
Verified CMMC-CCA Dumps Q&As - CMMC-CCA Test Engine with Correct Answers
Pass Your CMMC-CCA Dumps as PDF Updated on 2025 With 152 Questions
NEW QUESTION # 62
An OSC outsources all of its security incident and event monitoring work to a third-party SOC. Additionally, the OSC utilizes a cloud-hosted antivirus (AV) system to fulfill the requirement of having virus protection without hosting additional servers on-site.
During the scoping discussion, both the SOC and AV should be listed as what type of asset?
- A. They are Out-of-Scope Assets due to being fully hosted/operated by third parties.
- B. They are CUI Assets due to their operation within a CUI network.
- C. They are Contractor Risk Managed Assets because they are not physically or logically isolated from CUI assets.
- D. They are Security Protection Assets due to their performance of security functions.
Answer: D
Explanation:
The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets, even if outsourced to third parties.
Extract:
"Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope." Therefore, SOC and AV must be categorized as Security Protection Assets.
Reference: CMMC Scoping Guidance - Security Protection Assets.
NEW QUESTION # 63
The Lead Assessor has conducted an assessment for an OSC. The OSC's practices have been scored and preliminary results validated. Based on this information, what is the NEXT logical step?
- A. Deliver recommended assessment results.
- B. Determine CMMC Assessment scope.
- C. Create, finalize, and record recommended final findings.
- D. Consider additional evidence and record gaps.
Answer: C
Explanation:
* Applicable Requirement: CAP - Assessment Execution Phase.
* Why C is Correct: After scoring and validating preliminary results, the next step is to create, finalize, and record recommended final findings for submission. This closes the assessment process and supports certification decisions.
Why Other Options Are Insufficient:
* A: Results are delivered after finalization, not immediately after validation.
* B: Scope determination occurs in planning, not after validation.
* D: Considering additional evidence occurs during data collection, before validation.
References (CCA Official Sources):
* CMMC Assessment Process (CAP) v1.0 - Reporting Phase
* CMMC Assessment Guide - Level 2 - Assessment Closure
NEW QUESTION # 64
An organization's password policy includes these requirements:
* Passwords must be at least 8 characters in length.
* Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.
* Passwords must be changed at least every 90 days.
* When a password is changed, none of the previous 3 passwords can be reused.
Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?
- A. It does not require the password to contain at least one special character.
- B. It does not specify a minimum change of character requirement.
- C. It does not include a list of prohibited passwords.
- D. It does not require MFA.
Answer: A
Explanation:
IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.
Extract:
"Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters." Thus, the missing requirement is the use of a special character.
Reference: CMMC Assessment Guide - Level 2, IA.L2-3.5.7.
NEW QUESTION # 65
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?
- A. Increase the engineer's salary to incentivize careful work
- B. Invest in more powerful development machines
- C. Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties
- D. Institute mandatory overtime for the engineer to complete tasks faster
Answer: C
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.4 - Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling all tasks concentrates privileges, increasing the risk of error or malice. Assigning separate roles and adding peer reviews (C) mitigates this, aligning with CMMC intent. Salary (A), hardware (B), and overtime (D) don't address duty separation or risk reduction.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
* NIST SP 800-171A, 3.1.4: "Recommend role distribution."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
NEW QUESTION # 66
When preparing for an assessment, the assessor determines that the client's proprietary data resides within an enclave. However, the assessor is unable to review policies containing proprietary data onsite and plans to have the policies copied on removable media by the client's IT staff, whom they are scheduled to interview.
What should the assessor consider as part of their planning?
- A. No proprietary data can leave the client's environment under any circumstances.
- B. The assessor can transmit data outside the client's environment if the client's IT support staff grants access.
- C. No proprietary data can leave the client's environment without the express written consent of the OSC POC.
- D. No proprietary data can leave the client's environment without the express written consent of the OSC Assessment Official.
Answer: D
Explanation:
Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC's Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.
Exact Extracts:
* CMMC Assessor Code of Professional Conduct: "No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC's designated Assessment Official."
* "Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization."
Why the other options are not correct:
* A: Too absolute - proprietary data can leave if AO provides written consent.
* B: IT staff cannot authorize release of proprietary data.
