You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?
Answer(s): B
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.4 Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling design, coding, testing, and production deployment concentrates privileges, increasing the risk of error or malice. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) do not address duty separation or risk reduction.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
NIST SP 800-171A, 3.1.4: "Recommend role distribution."
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discover that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 Authoritative Time Source?
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.7 requires organizations to "synchronize system clocks with an authoritative time source" to ensure consistent timestamps for audit records. The contractor has an NTP server, but the 30-second synchronization threshold on the new systems leaves their clocks up to 30 seconds apart from the older nodes, producing inconsistent timestamps and failing the practice's intent. Per the DoD Assessment Scoring Methodology, AU.L2-3.3.7 is a 1-point practice. If not fully met, it scores -1 (Not Met). The partial implementation (an NTP server exists but is not effectively applied) does not qualify as Met, so no positive points are awarded. The CMMC guide stresses uniformity of timestamps, which this configuration undermines.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: "Synchronize clocks to ensure uniformity of timestamps for audit records."
DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."
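The check the scenario describes (trigger one event on every node, then compare each node's recorded timestamp with the NTP reference) can be scripted. The following is an added example, not part of the exam page or any CMMC document; the log format, host names and the 5-second tolerance are assumptions. A "sync only when the difference exceeds 30 seconds" policy allows offsets of up to 30 seconds, which is exactly what the two constructed "new" nodes show.

```python
"""Audit-log timestamp consistency check for an AU.L2-3.3.7 assessment.
Added example; log format, host names and tolerance are assumptions."""
import re
from datetime import datetime, timezone

# Constructed audit lines: "<host> <ISO-8601 UTC timestamp> <event>".
SAMPLE_LOGS = """\
srv-old-01 2024-03-04T10:15:02Z assessor-test-event
srv-old-02 2024-03-04T10:15:03Z assessor-test-event
node-new-07 2024-03-04T10:14:41Z assessor-test-event
node-new-08 2024-03-04T10:15:27Z assessor-test-event
"""

# Time of the triggered event as read from the authoritative NTP server.
REFERENCE = "2024-03-04T10:15:02Z"
# Largest offset the assessor accepts as "uniform" timestamps (assumption).
TOLERANCE_SECONDS = 5.0

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_offsets(logs, reference, event):
    """Return {host: host_timestamp - reference, in seconds} for one event."""
    ref = parse_ts(reference)
    offsets = {}
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != event:
            continue  # skip malformed lines and unrelated events
        host, ts, _ = m.groups()
        offsets[host] = (parse_ts(ts) - ref).total_seconds()
    return offsets


def out_of_tolerance(offsets, tolerance=TOLERANCE_SECONDS):
    """Hosts whose clock differs from the reference by more than tolerance."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


if __name__ == "__main__":
    offs = clock_offsets(SAMPLE_LOGS, REFERENCE, "assessor-test-event")
    for host, off in offs.items():
        print(f"{host}: {off:+.0f}s")
    print("out of tolerance:", out_of_tolerance(offs))
```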
While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you learn they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 Identifier Reuse if you find issues with its implementation?
Comprehensive and Detailed In-Depth Explanation:
IA.L2-3.5.5 (a 1-point practice) requires "preventing identifier reuse for a defined period." If issues are found (e.g., reuse before 12 months), the OSC can track them in a POA&M for limited deficiency correction within 180 days, per the CAP (B). Listing in the SSP (A) is for planning, not fixing; hiring another C3PAO (C) is not standard; and N/A (D) does not apply. The CMMC guide allows POA&Ms for 1-point practices.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.5: "Deficiencies may be tracked in a POA&M for correction."
CAP v5.6.1, p. 25: "1-point practices eligible for POA&M within 180 days."
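An assessor can test the two rules in the scenario (disable after 6 months unused, no reuse for 12 months) by replaying an identity-system event export. This is an added example, not from the exam page or any CMMC document; the event names, dates, and the day counts standing in for "12 months" (365) and "6 months" (183) are assumptions.

```python
"""Identifier lifecycle checks for an IA.L2-3.5.5 assessment.
Added example; event format, dates and day thresholds are assumptions."""
from datetime import date

# Constructed identity export: (identifier, event, date).
EVENTS = [
    ("jdoe",   "assigned",   date(2021, 1, 10)),
    ("jdoe",   "last_login", date(2022, 2, 1)),
    ("jdoe",   "disabled",   date(2022, 8, 5)),
    ("jdoe",   "assigned",   date(2023, 1, 15)),   # reused after ~5 months
    ("asmith", "assigned",   date(2020, 6, 1)),
    ("asmith", "disabled",   date(2021, 3, 1)),
    ("asmith", "assigned",   date(2022, 4, 1)),    # reused after 13 months
    ("ctr-44", "assigned",   date(2023, 5, 1)),
    ("ctr-44", "last_login", date(2023, 6, 20)),   # still enabled, idle
]

REUSE_GAP_DAYS = 365   # stands in for the OSC's 12-month reuse policy
DORMANT_DAYS = 183     # stands in for the 6-month automated disablement


def by_identifier(events):
    """Group events per identifier, sorted chronologically."""
    groups = {}
    for ident, kind, when in events:
        groups.setdefault(ident, []).append((kind, when))
    for hist in groups.values():
        hist.sort(key=lambda e: e[1])
    return groups


def premature_reuse(events, gap_days=REUSE_GAP_DAYS):
    """Identifiers reassigned fewer than gap_days after being disabled."""
    bad = []
    for ident, hist in by_identifier(events).items():
        disabled_on = None
        for kind, when in hist:
            if kind == "disabled":
                disabled_on = when
            elif kind == "assigned" and disabled_on is not None:
                if (when - disabled_on).days < gap_days:
                    bad.append(ident)
                disabled_on = None  # each disablement is judged once
    return sorted(bad)


def dormant_not_disabled(events, as_of_iso, idle_days=DORMANT_DAYS):
    """Enabled identifiers whose last login is older than idle_days as of a date."""
    as_of = date.fromisoformat(as_of_iso)
    bad = []
    for ident, hist in by_identifier(events).items():
        kind, when = hist[-1]  # latest event decides whether it is still live
        if kind == "last_login" and (as_of - when).days > idle_days:
            bad.append(ident)
    return sorted(bad)
```

Each identifier returned by either function is a finding the OSC would record in its POA&M for correction within the 180-day window.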
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature Defcon's updated privacy and security notices should have?
Answer(s): C
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.9 Privacy & Security Notices requires "displaying system use notifications consistent with applicable CUI rules." Notices must inform users of CUI handling obligations (D), warn of penalties for unauthorized use (A), and note monitoring (B), ensuring awareness and compliance. A display duration of less than 5 seconds (C) is inadequate, as it prevents users from reading and acknowledging the content, contradicting the practice's intent. The CMMC guide stresses sufficient visibility and comprehension time.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.9: "Notices must be displayed long enough for users to read and understand."
NIST SP 800-171A, 3.1.9: "Examine notices for adequate display duration."
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current status with FIPS?
Answer(s): A
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.11 CUI Encryption requires "FIPS-validated cryptography for CUI." The NIST Cryptographic Module Validation Program (CMVP) (A) provides the current validation status of modules, per the CMMC guide. FedRAMP (B) is for cloud services, CSRC (C) is a general resource, and the FIPS 140-2 documents (D) are static publications, not live status listings.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Verify FIPS status via NIST CMVP."
NIST SP 800-171A, 3.13.11: "Refer to CMVP for validation."
During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Based on the scenario, what is the MOST concerning aspect from a CMMC compliance perspective regarding CMMC practice SC.L2-3.13.9 Connections Termination?
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.9 requires "terminating connections after a defined period of inactivity." The absence of a documented policy and defined inactivity period (C) is most concerning, as it fails the practice's core requirement, leaving termination inconsistent and dependent on users remembering to log out. Hosting location (A) is neutral, MFA (B) relates to AC.L2-3.1.3, and default timeouts (D) are a symptom of the policy gap. The CMMC guide prioritizes defined inactivity controls.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Define and document inactivity period for termination; lack thereof is non-compliant."
NIST SP 800-171A, 3.13.9: "Examine policy for defined inactivity period."
You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?
Answer(s): D
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.4 aims to "prevent unauthorized and unintended information transfer via shared system resources." Employees' use of personal cloud storage for work documents (including CUI) risks unauthorized transfer outside organizational control, violating this practice. Prohibiting such use via policy (D) directly addresses the root cause, aligning with the practice's intent to control shared resource risks. Stricter passwords (A) do not prevent data transfer, vulnerability assessments (B) identify issues but do not fix behavior, and training (C) supports awareness but lacks enforcement. The CMMC guide emphasizes policy enforcement for resource control.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.4: "Develop policies to prevent unauthorized information transfer via shared resources."
NIST SP 800-171A, 3.13.4: "Examine policies prohibiting use of unapproved shared resources for CUI."
When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing, or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023. Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 Risk Assessments?
Comprehensive and Detailed In-Depth Explanation:
RA.L2-3.11.1 requires "periodically assessing risks to operations, assets, and individuals from system use." The OSC's policy defines annual assessments, but a 21-month gap (Jan 2022 to Nov 2023) violates this frequency, failing the practice's intent. This 5-point practice scores Not Met (-5), as partial compliance (C) is not recognized, and more information (D) is not needed given the clear lapse. Full compliance (A) requires adherence to the defined period.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.1: "Assess risks at defined intervals; non-compliance if periodicity unmet."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Share your comments for Cyber AB CMMC-CCA exam with other users:
Want to pass the exam.
Good resource.
Question 11: D
Only the free dumps will be enough to pass, or do I have to purchase the premium one? Please suggest.
Good questions. Thanks.
Good for practice.
Great case study.
The questions in this exam dump are valid. I passed my test last Monday. I only wish they had their pricing in INR instead of USD, but it is still worth it.
Q40: the answer is not D. Why are you giving incorrect answers? Snapshot consolidation is used to merge the snapshot delta disk files to the VM base disk.
Thanks, very relevant.
Wrong answer. It is true, not false.
Please, I need the MO-100 questions.
Very good, useful.
Very valid questions.
Will these questions help me to clear the PL-300 exam?
Please provide me with these dump questions. Thanks.
In the downloaded PDF it says "Google Cloud Database Engineer"; I think that it isn't the correct exam.
I think you have the answers wrong regarding the question: "What are three core principles of Web Content Accessibility Guidelines (WCAG)?" Answer: robust, operable, understandable.
These questions are not valid; they don't come up in the exam now.
Question looks valid.
Good for practice.
Need more Q&A to go ahead.
Question 59: a newly-created role is not assigned to any user, nor granted to any other role. Answer is B. https://docs.snowflake.com/en/user-guide/security-access-control-overview
Just passed my exam today. I saw all of these questions in my test today, so I can confirm this is a valid dump.
Needed dumps.
Very helpful.
Will post once the exam is finished.
Relevant questions.
Just cleared the exam on 10/06/2202. The dumps are valid; all questions came the same as in the dumps, only 2 new questions. Total 46 questions, 1 case study with 5 questions, no lab/simulation in my exam. Please check the answers. Best of luck.
Q.112: the correct answer is C. The event registry is a module that provides event definitions. Answer A is not correct, as it is the definition of the event log.
Good and useful.
Good questions.
Good content.
Totally incorrect answers. 21. You have one GCP account running in your default region and zone and another account running in a non-default region and zone. You want to start a new Compute Engine instance in these two Google Cloud Platform accounts using the command line interface. What should you do? Correct: create two configurations using gcloud config configurations create [name]. Run gcloud config configurations activate [name] to switch between accounts when running the commands to start the Compute Engine instances.