Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Cyber AB
  3. CMMC-CCA

Cyber AB CMMC-CCA Exam (page: 8)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 15-Dec-2025

Viewing Page 8 of 42
CMMC-CCA PDF 325 Questions

You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality.
While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?

  1. The lack of mobile device management (MDM) for access through web interfaces
  2. Containerization technology itself might introduce security vulnerabilities
  3. The use of JavaScript in containerized microservices
  4. The potential execution of unauthorized mobile code through web interfaces

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.13 ­ Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern via web interfaces accessing microservices. Unauthorized code execution (D) is the primary risk, as it could exploit users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are separate; and JavaScript use (C) isn't inherently mobile code unless executed client-side without control. The CMMC guide focuses on execution risks.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."
NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory ­ a privileged function.
Which of the following controls could have prevented the developer from executing this privileged function?

  1. Removing internet access
  2. Prohibiting inheritance of privileged permissions
  3. Enforcing dual authorization
  4. Implementing time of day restrictions

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

AC.L2-3.1.7 ­ Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfiguredpermissions from the Admin_Roles group. Prohibiting inheritance (B) ensures Dev_Roles don't gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."
NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 ­ Cryptographically- Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?

  1. Not Met (-5 points)
  2. Met (+5 points)
  3. Met (+1 point)
  4. Not Met (-1 point)

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission--both meeting the practice's objectives. Per the DoD Scoring Methodology, IA.L2- 3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance isn't an option here, as both storage and transit are addressed.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 ­ Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 ­ Role-Based Training?

  1. Not Met
  2. Partially Met
  3. Not Applicable
  4. Met

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI and best practices doesn't meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per DoD methodology for this 1-point practice). Partial compliance (B) isn't an option under CMMC scoring.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks.
Which CMMC practice has the contractor successfully implemented? Select all that apply.

  1. IL2-3.5.9 ­ Temporary Passwords
  2. IA.L2-3.5.7 ­ Password Complexity and IA.L2-3.5.8 ­ Password Reuse
  3. IA.L2-3.5.3 ­ Multifactor Authentication
  4. IA.L2-3.5.6 ­ Identifier Handling

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

IA.L2-3.5.7: Requires "enforcing minimum password complexity." The policy's 15-character minimum with specific requirements meets this.
IA.L2-3.5.8: Requires "prohibiting password reuse for a specified number of generations." The 30- cycle rule satisfies this.
IA.L2-3.5.9: Requires "changing temporary passwords at first logon and ensuring sufficient entropy." Low entropy fails this practice.
IA.L2-3.5.3: No evidence of MFA implementation.
IA.L2-3.5.6: Identifier handling isn't addressed.Thus, only B applies fully.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.7: "Define complexity rules." IA.L2-3.5.8: "Prohibit reuse for specified cycles."
IA.L2-3.5.9: "Ensure temporary password entropy."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised.
Why should all traffic be routed through a managed Access Control point?

  1. It simplifies network architecture and reduces complexity
  2. Reduces the susceptibility to unauthorized access to organizational systems
  3. It enables easier troubleshooting and monitoring of network traffic
  4. It provides better performance and lower latency for remote users

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.14 ­ Remote Access Routing requires "routing remote access through managed access control points." This reduces unauthorized access risk (B) by centralizing control and security, per CMMC intent. Simplification (A), troubleshooting (C), and performance (D) are secondary benefits, not the primary purpose.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.14: "Route traffic to reduce unauthorized access risk."
NIST SP 800-171A, 3.1.14: "Examine routing to enhance security."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications.
Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 ­ System Baselining?

  1. Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risks
  2. Instruct IT personnel to update baseline configurations whenever a new software version is deployed
  3. Replace their commercial configuration management tool with a different solution
  4. Increase the frequency of software updates for the drone control systems

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."
NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-

3.1.11 ­ Session Termination. You expect to find the following items when examining the contractor's list of conditions or trigger events requiring session termination, EXCEPT?

  1. Time-of-day restrictions on system use
  2. Organization-defined periods of user inactivity
  3. Pre-approved user activity for specific functionalities
  4. Targeted responses to certain types of incidents

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth

AC.L2-3.1.11 requires organizations to "terminate (automatically) a user session after a defined condition." The intent is to protect systems by ending sessions based on specific trigger events that indicate potential security risks or operational policies. Conditions like time-of-day restrictions, periods of inactivity, and responses to incidents (e.g., detected malicious activity) align with this intent, as they are objective triggers for session termination. However, "pre-approved user activity for specific functionalities" does not fit, as it implies authorized actions that should not trigger termination--contradicting the practice's focus on ending sessions under defined risk conditions. The CMMC Assessment Guide lists examples of termination triggers, none of which include approved user activities as a reason to terminate.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.11: "Examples of conditions or trigger events include organization-defined periods of inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."
NIST SP 800-171A, 3.1.11: "Examine documentation for conditions or trigger events requiring session disconnect, such as inactivity or incident responses."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Viewing Page 8 of 42



