Improve Your Knowledge with CMMC-CCA Exam Dumps

1. The Daily Checkpoint meeting is a required component of the CMMC assessment process. It is conducted at the end of every day and includes the Assessment Team, Lead Assessor, OSC PoC, OSC Assessment Official, and other key personnel.

This meeting helps ensure all the following EXCEPT what?

2. You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited.

You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications.

The IT manager mentioned using a commercial tool to capture hardware and software configurations. However, the scenario suggests potential gaps in the contractor's implementation of CM.L2-3.4.1-System Baselining.

Which of the following aspects is most likely NOT adequately addressed by their current practices?

3. You are conducting a CMMC assessment for an OSC. During the assessment, the OSC's lead security officer offers you a paid consultancy position after the assessment to help them address the identified issues.

How should you respond to this offer according to the Code of Professional Conduct?

4. When examining procedures addressing system security plan development and implementation, you realize the contractor has developed an SSP that defines and documents system boundaries. The SSP also contains the non-applicable security requirements approved by designated authorities. It also outlines other essential aspects, such as relationships with or connections to other systems, how security requirements will be implemented, etc. Upon interviewing personnel with information security responsibilities, you realize the contractor has not reviewed or updated the SSP and has no defined timelines.

What are the deficiencies within the contractor's system security plan from the scenario above? Choose all that apply.

5. An OSC previously received a Conditional CMMC Level 2 Certification during Phase 3 of the assessment process. The OSC has been working on implementing a POA&M to address the practice deficiencies identified during the initial assessment. Now, within 180 days from the Final Recommended Findings Briefing, you are to conduct a POA&M Closeout Assessment. As the Lead Assessor, you and your assessment team review the OSC's updated POA&M, accompanying evidence, and any scheduled observations, interviews, or tests to validate the implementation of the corrective actions.

What is the Organization Seeking Certification's (OSC's) recourse if it disagrees with the C3PAO's findings during the POA&M Closeout Assessment?

6. Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor’s change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do if the approved changes result in unexpected issues or vulnerabilities.

How would you score the contractor's implementation of CM.L2-3.4.3-System Change Management?

7. During a CMMC assessment, the Lead Assessor, Emily, notices one of the CCAs on her team, Alex, seems overly critical and skeptical of the evidence presented by the OSC. Although the OSC demonstrates compliance with the required CMMC practices, Alex repeatedly questions the validity of the evidence and suggests the OSC is not meeting the criteria.

Concerned that Alex's behavior may be influenced by bias, Emily decides to address the issue directly. She recalls a previous incident in which Alex took a similar approach to evaluating practices and evidence, and shortly afterward, the OSC experienced a data breach.

What steps should Emily and, most importantly, the C3PAO have taken to prevent this eventuality?

8. You have been hired to assess a contractor's implementation of remote access capabilities for information systems that handle CUI. While interviewing the network administrator, you realize they perform privileged activities remotely when at alternate worksites.

In addition to identifying authorized privileged commands and security-relevant information, which of the following measures MUST the contractor consider to ensure compliance with CMMC practice AC.L2-3.1.15-Privileged Remote Access?

9. Jane is a CCA leading a CMMC assessment for an OSC. During the evaluation, Jane discovers the OSC's Chief Information Security Officer (CISO) is a former colleague with whom she had a contentious relationship. Unbeknownst to the OSC, Jane still harbors resentment towards the CISO due to their previous conflicts. As the assessment progresses, Jane becomes increasingly critical of the CISO's security practices, scrutinizing every detail and finding fault despite the OSC's best efforts to demonstrate compliance.

Given this scenario, how can a Certified CMMC Assessor's personal bias impact the assessment of the OSC?

10. An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper and microfilms as well as digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets.

To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn the contractor maintains a comprehensive inventory of all CUI media.

Basing your answer on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1-Media Protection?

11. An OSC is planning to have a C3PAO perform a CMMC L2 assessment. When validating the OSC's proposed assessment scope, you realize they use an ESP for various cybersecurity services.

What action must you, as a CCA, take regarding the ESP?

12. A contractor has recently allowed its employees to work remotely. Employees can access CUI remotely through VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets) that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructures that contain CUI.

Which of the following is a reason the contractor's use of SSH should concern you?

13. You are a CCA collaborating with an OSC to provide specialized consulting services. The OSC representative has inquired about strategies to validate the accuracy of their project scope. In response, you suggest leveraging a data flow diagram. This sounds interesting to the OSC. This visual representation could assist in mapping the flow of information and processes within the project, enabling a comprehensive review and verification of the scope's alignment with the client's requirements.

If you were on the Assessment Team, how would you use the data flow diagram after it is created?

14. An OSC has produced two assessment scopes. When the Lead Assessor questioned the OSC POC about why they did it, they explained they process, store, or transmit FCI within one assessment scope and CUI in another.

Which scope will the OSC obtain a CMMC Level 2 Certification for?

15. You are the Lead Assessor assigned by your C3PAO to conduct a CMMC Assessment for a small manufacturing company, Precision Parts Inc. (PPI). During the initial coordination call with PPI's management team, you learn that PPI is a wholly-owned subsidiary of a larger corporation, Acme Manufacturing Holdings (AMH). PPI operates as an independent business unit within AMH and has its own IT infrastructure and cybersecurity policies. You need to determine the appropriate corporate entity to be assessed as the " Organization Seeking Certification" (OSC). During the coordination call, you discover that PPI has a dedicated enclave for its engineering design activities.

How would this enclave be addressed in the CMMC Assessment?

16. Dwayne is the Lead Assessor for a C3PAO Assessment Team conducting an assessment for an OSC. During the evaluation, he learned the OSC recently won a lucrative contract with the Department of Defense, a significant milestone for the organization. Impressed by the OSC's accomplishment, Dwayne begins to view the organization more favorably and is inclined to interpret the evidence gathered during the assessment in a way that would enable the OSC to achieve the desired CMMC certification level.

What is the primary reason Dwayne's assessment of the OSC may be influenced?

17. You are the Lead Assessor for a C3PAO Assessment Team that has recently completed a CMMC Level 2 assessment for an OSC. You and your Assessment Team have finalized the assessment process and are now in Phase 3 - Report Recommended Assessment Results. You are preparing to present the final recommended findings to the OSC Assessment Official and participants during the Final Findings Briefing.

After you present the final recommended findings and practice scores, what is the next step in the CMMC Assessment Process?

18. During your on-site assessment, you examine an OSC's network architecture and the components that make up its defined security boundary. You notice various network devices, servers, and endpoints that are considered part of the OSC's information system. Additionally, the design team also uses a 3D printer to produce model prototypes.

