Cyber AB CMMC-CCA Exam (page: 6)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 13-Dec-2025

Viewing Page 6 of 42

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. The following evidence would help determine if the contractor is properly authorizing and enforcing controls on CUI data flow across their environment, EXCEPT?

  A. Reviewing firewall and ExpressRoute connections
  B. Reviewing audit logs related to the VPN connections
  C. Analyzing policies, records, and configurations related to data center connections
  D. Analyzing CCTV footage

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.3 - Control CUI Flow requires "controlling CUI flow per approved authorizations." Evidence such as firewall and ExpressRoute configurations (A), VPN audit logs (B), and data center connection policies, records, and configurations (C) directly assesses the technical controls and their enforcement. CCTV footage (D) is a physical security measure unrelated to data flow control, per the CMMC guide's focus on system artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.3: "Examine configs, logs, and policies for CUI flow."
NIST SP 800-171A, 3.1.3: "Focus on system evidence, not physical monitoring."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are on-site with an Assessment Team at a medium-sized organization.
When discussing how they protect their company's information from malware, spyware, etc., the administrator you are interviewing offers to show you the entire process from start to finish since she had that on her to-do list for the day. She opens the machine, turns it on, and installs what she says is anti-malware software. She also demonstrates how their deployed Next Generation Firewall (NGFW) works. You have never heard of this software, so you ask her where it was purchased. You later learn it is an open-source solution. Based on the scenario and the requirements of CMMC practice SI.L2-3.14.6 - Monitor Communications for Attacks, what is your likely determination?

  A. Find the OSC's implementation as partially Met as they are achieving several objectives required of this practice
  B. Fail the OSC's implementation of the practice
  C. Find the OSC's implementation of the practice as Met
  D. Request for more information

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SI.L2-3.14.6 requires "monitoring organizational communications for attacks or indicators of potential attacks." The NGFW supports this, but the unvetted open-source anti-malware raises concerns about reliability and effectiveness, which could impact overall monitoring. Without further details on vetting, configuration, and monitoring processes, a definitive score isn't possible. "Request more information" (D) is appropriate to assess compliance fully, per the CMMC guide's emphasis on evidence sufficiency.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.6: "Examine tools and processes for monitoring; assess reliability of solutions."
NIST SP 800-171A, 3.14.6: "Interview and examine to verify monitoring effectiveness."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?

  A. To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second
  B. To allow users to set their preferred time zones on individual systems, with a recommended synchronization time of 24 hours
  C. To reduce the network bandwidth used by system clocks, with a recommended synchronization time of once a month
  D. To increase the accuracy of digital clocks on devices, with a recommended synchronization time of 1 week

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.7 requires synchronization with an authoritative time source to "generate consistent timestamps for audit records," which is critical for correlating events across systems. The 30-second threshold causes the observed inconsistencies and so fails this requirement. The CMMC guide doesn't specify an exact time, but best practices (e.g., NIST) recommend 1 second for audit log accuracy, ensuring precise event sequencing. Options B, C, and D undermine audit integrity or practicality: user time zones aren't relevant, monthly syncs are too infrequent, and weekly syncs lack precision.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: "Synchronization provides uniformity of timestamps for systems with multiple clocks."
NIST SP 800-171A, 3.3.7: "Best practice recommends synchronization within 1 second for audit accuracy."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 - Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media.
Which of the following is NOT an assessment method for MP.L2-3.8.5 - Media Accountability?

  A. Testing mechanisms supporting or implementing media storage and media protection
  B. Examining designated controlled areas
  C. Interviewing organizational processes for storing media
  D. Examining procedures addressing media storage and access control policy

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth
MP.L2-3.8.5 requires "maintaining accountability for CUI media during transport." Valid methods include testing mechanisms (A), examining controlled areas (B), and examining procedures (D), per NIST SP 800-171A. Interviewing processes (C) is incorrect: only individuals can be interviewed, not processes. The CMMC guide specifies the appropriate methods.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.5: "Test mechanisms, examine areas and procedures; interview personnel, not processes."
NIST SP 800-171A, 3.8.5: "Interview method applies to individuals only."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites.
What CMMC practice does this violate?