* C: POC is not the authority for data release - only the Assessment Official is.
References:
CMMC Code of Professional Conduct: Confidentiality requirements.
CMMC Assessment Guide - Level 2: Ethical responsibilities of assessors.
NEW QUESTION # 67
Security Protection Assets (SPAs) include people, technologies, and facilities. Which of the following technologies is not an SPA?
- A. Virtualized desktops
- B. SIEM Solutions
- C. Hosted VPN Services
- D. Cloud-based security solutions
Answer: A
Explanation:
Comprehensive and Detailed Explanation:
SPAs, per the CMMC Assessment Scope - Level 2, are assets providing security functions or capabilities to the CMMC Assessment Scope, regardless of CUI handling. SIEM Solutions (Option B), Hosted VPN Services (Option C), and Cloud-based security solutions (Option D) all provide security (e.g., encryption, monitoring), qualifying as SPAs. Virtualized desktops (Option A) are endpoints for user access, not security tools, unless configured as such (not indicated here). A is the correct answer.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (SPAs), p. 6: "SPAs provide security functions, e.g., VPNs, SIEMs, not general-purpose endpoints."
NEW QUESTION # 68
During a CMMC Level 2 assessment, a CCA is evaluating whether the organization meets the requirement to "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." According to the CMMC requirement, the CCA must determine whether FIPS-validated cryptography is employed to protect the confidentiality of CUI. Which assessment procedure would the CCA most likely use to evaluate this requirement?
- A. Observe the organization's use of cryptographic controls in practice
- B. Examine the cryptographic modules
- C. Interview personnel responsible for implementing cryptographic controls and review documentation of the organization's cryptographic policies and procedures
- D. Examine validation certificates of the cryptographic modules used by the OSC
Answer: D
Explanation:
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.11 requires FIPS-validated cryptography for CUI confidentiality, per NIST SP 800-171. Examining validation certificates (Option D) directly confirms FIPS compliance, as mandated by NIST SP 800-171A's examine method, providing the most conclusive evidence. Option B (examining modules) is vague without certificates. Option C (interviews/documentation) supports but isn't definitive. Option A (observing use) doesn't verify FIPS validation. Option D is the correct answer.
Reference Extract:
* NIST SP 800-171A, SC-3.13.11: "Examine FIPS validation certificates to confirm cryptography meets standards."
Resources:
* https://csrc.nist.gov/pubs/sp/800/171/a/final
NEW QUESTION # 69
In assessing the security boundaries, you determine that an OSC processes, stores, and transmits CUI and FCI within the same assessment scope. To what maturity level will you at a minimum assess and certify the OSC?
- A. The OSC must separate the scope for assets that process, store, or transmit CUI from those that handle FCI.
- B. You should refer the OSC to Cyber AB.
- C. CMMC Level 2
- D. CMMC Level 1
Answer: C
Explanation:
Comprehensive and Detailed Explanation:
The CMMC framework allows FCI and CUI to be within the same assessment scope, but the presence of CUI mandates a minimum of Level 2 certification, as Level 1 only addresses FCI protection (17 practices). The CMMC Assessment Scope - Level 2 states that if CUI is processed, stored, or transmitted, the OSC must meet all 110 Level 2 practices. Separation (Option A) is optional, not required, and a single Level 2 certification can cover both. Option B is irrelevant to the question, and Option D is insufficient for CUI. C is correct.
Reference:
CMMC Assessment Scope - Level 2, Section 1.1 (Level Applicability), p. 2: "Level 2 is required when CUI is present."
NEW QUESTION # 70
CMMC MA.L2-3.7.6 - Maintenance Personnel requires that maintenance personnel without required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities. Which of the following elements should be excluded from the documented procedure?
- A. The method used to authenticate and monitor the supervisor's activity during the maintenance session
- B. A detailed list of all CUI assets that the maintenance activity might impact
- C. The specific steps authorized for the visiting maintenance personnel with limited access
- D. Contact information for the organization's IT security team in case of emergencies or unexpected issues
Answer: B
Explanation:
Comprehensive and Detailed In-Depth Explanation:
MA.L2-3.7.6 requires "supervising maintenance personnel without access authorization." Procedures should focus on supervision logistics: supervisor monitoring (A), steps for personnel (C), and IT contact (D). A list of CUI assets (B) is unnecessary and impractical, as it may vary per task and isn't required for supervision, per the CMMC guide.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.6: "Include supervision steps, not asset lists."
