Last Updated On : 20-May-2026


Free CyberAB CMMC-CCA Exam Questions

Certified CMMC Assessor (CCA) Exam


Total 343 Questions


Topic 1: Assessing CMMC Level 2 Practices

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms. While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?



A. The paper forms cannot be easily integrated with other security systems


B. It can be time-consuming to complete the forms for frequent access


C. It requires users to memorize more information for access


D. The forms are susceptible to forgery, resulting in unauthorized access





Answer: D. The forms are susceptible to forgery, resulting in unauthorized access

When examining an OSC’s procedures for addressing transmission integrity and confidentiality, you interview their system administrator and learn that they use Secure File Transfer Protocol (SFTP) for secure CUI transmission. The OSC employs AES-256 to encrypt data before transmitting it. Any external connections to their internal servers or systems can only occur via a VPN. All emails containing CUI are encrypted and sent using Secure/Multipurpose Internet Mail Extensions (S/MIME). Internal CUI transfers are conducted over WPA3-secured Wi-Fi. All areas of the OSC’s facilities where CUI is stored or processed are secured with biometrics. To prevent unauthorized CUI exfiltration or transfer, the OSC has deployed a data loss prevention solution. During employee interviews, you learn they receive regular awareness training on the importance of data encryption during transmission. Additionally, they conduct regular audits of transmission protocols and encryption measures to ensure their effectiveness. While AES-256 is a strong encryption algorithm, according to CMMC practice SC.L2-3.13.8 – Data in Transit, what additional factor is crucial for ensuring FIPS compliance of the cryptographic modules used to protect CUI in transit?



A. The encryption algorithm must be open-source and publicly available for scrutiny


B. The encryption software must be user-friendly and easy to implement for widespread adoption


C. The cryptographic module used to implement AES-256 encryption must be validated against the FIPS 140-2 or FIPS 140-3 standards


D. The encryption algorithm must be mathematically complex and resistant to brute-force attacks





Answer: C. The cryptographic module used to implement AES-256 encryption must be validated against the FIPS 140-2 or FIPS 140-3 standards

You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6 – Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 – Alternative Work Sites, which of the following would be the least effective method for gathering information?



A. Using Full Disk Encryption (FDE) or container-based encryption to encrypt CUI when stored or transmitted from or to alternate work sites


B. Employing technologically savvy guards to man the alternate worksite


C. Deploying a patch management and anti-malware solution for every laptop or desktop on the alternate worksite


D. Requiring remote staff connecting to their internal networks to use a VPN that prevents split tunneling and requires multifactor authentication to verify remote users are who they claim to be





Answer: B. Employing technologically savvy guards to man the alternate worksite

When assessing an OSC’s implementation of the System and Information Integrity (SI) practices, you examine their system and information integrity policy. You find that they have documented procedures addressing system monitoring tools and techniques, along with a monitoring strategy. The OSC has implemented a user behavior analytics tool to detect abnormal behavior and deviations from normal patterns. To ensure that only authorized users access the system, the OSC uses robust access controls and regularly audits security and system logs for unusual activities. Interviewing the network administration team, you learn they use a network monitoring tool to track inbound and outbound network traffic and identify any distinctive patterns that may suggest unauthorized use. You also learn that they use an IDS to identify suspicious activities, which are aggregated and analyzed using a state-of-the-art SIEM. The scenario mentions that the OSC uses a network monitoring tool to track inbound and outbound traffic and identify unusual patterns. However, it does not provide details on the tool's specific techniques or methods. Which of the following techniques would be most relevant for the assessor to inquire about during the assessment?



A. Anomaly-based detection techniques


B. Signature-based detection techniques


C. Both signature-based and anomaly-based detection techniques


D. Deep packet inspection techniques





Answer: C. Both signature-based and anomaly-based detection techniques

You have been sent to assess an OSC’s implementation of CMMC practices, one of which is AC.L2-3.1.11 – Session Termination. In assessing the contractor's implementation of AC.L2-3.1.11, you’ll likely need to examine the following specifications, EXCEPT?



A. Mechanisms for implementing user session termination


B. The access control policy


C. The session termination policy


D. System security plan





Answer: A. Mechanisms for implementing user session termination

When assessing a contractor’s implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor’s implementation of AU.L2-3.3.6 – Reduction & Reporting?



A. Partially Met


B. Not Applicable


C. Not Met


D. Met





Answer: D. Met

When assessing a contractor’s implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What key features regarding the deployment of Splunk for AU.L2-3.3.6 – Reduction & Reporting would you be interested in assessing?



A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs


B. Ensure Splunk can retain audit records for a protracted amount of time


C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports


D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status





Answer: C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports

An OSC can use any of the following strategies to meet the requirements of CMMC practice MP.L2-3.8.8 – Shared Media, EXCEPT?



A. Permitting unrestricted use of portable storage devices after users complete security awareness training


B. Ensuring every portable storage device is assigned an owner, project, or department with an identifiable label or registered in a central database


C. Implementing strong access controls that only allow registered devices to connect to the system


D. Implementing a strict usage policy that allows for the use of owned portable or owned storage devices





Answer: A. Permitting unrestricted use of portable storage devices after users complete security awareness training

While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. All of the following are required to satisfy AU.L2-3.3.1 – System Auditing assessment objectives [b] and [d], EXCEPT?



A. Process identifiers


B. Failure or success indications


C. Timestamps


D. File permissions





Answer: D. File permissions

You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 – Cryptographically-Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?



A. Not Met (-5 points)


B. Met (+5 points)


C. Met (+1 point)


D. Not Met (-1 point)





Answer: B. Met (+5 points)


Why Prepare with CMMCPracticeTest CMMC-CCA Practice Test?

Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.

Experience the Real Exam Format:


Familiarize yourself with the exact style, difficulty, and question types you will encounter on the official CyberAB exam. Our Free Certified CMMC Assessor (CCA) Exam CMMC-CCA test questions, like the samples on this page, cover specific technical scenarios and MCQs to ensure there are no surprises on test day.

Turn Knowledge into Application:


The smartest way to prepare isn't just reading - it's practicing. Our Certified CMMC Assessor (CCA) Exam practice exam transforms your theoretical understanding into practical problem-solving skills, exactly what is required to pass.

Learn with Detailed Explanations:


All CMMC-CCA exam questions come with a comprehensive summary and a breakdown of why the correct option is right and the others are wrong. This detailed feedback helps you identify your strengths and target your weaknesses, making your Certified CMMC Assessor (CCA) Exam study time far more efficient.



Experience the Real Exam Now!