Cyber AB CMMC-CCA Exam (page: 2)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 11-Dec-2025

Viewing Page 2 of 42

When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 - Security Control Assessment?

  A. -5
  B. -3
  C. -1
  D. 5

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective. Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency." DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements.
When examining the contractor's change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all the changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities.
What evidence artifacts can the contractor also cite as evidence to show their compliance with CM.L2-3.4.3 - System Change Management besides their change management policy?

  A. Employee satisfaction surveys regarding the change management process
  B. System uptime statistics showing improved stability after change management implementation
  C. Organizational procedures addressing system configuration change control and change control/audit review reports
  D. Antivirus scan reports detailing detected and quarantined threats

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.3 requires organizations to "track, review, approve/disapprove, and log changes to organizational systems." Beyond the policy, evidence like procedures for change control and review reports directly demonstrates implementation, tracking, and oversight, aligning with the practice's objectives. Surveys (A) and uptime stats (B) are indirect and not specific to change management processes, while antivirus reports (D) are unrelated. The CMMC guide lists procedural documents and logs as key artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.3: "Examine procedures addressing change control and audit review reports."
NIST SP 800-171A, 3.4.3: "Artifacts include change control procedures and logs."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. How is Session Lock typically initiated?

  A. Automatically, after a predefined period of inactivity
  B. By the system administrator manually
  C. Through user authentication processes
  D. Only when manually triggered by the user before leaving their workstation

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AC.L2-3.1.10 - Session Lock mandates that organizations "initiate a session lock after a defined period of inactivity" to prevent unauthorized access to systems handling CUI. The typical and required initiation method is automatic, triggered by a predefined inactivity threshold (e.g., 5 minutes in this case), ensuring consistent protection without relying on user or admin intervention. Manual initiation by a system administrator or user is less effective and not scalable, while user authentication processes relate to unlocking, not initiating the lock. The CMMC guide emphasizes automation to enforce this control uniformly across systems.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-defined time period of inactivity (e.g., 15 minutes or less)." NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a specified period of inactivity."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your assessment of CA.L2-3.12.3 - Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls.
When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and on identifying gaps in the implemented security controls. You would rely on all of the below evidence to assess the contractor's implementation of CA.L2-3.12.3 - Security Control Monitoring, EXCEPT?

  A. Records/logs of monitoring activities over time
  B. Customer feedback on the contractor's security measures
  C. Reports or dashboards from the monitoring activities
  D. The contractor's security monitoring policies and procedures

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

CA.L2-3.12.3 requires "continuous monitoring of security controls." Evidence like logs (A), reports (C), and policies (D) directly demonstrate the program's operation and effectiveness. Customer feedback (B) is external and unrelated to internal monitoring processes, per the CMMC guide's focus on operational artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Examine logs, reports, and monitoring policies."
NIST SP 800-171A, 3.12.3: "Focus on internal monitoring evidence."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. As a CCA, you will potentially use the following assessment methods to examine the contractor's implementation of session lock EXCEPT?

  A. Interview the system administrator
  B. Examine the system design documentation
  C. Test the strength of the user's password
  D. Test the mechanisms implementing the access control policy for session lock

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.10 - Session Lock requires "initiating a session lock after inactivity." Interviewing admins (A), examining docs (B), and testing mechanisms (D) assess implementation. Password strength (C) relates to IA.L2-3.5.7, not session lock, per the CMMC guide's focus on lock-specific methods.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Interview, examine docs, test lock mechanisms."
NIST SP 800-171A, 3.1.10: "Exclude password strength from lock assessment."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. How will proper separation of duties help the contractor meet the intent of AC.L2-3.1.4 - Separation of Duties?

  A. It allows the engineers to specialize in specific areas
  B. It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual
  C. It reduces the overall cost of software development
  D. It simplifies the development process

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.4 requires "separating duties to reduce risk of unauthorized activity." A single engineer handling all tasks concentrates privileges, increasing error or malice risks. Separation (B) distributes responsibilities, enhancing oversight and reducing reliance on one person, per CMMC intent. Specialization (A), cost (C), and simplicity (D) are secondary or irrelevant.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separation reduces risk via checks and balances."
NIST SP 800-171A, 3.1.4: "Distribute duties to mitigate insider threats."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms.
While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?

  A. The paper forms cannot be easily integrated with other security systems
  B. It can be time-consuming to complete the forms for frequent access
  C. It requires users to memorize more information for access
  D. The forms are susceptible to forgery, resulting in unauthorized access

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
MP.L2-3.8.2 requires "restricting access to CUI on system media to authorized users." The paper-based form process for non-digital media, while aiming to verify identity, is vulnerable to forgery (D), which could allow unauthorized access to CUI, a direct security threat. Integration issues (A) and time consumption (B) are operational concerns, not immediate risks, and memorization (C) isn't relevant. The CMMC guide prioritizes robust, tamper-resistant access controls, and paper forms lack the security of MFA.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Ensure access controls prevent unauthorized access; paper processes should be secure."
NIST SP 800-171A, 3.8.2: "Assess risks of forgery in manual access methods."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix.
Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 - Vulnerability Remediation?

  A. Immediately contract a third party to assist with remediation
  B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability
  C. Permanently disregard the vulnerability and take no further action
  D. Implement compensating controls to reduce the associated risk

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
RA.L2-3.11.3 requires "remediating vulnerabilities in accordance with risk assessments." If remediation isn't feasible, the practice allows risk acceptance with documentation and ongoing monitoring, balancing operational needs and security. Ignoring the vulnerability (C) violates the practice, while third-party help (A) or compensating controls (D) may not be immediately practical. The CMMC guide supports risk-based decisions with proper documentation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: "Document risk acceptance and monitor unremediated vulnerabilities."
NIST SP 800-171A, 3.11.3: "Examine risk acceptance rationale and monitoring plans."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf





