Last Updated On: 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following is NOT an assessment method for MP.L2-3.8.5 – Media Accountability?

A. Testing mechanisms supporting or implementing media storage and media protection
B. Examining designated controlled areas
C. Interviewing organizational processes for storing media
D. Examining procedures addressing media storage and access control policy

Answer: C. Interviewing organizational processes for storing media

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group, which grants access to compile and test code modules. The "Admin_Roles" group, with elevated privileges for system administration activities, is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. How should execution of the debugging permission be handled to align with AC.L2-3.1.7 – Privileged Functions?

A. Require it to generate an email alert
B. Perform automatic termination of the action
C. Implement geo-IP blocking on the workstation
D. Ensure it is logged to the central SIEM system

Answer: D. Ensure it is logged to the central SIEM system

An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence corroborating their implementation of CMMC practice PS.L2-3.9.2 – Personnel Actions, EXCEPT?

A. List of usernames and passwords of all the employees
B. Records of personnel transfer and termination actions
C. Records of exit interviews accompanied by a list of terminated employees' identifiers
D. Records of terminated or revoked authenticators and credentials

Answer: A. List of usernames and passwords of all the employees

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group, which grants access to compile and test code modules. The "Admin_Roles" group, with elevated privileges for system administration activities, is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?

A. Removing internet access
B. Prohibiting inheritance of privileged permissions
C. Enforcing dual authorization
D. Implementing time of day restrictions

Answer: B. Prohibiting inheritance of privileged permissions

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 – Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 – System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 – Authoritative Time Source?

A. 5
B. -1
C. 1
D. -5

Answer: B. -1

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. What CMMC practice does this violate?

A. AC.L2-3.1.7
B. AC.L2-3.1.6
C. AC.L2-3.1.4
D. AC.L2-3.1.2

Answer: B. AC.L2-3.1.6

A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices as tablets and smartphones. After assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted. Which of the following is a reason why you would recommend container-based over full-device encryption?

A. Container-based encryption offers granular control over sensitive data, improves device performance by encrypting selectively, and enhances security in Bring-Your-Own-Device (BYOD) environments
B. Container-based encryption is more cost-effective
C. It is more user-friendly and easier to deploy on a large scale
D. Full-device encryption is not compatible with modern mobile operating systems

Answer: A. Container-based encryption offers granular control over sensitive data, improves device performance by encrypting selectively, and enhances security in Bring-Your-Own-Device (BYOD) environments

While examining a contractor's audit and accountability policy, you realize they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, after several tests you find that the mechanisms implementing system audit logging are inadequate because they produce audit logs that are too limited: the generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1 – System Auditing?

A. Examine procedures addressing audit record generation
B. Testing procedures addressing control of audit records
C. Testing the system configuration settings and associated documentation
D. Examining the mechanisms for implementing system audit logging

Answer: A. Examine procedures addressing audit record generation

reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What key features regarding the deployment of Splunk for AU.L2-3.3.6 – Reduction & Reporting would you be interested in assessing?

A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs
B. Ensure Splunk can retain audit records for a protracted amount of time
C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports
D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status

Answer: C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports

Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here's how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:

Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:

The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:

All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.