You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?
Answer(s): D
Comprehensive and Detailed In-Depth SC.L2-3.13.13 Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern via web interfaces accessing microservices. Unauthorized code execution (D) is the primary risk, as it could exploit users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are separate; and JavaScript use (C) isn't inherently mobile code unless executed client-side without control. The CMMC guide focuses on execution risks.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?
Answer(s): B
Comprehensive and Detailed In-Depth AC.L2-3.1.7 Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfiguredpermissions from the Admin_Roles group. Prohibiting inheritance (B) ensures Dev_Roles don't gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."
You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 Cryptographically- Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?
Comprehensive and Detailed In-Depth IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission--both meeting the practice's objectives. Per the DoD Scoring Methodology, IA.L2- 3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance isn't an option here, as both storage and transit are addressed.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 Role-Based Training?
Answer(s): A
Comprehensive and Detailed In-Depth AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI and best practices doesn't meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per DoD methodology for this 1-point practice). Partial compliance (B) isn't an option under CMMC scoring.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.
Comprehensive and Detailed In-Depth IA.L2-3.5.7: Requires "enforcing minimum password complexity." The policy's 15-character minimum with specific requirements meets this.IA.L2-3.5.8: Requires "prohibiting password reuse for a specified number of generations." The 30- cycle rule satisfies this.IA.L2-3.5.9: Requires "changing temporary passwords at first logon and ensuring sufficient entropy." Low entropy fails this practice.IA.L2-3.5.3: No evidence of MFA implementation.IA.L2-3.5.6: Identifier handling isn't addressed.Thus, only B applies fully.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.7: "Define complexity rules." IA.L2-3.5.8: "Prohibit reuse for specified cycles."IA.L2-3.5.9: "Ensure temporary password entropy."
When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. Why should all traffic be routed through a managed Access Control point?
Comprehensive and Detailed In-Depth AC.L2-3.1.14 Remote Access Routing requires "routing remote access through managed access control points." This reduces unauthorized access risk (B) by centralizing control and security, per CMMC intent. Simplification (A), troubleshooting (C), and performance (D) are secondary benefits, not the primary purpose.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.14: "Route traffic to reduce unauthorized access risk."NIST SP 800-171A, 3.1.14: "Examine routing to enhance security."
You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications. Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 System Baselining?
Comprehensive and Detailed In-Depth CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."
You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11 Session Termination. You expect to find the following items when examining the contractor's list of conditions or trigger events requiring session termination, EXCEPT?
Answer(s): C
Comprehensive and Detailed In-Depth AC.L2-3.1.11 requires organizations to "terminate (automatically) a user session after a defined condition." The intent is to protect systems by ending sessions based on specific trigger events that indicate potential security risks or operational policies. Conditions like time-of-day restrictions, periods of inactivity, and responses to incidents (e.g., detected malicious activity) align with this intent, as they are objective triggers for session termination. However, "pre-approved user activity for specific functionalities" does not fit, as it implies authorized actions that should not trigger termination--contradicting the practice's focus on ending sessions under defined risk conditions. The CMMC Assessment Guide lists examples of termination triggers, none of which include approved user activities as a reason to terminate.Extract from Official CMMC Documentation:CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.11: "Examples of conditions or trigger events include organization-defined periods of inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."NIST SP 800-171A, 3.1.11: "Examine documentation for conditions or trigger events requiring session disconnect, such as inactivity or incident responses."
Share your comments for Cyber AB CMMC-CCA exam with other users:
a good contemporary exam review
q23, its an array, isnt it? starts with [ and end with ]. its an array of objects, not object.
cool very helpfull
i just passed. this exam dumps is the same one from prepaway and examcollection. it has all the real test questions.
is this a valid prince2 practitioner dumps?
all are relatable questions
might help me to prepare for the exam
just paid and downlaod the 2 exams using the 50% sale discount. so far i was able to download the pdf and the test engine. all looks good.
i think it should be a,c. option d goes against the principle of building anything custom unless there are no work arounds available
very legible
is this exam accurate or helpful?
please upload dump, i have exam in 2 days
this is useful
question 232 answer should be perimeter not netowrk layer. wrong answer selected
nice questions
hi team, could you please provide this dump ?
very helpful to clear the exam and understand the concept.
i think it is great that you are helping people when they need it. thanks.
cannot evaluate yet
a laptops wireless antenna is most likely located in the bezel of the lid
good examplae to learn basic
this is useful information
looks usefull
question 81 should be c.
question 18 : response isnt a ?
plaese add questions
is dumps still valid ?
thanks for this
please upload questions
please upload the question dump for professional machinelearning
question 4 answer is c. this site shows the correct answer as b. "adopt a consumption model" is clearly a cost optimization design principle. looks like im done using this site to study!!!
number 52 answer is d
just started preparing for my exam , and this site is so much help
question 35 is incorrect, the correct answer is c, it even states so: explanation: when a vm is infected with ransomware, you should not restore the vm to the infected vm. this is because the ransomware will still be present on the vm, and it will encrypt the files again. you should also not restore the vm to any vm within the companys subscription. this is because the ransomware could spread to other vms in the subscription. the best way to restore a vm that is infected with ransomware is to restore it to a new azure vm. this will ensure that the ransomware is not present on the new vm.
Keeping this site free takes real effort. We constantly battle automated scraping and unauthorized content copying. A quick account helps us protect the community and keep the site free.
To continue studying for your CMMC-CCA, please sign in or create a free account.