Which of the following is not a boundary component?

19. During a CMMC assessment for an OSC, the POC mentioned they conducted a self-assessment beforehand. The self-assessment was part of the organization's preparations for the CMMC assessment by your C3PAO.

Which publication offers the best guidance for the self-assessment procedures OSCs might use for CMMC compliance?

20. Ron is the lead assessor for an OSC's CMMC assessment. His team has scheduled interviews and demonstrations with the OSC's system administrator, Olivia. However, on the first day, the CEO informs Ron that Olivia is very ill and is unavailable. The CEO offers to be interviewed about Olivia's responsibilities instead, even though he does not perform those tasks.

What should Ron do in this scenario?

21. A software development company wins a DoD contract requiring CMMC Level 2. The company is small and has one main office. However, it outsources some data storage requirements to a cloud service provider (CSP).

What type of organization would the cloud service provider be considered in the CMMC assessment scope?

22. An OSC plans to undergo a CMMC Level 2 assessment with your C3PAO firm. As the Lead Assessor, you are collaborating with the OSC to develop the evidence collection approach for Phase 1. The OSC proposes conducting most interviews virtually due to geographically dispersed employees. You are responsible for defining the evidence collection methods for artifacts, interviews, tests or demonstrations, and information requests. Additionally, you must determine how virtual data collection will be managed, including security protocols for CUI and FCI.

Which of the following is the most appropriate approach for artifact collection in this scenario?

23. While assessing a defense contractor for CMMC compliance, you examined their audit and accountability policy, which outlined the requirements for user accountability through audit logs. You interviewed the system administrator responsible for this control to validate the implementation. The system administrator explained that for every device connecting to the contractor's systems or network, they capture process IDs, source/destination IP addresses, machine name/ID, user ID, timestamps, and geolocation data. Their deployed SentinelOne Endpoint Protection Platform (EPP) enables this, providing robust endpoint detection and response capabilities to monitor real-time events.

Additionally, the Contractor has implemented SentinelOne's Singularity XDR (Extended Detection and Response) solution to monitor network traffic for potential data exfiltration of sensitive information. The system administrator confirmed that all audit log data collected is retained for 120 days, even after being reviewed.

Which of the following statements best describes the maintenance of the Contractor's audit records in compliance with CMMC requirements?

24. The OSC Assessment Official and the Lead Assessor have completed the Pre-Assessment Form and are ready to upload it to the eMASS system. However, before proceeding, the CMMC Quality Assurance Professional (CQAP) needs to ensure the data is properly structured in JavaScript Object Notation (JSON) format. The team is now considering the reasons for this requirement and its implications for their assessment process.

What is the primary purpose of structuring the Pre-Assessment Form data in the JavaScript Object Notation (JSON) format?

25. While examining an OSC's system design documentation, you notice they have implemented a CUI enclave and have a documented procedure addressing boundary protection. They have segmented their network into different zones, each having its own rules to allow or deny traffic. The OSC has implemented strict firewall rules that deny all incoming and outgoing traffic by default, only allowing specific traffic as required. The OSC has provisioned a state-of-the-art Intrusion Detection and Prevention System (IDPS) to block unrecognized traffic patterns automatically. During an interview with the network administrator, you realize that OSC uses a whitelisting approach to explicitly allow only certain IP addresses, domains, or services to communicate with their system. Their IT security team monitors network traffic to detect any unauthorized attempts to connect or communicate with their system. The scenario states that network traffic is monitored to detect unauthorized connection attempts.

Which of the following best describes the purpose of monitoring network traffic in the context of CMMC practice SC.L2-3.13.6-Network Communication by Exception?

26. A contractor is preparing to bid on an upcoming DoD contract to provide next-generation upper limb prostheses for injured servicemen. Part of the preparation is undergoing a CMMC assessment, and they have hired you to assess their implementation of CMMC practices.

The contractor has multiple design, manufacturing, and supply chain management systems. Each system generates its audit logs, which are stored in separate repositories. Different teams analyze and review them independently, with each team reporting the findings to the respective departmental heads. For instance, the engineering team reviews and analyzes logs related to the design systems and reports to the lead engineer, while the operations team focuses on the manufacturing system logs. When interviewing personnel responsible for audit record review, analysis, and reporting, they inform you that this is deliberately set up to ensure departmental independence and granular risk identification.

Based on the CMMC practice AU.L2-3.3.5-Audit Correlation, what is the likely issue you would identify with the contractor's current approach?

27. Examining an OSC's system design documentation, you notice they have implemented a CUI enclave and have a documented procedure addressing boundary protection. They have segmented their network into different zones, each having its own rules to allow or deny traffic.

The OSC has implemented strict firewall rules that deny all incoming and outgoing traffic by default, only allowing specific traffic as required. To automatically block unrecognized traffic patterns, the OSC has provisioned a state-of-the-art Intrusion Detection and Prevention System (IDPS). During an interview with the network administrator, you realize the OSC uses a whitelisting approach to explicitly allow only certain IP addresses, domains, or services to communicate with their system.

Their IT security team monitors network traffic to detect any unauthorized attempts to connect or communicate with their system. The scenario states that network traffic is monitored to detect unauthorized connection attempts.

Based on the scenario and your understanding of the CMMC scoring methodology, how would you score the OSC's implementation of CMMC practice SC.L2-3.13.6-Network Communication by Exception?

28. One of the most important roles in a CMMC Assessment is a CQAP. They have diverse but specific roles to perform during an assessment.

In which of the following ways can a CQAP NOT help a Lead Assessor and the Assessment Team during the assessment process?

29. When assessing a contractor’s implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure that remote access to CUI is not compromised.

Why should all traffic be routed through a managed Access Control point?

30. You are working as a CCA on a Level 2 Assessment for a DoD prime contractor. The OSC seeks to keep assessment costs down, and the C3PAO and OSC have decided to conduct all possible work remotely. You are assigned to work primarily on the Media Protection (MP), Personnel Security (PS), and Physical Protection (PE) domains. In addition, the Lead Assessor has designated you as the one person from the Assessment Team to conduct all the on-premises work.

Which of the following factors do you and the Assessment Team NOT need to consider as part of your on-site work?

31. An OSC employs guards to protect the manufacturing shop where the magnetic radar-absorbing coating is manufactured. This specific coating is used by the Army for a particular fleet of unmanned aerial vehicles (UAVs). The facility is under constant surveillance with the help of HD CCTVs.