* NIST SP 800-171A, 3.7.6: "Examine supervision procedures."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
NEW QUESTION # 71
The CMMC Assessment Process (CAP) requires the Lead Assessor to validate the CMMC Assessment Scope proposed by the OSC. What is the main task that the Lead Assessor must conduct in validating the CMMC Assessment Scope?
- A. Verify that the boundaries within the organization's networked environment contain all the assets that will be assessed based on the assessment scope.
- B. Ensure that the OSC has reviewed and approved the assessment scope.
- C. Document any discrepancies between the OSC's proposed scope and the actual systems and data.
- D. Determine if any additional systems or data should be included in the assessment scope.
Answer: A
Explanation:
Comprehensive and Detailed Explanation:
The CAP designates scope validation as the Lead Assessor's primary responsibility in Phase 1, ensuring the proposed scope accurately encompasses all assets to be assessed (CUI Assets, SPAs, etc.) within the defined boundaries. Option C is a byproduct, not the main task. Option D is part of the process but secondary to verification. Option B shifts responsibility to the OSC, contrary to the CAP. A is the core task per the CAP and scoping guide.
Reference:
CMMC Assessment Process (CAP) v1.0, Section 2.2 (Scope Validation), p. 9: "The Lead Assessor verifies that the scope contains all assets to be assessed."
NEW QUESTION # 72
You are a CCA on an Assessment Team. During a daily checkpoint meeting, the OSC PoC complains that the assessment process is taking too long and asks if some practices can be skipped to speed things up. How should you respond?
- A. Agree to skip non-critical practices to accommodate the OSC's timeline.
- B. Suggest that the OSC discuss the issue with the Lead Assessor to negotiate a reduced scope.
- C. Explain that all practices must be assessed as required by the CMMC Assessment Process and cannot be skipped.
- D. Recommend that the OSC hire additional staff to expedite evidence collection.
Answer: C
Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP mandates assessing all practices, making Option C correct. Options A, B, and D violate CAP and CoPC standards.
Extract from Official Document (CAP v1.0):
* Section 2.1 - Evidence Collection (pg. 24): "All practices must be assessed as required by the CMMC Assessment Process."
References:
CMMC Assessment Process (CAP) v1.0, Section 2.1.
NEW QUESTION # 73
You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC's collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC's compliance with CMMC practice SC.L2-3.13.12 - Collaborative Device Control regarding the remote activation of web cameras?
Choose all that apply.
- A. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation
- B. Network traffic logs showing no instances of remote activation attempts on the web cameras
- C. System configuration settings for the web cameras, verifying that remote activation is enabled
- D. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies
Answer: D
Explanation:
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.12 requires "prohibiting remote activation of collaborative devices without user authorization, or controlling it to prevent unacceptable risk." The IT exception for webcams suggests a controlled allowance. A risk assessment (D) justifies this exception, showing risks (e.g., privacy) and mitigations (e.g., IT authorization), aligning with CMMC's risk-based approach. Logs (B) show usage, not policy compliance; training (A) supports awareness, not control; configs (C) confirm capability, not authorization rationale. D is most directly tied to compliance evidence.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.12: "Examine risk assessments for exceptions to remote activation prohibitions."
* NIST SP 800-171A, 3.13.12: "Assess documented risk mitigations for controlled exceptions."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
NEW QUESTION # 74
Testing is one assessment method the Lead Assessor may choose depending on the assessment scope and evidence provided by the OSC. During the Plan Phase, the Lead Assessor and OSC POC agree on who the people are that are involved in a particular practice so that it could be tested if determined appropriate. During the discussion, the OSC POC tells the Lead Assessor that the production system is in use and cannot be stopped for the testing to take place but offers a mirrored system for testing. The Lead Assessor decides:
- A. Only to test the processes conducted by the supporting groups
- B. To ask the OSC for evidence that a mirrored system is exactly the same as the production system to conduct testing
- C. Not to perform testing as a mirrored system is not an acceptable substitute for the production system
- D. Only to test the Customer Matrices that are available
Answer: B
Explanation:
Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.