  A. AC.L2-3.1.7
  B. AC.L2-3.1.6
  C. AC.L2-3.1.4
  D. AC.L2-3.1.2

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
CMMC practice AC.L2-3.1.6 - Non-Privileged Account Use requires organizations to "use non-privileged accounts or roles when performing non-security functions." Using privileged accounts for routine tasks like email and browsing violates this practice and increases the risk of privilege misuse or compromise. AC.L2-3.1.7 (A) restricts privileged functions, AC.L2-3.1.4 (C) addresses separation of duties, and AC.L2-3.1.2 (D) limits access; none specifically targets non-security use of privileged accounts. The CMMC guide emphasizes least privilege for non-security activities.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: "Require non-privileged accounts for non-security functions such as email and web browsing."
NIST SP 800-171A, 3.1.6: "Examine account usage to ensure privileged accounts are not used for non-security tasks."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. Basing your answer on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1 - Media Protection?

  A. Partially Met
  B. Not Applicable
  C. Not Met
  D. Met

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
MP.L2-3.8.1 requires "protecting CUI on media with physical and logical controls." The contractor's biometric storage, MFA, access lists, and inventory meet these objectives, showing robust protection. This 1-point practice scores Met (+1) with no gaps, per DoD methodology. Partial (A) and Not Met (C) require deficiencies, and N/A (B) doesn't apply.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.1: "Protect media with physical (e.g., locked storage) and logical (e.g., MFA) controls."
DoD Scoring Methodology: "1-point practice: Met = +1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6 - Reduction & Reporting?

  A. Partially Met
  B. Not Applicable
  C. Not Met
  D. Met

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
AU.L2-3.3.6 requires "providing audit reduction and report generation capabilities." The SSP documents measures, and Splunk (a SIEM) supports reduction and reporting, meeting both objectives. With no gaps noted, this 1-point practice scores Met (+1) per DoD methodology. Partial (A) and Not Met (C) require deficiencies, and N/A (B) doesn't apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Examine tools like SIEM for reduction and reporting."
DoD Scoring Methodology: "1-point practice: Met = +1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing an organization's implementation of the System and Information Integrity (SI) practices. During your assessment, you find that the organization has subscribed to security alert and advisory services from reputable sources, such as US-CERT and relevant industry-specific organizations. In interviews with their network and system administrators, you learn that they have deployed an intrusion detection system (IDS) to monitor network traffic for known threats and suspicious activities. They also have a Security Information and Event Management (SIEM) system in place to aggregate and analyze logs from various sources for potential security incidents. Additionally, the network administrator informs you that they have established a Security Operations Center (SOC) to monitor and analyze activity on networks, servers, databases, applications, and other systems. However, you notice that while the organization receives these alerts and advisories, there is no documented process or assigned personnel responsible for reviewing and acting upon them. After reviewing the organization's implementation, which of the following would be the most appropriate next step for the assessor to validate compliance with CMMC practice SI.L2-3.14.3 - Security Alerts & Advisories?

  A. Test the organization's processes for defining, receiving, and disseminating security alerts and advisories
  B. Examine the organization's system and information integrity policies and procedures
  C. Review system audit logs and records for evidence of actions taken in response to security alerts and advisories
  D. Interview the personnel responsible for the Security Operations Center (SOC) to determine whether they take actions in response to security alerts and advisories

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SI.L2-3.14.3 requires organizations to "monitor security alerts and advisories and take appropriate actions in response." While the organization has tools (IDS, SIEM, SOC) and subscriptions to alerts, the lack of a documented process or assigned personnel to act on them raises a compliance gap. Interviewing SOC personnel is the most direct next step to determine if actions are taken, as they are operationally positioned to respond to alerts. Testing processes (A) assumes a process exists, which isn't evident. Examining policies (B) won't reveal operational actions, and reviewing logs (C) requires prior knowledge of actions to look for. The CMMC guide prioritizes interviews to validate operational implementation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.3: "Interview: Personnel with security responsibilities; SOC personnel to determine actions taken in response to alerts."
NIST SP 800-171A, 3.14.3: "Interview personnel to verify that alerts and advisories are reviewed and acted upon."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