Within the OSC's facilities, there is a Vector Network Analyzer (VNA) that measures the reflection and transmission properties of the coating over a range of frequencies. Guards protect the OSC's anechoic chamber, and anyone entering must use an iris scanner and sign a physical form detailing their name and reason for being there. At the door is a huge sign reading 'Authorized Personnel Only.'

Which of the following statements is true about handling the Vector Network Analyzer(VNA) in a CMMC assessment?

32. A contractor's system maintenance policy allows for non-local maintenance. It has implemented a strict access control policy, allowing only authorized personnel to initiate non-local maintenance sessions. The Access control policy is supported by using Common Access Cards (CACs) with automatic session timeouts to ensure maintenance connections are terminated when complete or inactive. The non-local maintenance team must use a secure VPN to establish connections with the contractor's facilities. However, people's identities or processes initiating the non-local maintenance sessions must be verified before authorization. The contractor also continually monitors active sessions to ensure they are legitimate and terminated after completion.

Which of the following evidence would NOT meet sufficiency and adequacy requirements to support a finding of Met?

33. A CCA was part of an Assessment Team tasked with conducting a CMMC assessment for an OSC. Happy to have been part of the team that completed the assessment, the CCA posted the OSC’s assessment results on their Twitter/X account.

Which CMMC Code of Professional Conduct (CoPC) principle has the CCA violated?

34. An OSC preparing for a CMMC assessment has multiple senior representatives involved in the assessment process with decision-making authority. However, the C3PAO requires them to identify and designate a single OSC Assessment Official who will make assessment-related decisions and agreements.

Why is it important to establish roles and assign responsibilities during the planning and preparation phase of a CMMC assessment?

35. While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has a defined, technical, and documented policy where identifiers can only be reused after 12 months.

How is the OSC likely to consider CMMC practice IA.L2-3.5.5-Identifier Reuse if you find issues with its implementation?

36. You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality.

Upon reviewing the documentation, the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role; they are granted the necessary privileges to manage audit logging functionality across the contractor's systems.

However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility.

Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9-Audit Management?

37. Upon analyzing all the collected information and discussions conducted during Phase 1, the Lead Assessor can arrive at one of four possible determinations, including canceling the assessment.

What factors can result in the cancelation of the assessment?

38. A CCA is assessing an Organization Seeking Certification (OSC). During the assessment, they discover the OSC is pressuring the CCA to overlook certain security practices that do not meet the CMMC requirements. The organization threatens to withhold payment if the CCA does not modify their findings at the request of the OSC.

According to the CoPC, which of the following actions would be most appropriate for the CCA to take in this situation?

39. You are assessing a contractor that develops missile guidance software containing CUI data. The software developers have administrative privileges on their workstations to be able to install tools and edit configuration files needed for their jobs. However, you have noted that many developers have access to modifying components critical to system security, which is beyond what they need for their specific roles.

What principle is being violated in this scenario?

40. While assessing the scope provided by an OSC, you realize they have two environments with distinct characteristics: the headquarters space located at 24 Industrial Pkwy and an off-site location at 25 Industrial Pkwy. The headquarters houses several offices where document processing occurs on a cloud-hosted Microsoft Dynamics 365 GCC environment.

At the off-site location, users access designs from servers hosted at the headquarters through a Virtual Private Network (VPN). These designs are used first in a 3D printer to develop prototypes and subsequently in a Computer Numerical Control (CNC) machine for production. All these operations are supported by a high-quality Industrial Control System (ICS).

What type of environment is the off-site facility located at 25 Industrial Pkwy?

41. While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure.

Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?

42. An OSC specializing in developing directed energy systems plans to bid on a DoD contract to produce a 250kW High Energy Laser Weapon System (HELWS). This system is to be deployed on military bases across the globe to protect U.S. service personnel against aerial threats including mortars, rockets, and unmanned aerial vehicles (UAVs), as well as swarms of mini-UAVs. Because of the sensitivity of the information, the OSC has prohibited using emails to transmit information regarding the project, whether encrypted or otherwise. They also have instituted procedures to remove CUI from the email system.

The documents containing project information from the DoD are likely to contain which banner marking?

43. A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.

Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2-Security Configuration Enforcement if the contractor is tracking it in a POA&M?

44. A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs.

Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds.

How would you assess the contractor's implementation of AU.L2-3.3.7-Authoritative Time Source?

45. A CCA receives a notification from the Cyber AB that they are being investigated for a potential violation of the CoPC. They are concerned about the potential consequences and want to understand the process better.

Who has the final authority to determine the corrective action taken against a CCA, if any?

46. After you ask to examine some audit records, the contractor's system administrator informs you there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms, and the system administrator has to run an algorithm to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data.

Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card. While interviewing the contractor's employees, you find they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. Considering CMMC AU.L2-3.3.8-Audit Protection and best practices, which of the following is the MOST concerning finding regarding the employees' access to audit logging tools?

47. When interviewing a contractor’s CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that the contractor tests its incident response plan every four months and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited its security systems in over two years.

Which of the following must be considered for the contractor's implementation of CA.L2-3.12.1-Security Control Assessment to be successful?

48. You are assessing an organization’s implementation of the System and Information Integrity (SI) practices. During your assessment, you find that the organization has subscribed to security alert and advisory services from reputable sources, such as US-CERT and relevant industry -specific organizations. In interviews with their network and system administrators, you learn they have deployed an intrusion detection system (IDS) to monitor network traffic for known threats and suspicious activities.

They also have a Security Information and Event Management (SIEM) system in place to aggregate and analyze logs from various sources for potential security incidents. Additionally, the network administrator informs you that they have established a Security Operations Center (SOC) to monitor and analyze activity on networks, servers, databases, applications, and other systems. However, you notice that while the organization receives these alerts and advisories, there is no documented process or assigned personnel responsible for reviewing and acting upon them.

Based on the information provided in the scenario, which of the following assessment objectives of CMMC practice SI.L2-3.14.3-Security Alerts & Advisories has the organization satisfied?

49. Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment.

Which document/template includes the OSC's evidence, assets, and CMMC assessment scope, among other data?

50. To transfer CUI between a government client and its internal systems, a defense contractor uses a Secure File-Sharing Application provided by the DoD. However, all the data traversing this boundary MUST pass through a next generation firewall (NGFW) managed by the contractor's Network Admin. All CUI is stored on a Solid State Drive (SSD) and accessed through a laptop.

What type of asset is the Network Admin?

51. During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9-

Connections Termination. The OSC uses a custom web application for authorized personnel to access

CUI remotely. Users log in with usernames and passwords.

