CMMC-CCA by Cyber AB Actual Free Exam Questions And Answers

Question 1

The Lead Assessor is ready to complete planning by developing the assessment schedule. The Lead Assessor and the OSC Assessment Official discuss the Assessment Team members.
What MUST be submitted to the Cyber-AB before the assessment?

A. Verified NIST SP 800-171 assessor qualifications

B. Absence of Conflict of Interest and Confirmation Statement

C. Individual travel plans

D. Non-disclosure agreements

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 2

The OSC's network consists of a single unmanaged switch that connects all devices, including OT equipment which cannot run a vendor-supported operating system. The OSC correctly scoped the OT equipment as a Specialized Asset, listed it in their inventory and SSP, and provided a network diagram showing plans to isolate the OT and apply additional security measures. What information does the Lead Assessor still require to ensure compliance?

A. Installation and configuration documentation for the OT to ensure it was correctly built

B. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices

C. Wording in the SSP detailing how the OT is managed using the OSC's risk-based security policies, procedures, and practices

D. Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 3

A cloud-native OSC uses a vendor's FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor's locally installable applications. The OSC properly configured the vendor's cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC's SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use.
How should the Certified Assessor score this practice?

A. NOT MET because logs from physical infrastructure are not captured by the SIEM.

B. MET because the cloud SIEM is configured to monitor all of the vendor's cloud environment.

C. NOT MET because locally installable applications from a cloud-native environment are not allowed.

D. MET because being cloud-native is a great way to contain risk to a vendor's environment.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 4

While conducting a CMMC Level 2 Assessment for a small waveguide manufacturer, the client provides a copy of their CMMC Level 1 Self-Assessment that their senior official has recently approved and uploaded to the Supplier Performance Risk System (SPRS). What type of information may be covered within the Level 1 Self-Assessment that is OUTSIDE the scope of a Level 2 assessment?

A. CUI in paper format

B. FCI within the CUI production enclave

C. Sensitive Compartmented Information (SCI) shredded by an approved vendor

D. FCI data within the description in the contractor self-assessment

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 5

FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSC's CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?

A. Cryptographic section of the Shared Responsibility Matrix

B. NIST Module Validation Program

C. Cryptographic section of the OSC's SSP

D. Vendor cryptographic module documentation

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 6

A company has a firewall to regulate how data flows into and out of its network. Based on an interview with their IT staff, all connections to their systems are logged, and suspicious traffic generates alerts. Examination of which artifact should give the CCA the details on how these are implemented?

A. Account management document

B. Physical access logs

C. Boundary protection procedures

D. Configuration management policy

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 7

Video monitoring is used by an OSC to help meet PE.L2-3.10.2: Monitor Facility. The OSC's building has three external doors, each with badge access and a network-connected video camera above the door. The video cameras are connected to the same network as employee computers. The OSC contracted a local security company to provide surveillance services. The security company stores the recordings at its premises and requires access to the OSC's network to manage the video cameras. Which factor is a clear negative finding for the OSC's assessment?

A. Video surveillance needs to be of both private and public areas of the building

B. A non-certified third party's data center may not store video recordings for a company authorized to process CUI

C. Video surveillance alone does not satisfy the facility monitoring requirement of PE.L2-3.10.2

D. A non-certified third party accesses the OSC's network to manage the cameras

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 8

During discussions with an OSC, the assessment team learned that many employees often need to work from remote locations and, as a result, are permitted to access the organization's internal networks from those remote locations. To ensure secure remote access requirements are being met, remote access sessions need NOT be:

A. Permitted

B. Controlled

C. Validated

D. Identified

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 9

Does CMMC Level 2 require that a Cloud Service Provider (CSP) hold a FedRAMP HIGH authorization hosted in a government community cloud (GCC)?

A. Yes. FedRAMP HIGH is required for CUI data controls due to the sensitive nature of the Defense Industrial Base systems.

B. No. The CSP can obtain a FedRAMP MODERATE equivalency.

C. No. The CSP must hold a FedRAMP MODERATE authorization.

D. Yes. FedRAMP HIGH authorization demonstrates the CSP compliance with NIST SP 800-53 and SP
800-171 control requirements.

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 10

An OSC assigns new hires to work on their hire date. Human Resources ensures that all screening activities are completed before the end of the employees' first week. How should the CCA score PS.L2-3.9.1: Screen Individuals?

A. As NOT MET and this will cause the assessment to fail

B. As MET since the OSC ensured Human Resources was handling the screening

C. As NOT MET but it can be remediated post-assessment

D. As NOT MET because all screening must be completed prior to the start of employment

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Question 11

The Lead Assessor and OSC Assessment Official determined the resources, cost, and schedule for an upcoming assessment. The Lead Assessor noted the OSC Assessment Official's preferences regarding the limits of the method and the consequent resource, cost, and schedule constraints to arrive at an optimal Assessment Plan. In this situation, who has responsibility for signing the planning agreement?

A. OSC Assessment Official

B. OSC Assessment Official, Lead Assessor, and C3PAO

C. OSC Assessment Official and Lead Assessor

D. Lead Assessor

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for Fast2test members. You can sign-up / login (it's free).

Cyber AB Certified CMMC Assessor (CCA) - CMMC-CCA Exam Practice Test

Contact Us

Useful Links

Latest Updated