Cyber AB CMMC-CCA Exam (page: 5)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 13-Dec-2025


You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality.
When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 - Audit Management?

  A. Partially Met - The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined
  B. Met - The contractor has defined privileged user roles for audit management
  C. Not Applicable - The practice is not relevant to the contractor's environment
  D. Not Met - The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.9 requires "limiting management of audit logging functionality to a subset of privileged users." Granting access to multiple roles beyond the Audit Administrator (e.g., System and Network Admins) exceeds this subset, violating the practice's intent for tight control. This 1-point practice scores Not Met (-1) due to unrestricted access, per DoD methodology. Partially Met (A) isn't an option under CMMC scoring.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.9: "Limit audit management to a defined subset of privileged users."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy.
Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?

  A. 48 CFR 52.204-21 and NIST SP 800-171
  B. DFARS 252.204-7012 and ISOO CUI Registry
  C. 32 CFR Part 2002 and ISOO CUI Registry
  D. 22 CFR Part 120-130

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
32 CFR Part 2002 defines CUI and establishes the national policy, while the ISOO CUI Registry categorizes CUI types; together they provide the authoritative resource for understanding CUI. Other options (A, B) are contract-specific or implementation-focused, and 22 CFR (D) relates to ITAR, not CUI policy. The CMMC guide references these sources.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0): "Refer to 32 CFR Part 2002 and ISOO Registry for CUI definition."
32 CFR 2002.4(h): "CUI defined."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks.
While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.
When examining the contractor's security configuration checklists, which of the following parameters are you not likely to find?

  A. The contractor's assessment readiness status
  B. File and directory permissions
  C. Protocol usage and application allowlisting
  D. Network configuration and port management

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.2 involves "enforcing security configuration settings." Checklists typically include technical parameters like permissions (B), protocols (C), and network settings (D), per CMMC guidance. Assessment readiness status (A) is an administrative metric, not a config setting, and belongs in a CA-RR checklist, not security configs.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Checklists include permissions, protocols, network settings; readiness status separate."
NIST SP 800-171A, 3.4.2: "Examine technical config parameters."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



During your assessment of CA.L2-3.12.3 - Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls.
When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. Can the contractor place practice CA.L2-3.12.3 - Security Control Monitoring under a POA&M if unimplemented or not fully met?

  A. No, the practice cannot be placed on a POA&M
  B. Yes, for some aspects
  C. More information is required to make a determination
  D. Yes, for all aspects

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CA.L2-3.12.3 (1-point practice) requires "continuous monitoring of security controls." Per CAP, 1-point practices can use a POA&M, but CA.L2-3.12.3's foundational nature (ongoing monitoring) means it must be fully implemented; no partial deferral is allowed (A). B and D contradict this, and C isn't needed given the practice's clarity.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Continuous monitoring must be fully implemented."
CAP v5.6.1: "Core practices like CA.L2-3.12.3 not deferrable."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6 - Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance.
When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 - Alternative Work Sites, which of the following would be the least effective method for gathering information?

  A. Using Full Disk Encryption (FDE) or container-based encryption to encrypt CUI when stored or transmitted from or to alternate work sites
  B. Employing technologically savvy guards to man the alternate worksite
  C. Deploying a patch management and anti-malware solution for every laptop or desktop on the alternate worksite
  D. Requiring remote staff connecting to their internal networks to use a VPN that prevents split tunneling and requires multifactor authentication to verify remote users are who they claim to be

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
PE.L2-3.10.6 requires "safeguarding CUI at alternate work sites." Effective methods focus on technical controls like encryption (A), patch management (C), and secure VPNs (D), which directly protect CUI data and systems. Employing guards (B) is a physical security measure suited for controlled facilities, not distributed alternate sites like homes, making it least effective for gathering information on CUI protection in this context. The CMMC guide emphasizes technical safeguards over physical presence at remote locations.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.6: "Implement technical safeguards (e.g., encryption, VPN) for CUI at alternate work sites."
NIST SP 800-171A, 3.10.6: "Examine technical controls, not physical guarding, for remote site compliance."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



To comply with CMMC requirement IR.L2-3.6.3 - Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?

  A. Evidence of regular incident response drills and response time management, recovery testing, and post-incident analysis
  B. Media sanitization plans
  C. Documentation of tabletop exercises and their outcomes
  D. Test documentation, including the scenario, response, findings, and any necessary corrective actions

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IR.L2-3.6.3 requires "testing the incident response capability annually." Artifacts like drills (A), tabletop exercises (C), and test documentation (D) demonstrate testing execution and outcomes, aligning with the practice. Media sanitization plans (B) relate to MP.L2-3.8.3, not incident response testing, making it irrelevant. The CMMC guide lists response-focused evidence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.3: "Examine test records, drills, and tabletop exercise outcomes."
NIST SP 800-171A, 3.6.3: "Artifacts focus on response testing, not sanitization."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements.
Which of the following would be the most appropriate next step for the assessor?

  A. Interview personnel responsible for cryptographic protection to determine if FIPS-validated cryptography is used elsewhere in the organization
  B. Test the encryption mechanism by attempting to decrypt the encrypted data without the proper keys
  C. Recommend that the OSC switch to a different, approved algorithm
  D. Accept the OSC's implementation as compliant, given that they are using a strong encryption algorithm

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.11 requires "FIPS-validated cryptography for CUI." AES-256 alone isn't sufficient without FIPS validation. Interviewing personnel (A) gathers evidence on broader cryptographic practices, informing compliance status. Testing decryption (B) is impractical and unnecessary, switching algorithms (C) misses the validation issue, and accepting (D) ignores FIPS requirements. The CMMC guide prioritizes interviews for clarification.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Interview to verify FIPS validation."
NIST SP 800-171A, 3.13.11: "Assess cryptographic implementation via interviews."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices like tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 - Encrypt CUI on Mobile requires that the contractor implements measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted.
Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 - Encrypt CUI on Mobile?

  A. Executives in the company
  B. Personnel with access control responsibilities for mobile devices
  C. IT helpdesk staff who troubleshoot basic mobile device issues
  D. Staff in the Human Resources department

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AC.L2-3.1.19 requires that organizations "encrypt CUI on mobile devices and mobile computing platforms" to protect sensitive data from unauthorized access. To assess the implementation effectively, you need to interview personnel who have direct knowledge of and responsibility for the encryption measures on mobile devices. Personnel with access control responsibilities for mobile devices are best suited for this, as they are likely involved in configuring, managing, and enforcing encryption policies specific to mobile devices handling CUI. Executives may have a high-level overview but lack technical details. IT helpdesk staff typically handle basic troubleshooting and may not have insight into encryption implementation. HR staff focus on personnel management, not technical security controls. The CMMC Assessment Guide emphasizes interviewing individuals with operational responsibility for the specific control to verify implementation details.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Interview: Personnel with information security responsibilities; personnel with mobile device responsibilities; network and system administrators."
NIST SP 800-171A, 3.1.19: "Interview personnel with responsibilities for encrypting CUI on mobile devices to determine the processes and mechanisms in place."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