The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal they rely solely on users to remember to log out of the application after completing their work. The scenario describes using a central firewall for network security.

How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9-Connections Termination, for the remote access application?

52. Security Protection Assets (SPAs) include people, technologies, and facilities.

Which of the following technologies is not an SPA?

53. An OSC has an established Incident Response plan and a dedicated team specifically trained to handle any potential incidents and conduct necessary analysis. When performing the assessments, you also realize the OSC has deployed IDS and SIEM tools to identify possible incidents. Examining the Contractor's incident response policy, you also learn they have defined and implemented containment strategies and have developed clear procedures for system and data recovery after an incident, including backup and restore procedures. There is also a communication protocol in place to inform the affected stakeholders and users after a security incident.

Chatting with a few members of the OSC's incident response team, you learn they conduct regular drills to test and improve the effectiveness of the incident-handling capability. There also are defined and documented incident response mechanisms and a post-incident analysis procedure to identify lessons learned and make necessary improvements to the incident-handling process.

Based on the information provided, which aspect of IR.L2-3.6.1-Incident Handling can NOT be definitively confirmed for the OSC's incident response capability?

54. You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation. As part of the CMMC Assessment process, you begin to determine the necessary evidence for each practice or process across the OSC's organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC's requirements. After initial preparations, you and the OSC's POC schedule a joint review session to align on the scope and expectations for the upcoming assessment.

What is the primary focus of the 'Sufficiency' criterion during the evidence verification process in a CMMC assessment?

55. A software development company is applying for a CMMC Level 2 assessment. As the Lead Assessor, you request access to the company’s System Security Plan (SSP) as part of the initial objective evidence for validating the scope.

Which of the following is true about the software development company's obligations in honoring the request?

56. You are a CCA who is part of an Assessment Team conducting a CMMC assessment on an aerospace company. While analyzing their network architecture, you realize that it includes a Demilitarized Zone (DMZ) to host their public-facing web servers.

What is the primary purpose of a DMZ in a network architecture?

57. You are assessing a contractor that develops missile guidance software containing CUI data. The software developers have administrative privileges on their workstations to be able to install tools and edit configuration files needed for their jobs. However, you have noted that many of the developers have access to modifying components critical to system security, which is beyond what is needed for their specific roles.

Which of the following is a potential risk if AC.L2-3.1.5, Least Privilege is not properly implemented for developers?

58. While reviewing an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9-Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network.

The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, no documented policy or procedure outlines a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario mentions that the server utilizes default settings for connection timeouts.

Besides relying solely on user awareness, what additional approach could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9-Connections Termination?

59. During the examination of evidence for access control procedures, you review an OSC's Access Control List (ACL). The ACL appears to include most user accounts, but you notice it lacks entries for several newly hired employees. You also realize that some parts of the OSC's access control policy haven't been signed and endorsed by senior management. Additionally, you notice multiple attestations from employees who are not the proper system owners.

How should you handle an attestation (affirmation) from an employee who is not the proper owner/operator/supervisor of the system or information being examined?

60. An OSC uses a third party in all system repairs and has hired an MSP for penetration testing. The third party comes for adaptive, preventive, perfective, or corrective system maintenance every three months, and the penetration tester does so continuously. Whenever the third party comes for maintenance, there's no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC.

To comply with CMMC practice MA.L2-3.7.1-Perform Maintenance, what should the OSC implement for the maintenance activities performed by the third-party vendor?

61. An OSC has recently obtained an ISO 27001 certification and a FedRAMP Authorization to Operate (ATO) for its information systems. During the initial stages of the CMMC Assessment Process, the OSC claims these certifications should grant them automatic credit or exemption from certain CMMC requirements.

As the Lead Assessor, what should be your response?

62. You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows the Contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network.

However, the Contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks.

Which components of the Contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3, Control CUI Flow?

63. Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices.

You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment. Before commencing the assessment phase, the C3PAO and its assessment team members should declare that they have not provided advisory, consulting, or CMMC implementation support.

Where should this declaration be documented?

64. Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must go through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters.

The personnel affecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect.

To demonstrate their compliance with CM.L2-3.4.5-Access Restrictions for Change, what can the contractor NOT cite as evidence?

65. Part of effective CUI protection involves knowing which assets process, transmit, or store CUI. This understanding is crucial for defining CUI boundaries within an OSC's systems. To achieve this, an OSC can prepare a logical data flow diagram for their information systems.

Which of the following questions does a logical data flow diagram NOT answer?

66. A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks.

While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.

Based on the scenario above and CMMC scoring methodology, how would you assess the contractor's implementation of CM.L2-3.4.2-Security Configuration Enforcement?

67. During a POA&M Close -Out Assessment, the Lead Assessor notes the organization has updated its Risk Assessment to remove the previous CMMC practices listed on the POA&M.

Which of the following statements accurately describes the Lead Assessor's responsibility in this scenario?

68. During the planning and preparation discussions, a key member of the C3PAO Assessment team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team.

Can the Lead Assessor proceed with the assessment using a reduced assessment team size?

69. Before starting an assessment, an OSC must develop a data flow diagram. This diagram can then be used as a tool to help establish the context and boundaries of the CMMC assessment activities.

What is critical to capture while developing the data flow diagram?

70. When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. After interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year.

Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1-Risk Assessments?

71. An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred.

After personnel termination or transfer, what should the OSC NOT do? Choose all that apply.

72. During the planning and preparation discussions, a key member of the C3PAO Assessment team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team.

According to the CAP, if the decision is made to replan or reschedule the assessment, what is the C3PAO's required action?

73. When assessing a contractor’s implementation of CMMC requirements, you realize it has multiple data centers and regional offices, each with access control mechanisms and a security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure that the remote access to CUI is not compromised.

In assessing the contractor's implementation of AC.L2-3.1.14- Remote Access Routing, what must you determine?

74. During the Planning phase, the C3PAO and Lead Assessor will collect information from the OSC to provide a Rough Order of Magnitude (ROM). This enables the Assessor to approximate the duration, schedule, and cost of the Assessment.

To determine the Rough Order of Magnitude (ROM), the Lead Assessor can use the following inputs, EXCEPT which one?

75. You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6-Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance.

When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6-Alternative Work Sites, which would be the least effective method for gathering information?

76. An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper and microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets.

To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms.

You also learn the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multifactor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms.

While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?

77. An organization utilizes a cloud-based single sign-on (SSO) solution (OpenID Connect) for user authentication across various internal applications. The SSO solution offers two options for password masking during login:

Masking: Characters are replaced with asterisks (*) as the user types.

