When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 Security Control Assessment?
Answer(s): A
Explanation: CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective. Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor's change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities. What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3 System Change Management besides their change management policy?
Answer(s): C
Explanation: CM.L2-3.4.3 requires organizations to "track, review, approve/disapprove, and log changes to organizational systems." Beyond the policy, evidence such as change control procedures and review reports directly demonstrates implementation, tracking, and oversight, aligning with the practice's objectives. Surveys (A) and uptime statistics (B) are indirect and not specific to change management processes, while antivirus reports (D) are unrelated. The CMMC guide lists procedural documents and logs as key artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.3: "Examine procedures addressing change control and audit review reports."
NIST SP 800-171A, 3.4.3: "Artifacts include change control procedures and logs."
In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. How is Session Lock typically initiated?
Explanation: CMMC practice AC.L2-3.1.10 Session Lock mandates that organizations "initiate a session lock after a defined period of inactivity" to prevent unauthorized access to systems handling CUI. The typical and required initiation method is automatic, triggered by a predefined inactivity threshold (e.g., 5 minutes in this case), ensuring consistent protection without relying on user or admin intervention. Manual initiation by a system administrator or user is less effective and not scalable, while user authentication processes relate to unlocking, not initiating the lock. The CMMC guide emphasizes automation to enforce this control uniformly across systems.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-defined time period of inactivity (e.g., 15 minutes or less)."
NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a specified period of inactivity."
During your assessment of CA.L2-3.12.3 Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. You would rely on all of the below evidence to assess the contractor's implementation of CA.L2-3.12.3 Security Control Monitoring, EXCEPT?
Answer(s): B
Explanation: CA.L2-3.12.3 requires "continuous monitoring of security controls." Evidence like logs (A), reports (C), and policies (D) directly demonstrates the program's operation and effectiveness. Customer feedback (B) is external and unrelated to internal monitoring processes, per the CMMC guide's focus on operational artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Examine logs, reports, and monitoring policies."
NIST SP 800-171A, 3.12.3: "Focus on internal monitoring evidence."
In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. As a CCA, you will potentially use the following assessment methods to examine the contractor's implementation of session lock EXCEPT?
Explanation: AC.L2-3.1.10 Session Lock requires "initiating a session lock after inactivity." Interviewing admins (A), examining documentation (B), and testing mechanisms (D) assess implementation. Password strength (C) relates to IA.L2-3.5.7, not session lock, per the CMMC guide's focus on lock-specific methods.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Interview, examine docs, test lock mechanisms."
NIST SP 800-171A, 3.1.10: "Exclude password strength from lock assessment."
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. How will proper separation of duties help the contractor meet the intent of AC.L2-3.1.4 Separation of Duties?
Explanation: AC.L2-3.1.4 requires "separating duties to reduce risk of unauthorized activity." A single engineer handling all tasks concentrates privileges, increasing the risk of error or malice. Separation (B) distributes responsibilities, enhancing oversight and reducing reliance on one person, per CMMC intent. Specialization (A), cost (C), and simplicity (D) are secondary or irrelevant.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separation reduces risk via checks and balances."
NIST SP 800-171A, 3.1.4: "Distribute duties to mitigate insider threats."
An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms. While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?
Answer(s): D
Explanation: MP.L2-3.8.2 requires "restricting access to CUI on system media to authorized users." The paper-based form process for non-digital media, while aiming to verify identity, is vulnerable to forgery (D), which could allow unauthorized access to CUI, a direct security threat. Integration issues (A) and time consumption (B) are operational concerns, not immediate risks, and memorization (C) isn't relevant. The CMMC guide prioritizes robust, tamper-resistant access controls, and paper forms lack the security of MFA.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Ensure access controls prevent unauthorized access; paper processes should be secure."
NIST SP 800-171A, 3.8.2: "Assess risks of forgery in manual access methods."
A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix. Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 Vulnerability Remediation?
Explanation: RA.L2-3.11.3 requires "remediating vulnerabilities in accordance with risk assessments." If remediation isn't feasible, the practice allows risk acceptance with documentation and ongoing monitoring, balancing operational needs and security. Ignoring the vulnerability (C) violates the practice, while third-party help (A) or compensating controls (D) may not be immediately practical. The CMMC guide supports risk-based decisions with proper documentation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: "Document risk acceptance and monitor unremediated vulnerabilities."
NIST SP 800-171A, 3.11.3: "Examine risk acceptance rationale and monitoring plans."