Last Updated On : 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature Defcon's updated privacy and security notices should have?



A. A warning about unauthorized use being subject to civil and criminal penalties


B. A general statement about monitoring and recording of system usage


C. Display duration set to less than 5 seconds before automatically disappearing


D. Specific information about the presence of CUI and associated handling requirements





C. Display duration set to less than 5 seconds before automatically disappearing

A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following is NOT an assessment method for MP.L2-3.8.5 – Media Accountability?



A. Testing mechanisms supporting or implementing media storage and media protection


B. Examining designated controlled areas


C. Interviewing organizational processes for storing media


D. Examining procedures addressing media storage and access control policy





C. Interviewing organizational processes for storing media

A CCA is offered a significant discount on cybersecurity software from a vendor whose product they will be evaluating during a CMMC assessment. How should the CCA handle this situation according to the CoPC’s conflict of interest principle?



A. Inform the vendor that they can accept such offers only after the CMMC assessment is done.


B. Accept the discount and disclose it to the C3PAO for transparency.


C. Decline the discount to avoid any appearance of a conflict.


D. Recommend the software to the OSC during the assessment, highlighting its value proposition.





C. Decline the discount to avoid any appearance of a conflict.

You are the Lead Assessor for a CMMC Level 2 assessment. During the assessment, the OSC provides evidence that a practice is inherited from a cloud service provider (CSP). The CSP has a FedRAMP Moderate authorization, and the OSC argues that this should automatically satisfy the practice’s requirements. How should you respond?



A. Accept the FedRAMP authorization as sufficient evidence and score the practice as "MET."


B. Inform the OSC that FedRAMP authorization does not automatically satisfy CMMC requirements and request specific evidence from the CSP demonstrating compliance with the practice’s objectives.


C. Reject the evidence outright, as external certifications are not allowed under CMMC.


D. Consult with the Cyber AB to determine if FedRAMP can be accepted as equivalent to CMMC requirements.





B. Inform the OSC that FedRAMP authorization does not automatically satisfy CMMC requirements and request specific evidence from the CSP demonstrating compliance with the practice’s objectives.

An OSC has provided its System Security Plan (SSP) as evidence for several CMMC practices related to system security. During your examination of the SSP, you discover a section outlining procedures for user access controls. However, upon further review, you find no mention of procedures for managing privileged accounts, which is a critical aspect of secure system access. If the OSC provides a separate document outlining privileged account management procedures, and upon review, these procedures appear sufficient, how should the Lead Assessor proceed with the SSP as evidence?



A. Request that the OSC formally incorporate the privileged account management procedures into the SSP for consistency.


B. Accept both the SSP and the separate document as evidence and proceed with the assessment.


C. Deduct points from the overall assessment score due to the initial oversight in the SSP.


D. Mark the related user access control practice as "Not Met" due to the initial deficiency in the SSP.





B. Accept both the SSP and the separate document as evidence and proceed with the assessment.

You are a CCA with an active and good standing on the Cyber AB Marketplace. An OSC has contracted your C3PAO for a prospective CMMC Assessment. The OSC provides signal processing services for the DoD. You assisted the OSC in preparing for the upcoming CMMC assessment by conducting an initial evaluation of their implementation practices. With your background in cybersecurity and extensive experience, your C3PAO and Lead Assessor have selected you to join the Assessment Team. Based on this scenario, which of the following is the most important factor for the C3PAO to consider when assigning assessors to the Assessment Team?



A. The Assessor’s active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.


B. The Assessor’s hourly rate, especially for independent assessors.


C. The Assessor’s professional reputation within the CMMC ecosystem.


D. The Assessor’s specialization with the OSC’s lines of business or industry sub-sector.





A. The Assessor’s active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.

A CCA is assessing an Organization Seeking Certification (OSC). During the assessment, they discover that the OSC is pressuring the CCA to overlook certain security practices that do not meet the CMMC requirements. The organization threatens to withhold payment if the CCA does not modify her findings at the request of the OSC. According to the CoPC, which of the following actions would be most appropriate for the CCA to take in this situation?



A. Inform the OSC that the pressure to compromise her values is a violation of the CoPC and report the issues to the C3PAO.


B. Complete the assessment and then report the OSC’s unethical practices to the Cyber AB.


C. Comply with the organization’s requests to avoid the risk of non-payment and complete the assessment.


D. Discuss the concerns with the OSC, continue the assessment, and report the violations only if they are not resolved.





A. Inform the OSC that the pressure to compromise her values is a violation of the CoPC and report the issues to the C3PAO.

You are the Lead Assessor for a CMMC Assessment engagement with an OSC for CMMC Level 2. The OSC has provided you with their proposed CMMC Assessment Scope, which includes a network schematic diagram, their SSP, relevant policies, and organizational charts. During your review of the documentation, you notice they have excluded a subsidiary company’s network and assets from the proposed CMMC Assessment Scope despite the subsidiary being involved in handling CUI related to federal contracts. If the OSC shares proprietary information with the Lead Assessor during the assessment engagement, what is the C3PAO’s responsibility regarding this information after the completion of the assessment?



A. The C3PAO can share the OSC’s proprietary information with other clients for benchmarking purposes.


B. The C3PAO can retain the OSC’s proprietary information for future reference and use.


C. The C3PAO is not responsible for the OSC’s proprietary information once the Assessment is completed.


D. The C3PAO must return and/or destroy any OSC proprietary information.





D. The C3PAO must return and/or destroy any OSC proprietary information.

During a CMMC assessment, the Assessment Team observes that the OSC is not enforcing practice objective CM.L2-3.4.5[d] – physical access restrictions associated with changes to the system are enforced. Understanding the deficiency, the OSC has requested to track the practice in the Limited Practice Deficiency Correction program, as it is part of their on-premises work. As a CCA, what should you do with respect to the OSC’s implementation of this practice?



A. Agree with the OSC and track the practice under the Limited Practice Deficiency Correction program.


B. Report the OSC to Cyber AB.


C. Mark it as ‘NOT MET’.


D. Score the practice as ‘MET’ since only one objective is not fulfilled.





C. Mark it as ‘NOT MET’.

After numerous discussions and iterations, the OSC and Lead Assessor have finalized the Pre-Assessment Plan, which outlines the key details of how the assessment will be conducted, including the scope, timeline, resource requirements, and other logistical considerations. What is the final step before commencing a CMMC assessment?



A. Obtaining approval from the Lead Assessor.


B. Reviewing the Pre-Assessment Data Form.


C. Uploading the Pre-Assessment Data Form into CMMC eMASS.


D. Creating a new data upload in CMMC eMASS.





C. Uploading the Pre-Assessment Data Form into CMMC eMASS.

Page 10 out of 35 Pages

Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and multiple-choice questions to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.



Experience the Real Exam Now!