Invisible Input: The password field appears blank as the user types, but characters are still captured.

During a CMMC assessment focusing on practice IA.L2-3.5.11-Obscure Feedback (of Authentication Information), which of the following approaches would be the MOST favorable for the organization to implement?

78. You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows the Contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network.

However, the Contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks.

What risks does the hybrid infrastructure with cloud storage and remote access introduce regarding CUI data flow?

79. CMMC practice CM.L2-3.4.9- User-Installed Software, requires OSCs to establish a policy controlling software installation, to ensure any software installations by any user follow the established policy, and to monitor user software installation.

Which of the following is NOT something the OSC can cite as evidence to demonstrate their efforts to meet the requirements of CM.L2-3.4.9-User-Installed Software?

80. You have been sent to assess an OSC?s implementation of CMMC practices, one of which is AC.L2-3.1.11-Session Termination.

In assessing the contractor's implementation of AC.L2-3.1.11, you'll likely NOT need to examine which of the following specifications?

81. You are part of an Assessment Team tasked with conducting a CMMC Assessment for an OSC. When assessing the contractor's implementation of SC.L2-3.13.6-Network Communication by Exception, objectives [a] and [b], the OSC's system admin informs you that they use Fortinet Next-Generation Firewall (NGFW). Fortinet NGFWs are hardcoded to deny all traffic by default, and traffic is only allowed on an exception basis. While this is factual, the Lead Assessor asks you to test the NGFW to ascertain whether it meets the intent of Assessment Objectives in SC.L2-3.13.6- Network Communication by Exception.

What is the benefit of testing as an assessment method?

82. You are part of the Assessment Team assessing a small defense contractor. You learn the contractor (ABC Manufacturing) outsources parts of its IT infrastructure and cybersecurity services to a reputable Managed Services Provider (MSP). During a CMMC assessment, the contractor's Assessment Official claims that several CMMC practices related to system security and monitoring are inherited from the MSP.

Which of the following actions should the Lead Assessor take?

83. During a CMMC assessment, the Lead Assessor requests evidence from the OSC to support their claim that several access control and authentication practices are inherited from their enterprise-level Identity and Access Management (IAM) system. The OSC claims their parent company manages the IAM system.

Which of the following types of evidence would be the most appropriate for the OSC to demonstrate these inherited practices?

84. David, a Certified CMMC Assessor (CCA), is conducting a CMMC assessment for a defense contractor. During the assessment, he observed the organization's CEO making several statements to the Assessment Team about the company’s security practices that turned out to be false.

How should David respond to the CEO's behavior according to the CMMC CoPC?

85. A mid-sized company specializing in machining is preparing to bid for an upcoming DoD contract to provide machined components crucial for defense systems. As CMMC compliance will be required, the company’s top executives have invited you to assess their implementation of CMMC Level 2 requirements.

During your visit to their environment of operations, you discover the production floor has several Computer Numerical Control (CNC) machines for precision machining, all connected to a local network for data transfer and control. The CNC machines receive design files from a central server in the company's data center and communicate with a SCADA quality control system that monitors production metrics and performance.

The central server hosts the design files, which are only accessible to authorized engineers and operators and backed up in an Amazon EBS cloud instance to ensure availability across the company's multiple machining shops in different states. Furthermore, the company allows employees to upload designs to the server remotely using VPNs and virtual desktop instances.

Which of the following virtual locations is NOT In-scope for the CMMC Assessment?

86. Your organization has informed you that an OSC has contacted them for a prospective CMMC assessment. Your C3PAO has a specified number of days to acknowledge the request and proposes a date for the initial coordination call.

Who is responsible for overseeing and managing a dedicated CMMC Assessment Team for a specific OSC?

87. A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices like tablets and smartphones.

After assessing AC.L2-3.1.18-Mobile Device Connection, you find the contractor maintains a meticulous record of mobile devices that connect to its information systems.

AC.L2.3.1.19-Encrypt CUI on Mobile requires that the contractor implements measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption where all the data on a mobile device is encrypted.

Which of the following is the key requirement for encryption of data on mobile devices?

88. When validating an OSC's assessment scope, an Assessment Team learns that the proposed scope is too narrow. You also determine their asset categorization is mixed up.

What should the Assessment Team do?

89. Angela, a CCA, is conducting a CMMC assessment for Obsidian Technologies, the OSC. During the assessment, Angela learns her spouse owns a significant amount of stock in Obsidian Technologies, and she has not disclosed this information to Obsidian Technologies or the C3PAO.

Which CMMC CoPC guiding principle has Angela violated in this scenario?

90. During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment.

What is your ethical obligation in this situation?

91. An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1- System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet.

Which of the following is NOT true about the handling of the OSC's implementation of CM.L2-3.4.1-System Baselining?

92. Patrick has taken the CCP examination and registered with a Licensed Training Provider for a CCA course. After he completes the CCA training, the LTP recommends he go to the Cyber AB for the examination. However, knowing the exam will be challenging, Patrick pays John a certified CCA fee to take it on his behalf.

Has John violated any CoPC guiding principles? If so, which one(s)?

93. You are assessing an OSC that uses containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces.

From a mobile code control perspective, what is the primary concern in this scenario?

94. John, a Certified CMMC Assessor (CCA), reports to the Cyber AB that he has observed his colleague, Jane, also a CCA, providing inaccurate guidance to a client during a CMMC assessment. The Cyber AB acknowledges the report and begins an investigation.

What should the Cyber AB do in response to John's report?

95. During scoping discussions with a Lead Assessor, the OSC mentions there are several connected systems within the organization's network.

How should the Lead Assessor consider connected systems in the scoping of the CMMC assessment?

96. An OSC is in the early stages of preparing for its CMMC assessment. They have identified their OSC Point of Contact (PoC), who is highly involved in the process and has significant knowledge about the company's operations. The team is now considering whether the OSC PoC, given their deep involvement and understanding of the company, could also serve as the OSC Assessment Official.

Which of the following will the OSC and C3PAO NOT discuss and agree on during the assessment framing?

97. You are a Lead Assessor working with your C3PAO to conduct a CMMC Assessment for an OSC. During the preparation and planning phase, you meet with the OSC's Assessment Official to identify the resources and schedule for the upcoming assessment. Together, you review the OSC's pre-assessment information to estimate the level of effort required. You then collaborate to determine the specific resources needed, including the Assessment Team members, facilities, and any support personnel from the OSC. You also discuss scheduling factors like duration, key activities, and potential constraints. Based on these discussions, you develop a Rough Order of Magnitude (ROM) cost estimate and a proposed daily schedule for the assessment activities.