Share your comments for Cyber AB CMMC-CCA exam with other users:

Kudu hgeur 9/21/2023 5:58:00 PM

nice create dewey stefen
CZECH REPUBLIC


Anorag 9/6/2023 9:24:00 AM

i just wrote this exam and it is still valid. the questions are exactly the same but there are about 4 or 5 questions that are answered incorrectly. so watch out for those. best of luck with your exam.
CANADA


Nathan 1/10/2023 3:54:00 PM

passed my exam today. this is a good start to 2023.
UNITED STATES


1 10/28/2023 7:32:00 AM

great sharing
Anonymous


Anand 1/20/2024 10:36:00 AM

very helpful
UNITED STATES


Kumar 6/23/2023 1:07:00 PM

thanks.. very helpful
FRANCE


User random 11/15/2023 3:01:00 AM

i registered for 1z0-1047-23 but dumps qre available for 1z0-1047-22. help me with this...
UNITED STATES


kk 1/17/2024 3:00:00 PM

very helpful
UNITED STATES


Raj 7/24/2023 10:20:00 AM

please upload oracle 1z0-1110-22 exam pdf
INDIA


Blessious Phiri 8/13/2023 11:58:00 AM

becoming interesting on the logical part of the cdbs and pdbs
Anonymous


LOL what a joke 9/10/2023 9:09:00 AM

some of the answers are incorrect, i would be wary of using this until an admin goes back and reviews all the answers
UNITED STATES


Muhammad Rawish Siddiqui 12/9/2023 7:40:00 AM

question # 267: federated operating model is also correct.
SAUDI ARABIA


Mayar 9/22/2023 4:58:00 AM

its helpful alot.
Anonymous


Sandeep 7/25/2022 11:58:00 PM

the questiosn from this braindumps are same as in the real exam. my passing mark was 84%.
INDIA


Eman Sawalha 6/10/2023 6:09:00 AM

it is an exam that measures your understanding of cloud computing resources provided by aws. these resources are aligned under 6 categories: storage, compute, database, infrastructure, pricing and network. with all of the services and typees of services under each category
GREECE


Mars 11/16/2023 1:53:00 AM

good and very useful
TAIWAN PROVINCE OF CHINA


ronaldo7 10/24/2023 5:34:00 AM

i cleared the az-104 exam by scoring 930/1000 on the exam. it was all possible due to this platform as it provides premium quality service. thank you!
UNITED STATES


Palash Ghosh 9/11/2023 8:30:00 AM

easy questions
Anonymous


Noor 10/2/2023 7:48:00 AM

could you please upload ad0-127 dumps
INDIA


Kotesh 7/27/2023 2:30:00 AM

good content
Anonymous


Biswa 11/20/2023 9:07:00 AM

understanding about joins
Anonymous


Jimmy Lopez 8/25/2023 10:19:00 AM

please upload oracle cloud infrastructure 2023 foundations associate exam braindumps. thank you.
Anonymous


Lily 4/24/2023 10:50:00 PM

questions made studying easy and enjoyable, passed on the first try!
UNITED STATES


John 8/7/2023 12:12:00 AM

has anyone recently attended safe 6.0 exam? did you see any questions from here?
Anonymous


Big Dog 6/24/2023 4:47:00 PM

question 13 should be dhcp option 43, right?
UNITED STATES


B.Khan 4/19/2022 9:43:00 PM

the buy 1 get 1 is a great deal. so far i have only gone over exam. it looks promissing. i report back once i write my exam.
INDIA


Ganesh 12/24/2023 11:56:00 PM

is this dump good
Anonymous


Albin 10/13/2023 12:37:00 AM

good ................
EUROPEAN UNION


Passed 1/16/2022 9:40:00 AM

passed
GERMANY


Harsh 6/12/2023 1:43:00 PM

yes going good
Anonymous


Salesforce consultant 1/2/2024 1:32:00 PM

good questions for practice
FRANCE


Ridima 9/12/2023 4:18:00 AM

need dump and sap notes for c_s4cpr_2308 - sap certified application associate - sap s/4hana cloud, public edition - sourcing and procurement
Anonymous


Tanvi Rajput 10/6/2023 6:50:00 AM

question 11: d i personally feel some answers are wrong.
UNITED KINGDOM


Anil 7/18/2023 9:38:00 AM

nice questions
Anonymous