Cyber AB CCA Exam Questions
Page 5 of 25
81.
After completing a CMMC assessment, the OSC should hash all the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. However, you have just realized that this requirement was not fulfilled, and the OSC Assessment Official cannot be reached to confirm it was done. To avoid any issues, you quickly complete this step and later inform the OSC Assessment Official.
Which CoPC principle have you just violated by hashing the evidence artifacts in place of the OSC?
- Information integrity
- Confidentiality
- Professionalism
- Objectivity
Correct answer: Information integrity
After completing an assessment, the Lead Assessor must ensure that the OSC has hashed all artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. The OSC must hash and retain artifacts for three years. Hashing is done primarily to ensure the integrity of the evidence artifacts and is the responsibility of the OSC and not the Lead Assessor. By hashing the evidence artifacts, the Lead Assessor is compromising the integrity of the evidence package and violating the guiding principle and practice.
82.
You are part of an Assessment Team tasked with conducting a CMMC Assessment for an OSC. When assessing the contractor's implementation of SC.L2-3.13.6-Network Communication by Exception, objectives [a] and [b], the OSC's system admin informs you that they use Fortinet Next-Generation Firewall (NGFW). Fortinet NGFWs are hardcoded to deny all traffic by default, and traffic is only allowed on an exception basis. While this is factual, the Lead Assessor asks you to test the NGFW to ascertain whether it meets the intent of the Assessment Objectives in SC.L2-3.13.6-Network Communication by Exception. What is the benefit of testing as an assessment method?
- Testing allows you to observe what has been done and what has not been done.
- Testing allows you to determine if the OSC has the intent to meet the Assessment Objectives.
- Testing helps determine if CMMC practices are implemented and whether adequate resources were provided to the individuals performing the practices.
- Testing provides insight into the OSC's handling of CMMC practices.
The test method is the process of exercising Assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior. The key benefit of testing as an assessment method in this scenario is that it allows you to directly observe the implementation of security controls, rather than solely relying on the system administrator's description. By testing the Fortinet NGFW, you can directly observe how the device is configured and operating, which is crucial for verifying whether the security controls required by the CMMC practice (SC.L2-3.13.6-Network Communication by Exception) are implemented correctly.
83.
Members of the CMMC ecosystem take due care to ensure that privileged information gathered during assessments or consulting remains private, even after the work engagement has ended. Which CoPC practice is described in this scenario?
- Confidentiality
- Adherence to materials and methods
- Information integrity
- Lawful and ethical practices
Correct answer: Confidentiality
One of the confidentiality practices under CoPC requires protecting identifiable and confidential customer data from unauthorized disclosure unless permitted in writing by the Cyber AB or required by a legal obligation. Members of the CMMC ecosystem must take due care to ensure that confidential or privileged information gathered during assessments or consulting remains protected, even after the work engagement has ended.
84.
You are the Lead Assessor conducting a CMMC assessment for an OSC. During the initial stages of the assessment, the OSC provided a comprehensive list of evidence sources, including various documents, policies, and procedures. However, as the assessment progresses, you notice that the OSC has started to rely more heavily on demonstrations and live system tests to showcase their compliance with certain CMMC practices. While these demonstrations and tests provide valuable insights, they deviate from the originally planned approach of primarily relying on documented evidence. This change in the evidence collection approach could potentially impact the assessment timeline and the overall assessment plan. What is the purpose of continuously monitoring the progress of evidence collection during the CMMC assessment?
- To track any discrepancies between the evidence reviewed and the evidence needed.
- To identify any changes in the OSC's approach to evidence collection.
- To ensure that the assessment team meets daily deadlines.
- To minimize the duration impacts of evidence collection efforts.
The Evidence collection status summarizes the differences between the Evidence reviewed thus far and the Evidence needed to support the completion of the Assessment results, including the recommended findings and findings. If significant changes are incurred to the manner or nature of how the OSC's Evidence is being collected and examined, those changes should be reflected in the Pre-Assessment Data Form, and the updated file should be exported to CMMC eMASS. Continuous monitoring of evidence collection progress allows the assessment team to identify any gaps or discrepancies between the evidence reviewed so far and the evidence required to complete the assessment. This ensures that the assessment remains on track and that all necessary evidence is obtained to support the assessment results and findings.
85.
An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. Basing your answer on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1-Media Protection?
- Met
- Not Met
- Not Applicable
- Partially Met
The contractor meets the CMMC practice MP.L2-3.8.1-Media Protection requirements showing strengths in inventory management, access control, and secure storage of Controlled Unclassified Information (CUI) media, with biometric cabinets and Multi-Factor Authentication (MFA) for digital access.
86.
