Cyber AB CMMC-CCA Exam (page: 4)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 13-Dec-2025

Viewing Page 4 of 42

A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks.
While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2 – Security Configuration Enforcement if the contractor is tracking it in a POA&M?

  1. Not Met
  2. Need more information to score this practice
  3. Met
  4. Not Applicable

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice CM.L2-3.4.2 – Security Configuration Enforcement requires organizations to "enforce security configuration settings for information technology products employed in organizational systems." The contractor uses CFEngine 3 and a monitoring tool, but deviates from vendor-recommended configs, claiming alignment with organizational baselines. However, the practice being tracked in a POA&M indicates it's not fully implemented. Per the CMMC Assessment Process (CAP), any practice in a POA&M is scored as Not Met until a closeout assessment verifies full implementation. For CM.L2-3.4.2, a 5-point practice, partial implementation isn't accepted, and POA&M status confirms non-compliance at assessment time, scoring Not Met (-5). More info (B) isn't needed given the POA&M, Met (C) contradicts CAP, and N/A (D) doesn't apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Enforce security configs; full implementation required."
CAP v5.6.1, p. 24: "Practices tracked in a POA&M are scored as Not Met until closeout." DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites.
Why is it critical to implement practice AC.L2-3.1.6 – Non-Privileged Account Use?

  1. Enables easier auditing and logging of privileged activities
  2. Mitigates the consequences of a security breach by safeguarding against data loss
  3. Prevents unauthorized modification of security functions
  4. Reduces exposure to threats that might exploit the misuse of privileges

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.6 requires "non-privileged accounts for non-security functions." Using privileged accounts for routine tasks increases exposure to threats (e.g., malware) that could exploit those privileges (D), per CMMC intent. Auditing (A), breach mitigation (B), and function modification (C) are related but not the primary criticality.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: "Reduces threat exposure by limiting privileged account use."
NIST SP 800-171A, 3.1.6: "Minimize risk from privilege misuse."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor's security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success.
What assessment objective has the contractor failed to implement from CMMC practice
CA.L2-3.12.2 – Plan of Action?

  1. The contractor has implemented all the assessment objectives in CA.L2-3.12.2 – Plan of Action
  2. Develop a change management plan that describes how to implement the remediation actions
  3. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective
  4. Identify the vulnerabilities and deficiencies that the plan of action will address

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.2 requires "developing and implementing plans of action to correct deficiencies." Objectives include: [a] identifying deficiencies, and [c] implementing the POA&M to correct them. The contractor identifies issues (objective [a]), but fails to consistently implement remediation (C), per interview evidence, violating the practice's intent. A (all met) is false, B isn't an objective, and D is met.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.2: "[c] Implement POA&M to correct deficiencies; failure to act is non-compliant."
NIST SP 800-171A, 3.12.2: "Verify implementation of remediation actions."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing an OSC's compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated.
While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor's cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 – Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?

  1. 72 hours
  2. 90 days
  3. 90 hours
  4. 72 days

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IR.L2-3.6.2 requires "tracking and documenting security incidents." While CMMC doesn't specify a retention period, DFARS 252.204-7012 mandates retaining incident records for 90 days (B) to support DoD investigations, serving as a practical baseline for CMMC-aligned contractors. Other options (A, C, D) lack regulatory support and are either too short or arbitrary. The CMMC guide references DFARS for operational consistency.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.2: "Document incidents; retention aligns with applicable regulations like DFARS."
DFARS 252.204-7012: "Retain incident-related information for at least 90 days."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. All of the following are required to satisfy AU.L2-3.3.1 – System Auditing assessment objectives [b] and [d], EXCEPT?

