Last Updated On: 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 2: CMMC Assessment Process (CAP)

You are the Lead Assessor for a CMMC Level 2 Assessment of an OSC. During Phase 1 planning, the OSC’s Assessment Official informs you that several key personnel who manage the in-scope IT systems will be unavailable during the scheduled assessment dates due to a company-wide training event. The Assessment Official asks if the assessment can proceed with substitute personnel who are less familiar with the systems. What should you do?



A. Proceed with the assessment using the substitute personnel, as long as they can provide some information about the systems.


B. Agree to proceed but request that the OSC provide written documentation to compensate for the unavailable personnel.


C. Reschedule the assessment to a time when the key personnel are available, as their participation is critical for an accurate assessment.


D. Conduct the assessment virtually to accommodate the unavailable personnel.





C.
  Reschedule the assessment to a time when the key personnel are available, as their participation is critical for an accurate assessment.

Sarah, a Certified CMMC Assessor, is conducting an assessment for DataSecure, a cloud service provider that hosts various applications for the Defense Industrial Base (DIB). During the assessment, Sarah encounters a complex and highly specialized cloud architecture that leverages cutting-edge technologies such as containerization, serverless computing, and advanced security controls. As Sarah reviews the evidence provided by DataSecure for the relevant CMMC practices, she realizes that some of the evidence and implementations are unlike anything she has encountered in previous assessments. What is the most appropriate action for Sarah to take as a CCA in this scenario?



A. Request DataSecure to simplify their architecture and align with more traditional IT practices for easier evaluation.


B. Strictly adhere to a standardized assessment checklist, regardless of DataSecure’s unique architecture.


C. Defer the assessment until she can receive additional training on the specific technologies used by DataSecure.


D. Thoroughly research and understand DataSecure’s cloud architecture, seek clarification from subject matter experts, and evaluate the evidence within the context of their specialized environment.





D.
  Thoroughly research and understand DataSecure’s cloud architecture, seek clarification from subject matter experts, and evaluate the evidence within the context of their specialized environment.

You are part of the team conducting a CMMC assessment for an OSC. Because of the sensitive nature of the OSC’s technologies, your team signed an NDA. However, you observe one of the Assessment Team members copying something from the OSC’s computer systems. You know they don’t have permission because the NDA states that the OSC PoC will provide any required material. What should you do in this case?



A. Inform the OSC of the incident.


B. Allow them to copy the files.


C. Approach the team member and remind them of their confidentiality obligations under the CoPC.


D. Report the team member to the Cyber AB.





C.
  Approach the team member and remind them of their confidentiality obligations under the CoPC.

During the on-site assessment, the assessment team thoroughly evaluated an OSC’s systems, policies, procedures, and practices against the 110 CMMC Level 2 practices. Initially, they found several deficient areas where practices were not fully met. The OSC took advantage of the Limited Practice Deficiency Correction program, which allowed them to provide additional evidence and implement corrections for certain deficient practices during the assessment period. What status should the Lead Assessor recommend for CMMC Level 2 Certification if an OSC has 85 out of 110 practices scored as ‘MET’ after applying the Limited Practice Deficiency Correction program?



A. The Lead Assessor will recommend the OSC receive a final finding of “Not Achieved” for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.


B. Defer the recommendation until the OSC has fully remediated all ‘NOT MET’ practices through a Plan of Action and Milestones (POA&M).


C. Recommend ‘CMMC Level 2 Conditional Certification’ with a requirement to correct the remaining deficiencies within a specified timeframe.


D. Recommend ‘CMMC Level 2 Certification’ without any conditions.





A.
  The Lead Assessor will recommend the OSC receive a final finding of “Not Achieved” for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.

You are a CCA working for a well-known C3PAO. You have been selected for an Assessment Team tasked with conducting a CMMC assessment on a C3PAO. While you are reviewing the presented evidence, one of the Assessment Team members informs you that they weren’t trained for the job and that a friend helped them get the position. By employing non-credentialed individuals and assigning them assessment tasks, which requirement of the CoPC has the C3PAO violated?



A. Integrity


B. None; it is well within their rights to hire whomever they want.


C. Confidentiality


D. Professionalism





D.
  Professionalism

As part of a C3PAO Assessment Team, you are reviewing an OSC’s security practices and documentation. During your review, you notice that the OSC has presented the same evidence artifacts to support its implementation of several CMMC practices and objectives. Based on the scenario above and your understanding of the CMMC Assessment process, which of the following is true?



A. The same evidence artifacts can be used for practices across multiple CMMC domains, but not for assessment objectives.


B. Each CMMC domain or assessment objective requires a unique set of evidence artifacts.


C. The same evidence artifacts can be used for practices across multiple CMMC domains or assessment objectives.


D. A POA&M can be used in place of evidence.





C.
  The same evidence artifacts can be used for practices across multiple CMMC domains or assessment objectives.

During a CMMC assessment, the Assessment Team identifies that the OSC has not implemented a practice due to a recent system upgrade that disrupted their previous controls. The OSC requests to include this practice in a POA&M. However, the practice is listed as one that could lead to significant network exploitation if not implemented. What should the Lead Assessor do?



A. Allow the practice to be included in the POA&M, as it was disrupted by a recent upgrade.


B. Mark the practice as "NOT MET" and inform the OSC that it is ineligible for a POA&M due to its critical nature.


C. Recommend that the OSC implement the practice immediately and reassess it before concluding the assessment.


D. Report the OSC to the Cyber AB for failing to maintain critical controls.





B.
  Mark the practice as "NOT MET" and inform the OSC that it is ineligible for a POA&M due to its critical nature.

During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team. If the OSC Assessment Official asks the C3PAO for advice on how to proceed, the Lead Assessor, on behalf of the C3PAO, should do which of the following?



A. Provide sufficient advice and recommendations.


B. Politely refuse to provide any advice or recommendations.


C. Provide general advice but avoid specific recommendations that could be seen as implementation assistance.


D. Offer limited advice, but only if the OSC agrees to proceed with the assessment as originally scheduled.





B.
  Politely refuse to provide any advice or recommendations.

During a CMMC assessment, the OSC provides a service-level agreement (SLA) with an external provider as evidence for an inherited practice. The SLA outlines general security commitments but lacks specific details on how the practice’s objectives are met. How should the Lead Assessor proceed?



A. Accept the SLA as sufficient evidence since it shows a contractual obligation.


B. Request additional detailed evidence from the external provider to demonstrate compliance with the practice’s objectives.


C. Score the practice as "NOT MET" due to the lack of specific details.


D. Ask the OSC to renegotiate the SLA to include detailed compliance information.





B.
  Request additional detailed evidence from the external provider to demonstrate compliance with the practice’s objectives.

You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has implemented a practice using a custom-built tool developed by their IT team. The tool appears to meet the practice’s objectives, but no formal documentation or testing records exist. How should you evaluate this evidence?



A. Accept the tool as sufficient evidence since it meets the objectives.


B. Document the lack of documentation and testing records as an evidence gap and assess based on observed functionality.


C. Score the practice as "NOT MET" due to the absence of formal documentation.


D. Request the OSC to create documentation and testing records during the assessment.





B.
  Document the lack of documentation and testing records as an evidence gap and assess based on observed functionality.


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our free CMMC-CCA test questions for the Certified CMMC Assessor (CCA) Exam, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.