An OSC is looking to bid for a contract to manufacture turboprop engines for an unmanned aerial vehicle (UAV) fleet used by the Army for Long-Range Reconnaissance. To manage production, the OSC will use Industrial Control Systems (ICS) and has documented them in its Operational Technology (OT) inventory. While validating the OSC's proposed assessment scope, the Assessment Team reviews their SSP. How should the C3PAO Assessment Team handle the OSC's OT during the assessment?
- Review the SSP and not assess the OT against other CMMC practices
- Accept the OSC's documentation of policies and procedures as they are.
- Assess them against CA.L2-3.12.3 - Security Control Monitoring.
- Assess them against all CMMC practices.
The CMMC Level 2 Scoping Guide requires that Operational Technology (OT) be categorized as a Specialized Asset in the proposed assessment scope. These assets are within the scope of a CMMC assessment. The Assessment Team or Lead Assessor should review the SSP in accordance with practice CA.L2-3.12.4. However, OT should not be assessed against other CMMC practices.
87.
An OSC receives a Conditional CMMC Level 2 Certification in Phase 3. During the 180-day window for Phase 4, it implements all corrective actions outlined in its POA&M. The Assessment Team and Lead Assessor review the updated POA&M and the accompanying evidence. Which of the following criteria must all be met for the OSC to receive a final CMMC L2 Certification?
- All POA&M items are scored as 'MET' and do not impact the effectiveness of other practices.
- The CMMC eMASS system has been updated with the assessment results.
- The C3PAO approves the OSC's appeal regarding the timeline for corrective actions.
- The OSC has completed a new Risk Assessment.
While a new Risk Assessment might be advisable, it's not mandatory for achieving final certification. The OSC must fully implement all POA&M items in a manner that does not change or limit the effectiveness of another practice that was scored 'MET' during the CMMC L2 assessment for which the conditional certification was issued. Specifically, the OSC must have fulfilled all the items required as part of the POA&M Close-out Assessment, which include: 1) The specific security weakness revealed by the POA&M during the CMMC L2 Assessment has been 'Fully-Implemented' and scored 'MET'; 2) All POA&M items 'Fully-Implemented' do not change and/or limit the effectiveness of another practice that has been scored 'MET' during the CMMC L2 assessment for which the CMMC L2 interim certification was issued; 3) An updated Risk Assessment shows the removal of the previous CMMC Practices listed on the POA&M; 4) An updated POA&M shows no CMMC practice deficiencies.
88.
Your organization has informed you that an OSC has contacted them for a prospective CMMC assessment. Your C3PAO has a specified number of days to acknowledge the request and propose a date for the initial coordination call. How many days does the C3PAO have to respond to the OSC's request?
- 5 business days
- 14 business days
- 7 business days
- 10 business days
The CMMC Assessment process v5.6.1 states that the 'C3PAO should respond to the OSC within five (5) business days, acknowledging the request and proposing the scheduling of an initial coordination call or virtual meeting.'
89.
You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, you find that the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9-Audit Management?
- Not Met - The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users.
- Met - The contractor has defined privileged user roles for audit management.
- Partially Met - The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined.
- Not Applicable - The practice is not relevant to the contractor's environment.
According to the scenario, the contractor has granted the ability to manage audit logging functionality to several privileged roles, such as System Administrators and Network Administrators, in addition to the Audit Administrator role. This goes against the requirements of CMMC practice AU.L2-3.3.9-Audit Management, to limit the management of audit logging functionality to a defined subset of privileged users.
90.
Organizations have to control what software can be installed for the principle of least functionality to apply. You assess the contractor's implementation of Configuration Management requirements and start by examining their documentation. They maintain a regularly updated inventory of authorized software to support their allowlisting and blocklisting efforts. The contractor has configured their information systems such that only authorized software can be executed or installed after software approval. Any attempts to install unauthorized software by unauthorized personnel are automatically logged, and an alert is sent to the system administrator. To meet the requirements of CM.L2-3.4.8-Application Execution Policy, the contractor can use the strategies below, EXCEPT?
- Encrypting data at rest and in transit
- Ensuring all software installed on their systems has undergone a rigorous approval process
- Ensuring the use of automated configuration management tools
- Application blocklisting and allowlisting
The contractors have leveraged various strategies to address the requirements of practice CM.L2-3.4.8-Application Execution Policy, including maintaining and regularly reviewing an inventory of allowed and prohibited applications. They are leveraging a software approval process to vet and authorize software before installation into organizational systems. Additionally, they use an automated tool that monitors unauthorized attempts to install software, logs violations, and sends alerts to the system administrator.
91.
While examining a contractor's audit and accountability policy, you realize they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, after several tests you find that the mechanisms implementing system audit logging are inadequate because they produce audit logs that are too limited. The generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1-System Auditing?