What is your primary responsibility in identifying resources and the schedule during Phase 1?

98. As a CCA on a C3PAO Assessment Team, you have determined the assessment scope provided by an OSC indicates plans to subcontract some elements of their contract to DelTech Inc. The OSC plans to bid on a DoD contract to develop guidance and targeting software. However, the software needs testing after installing a new surface-to-air defense system. Unfortunately, the OSC lacks the means to test the software, which is where DelTech comes in.

As a CCA, what must you do in this scenario?

99. You are a Lead Assessor tasked with conducting a CMMC Assessment for an OSC seeking to secure its CMMC Level 2 certification. The OSC has previously conducted a self-assessment and engaged a Registered Practitioner Organization (RPO) for a preliminary evaluation.

As part of the CMMC Assessment process, you begin by determining the necessary evidence for each practice or process across the OSC's organizational functional areas. You consider both the adequacy and sufficiency of the evidence in relation to the CMMC's requirements. After initial preparations, you and the OSC's POC schedule a joint review session to agree on the scope and expectations for the upcoming assessment.

Why is it important for the Lead Assessor and the OSC's POC to review the OSC's self-assessment findings before the formal CMMC assessment begins?

100. A contractor has been supplying the US military with Advanced Combat Helmets (ACH) over the years. To continue supplying the tactical helmet, the contractor must pass a mandatory CMMC assessment by a C3PAO. Your organization sends you to assess the contractor's implementation of the required CMMC controls. One of the main things you must do is determine the OSC's context.

When framing the assessment, you should consider the following company location factors, EXCEPT which one?

101. You are assessing an OSC that uses various collaborative computing devices such as video conferencing systems, networked whiteboards, and webcams for remote meetings and presentations. During your assessment, you examine the OSC's collaborative device inventory and find they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use.

The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes.

In addition to interviewing personnel, what other evidence would be helpful to assess the OSC's compliance with CMMC practice SC.L2 -3.13.12-Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.

102. After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor’s security and compliance team, you learn that while an audit is regularly conducted, the remediation measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success.

Based on the scenario, how would you rate the contractor's implementation of CA.L2-3.12.2-Plan of Action?

103. After the Assessment Team has been formed and the OSC Point Of Contact (POC) and assessment official have been identified, your C3PAO appoints John as the Lead Assessor. During the kickoff meeting, John reassures the OSC assessment official not to worry; they are guaranteed to pass the CMMC assessment. If they don't, John has agreed to refund 40% of the assessment fee.

Which of the following is true about John's behavior as a Certified CMMC Assessor?

104. Mobile devices are increasingly becoming important in many contractors' day-to-day activities. Thus, the contractors must institute measures to ensure they are correctly identified, and that any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI.

You have been hired to assess a contractor's implementation of CMMC practices, one of which is AC. L2.3.1.18 (Mobile Device Connections). To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is.

Which of the following options does NOT describe a mobile device?

105. You are a Lead Assessor, and an OSC has engaged your C3PAO firm to conduct a CMMC assessment. As the Lead Assessor, you are responsible for identifying, documenting, and communicating any potential risks that could impact the successful completion of the planned assessment. You need to evaluate various risk categories and develop mitigation plans to ensure a smooth assessment process.

If a member of the Assessment Team is at risk of being delayed and is unable to start the assessment on time, which of the following would be an appropriate mitigation plan?

106. Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must go through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters.

The personnel affecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect.

Based on the contractor's current implementation how would you score their effort to address CM.L2-3.4.5-Access Restrictions for Change?

107. An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1 -Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance.

What is the most appropriate course of action for you as the Lead Assessor in this scenario?

108. Pre-assessment information must be uploaded to CMMC eMASS by the end of the planning phase (Phase 1).

Who uploads this information, and what happens if the pre-assessment information changes after the upload?

109. While assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored and meeting rooms where executives meet to discuss things that have to do with CUI and other sensitive matters are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged.

Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2-Monitor Facility?

110. An OSC has submitted an assessment scope that includes some CUI and Special Protection Assets. As the Lead Assessor, you are validating the CMMC assessment scope in preparation for starting the CMMC assessment for the OSC.

How should you handle CUI and Special Protection Assets during the CMMC Assessment?

111. You are the Lead Assessor for an upcoming CMMC assessment with an OSC. You meet with the OSC's Assessment Official to identify and manage any potential conflicts of interest (COIs) that may arise. You explain the importance of avoiding or mitigating COIs to maintain objectivity and impartiality throughout the assessment process. Together, you review the CMMC Code of Professional Conduct and discuss any circumstances that could create a real or perceived COI for you or the assessment team members.

What is the primary responsibility of the Lead Assessor regarding conflicts of interest?

112. Your organization has informed you that an OSC has contacted them for a prospective CMMC assessment. Your C3PAO has a specified number of days to acknowledge the request and proposes a date for the initial coordination call.

How many days does the C3PAO have to respond to the OSC's request?

113. A contractor's system maintenance policy allows for non-local maintenance. It has implemented a strict access control policy, allowing only authorized personnel to initiate non-local maintenance sessions. The Access control policy is supported by using Common Access Cards (CACs) with automatic session timeouts to ensure maintenance connections are terminated when complete or inactive.

The non-local maintenance team must use a secure VPN to establish connections with the contractor's facilities. However, people's identities or processes initiating the non-local maintenance sessions must be verified before authorization. The contractor also continually monitors active sessions to ensure they are legitimate and terminated after completion.

Based on this scenario, how can you score the contractor's implementation of CMMC practice MA.L2-3.7.5-Non-local Maintenance?

114. As part of the CMMC Level 2 assessment for an OSC, the C3PAO's Lead Assessor has been closely observing various live demonstrations and tests conducted by the organization's personnel. During these observations, the Lead Assessor carefully documents the actions and behaviors of the OSC team as they execute the CMMC-related security practices. This includes noting the specific steps taken, the tools and technologies used, and the overall effectiveness of the implementation.

How does the Lead Assessor use information gathered during test or demonstration observations?

115. In preparation for a CMMC Level 2 assessment, an OSC must ensure their CUI handling practices are fully compliant with the laws, regulations, and government-wide policies.

Which of the following Laws, Regulations, or Government-wide Policies does the OSC employee NOT have to acquaint themselves with?

