You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 Audit Management?
Answer(s): D
Comprehensive and Detailed In-Depth: AU.L2-3.3.9 requires "limiting management of audit logging functionality to a subset of privileged users." Granting access to multiple roles beyond the Audit Administrator (e.g., System and Network Administrators) exceeds this subset, violating the practice's intent for tight control. This 1-point practice scores Not Met (-1) due to unrestricted access, per DoD methodology. Partially Met (A) isn't an option under CMMC scoring.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.9: "Limit audit management to a defined subset of privileged users." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?
Answer(s): C
Comprehensive and Detailed In-Depth: 32 CFR Part 2002 defines CUI and establishes the national policy, while the ISOO CUI Registry categorizes CUI types; together they provide the authoritative resource for understanding CUI. The other options (A, B) are contract-specific or implementation-focused, and 22 CFR (D) relates to ITAR, not CUI policy. The CMMC guide references these sources.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0): "Refer to 32 CFR Part 2002 and ISOO Registry for CUI definition." 32 CFR 2002.4(h): "CUI defined."
A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. When examining the contractor's security configuration checklists, which of the following parameters are you not likely to find?
Answer(s): A
Comprehensive and Detailed In-Depth: CM.L2-3.4.2 involves "enforcing security configuration settings." Checklists typically include technical parameters such as permissions (B), protocols (C), and network settings (D), per CMMC guidance. Assessment readiness status (A) is an administrative metric, not a configuration setting, and belongs in a CA-RR checklist, not in security configuration checklists.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Checklists include permissions, protocols, network settings; readiness status separate." NIST SP 800-171A, 3.4.2: "Examine technical config parameters."
During your assessment of CA.L2-3.12.3 Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. Can the contractor place practice CA.L2-3.12.3 Security Control Monitoring under a POA&M if unimplemented or not fully met?
Comprehensive and Detailed In-Depth: CA.L2-3.12.3 (a 1-point practice) requires "continuous monitoring of security controls." Per the CAP, 1-point practices can use a POA&M, but CA.L2-3.12.3's foundational nature (ongoing monitoring) means it must be fully implemented; no partial deferral is allowed (A). B and D contradict this, and C isn't needed given the practice's clarity.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Continuous monitoring must be fully implemented." CAP v5.6.1: "Core practices like CA.L2-3.12.3 not deferrable."
You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6 Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 Alternative Work Sites, which of the following would be the least effective method for gathering information?
Answer(s): B
Comprehensive and Detailed In-Depth: PE.L2-3.10.6 requires "safeguarding CUI at alternate work sites." Effective methods focus on technical controls like encryption (A), patch management (C), and secure VPNs (D), which directly protect CUI data and systems. Employing guards (B) is a physical security measure suited for controlled facilities, not distributed alternate sites like homes, making it least effective for gathering information on CUI protection in this context. The CMMC guide emphasizes technical safeguards over physical presence at remote locations.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.6: "Implement technical safeguards (e.g., encryption, VPN) for CUI at alternate work sites." NIST SP 800-171A, 3.10.6: "Examine technical controls, not physical guarding, for remote site compliance."
To comply with CMMC requirement IR.L2-3.6.3 Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?
Comprehensive and Detailed In-Depth: IR.L2-3.6.3 requires "testing the incident response capability annually." Artifacts like drills (A), tabletop exercises (C), and test documentation (D) demonstrate testing execution and outcomes, aligning with the practice. Media sanitization plans (B) relate to MP.L2-3.8.3, not incident response testing, making them irrelevant. The CMMC guide lists response-focused evidence.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.3: "Examine test records, drills, and tabletop exercise outcomes." NIST SP 800-171A, 3.6.3: "Artifacts focus on response testing, not sanitization."
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?
Comprehensive and Detailed In-Depth: SC.L2-3.13.11 requires "FIPS-validated cryptography for CUI." AES-256 alone isn't sufficient without FIPS validation. Interviewing personnel (A) gathers evidence on broader cryptographic practices, informing compliance status. Testing decryption (B) is impractical and unnecessary, switching algorithms (C) misses the validation issue, and accepting (D) ignores FIPS requirements. The CMMC guide prioritizes interviews for clarification.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Interview to verify FIPS validation." NIST SP 800-171A, 3.13.11: "Assess cryptographic implementation via interviews."
A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices like tablets and smartphones. After assessing AC.L2-3.1.18 Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 Encrypt CUI on Mobile, requires that the contractor implements measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption where all the data on a mobile device is encrypted. Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 Encrypt CUI on Mobile?
Comprehensive and Detailed In-Depth: CMMC practice AC.L2-3.1.19 requires that organizations "encrypt CUI on mobile devices and mobile computing platforms" to protect sensitive data from unauthorized access. To assess the implementation effectively, you need to interview personnel who have direct knowledge of and responsibility for the encryption measures on mobile devices. Personnel with access control responsibilities for mobile devices are best suited for this, as they are likely involved in configuring, managing, and enforcing encryption policies specific to mobile devices handling CUI. Executives may have a high-level overview but lack technical details. IT helpdesk staff typically handle basic troubleshooting and may not have insight into encryption implementation. HR staff focus on personnel management, not technical security controls. The CMMC Assessment Guide emphasizes interviewing individuals with operational responsibility for the specific control to verify implementation details.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Interview: Personnel with information security responsibilities; personnel with mobile device responsibilities; network and system administrators." NIST SP 800-171A, 3.1.19: "Interview personnel with responsibilities for encrypting CUI on mobile devices to determine the processes and mechanisms in place."
Share your comments for Cyber AB CMMC-CCA exam with other users:
please upload the dump
i found some questions whose answers mismatch the explanation answers. please update properly
nothing to mention
knowable questions
very helpful
good questions
it's helpful
i just took my oracle exam and let me tell you, these exam dumps were a lifesaver! without them, i am not sure i would have passed. the questions were tricky and the answers were obscure, but the exam dumps had everything i needed. i would recommend them to anyone looking to pass their oracle exams with flying colors (and a little bit of cheating) lol.
22. if you need to make sure that one computer in your hot-spot network can access the internet without hot-spot authentication, which menu allows you to do this? the answer is ip binding and not walled garden. walled garden allows specified websites to be accessed with user authentication to the hotspot
is question 1 correct?
good content
managed to pass the exam with these exam dumps.
can we please have the latest exam questions?
please help with jn0-649 latest dumps
please i need this dump. thanks
i have to take the aws certified developer - associate dva-c02 in the next few weeks and i wanted to know if the questions on your website are the same as the official exam.
all questions are more important
question 4 answer should be c, i.e. automatically recover from failure
very very useful page
the exams are giving me an eye opener
3rd so far, need to cover more
aligns with the pecd notes
question 4: b securityadmin is the correct answer. https://docs.snowflake.com/en/user-guide/security-access-control-overview#access-control-framework
kindly please share dumps
it is very useful, thank you
need safe rte dumps
can you upload the cis - cpg dumps
q6 = 1. download odt application 2. create a configuration file (xml) 3. setup.exe /download to download the installation files 4. setup.exe /configure to deploy the application
great material
could you please upload sap c_arsor_2302 questions? it will be very much helpful.
question 20c: rsa secure for symmetric cryptography? answer c is surely wrong. rsa is for asymmetric cryptography??
so far good
question 31 has obviously wrong answers. tls and ssl are used to encrypt data at transit, not at rest.