- Examine procedures addressing audit record generation
- Testing the system configuration settings and associated documentation
- Examining the mechanisms for implementing system audit logging
- Testing procedures addressing control of audit records
System configuration settings and procedures addressing control of audit records need to be examined, while mechanisms are implemented. Thus, the only potential assessment method consistent with the definition provided in NIST SP 800-171A and CMMC practice AU.L2-3.3.1 is examining audit record generation procedures.
92.
An OSC and a C3PAO Assessment Team are in the early stages of preparing for their CMMC assessment. During the process of confirming the corporate identity for the assessment, the Assessment Team discovers that the OSC does not have a valid Commercial and Government Entity (CAGE) code issued by the Department of Defense. The team is now considering the implications of this finding and the next steps they should take. When confirming the corporate identity to be assessed, what can happen if you determine that the HQ organization doesn't have a valid CAGE code?
- The assessment cannot continue.
- You would help the OSC register and obtain a CAGE code from the DoD.
- You would request a waiver from the DoD.
- You would continue with the assessment as planned.
If you determine that the HQ organization does not have a valid CAGE code during the process of confirming the corporate identity for an assessment, the assessment cannot continue. A CAGE code is a unique five-character ID assigned by the DoD to its suppliers and corporations. It is a mandatory requirement for companies to have a valid CAGE code to do business with the U.S. federal government or receive federal contracts and awards. Without a valid CAGE code, the organization lacks proper identification and registration with the government contracting system. This would prevent the assessment from proceeding further, as the corporate identity cannot be established and verified per regulations.
93.
When assessing an OSC as part of a C3PAO assessment team, you learn that they conduct risk assessments whenever there is a considerable change in their overall security posture. However, after interviewing personnel responsible for risk assessments, you learn they have a documented policy of conducting risk assessments annually. Where should you find this information?
- In their Risk Assessment Policy.
- In the OSC's vulnerability scanning results.
- In their Plan of Action and Milestones.
- In the OSC's SSP.
The OSC's approach to risk assessments is appropriate. Their risk assessment requirements should be documented in the Risk Assessment Policy. However, the step-by-step process for conducting and reporting the results should be detailed in one or more procedures.
94.
John is a Certified CMMC Assessor (CCA) conducting an assessment for OmniTech Inc., a manufacturing company. During the assessment, John encounters a unique situation where OmniTech has implemented a customized system for managing its supply chain operations. The evidence presented for certain CMMC practices is unconventional compared to what John has seen in previous assessments. What is John's responsibility to the OSC in this scenario?
- Evaluate the evidence within the context of OmniTech's organizational ecosystem and operational needs.
- Defer the assessment until OmniTech's system aligns with more common industry practices.
- Strictly follow a predefined assessment checklist, regardless of OmniTech's unique circumstances.
- Request that OmniTech modify their system to align with industry standards for easier evaluation.
As a CCA, John must understand that each CMMC assessment is unique, and organizations may present evidence in different ways based on their specific environments, systems, and configurations. His role is to evaluate the evidence within the context of OmniTech's organizational environment and operational needs, rather than expecting a one-size-fits-all approach or industry standards. John should maintain an open mindset and carefully review the evidence to validate whether OmniTech meets the CMMC practice objectives, regardless of their unconventional implementation.
95.
Examining an OSC's system design documentation, you notice they have implemented a CUI enclave and have a documented procedure addressing boundary protection. They have segmented their network into different zones, each having its own rules to allow or deny traffic. The OSC has implemented strict firewall rules that deny all incoming and outgoing traffic by default, only allowing specific traffic as required. To automatically block unrecognized traffic patterns, the OSC has provisioned a state-of-the-art Intrusion Detection and Prevention System (IDPS). During an interview with the network administrator, you realize that the OSC uses an allowlisting approach to explicitly allow only certain IP addresses, domains, or services to communicate with their system. Their IT security team monitors network traffic to detect any unauthorized attempts to connect or communicate with their system. The scenario states that network traffic is monitored to detect unauthorized connection attempts. Which of the following best describes the purpose of monitoring network traffic in the context of CMMC practice SC.L2-3.13.6-Network Communication by Exception?
- To identify and potentially respond to suspicious or anomalous traffic patterns that might indicate attempted breaches.
- To identify and automatically add to the allowlist new legitimate communication requests.
- To verify that firewall rules are correctly configured and functioning as intended.
- To generate reports on network bandwidth usage for capacity planning purposes.
CMMC practice SC.L2-3.13.6-Network Communication by Exception requires organizations to deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Monitoring network traffic in this context serves to identify and potentially respond to suspicious activity that might violate the deny-all principle of SC.L2-3.13.6. This proactive approach helps detect potential breaches and mitigate risks.
96.