116. During a CMMC assessment, a CCA took home some documents from the OSC's facility without their knowledge. The documents contained confidential, proprietary information (jet engine designs). After a few days, the OSC realized the documents were missing. Upon realizing the mistake, the CCA returned the documents and informed the Lead Assessor. One year later, the information appeared online. The OSC believes the CCA duplicated the information and kept a copy for themselves. Angered by the situation, the OSC sues the CCA for IP theft.

Under the CoPC, what action should the CCA take?

117. As a CCA, you were the Lead Assessor for a C3PAO Assessment Team that has just completed a CMMC assessment for an OSC. However, an individual has requested under the FOIA that your C3PAO release the assessment results. As the Lead Assessor, your C3PAO wants to hear your views on this request.

What should your recommendation be?

118. When examining procedures addressing system security plan development and implementation, you realize the contractor has developed an SSP that defines and documents system boundaries. The SSP also contains the non-applicable security requirements approved by designated authorities. It also outlines other essential aspects, such as relationships with or connection to other systems, how security requirements will be implemented, etc. Upon interviewing personnel with information security responsibilities, you realize the contractor has not reviewed or updated the SSP and has no defined timelines.

As a CCA, how would you score the contractor's implementation of CA.L2-3.12.4-System Security Plan?

119. A remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information.

To demonstrate compliance with AC.L2-3.1.13-Remote Access Confidentiality, what can't the contractor provide as evidence?

120. An aerospace company bids on a DoD contract that requires CMMC Level 2 compliance. The Company has multiple divisions, but only the Manufacturing Division will work on the project. The Manufacturing Division has its own IT infrastructure and security policies, but it relies on the Company's centralized IT department for some administrative tasks.

Which unit will be assessed for CMMC Level 2 compliance?

121. A contractor has recently allowed its employees to work remotely. The employees can access CUI remotely through VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets)

that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructures that contain CUI.

Which of the following would be the MOST effective way to ensure that only authorized users and devices are connecting to the remote access system?

122. An OSC has provided its System Security Plan (SSP) as evidence for several CMMC practices related to system security. During your examination of the SSP, you discover a section outlining procedures for user access controls. However, upon further review, you find no mention of procedures for managing privileged accounts, which is a critical aspect of secure system access.

If the OSC provides a separate document outlining privileged account management procedures, and upon review, these procedures appear sufficient, how should the Lead Assessor proceed with the SSP as evidence?

123. A defense contractor has implemented a secure wireless network infrastructure to support their operations and client engagements. They use the WPA2-Enterprise encryption protocol with AES-CCMP ciphers and the 802.1X port-based authentication framework to secure their wireless network.

The wireless network infrastructure includes a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication and authorization of wireless clients. The contractor has deployed multiple Wireless Access Points (WAPs) throughout their office premises, each with its own Service Set Identifier (SSID) and VLAN configuration. Before granting wireless access, the contractor's IT team verifies the device's compliance with their security standards and validates the user's credentials against the RADIUS server using EAP-TLS authentication.

Based on the scenario, which of the following statements BEST describes the contractor's compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization?

124. An OSC is preparing for a CMMC assessment. It has multiple information systems, some of which process CUI and others that do not. The OSC has identified a specific system that processes CUI and defined this as its System Boundary. However, this system is connected to other systems within the OSC that are separately authorized and do not process CUI.

As a Certified CMMC Assessor, which of the following best describes your approach to defining the CMMC Certification Boundary and Assessment Scope for the OSC?

125. The Cyber AB has completed an investigation into a report submitted by a Certified CMMC Assessor (CCA) about a potential violation by another CCA. The Cyber AB has determined the violation is outside the scope of their purview and involves potential criminal activity.

How would the Cyber AB likely proceed in this situation?

126. Steve is a Certified CMMC Assessor (CCA) who works for ACME Inc., which is both an RPO and a C3PAO. His aunt Mary works for ABC Holdings, and based on this connection, Steve convinces her boss to hire ACME Inc. to help prepare for a CMMC assessment. Steve leads the team and successfully completes the engagement with ABC Holdings. Six months later, Mary informs Steve that ABC Holdings is ready to perform its CMMC Level 2 assessment. Steve jumps at the opportunity and convinces his management at ACME Inc. to assign him as the lead CCA along with two other employees.

Which of the following is true about Steve’s involvement in ABC Holdings’ CMMC assessment?

127. After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms, and the system administrator has to run an algorithm to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data.

Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card. While interviewing the contractor's employees, you find they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools.

How can the contractor improve their access control for audit logging tools?

128. CMMC MA.L2-3.7.6-Maintenance Personnel, requires that maintenance personnel without the required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities.

Which of the following elements should be excluded from the documented procedure?

129. During a CMMC assessment for an OSC, the CCA needs to assess their implementation of CMMC practice MP.L2-3.8.4-Media Markings, which requires proper marking and labeling of CUI. The interview with the information security personnel reveals a well-defined policy, but you need concrete evidence to verify its effectiveness.

Which of the following would provide sufficient evidence to assess a contractor's implementation of CMMC practice MP.L2-3.8.4-Media Markings?

130. Upon examining a contractor's Security and awareness training policy for compliance with AT.L2-3.2.2-Role-Based Training, you determine they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are provided biannual training on CUI handling and cybersecurity best practices. During your assessment, you reviewed their training materials and curriculum for network engineers. You found the training covers basic networking concepts and doesn't delve into secure network configuration practices or identify potential network security risks.

Which of the following best describes the likely outcome of this finding in your assessment report?

131. A C3PAO Assessment Team has completed assessing an OSC's implementation of the CMMC practices. They are now in the process of archiving the assessment artifacts as per the CAP. However, the OSC informed the Assessment Team they could not take the artifacts offsite even after completing the assessment. The Assessment Team is concerned the OSC may change the assessment artifacts, compromising their integrity.

What should the Assessment Team recommend the OSC do to protect the confidentiality and integrity of the Assessment Artifacts?

132. When examining a contractor's security configuration settings, you find they have thoroughly documented the essential ports, protocols, services, and programs required for their business operations. They follow industry security configuration standards, such as CIS Benchmarks, to ensure systems are securely configured and hardened.

After interviewing the network administrator and reviewing their processes, you learn the contractor has implemented a rigorous whitelisting approach to control the execution of programs on their

systems. Only applications and services that are deemed necessary for the system's function are explicitly allowed to run and are tightly controlled.

