Last Updated On: 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Based on the scenario, what is the MOST concerning aspect from a CMMC compliance perspective regarding CMMC practice SC.L2-3.13.9 – Connections Termination?



A. The application is hosted on a dedicated server within the company’s internal network


B. Users log in with usernames and passwords, potentially lacking multi-factor authentication


C. The lack of a documented policy or a defined period of inactivity for terminating remote access connections creates uncertainty and inconsistency


D. The server operating system utilizes default settings for connection timeouts, which may be insufficient





C. The lack of a documented policy or a defined period of inactivity for terminating remote access connections creates uncertainty and inconsistency

You are assessing a contractor’s implementation for CMMC practice MA.L2-3.7.4 – Media Inspection by examining their maintenance records. You realize the maintenance logs identify a repeating problem. A recently installed central server has been experiencing issues affecting the performance of the contractor’s information systems. This is confirmed by your interview with the contractor’s IT team. You requested to investigate the server, and the IT team agreed. On the server, there is a file named conf.zip that gets your attention. You decide to open the file on an isolated computer for further review. To your surprise, the file is a .exe used when testing the server for data exfiltration. How should this incident be handled?



A. By immediately reporting it to the FBI's Cyber Division


B. Decommissioning the server and installing a new one


C. In accordance with the incident response plan


D. By sandboxing the malicious code and continuing with business as usual





C. In accordance with the incident response plan

A mid-sized company specializing in machining is preparing to bid for an upcoming DoD contract to provide machined components crucial for defense systems. As CMMC compliance will be required, the company’s top executives have invited you to assess their implementation of CMMC Level 2 requirements. During your visit to their environment of operations, you discover that its production floor has several Computer Numerical Control (CNC) machines for precision machining, which are all connected to a local network for data transfer and control. The CNC machines receive design files from a central server in the company’s data center and communicate with a SCADA quality control system that monitors production metrics and performance. The central server hosts the design files, which are only accessible to authorized engineers and operators and backed up in an Amazon EBS cloud instance to ensure availability across the company’s multiple machining shops in different states. Furthermore, the company allows employees to upload designs to the server remotely using VPNs and virtual desktop instances. What is the BEST physical control the company can use for preventive purposes?



A. Using proximity card readers


B. Installing CCTVs


C. Displaying a large banner written "Authorized Personnel Only"


D. Locking all entrances





A. Using proximity card readers

During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Once the inconsistencies are addressed, when should the contractor’s privacy and security notice be displayed?



A. Only during the initial system logon


B. During the initial system logon and when accessing specific CUI-related applications and data


C. Only when handling or processing export-controlled technical data


D. Continuously on all systems and workstations, regardless of user activity





B. During the initial system logon and when accessing specific CUI-related applications and data

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4 – Audit Failure Alerting, which of the following would be a key consideration regarding the evidence provided by the contractor?



A. Ensuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted


B. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios


C. Determining if the documented personnel roles for alert notification align with the organization's hierarchy


D. Checking if the alert notification process integrates with third-party monitoring services





B. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 – Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 – System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?



A. To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second


B. To allow users to set their preferred time zones on individual systems, with a recommended synchronization time of 24 hours


C. To reduce the network bandwidth used by system clocks, with a recommended synchronization time of once a month


D. To increase the accuracy of digital clocks on devices, with a recommended synchronization time of 1 week





A. To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second

You are assessing an organization’s implementation of the System and Information Integrity (SI) practices. During your assessment, you find that the organization has subscribed to security alert and advisory services from reputable sources, such as US-CERT and relevant industry-specific organizations. In interviews with their network and system administrators, you learn that they have deployed an intrusion detection system (IDS) to monitor network traffic for known threats and suspicious activities. They also have a Security Information and Event Management (SIEM) system in place to aggregate and analyze logs from various sources for potential security incidents. Additionally, the network administrator informs you that they have established a Security Operations Center (SOC) to monitor and analyze activity on networks, servers, databases, applications, and other systems. However, you notice that while the organization receives these alerts and advisories, there is no documented process or assigned personnel responsible for reviewing and acting upon them. After reviewing the organization’s implementation, which of the following would be the most appropriate next step for the assessor to validate compliance with CMMC practice SI.L2-3.14.3 – Security Alerts & Advisories?



A. Test the organization’s processes for defining, receiving, and disseminating security alerts and advisories


B. Examine the organization’s system and information integrity policies and procedures


C. Review system audit logs and records for evidence of actions taken in response to security alerts and advisories


D. Interview the personnel responsible for the Security Operations Center (SOC) to determine whether they take actions in response to security alerts and advisories





D. Interview the personnel responsible for the Security Operations Center (SOC) to determine whether they take actions in response to security alerts and advisories

When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments of all systems processing, storing, or transmitting CUI, and of the associated facilities, are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC’s personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding the OSC’s adherence to CMMC practice RA.L2-3.11.1 – Risk Assessments?



A. They are fully compliant


B. They are non-compliant


C. They are partially compliant, as at least one risk assessment was completed


D. More information is needed to make a determination





B. They are non-compliant

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. Why is it critical to implement practice AC.L2-3.1.6 – Non-Privileged Account Use?



A. Enables easier auditing and logging of privileged activities


B. Mitigates the consequences of a security breach by safeguarding against data loss


C. Prevents unauthorized modification of security functions


D. Reduces exposure to threats that might exploit the misuse of privileges





D. Reduces exposure to threats that might exploit the misuse of privileges

A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. When examining the contractor's security configuration checklists, which of the following parameters are you not likely to find?



A. The contractor's assessment readiness status


B. File and directory permissions


C. Protocol usage and application allowlisting


D. Network configuration and port management





A. The contractor's assessment readiness status


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our Free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading; it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.