An OSC's network diagram shows a separate network segment (192.168.50.0/24) designated for its engineering department. This segment restricts access to specific engineering resources. While the servers are physically located in a shared data center, the network configuration isolates them logically. Through which of the following does the network segmentation create isolation for the engineering department's resources?
- Logical separation through network configuration
- Encryption of engineering data at rest
- Requirement of a security badge to access the data center
- Physical barriers within the data center
Correct answer: Logical separation through network configuration
Network segmentation creates isolation for the engineering department's resources through logical separation, not physical barriers. Even though the servers are physically located in a shared data center, the network configuration of a separate network segment (192.168.50.0/24) for the engineering department logically isolates the engineering resources from the rest of the organization's network. This logical isolation is achieved through network segmentation, such as the use of subnets, firewalls, or access control lists, which restrict access to the engineering network segment and the resources within it. The physical location of the servers remains the same, but the logical network segmentation ensures the engineering resources are isolated and protected.
97.
Patrick has taken the CCP examination and registered with a Licensed Training Provider for a CCA course. After he completes the CCA training, the LTP recommends that he go to the Cyber AB for the examination. However, knowing that the exam will be challenging, Patrick pays John, a certified CCA, a fee to take it on his behalf.
Has John violated any CoPC guiding principles? If so, which one(s)?
- Yes, information integrity and professionalism
- No, he has not
- Yes, objectivity and proper use of methods
- Yes, objectivity and respect for intellectual property
Correct answer: Yes, information integrity and professionalism
John has violated the professionalism and information integrity practices of the CMMC CoPC. Paragraph 3.4 (6) of the CoPC explicitly prohibits this kind of action, requiring members of the CMMC ecosystem not to cheat, assist another in cheating, or allow cheating on examinations. Cheating includes unauthorized reproducing, distributing, displaying, discussing, sharing, or otherwise misusing test questions or any part of test questions before, during, or after an examination.
98.
You are the Lead Assessor assigned by your C3PAO to conduct a CMMC Assessment for a small manufacturing company, Precision Parts Inc. (PPI). During the initial coordination call with PPI's management team, you learn that PPI is a wholly-owned subsidiary of a larger corporation, Acme Manufacturing Holdings (AMH). PPI operates as an independent business unit within AMH and has its own IT infrastructure and cybersecurity policies. You need to determine the appropriate corporate entity to be assessed as the "Organization Seeking Certification" (OSC). During the coordination call, you discover that PPI has a dedicated enclave for its engineering design activities. How would this enclave be addressed in the CMMC Assessment?
- The enclave could be included within the Assessment scope of PPI as the OSC
- The enclave would be treated as a separate OSC from PPI
- The enclave would be excluded from the Assessment scope
- The existence of the enclave would prevent PPI from being the OSC
An enclave refers to a set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. It can also be described as a segmentation of an organization's network or data that is intended to "wall off" that network or database from all other networks or systems. An enclave can fall within a CMMC Assessment scope. Since PPI's engineering design enclave is a segmented part of its network, it could be included within the Assessment scope of PPI as the OSC.
99.
A C3PAO has hired a full-time CCA and included them in an Assessment Team sent to conduct a CMMC assessment. However, as part of their agreement with Cyber AB, the CCA and, by extension, the C3PAO are expected to uphold a set of values during the assessment. What document sets the expectations for accredited and credentialed entities authorized to deliver CMMC services under Cyber AB licensing?
- CMMC Code of Professional Conduct
- CMMC Code of Ethical Conduct
- Code of Ethical Conduct
- Code of Professional Control
Correct answer: CMMC Code of Professional Conduct
The CMMC Code of Professional Conduct (CoPC) sets expectations for credentialed individuals and accredited entities authorized to deliver CMMC services under license from the Cyber AB. It also sets expectations for RPs and RPOs that deliver unlicensed, non-certified services and choose to register with the Cyber AB, as well as for other individuals and entities with a relationship to it.
100.
You are part of an Assessment Team that has just completed a CMMC assessment for an OSC. The assessment is deemed complete after the CMMC results and artifacts are uploaded to the CMMC eMASS system. You overhear one of the CCAs chatting with their friends about how sloppily the OSC categorized their evidence. They even share some information about the assessor's network designs. Based on this scenario, which of the following statements is true?
- The CCA has violated the confidentiality principle of the CoPC
- The CCA is not behaving objectively
- The CCA is well within their rights to express their feelings
- The CCA has failed to use materials and methods properly
Correct answer: The CCA has violated the confidentiality principle of the CoPC
Confidentiality requires that the CCA and Assessment Team protect identifiable and confidential customer data from unauthorized disclosure unless permitted in writing by the OSC or required by a legal obligation to disclose such information. Entities and individuals must also ensure that confidential or privileged information gathered during assessments or consulting remains protected even after a work engagement has ended.