You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?
Answer(s): D
Comprehensive and Detailed In-Depth SC.L2-3.13.13 Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern via web interfaces accessing microservices. Unauthorized code execution (D) is the primary risk, as it could exploit users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are separate; and JavaScript use (C) isn't inherently mobile code unless executed client-side without control. The CMMC guide focuses on execution risks.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?
Answer(s): B
Comprehensive and Detailed In-Depth AC.L2-3.1.7 Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfiguredpermissions from the Admin_Roles group. Prohibiting inheritance (B) ensures Dev_Roles don't gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."
You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 Cryptographically- Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?
Comprehensive and Detailed In-Depth IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission--both meeting the practice's objectives. Per the DoD Scoring Methodology, IA.L2- 3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance isn't an option here, as both storage and transit are addressed.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 Role-Based Training?
Answer(s): A
Comprehensive and Detailed In-Depth AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI and best practices doesn't meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per DoD methodology for this 1-point practice). Partial compliance (B) isn't an option under CMMC scoring.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.
Comprehensive and Detailed In-Depth IA.L2-3.5.7: Requires "enforcing minimum password complexity." The policy's 15-character minimum with specific requirements meets this.IA.L2-3.5.8: Requires "prohibiting password reuse for a specified number of generations." The 30- cycle rule satisfies this.IA.L2-3.5.9: Requires "changing temporary passwords at first logon and ensuring sufficient entropy." Low entropy fails this practice.IA.L2-3.5.3: No evidence of MFA implementation.IA.L2-3.5.6: Identifier handling isn't addressed.Thus, only B applies fully.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.7: "Define complexity rules." IA.L2-3.5.8: "Prohibit reuse for specified cycles."IA.L2-3.5.9: "Ensure temporary password entropy."
When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. Why should all traffic be routed through a managed Access Control point?
Comprehensive and Detailed In-Depth AC.L2-3.1.14 Remote Access Routing requires "routing remote access through managed access control points." This reduces unauthorized access risk (B) by centralizing control and security, per CMMC intent. Simplification (A), troubleshooting (C), and performance (D) are secondary benefits, not the primary purpose.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.14: "Route traffic to reduce unauthorized access risk."NIST SP 800-171A, 3.1.14: "Examine routing to enhance security."
You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications. Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 System Baselining?
Comprehensive and Detailed In-Depth CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."
You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11 Session Termination. You expect to find the following items when examining the contractor's list of conditions or trigger events requiring session termination, EXCEPT?
Answer(s): C
Comprehensive and Detailed In-Depth AC.L2-3.1.11 requires organizations to "terminate (automatically) a user session after a defined condition." The intent is to protect systems by ending sessions based on specific trigger events that indicate potential security risks or operational policies. Conditions like time-of-day restrictions, periods of inactivity, and responses to incidents (e.g., detected malicious activity) align with this intent, as they are objective triggers for session termination. However, "pre-approved user activity for specific functionalities" does not fit, as it implies authorized actions that should not trigger termination--contradicting the practice's focus on ending sessions under defined risk conditions. The CMMC Assessment Guide lists examples of termination triggers, none of which include approved user activities as a reason to terminate.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.11: "Examples of conditions or trigger events include organization-defined periods of inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."NIST SP 800-171A, 3.1.11: "Examine documentation for conditions or trigger events requiring session disconnect, such as inactivity or incident responses."
Share your comments for Cyber AB CMMC-CCA exam with other users:
totally not correct answers. 21. you have one gcp account running in your default region and zone and another account running in a non-default region and zone. you want to start a new compute engine instance in these two google cloud platform accounts using the command line interface. what should you do? correct: create two configurations using gcloud config configurations create [name]. run gcloud config configurations activate [name] to switch between accounts when running the commands to start the compute engine instances.
kindly upload the dumps
still learning
excellent way to learn
help so much
understand sql col.
i would give 5 stars to this website as i studied for az-800 exam from here. it has all the relevant material available for preparation. i got 890/1000 on the test.
this is nice.
q55- the ridac workflow can be modified using flow designer, correct answer is d not a
by far this is the most accurate exam dumps i have ever purchased. all questions are in the exam. i saw almost 90% of the questions word by word.
i cleared the az-104 exam by scoring 930/1000 on the exam. it was all possible due to this platform as it provides premium quality service. thank you!
question # 232: accessibility, privacy, and innovation are not data quality dimensions.
looks wrong answer for 443 question, please check and update
great question
question: a user wants to start a recruiting posting job posting. what must occur before the posting process can begin? 3 ans: comment- option e is incorrect reason: as part of enablement steps, sap recommends that to be able to post jobs to a job board, a user need to have the correct permission and secondly, be associated with one posting profile at minimum
answer to question 72 is d [sys_user_role]
please provide the pdf
hey guys, just to let you all know that i cleared my 312-38 today within 1 hr with 100 questions and passed. thank you so much brain-dumps.net all the questions that ive studied in this dump came out exactly the same word for word "verbatim". you rock brain-dumps.net!!! section name total score gained score network perimeter protection 16 11 incident response 10 8 enterprise virtual, cloud, and wireless network protection 12 8 application and data protection 13 10 network défense management 10 9 endpoint protection 15 12 incident d
very helpful
useful questions
page :20 https://exam-dumps.com/snowflake/free-cof-c02-braindumps.html?p=20#collapse_453 q 74: true or false: pipes can be suspended and resumed. true. desc.: pausing or resuming pipes in addition to the pipe owner, a role that has the following minimum permissions can pause or resume the pipe https://docs.snowflake.com/en/user-guide/data-load-snowpipe-intro
i want hcia exam dumps
good training
very useful
yes need this exam dumps
these questions are a great eye opener
thank you for providing these questions and answers. they helped me pass my exam. you guys are great.
good knowledge
answer 10 should be a because only a new project will be created & the organization is the same.
can you please upload the dump again
is it legit questions from sap certifications ?
question 16 should be b (changing the connector settings on the monitor) pc and monitor were powered on. the lights on the pc are on indicating power. the monitor is showing an error text indicating that it is receiving power too. this is a clear sign of having the wrong input selected on the monitor. thus, the "connector setting" needs to be switched from hdmi to display port on the monitor so it receives the signal from the pc, or the other way around (display port to hdmi).
q 10. ans is d (in the target org: open deployment settings, click edit next to the source org. select allow inbound changes and save
Keeping this site free takes real effort. We constantly battle automated scraping and unauthorized content copying. A quick account helps us protect the community and keep the site free.
To continue studying for your CMMC-CCA, please sign in or create a free account.