such. In fact, pages 3 and 4 of the CMMC assessment scope guidance explicitly state that an ESP is an SPA.

33.

You are the Lead Assessor for a C3PAO Assessment Team that has recently completed a CMMC Level 2 assessment for an OSC. You and your Assessment Team have finalized the assessment process and are now in Phase 3 - Report Recommended Assessment Results. You are preparing to deliver the final recommended findings to the OSC Assessment Official and OSC participants during the Final Findings Briefing. After you present the final recommended findings and practice scores, what is the next step in the CMMC Assessment Process?

  • The C3PAO CQAP conducts an internal quality review of the Assessment Results Package.

  • The OSC submits an appeal using the Assessment Appeals Process if it disagrees with the findings.

  • You archive all assessment artifacts and dispose of them after three years.

  • You submit the Assessment Results Package directly to CMMC eMASS.

CMMC Assessment reporting requirements mandate that the Lead Assessor submits the findings summary, practice scores, and respective scores to their C3PAO for review. The C3PAO CQAP then conducts an internal quality review. Once the quality review is complete, the results are submitted by the designated C3PAO CMMC eMASS account holder into CMMC eMASS. The assessment results must meet internal C3PAO review, quality assurance, and approval procedures before the Assessment results data are uploaded into CMMC eMASS. All results, successful or not, are to be uploaded to the CMMC instance within CMMC eMASS for official recording and tracking.

34.

An OSC has provided its System Security Plan (SSP) as evidence for several CMMC practices related to system security. During your examination of the SSP, you discover a section outlining procedures for user access controls. However, upon further review, you find no mention of procedures for managing privileged accounts, which is a critical aspect of secure system access. If the OSC provides a separate document outlining privileged account management procedures, and upon review, these procedures appear sufficient, how should the Lead Assessor proceed with the SSP as evidence?

  • Accept both the SSP and the separate document as evidence and proceed with the assessment.

  • Mark the related user access control practice as "Not Met" due to the initial deficiency in the SSP.

  • Request that the OSC formally incorporate the privileged account management procedures into the SSP for consistency.

  • Deduct points from the overall assessment score due to the initial oversight in the SSP.

Finding a separate document outlining sufficient privileged account management procedures demonstrates that the OSC has addressed the initial gap identified in the SSP. Punishing them for the initial oversight would not be fair if the separate document fulfills the requirement. Requesting integration into the SSP might improve document consistency, but it is not strictly necessary if both documents are clear and followed.

35.

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. How would you assess the contractor's implementation of AU.L2-3.3.7-Authoritative Time Source?

  • Not Met

  • Met

  • Not Applicable

  • Partially Met

The CMMC practice AU.L2-3.3.7-Authoritative Time Source requires that "internal system clocks used to generate time stamps for audit records are compared to and synchronized with an authoritative time source." While the contractor has implemented a central NTP server as the authoritative time source, the fact that the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds does not meet the requirement for consistent synchronization across all systems. This 30-second threshold means that the new systems may not be adequately synchronized with the NTP server for up to 30 seconds, potentially resulting in inconsistent time stamps across systems. This is not compliant with the practice's requirement for uniform time stamps.

36.

A CCA receives a notification from the Cyber AB that they are being investigated for a potential violation of the CoPC. They are concerned about the potential consequences and want to understand the process better. Who has the final authority to determine the corrective action taken against a CCA, if any?

  • The CMMC Accreditation Body (the Cyber AB)

  • The C3PAO

  • The Lead Assessor

  • The investigator assigned to the CCA's case

Correct answer: The CMMC Accreditation Body (the Cyber AB)

The CMMC Accreditation Body has sole authority to determine corrective action even though an investigation might be conducted by a designated investigator. However, working group chairs may, at times, determine corrective actions.

37.

John, a Certified CMMC Assessor (CCA), reports to the Cyber AB that he has observed his colleague, Jane, also a CCA, providing inaccurate guidance to a client during a CMMC assessment. The Cyber AB acknowledges the report and begins an investigation. What should the Cyber AB do in response to John's report?