Exact Extracts:
* NIST SP 800-171A: "Test assessment method involves exercising assessment objects under specified conditions... mirrored or replicated systems may be used if validated as equivalent."
* CMMC Assessment Guide: "If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system."
Why the other options are not correct:
* A/D: Testing must focus on systems and controls, not limited groups or customer matrices.
* C: Incorrect - mirrored systems are acceptable if validated as equivalent.
* B: Correct, as validation of equivalency is required.
References:
CMMC Assessment Guide - Level 2, Version 2.13: Testing methods and mirrored systems (pp. 6-8).
NIST SP 800-171A: Assessment methods (Examine, Interview, Test).
NEW QUESTION # 75
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI)handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Once the inconsistencies are addressed, when should the contractor's privacy and security notice be displayed?
- A. Continuously on all systems and workstations, regardless of user activity
- B. During the initial system logon and when accessing specific CUI-related applications and data
- C. Only during the initial system logon
- D. Only when handling or processing export-controlled technical data
Answer: B
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.9 requires "privacy and security notices consistent with applicable CUI rules" to be displayed at logon and when accessing CUI-related resources. Displaying notices only at logon (C) misses ongoing access points, while limiting them to export-controlled data (D) is too narrow. Continuous display (A) is impractical and not required. The CMMC guide specifies initial logon and secondary notifications for CUI applications, ensuring users are reminded of obligations at key interaction points.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.9: "Display notices at logon and when accessing CUI-related applications."
* NIST SP 800-171A, 3.1.9: "Examine notices at initial logon and secondary access points."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
NEW QUESTION # 76
A cloud-native OSC uses a vendor's FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor's locally installable applications. The OSC properly configured the vendor's cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC's SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use.
How should the Certified Assessor score this practice?
- A. NOT MET because logs from physical infrastructure are not captured by the SIEM.
- B. MET because being cloud-native is a great way to contain risk to a vendor's environment.
- C. NOT MET because locally installable applications from a cloud-native environment are not allowed.
- D. MET because the cloud SIEM is configured to monitor all of the vendor's cloud environment.
Answer: D
Explanation:
SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider's SIEM to monitor their entire cloud environment where CUI is processed.
Extract:
"Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented." Thus, the practice is MET because the SIEM covers the cloud environment.
Reference: CMMC Assessment Guide - Level 2, SI.L2-3.14.7.
NEW QUESTION # 77
A mid-sized company specializing in machining is preparing to bid for an upcoming DoD contract to provide machined components crucial for defense systems. As CMMC compliance will be required, the company's top executives have invited you to assess their implementation of CMMC Level 2 requirements. During your visit to their environment of operations, you discover that its production floor has several Computer Numerical Control (CNC) machines for precision machining, which are all connected to a local network for data transfer and control. The CNC machines receive design files from a central server in the company's data center and communicate with a SCADA quality control system that monitors production metrics and performance. The central server hosts the design files, which are only accessible to authorized engineers and operators and backed up in an Amazon EBS cloud instance to ensure availability across the company's multiple machining shops in different states. Furthermore, the company allows employees to upload designs to the server remotely using VPNs and virtual desktop instances. What is the BEST physical control the company can use for preventive purposes?
- A. Displaying a large banner written "Authorized Personnel Only"
- B. Locking all entrances
- C. Using proximity card readers
- D. Installing CCTVs
Answer: C
Explanation:
Comprehensive and Detailed In-Depth Explanation:
PE.L2-3.10.1 requires "limiting physical access to systems processing CUI." Proximity card readers (C) provide active, enforceable access control, preventing unauthorized entry to the production floor and data center, per CMMC intent. CCTVs (D) monitor, not prevent; banners (A) deter but don't enforce; locking entrances (B) is vague without authentication. The guide favors card-based systems.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.1: "Use card readers for preventive physical access control."
* NIST SP 800-171A, 3.10.1: "Examine active access controls like proximity cards."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Pass Cyber AB CMMC-CCA Exam Info and Free Practice Test: https://passguide.dumpexams.com/CMMC-CCA-vce-torrent.html