Last Updated On : 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor’s change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities. What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3 – System Change Management besides their change management policy?



A. Employee satisfaction surveys regarding the change management process


B. System uptime statistics showing improved stability after change management implementation


C. Organizational procedures addressing system configuration change control and change control/audit review reports


D. Antivirus scan reports detailing detected and quarantined threats





C. Organizational procedures addressing system configuration change control and change control/audit review reports

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. Which of the following components of the contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3 – Control CUI Flow?



A. Azure cloud storage


B. The corporate firewall and ExpressRoute connections


C. The VPN and on-premises servers/file shares


D. Employees' homes





D. Employees' homes

After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor’s security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success. What assessment objective has the contractor failed to implement from CMMC practice CA.L2-3.12.2 – Plan of Action?



A. The contractor has implemented all the assessment objectives in CA.L2-3.12.2 – Plan of Action


B. Develop a change management plan that describes how to implement the remediation actions


C. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective


D. Identify the vulnerabilities and deficiencies that the plan of action will address





C. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective

When assessing an OSC’s compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated. While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor’s cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 – Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?



A. 72 hours


B. 90 days


C. 90 hours


D. 72 days





B. 90 days

You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC’s system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 – Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?



A. Implementing stricter password complexity requirements for user accounts


B. Conducting a vulnerability assessment of the OSC’s network infrastructure


C. Providing additional security awareness training to employees on data handling best practices


D. Developing and enforcing a policy that prohibits the use of personal cloud storage for work documents





D. Developing and enforcing a policy that prohibits the use of personal cloud storage for work documents

You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC’s collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC’s compliance with CMMC practice SC.L2-3.13.12 – Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.



A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies


B. Network traffic logs showing no instances of remote activation attempts on the web cameras


C. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation


D. System configuration settings for the web cameras, verifying that remote activation is enabled





A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies

Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc. The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and is provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems. The contractor has also deployed an endpoint protection solution, and every employee is searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives and SD cards. Based on the OSC's effort, how would you score their implementation of CMMC practice MP.L2-3.8.7 – Removable Media?



A. Not Applicable


B. Met


C. Partially Met


D. Not Met





B. Met

A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix. Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 – Vulnerability Remediation?



A. Immediately contract a third party to assist with remediation


B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability


C. Permanently disregard the vulnerability and take no further action


D. Implement compensating controls to reduce the associated risk





B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability

To comply with CMMC requirement IR.L2-3.6.3 – Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?



A. Evidence of regular incident response drills and response time management, recovery testing, and post-incident analysis


B. Media sanitization plans


C. Documentation of tabletop exercises and their outcomes


D. Test documentation, including the scenario, response, findings, and any necessary corrective actions





B. Media sanitization plans

An OSC uses a third party in all system repairs and has hired an MSP for penetration testing. The third party comes for either adaptive, preventative, perfective, or corrective system maintenance every three months, and the penetration tester does so continuously. Whenever the third party comes for maintenance, there's no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC. To comply with CMMC practice MA.L2-3.7.1 – Perform Maintenance, what should the OSC implement for the maintenance activities performed by the third-party vendor?



A. Increase the frequency of maintenance activities to monthly intervals


B. Perform all maintenance activities in-house without relying on a third-party vendor


C. Require the third-party vendor to provide detailed maintenance logs and records


D. Discontinue the use of the MSP for penetration testing





C. Require the third-party vendor to provide detailed maintenance logs and records


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our Free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.