  • Conduct a thorough investigation of the incident, notify the accused (Jane), and give her an opportunity to respond, with a right of appeal to the Cyber AB

  • Refer the incident to the relevant industry working group for resolution

  • Immediately suspend Jane's CCA certification pending the outcome of the investigation

  • Dismiss the report, as it is not their responsibility to investigate potential violations by individual CCAs

Correct answer: Conduct a thorough investigation of the incident, notify the accused (Jane), and give her an opportunity to respond, with a right of appeal to the Cyber AB

In this scenario, John has reported a potential violation by his colleague, Jane, to the Cyber AB. The Cyber AB is required to conduct a thorough investigation, provide notice to Jane, and give her an opportunity to respond. Jane must also be granted the right to appeal the Cyber AB's decision.

38.

During your on-site CMMC assessment of an OSC, you determine that the organization is performing the practical aspects of PE.L1-3.10.3-Escort Visitors. However, upon further review, you notice that their standard operating procedures (SOPs) do not align with the new processes being implemented by the outsourced security guard company they recently hired. Given this discrepancy between the documented procedures and the actual implementation, what should the OSC do with respect to practice PE.L1-3.10.3-Escort Visitors?

  • Track it under Limited Practice Deficiency Correction (LPDC) program and correct it within 5 days.

  • Negotiate with the CCA to overlook it and promise to correct the discrepancy as early as possible.

  • Fire the security guards and bring in state police to guard the premises.

  • Track it under the Limited Practice Deficiency Correction (LPDC) program and correct it within 180 days.

PE.L1-3.10.3-Escort Visitors is one of the allowable practices for the Limited Practice Deficiency Correction program. A practice may be placed on the Limited Practice Deficiency Correction program if it is: 1) A practice that was implemented, but missing minor updates (e.g. updates to policy signatures, procedural documentation that exists but is outdated, etc.), but where the practice Evidence demonstrates the implementation has been in place for a period of time; and 2) Consensus among the C3PAO Assessment Team that the practice in question does not change and/or limit the effectiveness of another practice that has been scored as "MET." Both criteria must be in play for a particular practice to be tracked under the Limited Practice Deficiency Correction program. Additionally, deficiencies are required to be corrected within five (5) business days from the Final Findings Briefing or by an alternative date determined by the Lead Assessor, but a date not to exceed five (5) calendar days prior to the submission of the Final Findings Report into CMMC eMASS.

39.

When assessing an OSC's compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated. While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor's cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2-Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?

  • 90 days

  • 72 days

  • 72 hours

  • 90 hours

Although CMMC doesn't explicitly define the period for which the contractor should retain the incident-related records, DFARS 252.204-7012 is perhaps the best point of reference. Under the clause, the contractor should store such information for 90 days. This would allow the DoD to request information that can aid in their investigations, if necessary.

40.

During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. What is the biggest threat to the security of Defcon's systems from this scenario?

  • The biggest threat to the security of Defcon's systems is a lack of consistent user awareness and understanding of security and privacy responsibilities, particularly regarding Controlled Unclassified Information (CUI) handling.

  • The banners were too brief, providing insufficient time for users to read and acknowledge important security and privacy information.

  • The security and privacy banners were not integrated with mandatory user acknowledgment mechanisms, reducing their effectiveness in ensuring compliance.

  • The banners failed to include clear instructions or links to additional resources for proper CUI handling procedures, leaving users without guidance on next steps.

Inconsistent Display of Banners: If security and privacy notices, including those related to CUI handling, are not consistently displayed across all systems and workstations, some users may not be aware of their responsibilities or the importance of properly handling CUI. This inconsistency increases the risk of mishandling sensitive information.

Insufficient Display Time: The fact that banners disappear after less than 5 seconds significantly reduces the likelihood that users will read, understand, and acknowledge the content. This can lead to users missing critical information about their legal obligations and the consequences of mishandling CUI.

Lack of Specific Details: Banners that do not provide detailed information about CUI handling and legal implications fail to adequately inform users of the specific actions they need to take to protect sensitive information.