  1. Process identifiers
  2. Failure or success indications
  3. Timestamps
  4. File permissions

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.1 requires "creating and retaining system audit records" with content sufficient for monitoring and investigation (objectives [b] and [d]). Required content includes process identifiers, success/failure indications, and timestamps to identify and sequence events. File permissions, while useful for access control, aren't explicitly required for audit record content under this practice. The CMMC guide lists specific elements like those in A, B, and C, but not D.
Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.1: "Audit records include timestamps, process identifiers, and success/failure indications."
NIST SP 800-171A, 3.3.1: "Content includes event type, time, and outcome, not necessarily file permissions."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using the SHA-512 algorithm, and the system administrator has to recalculate the hashes for the audit records to verify their integrity before running a decryption algorithm to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without using their physical access card.
While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools.
Which of the following statements accurately describes the contractor's compliance with protecting audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8 – Audit Protection?

  1. The contractor's compliance cannot be determined based on the information provided
  2. The contractor is partially compliant, as audit logging tools are protected by the same measures as audit information
  3. The contractor is fully compliant; employees can access audit logging tools to meet their requirements
  4. The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.8 requires "protecting audit information and tools from unauthorized access, modification, and deletion." The lack of defined measures and unrestricted employee access to tweak settings violate this, scoring Not Met (-1) for this 1-point practice. A is false given clear evidence, B assumes protection not shown, and C misinterprets compliance.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.8: "Protect audit tools with defined access controls; unrestricted access is non-compliant."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing an OSC's implementation of the System and Information Integrity (SI) practices, you examine their system and information integrity policy. You find that they have documented procedures addressing system monitoring tools and techniques, along with a monitoring strategy. The OSC has implemented a user behavior analytics tool to detect abnormal behavior and deviations from normal patterns. To ensure that only authorized users access the system, the OSC uses robust access controls and regularly audits security and system logs for unusual activities. Interviewing the network administration team, you learn they use a network monitoring tool to track inbound and outbound network traffic and identify any distinctive patterns that may suggest unauthorized use. You also learn that they use an IDS to identify suspicious activities, which are aggregated and analyzed using a state-of-the-art SIEM. The scenario mentions that the OSC uses a network monitoring tool to track inbound and outbound traffic and identify unusual patterns. However, it does not provide details on the tool's specific techniques or methods.
Which of the following techniques would be most relevant for the assessor to inquire about during the assessment?

  1. Anomaly-based detection techniques
  2. Signature-based detection techniques
  3. Both signature-based and anomaly-based detection techniques
  4. Deep packet inspection techniques

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice SI.L2-3.14.6 – Monitor Communications for Attacks requires organizations to "monitor organizational communications at external boundaries and key internal boundaries for attacks or indicators of potential attacks." Effective monitoring typically employs both signature-based detection (identifying known threats via predefined patterns) and anomaly-based detection (flagging deviations from normal behavior), as these complementary techniques provide comprehensive coverage against known and emerging threats. The OSC's use of IDS, SIEM, and user behavior analytics suggests a mix of capabilities, but the specific techniques aren't detailed. Inquiring about both (C) ensures the assessor verifies a robust approach, as recommended by the CMMC guide. Anomaly-based (A) or signature-based (B) alone are insufficient, and while deep packet inspection (D) is useful, it's a narrower method not explicitly required.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.6: "Monitoring includes signature-based and anomaly-based detection to identify attacks."
NIST SP 800-171A, 3.14.6: "Interview personnel to determine monitoring techniques, including signature and anomaly detection."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC's collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC's compliance with CMMC practice SC.L2-3.13.12 – Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.

  1. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies
  2. Network traffic logs showing no instances of remote activation attempts on the web cameras
  3. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation
  4. System configuration settings for the web cameras, verifying that remote activation is enabled

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.12 requires "prohibiting remote activation of collaborative devices without user authorization, or controlling it to prevent unacceptable risk." The IT exception for webcams suggests a controlled allowance. A risk assessment (A) justifies this exception, showing risks (e.g., privacy) and mitigations (e.g., IT authorization), aligning with CMMC's risk-based approach. Logs (B) show usage, not policy compliance; training (C) supports awareness, not control; configs (D) confirm capability, not authorization rationale. A is most directly tied to compliance evidence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.12: "Examine risk assessments for exceptions to remote activation prohibitions."
NIST SP 800-171A, 3.13.12: "Assess documented risk mitigations for controlled exceptions."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf





