You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?
Answer(s): B
Comprehensive and Detailed In-Depth: AC.L2-3.1.4 Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling design, coding, testing, and production deployment concentrates privileges, increasing the risk of both error and malice. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) do not address duty separation or risk reduction.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews." NIST SP 800-171A, 3.1.4: "Recommend role distribution."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 Authoritative Time Source?
Comprehensive and Detailed In-Depth: AU.L2-3.3.7 requires organizations to "synchronize system clocks with an authoritative time source" to ensure consistent timestamps for audit records. The contractor has an NTP server, but the 30-second synchronization threshold on new systems leads to inconsistent timestamps, failing the practice's intent. Per the DoD Assessment Scoring Methodology, AU.L2-3.3.7 is a 1-point practice. If not fully met, it scores -1 (Not Met). The partial implementation (an NTP server exists but is not effectively applied) does not qualify as Met, so no positive points are awarded. The CMMC guide stresses uniformity in timestamps, which this configuration undermines.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: "Synchronize clocks to ensure uniformity of timestamps for audit records." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 Identifier Reuse if you find issues with its implementation?
Comprehensive and Detailed In-Depth: IA.L2-3.5.5 (a 1-point practice) requires "preventing identifier reuse for a defined period." If issues are found (e.g., reuse before 12 months), the OSC can track them in a POA&M for limited deficiency correction within 180 days, per the CAP (B). Listing in the SSP (A) is for planning, not fixing; hiring another C3PAO (C) is not standard; and N/A (D) does not apply. The CMMC guide allows POA&Ms for 1-point practices.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.5: "Deficiencies may be tracked in a POA&M for correction." CAP v5.6.1, p. 25: "1-point practices eligible for POA&M within 180 days."
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature Defcon's updated privacy and security notices should have?
Answer(s): C
Comprehensive and Detailed In-Depth: AC.L2-3.1.9 Privacy & Security Notices requires "displaying system use notifications consistent with applicable CUI rules." Notices must inform users of CUI handling obligations (D), warn of penalties for unauthorized use (A), and note monitoring (B), ensuring awareness and compliance. A display duration of less than 5 seconds (C) is inadequate, as it prevents users from reading and acknowledging the content, contradicting the practice's intent. The CMMC guide stresses sufficient visibility and comprehension time.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.9: "Notices must be displayed long enough for users to read and understand." NIST SP 800-171A, 3.1.9: "Examine notices for adequate display duration."
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current status with FIPS?
Answer(s): A
Comprehensive and Detailed In-Depth: SC.L2-3.13.11 CUI Encryption requires "FIPS-validated cryptography for CUI." The NIST Cryptographic Module Validation Program (CMVP) (A) provides the current validation status for modules, per the CMMC guide. FedRAMP (B) is for cloud services, CSRC (C) is a general resource, and the FIPS 140-2 documents (D) are static and do not show live validation status.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Verify FIPS status via NIST CMVP." NIST SP 800-171A, 3.13.11: "Refer to CMVP for validation."
During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Based on the scenario, what is the MOST concerning aspect from a CMMC compliance perspective regarding CMMC practice SC.L2-3.13.9 Connections Termination?
Comprehensive and Detailed In-Depth: SC.L2-3.13.9 requires "terminating connections after a defined period of inactivity." The absence of a documented policy and defined inactivity period (C) is most concerning, as it fails the practice's core requirement, leaving termination inconsistent and dependent on users remembering to log out. Hosting location (A) is neutral, MFA (B) relates to AC.L2-3.1.3, and default timeouts (D) are a symptom of the policy gap. The CMMC guide prioritizes defined inactivity controls.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Define and document inactivity period for termination; lack thereof is non-compliant." NIST SP 800-171A, 3.13.9: "Examine policy for defined inactivity period."
You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?
Answer(s): D
Comprehensive and Detailed In-Depth: SC.L2-3.13.4 aims to "prevent unauthorized and unintended information transfer via shared system resources." Employees using personal cloud storage for work documents (including CUI) risk unauthorized transfer outside organizational control, violating this practice. Prohibiting such use via policy (D) directly addresses the root cause, aligning with the practice's intent to control shared resource risks. Stricter passwords (A) do not prevent data transfer, vulnerability assessments (B) identify issues but do not change behavior, and training (C) supports awareness but lacks enforcement. The CMMC guide emphasizes policy enforcement for resource control.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.4: "Develop policies to prevent unauthorized information transfer via shared resources." NIST SP 800-171A, 3.13.4: "Examine policies prohibiting use of unapproved shared resources for CUI."
When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing, or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 Risk Assessments?
Comprehensive and Detailed In-Depth: RA.L2-3.11.1 requires "periodically assessing risks to operations, assets, and individuals from system use." The OSC's policy defines annual assessments, but a 21-month gap (January 2022 to November 2023) violates this frequency, failing the practice's intent. This 5-point practice scores Not Met (-5), as partial compliance (C) is not recognized, and more information (D) is not needed given the clear lapse. Full compliance (A) requires adherence to the defined period.
Extract from Official CMMC Documentation: CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.1: "Assess risks at defined intervals; non-compliance if periodicity unmet." DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Share your comments for Cyber AB CMMC-CCA exam with other users:
great material
could you please upload sap c_arsor_2302 questions? it will be very much helpful.
Question 20c: RSA secure for symmetric cryptography? Answer C is surely wrong. RSA is for asymmetric cryptography??
so far good
question 31 has obviously wrong answers. tls and ssl are used to encrypt data at transit, not at rest.
pls provide dump for 1z0-1080-23 planning exams
could you please upload the exam?
please upload this
good material
let's see if this is good stuff...
useful information
interesting
thank you for making the interactive questions
questions are accurate
i need questions/dumps for this exam.
i need this exam, when will it be uploaded
i need the dumps !
very helpful
good source
my 3rd test and passed on first try. hats off to this brain dumps site.
please upload it
does anybody know if are these real exam questions?
are these questions similar to actual questions in the exam? because they seem to be too easy
i have a lot of experience but what comes in the exam is totally different from the practical day to day tasks. so i thought i would rather rely on these brain dumps rather failing the exam.
good questions
valid exam dumps. they were very helpful and i got a pretty good score. i am very grateful for this service and exam questions
will it help?
very useful to verify knowledge before exam
good stuff
question 17: aren't the responses b and c?
just passed the exam on my first try using these dumps.
these questions look good.
this is very helpful content