They use Secure File Transfer Protocol (SFTP) services on port 22, Simple Mail Transfer Protocol (SMTP) on port 25, and DNS services on port 53, while restricting all other unnecessary ports and services using robust firewall configurations. The contractor conducts regular reviews of system services and functionalities to identify and disable any nonessential components that may have been inadvertently enabled or introduced through software updates or changes. They maintain a comprehensive inventory of all approved software, ports, protocols, and services, which is regularly audited and reconciled against the actual system configurations.

Which other Configuration Management practice does CM.L2-3.4.7-Nonessential Functionality extend?

133. While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted.

When assessing the contractor's information systems, how would you mark their implementation of AU.L2-3.3.1-System Auditing?

134. While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has a defined a technical and documented policy where identifiers can only be reused after 12 months.

How would you score the contractor’s implementation of CMMC practice IA.L2-3.5.5-Identifier Reuse?

135. An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators.

Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred.

Based on the scenario how would you score the OSC's implementation of CMMC practice PS.L2-3.9.2-Personnel Actions on the Supplier Performance Risk System (SPRS)?

136. You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management.

Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice some employees use personal cloud storage services for storing work documents.

Considering CMMC practice SC.L2-3.13.4-Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?

137. You are assessing an OSC that develops applications handling Controlled Unclassified Information (CUI). As part of the assessment, you review their vulnerability scanning process. According to their risk

assessment policy, the OSC conducts system vulnerability scans every three months. However, they also use a centralized, automated vulnerability scanning tool that performs daily scans. Upon discovering any vulnerabilities, the OSC's team applies patches and rescans their systems.

Their environment includes backend database servers, web applications with custom Java code, virtual machine hosts running containerized applications, network firewalls, routers, switches, and developer workstations. During the assessment, you find their scanning solution integrates the latest vulnerability feeds from the National Vulnerability Database (NVD), Open Vulnerability and Assessment Language (OVAL), and vendor sources. The tool generates reports using Common Vulnerability Scoring System (CVSS) metrics, and even remotely connected developer laptops are included in the scans.

However, upon reviewing the vulnerability reports, you observe the same high/critical vulnerabilities persist month after month without evidence of remediation. Furthermore, there is no record of source code scanning for their custom applications, and virtual machine hosts running the containerized applications are not included in the scans.

Which of the following would be an appropriate compensating control or mitigation for the lack of source code scanning?

138. A DoD contractor developing guidance and targeting systems has subcontracted a data analytics company to analyze their data accuracy.

How should the DoD contractor handle the analytics company when preparing a CMMC assessment scope?

139. Tom, a CCA, is part of a team conducting a CMMC assessment of an OSC. During the assessment, Tom observes his colleague Jackie, also a CCA, asking leading questions to the OSC staff to steer their responses in a way that makes the company's compliance appear better. Understanding the situation, Tom calls Jackie aside and discreetly tells her that she is leading the OSC staff and that this could jeopardize the assessment. Unfortunately, Jackie does not change her approach.

How should Tom proceed under the CoPC?

140. Your C3PAO has selected you as the lead assessor for the Assessment Team assessing an OSC's implementation of CMMC practices. Part of this assessment includes validating the OSC's CMMC assessment scope.

Which of the following is NOT a factor to consider when determining which assets are in Scope?

141. Upon examining a contractor's Security and awareness training policy for compliance with AT.L2-3.2.2-Role-Based Training, you determine they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices.

How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2-Role-Based Training?

142. After numerous discussions and iterations, the OSC and Lead Assessor have finalized the Pre-Assessment Plan, which outlines the key details of how the assessment will be conducted, including the scope, timeline, resource requirements, and other logistical considerations.

What is the final step before commencing a CMMC assessment?

143. You are testing a contractor’s mechanisms for implementing wireless access protection to their information systems. AC.L2-3.1.17-Wireless Access Protection mandates the contractor to implement measures to protect the WAPs, which after interviews, tests, and examination of some documents, you realize the contractor has done a fair job to achieve compliance.

Which of the following is an option for what the contractor must have addressed to obtain a score of MET in this practice?

144. An OSC and a C3PAO Assessment Team are in the early stages of preparing for their CMMC assessment. During the process of confirming the corporate identity for the assessment, the Assessment Team discovers the OSC does not have a valid Commercial and Government Entity (CAGE) code issued by the Department of Defense. The team is now considering the implications of this finding and the next steps they should take.

When confirming the corporate identity to be assessed, what can happen if you determine the HQ organization doesn't have a valid CAGE code?

145. When interviewing a contractor’s CISO, they inform you that they have documented procedures addressing security assessment planning in their Security Assessment and Authorization policy. The policy indicates the contractor performs regular security assessments and penetration testing to assess the posture of its security controls every ten months. The policy also states that the contractor tests its incident response plan every four months and regularly updates its monitoring tools.

Impressed by the contractor's documented procedures, you decide to chat with various personnel involved in security operations. During these discussions, you discover that the contractor has not performed any security assessments in over two years, despite what is documented.

How would you score the contractor's implementation of CMMC Practice CA.L2-3.12.1 (Security Control Assessment), considering what is documented and actually implemented?

146. Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc. The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware.

Organizational removable media has specific signatures unique to organizational systems and provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems.

The contractor also has deployed an endpoint protection solution for every employee searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives and SD cards.

Based on the OSC's effort, how would you score their implementation of CMMC practice MP.L2-3.8.7-Removeable Media?

147. During an assessment, the OSC was found to have implemented 68% of CMMC practice SC.L2-3.13.11-CUI Encryption. However, the OSC Assessment Official cited issues with the vendor for not fully implementing the practice. Nonetheless, it has been listed in their POA&M.

Which of the following is true regarding using a POA&M during a CMMC assessment?

148. Tina is working on a team conducting a Level 2 assessment for Humvees -R-Us (HRU). While gathering evidence, Tina notices that HRU has not updated several critical policies in years. Knowing that HRU is investing a significant amount of money in the assessment, she tells Bob, the CEO of HRU, that she will date the policies to make them appear as if they have been regularly revised. She explains that this will help HRU pass their assessment and save them the cost of a reassessment. Tina believes changing the dates isn’t a big deal since HRU has policies written but has not revised them as frequently as required. Was it right for Tina to adjust the dates during the assessment?

If not, which principle of the CMMC Code of Professional Conduct did she violate?

149. A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices like tablets and smartphones. After assessing AC.L2-3.1.18-Mobile Device Connection, you find the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2.3.1.19-Encrypt CUI on Mobile, requires the contractor to implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption where all data on a mobile device is encrypted.

Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19-Encrypt CUI on Mobile?

150. You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices.

Which of the following is not one of the recommended methods for collecting evidence during a CMMC assessment?