Last Updated On : 20-May-2026
Certified CMMC Assessor (CCA) Exam
Total 343 Questions
Topic 1: Assessing CMMC Level 2 Practices
During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario mentions that the server utilizes default settings for connection timeouts. What additional approach, besides relying solely on user awareness, could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9 – Connections Termination?
A. Modify the server-side application settings to automatically terminate inactive user sessions after a defined period
B. Implement a centralized inactivity monitoring tool to identify inactive connections across the network and notify administrators for manual termination
C. Upgrade the server operating system to the latest version, as newer versions may have stricter default timeouts for idle connections
D. Educate users about the importance of logging out and the risks associated with leaving sessions open
A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following best describes a control that maintains accountability for media containing CUI during transport outside of controlled areas?
A. Using tamper-proof packaging and a reputable shipping service with tracking
B. Implementing strong passwords for all user accounts
C. Training employees on information security best practices
D. Restricting access to the system where the CUI data resides
CMMC practice PS.L2-3.9.1 – Screen Individuals requires individuals to be screened before authorizing access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screens, such as background checks, only affirmations derived from an interview session. In an interview with the HR Manager, they informed you that before an individual is hired, they submit their information through a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?
A. More information is needed
B. Not Met
C. Not Applicable
D. Met
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. How will proper separation of duties help the contractor meet the intent of AC.L2-3.1.4 – Separation of Duties?
A. It allows the engineers to specialize in specific areas
B. It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual
C. It reduces the overall cost of software development
D. It simplifies the development process
In your assessment of an OSC’s information systems, you realize that the OSC has been having issues determining what is and isn’t CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?
A. 48 CFR 52.204-21 and NIST SP 800-171
B. DFARS 252.204-7012 and ISOO CUI Registry
C. 32 CFR Part 2002 and ISOO CUI Registry
D. 22 CFR Part 120-130
You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, you find that the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 – Audit Management?
A. Partially Met – The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined
B. Met – The contractor has defined privileged user roles for audit management
C. Not Applicable – The practice is not relevant to the contractor's environment
D. Not Met – The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users
Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must have gone through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters. The personnel effecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect. To determine if the contractor has implemented enough measures to meet CM.L2-3.4.5 – Access Restrictions for Change, you need to examine all the following EXCEPT?
A. Procedures addressing access restrictions for changes to the system
B. Plan of Action and Milestones
C. Contractor's configuration management policy
D. System architecture and configuration documentation
When assessing a contractor’s implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. Why should all traffic be routed through a managed Access Control point?
A. It simplifies network architecture and reduces complexity
B. Reduces the susceptibility to unauthorized access to organizational systems
C. It enables easier troubleshooting and monitoring of network traffic
D. It provides better performance and lower latency for remote users
CMMC practice MA.L2-3.7.3 – Equipment Sanitization requires organizations to sanitize equipment leaving their facilities for off-site maintenance for CUI. What standard would the OSC use to sanitize various media?
A. NIST SP 800-53
B. NIST SP 800-88
C. NIST SP 800-171
D. NIST SP 800-171A
Assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored and meeting rooms where executives meet to discuss things that have to do with CUI and other sensitive matters are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 – Monitor Facility?
A. Video surveillance monitoring at entry/exit points
B. Unlocked wiring closets
C. Network cables hanging from the walls
D. Damaged cable conduits
Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.