Cyber AB CMMC-CCA Exam (page: 8)
Cyber AB Certified CMMC Assessor (CCA)
Updated on: 09-Feb-2026

Viewing Page 8 of 42

You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality.
While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?

  1. The lack of mobile device management (MDM) for access through web interfaces
  2. Containerization technology itself might introduce security vulnerabilities
  3. The use of JavaScript in containerized microservices
  4. The potential execution of unauthorized mobile code through web interfaces

Answer(s): D

Explanation:

Comprehensive and Detailed In-Depth
SC.L2-3.13.13 - Mobile Code requires "controlling and monitoring mobile code use to prevent unacceptable risk." Mobile code (e.g., scripts executed in browsers) is a concern via web interfaces accessing microservices. Unauthorized code execution (D) is the primary risk, as it could exploit users or systems. MDM (A) secures devices, not web code; container vulnerabilities (B) are separate; and JavaScript use (C) isn't inherently mobile code unless executed client-side without control. The CMMC guide focuses on execution risks.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.13: "Control mobile code to prevent unauthorized execution via web interfaces."
NIST SP 800-171A, 3.13.13: "Assess risks of mobile code in user-accessible systems."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory - a privileged function.
Which of the following controls could have prevented the developer from executing this privileged function?

  1. Removing internet access
  2. Prohibiting inheritance of privileged permissions
  3. Enforcing dual authorization
  4. Implementing time of day restrictions

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

AC.L2-3.1.7 - Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfigured permissions from the Admin_Roles group. Prohibiting inheritance (B) ensures Dev_Roles don't gain elevated privileges, enforcing least privilege. Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide's focus on RBAC configuration.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based access controls to limit non-privileged users."
NIST SP 800-171A, 3.1.7: "Examine RBAC settings to ensure no unintended privilege escalation."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 - Cryptographically-Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?

  1. Not Met (-5 points)
  2. Met (+5 points)
  3. Met (+1 point)
  4. Not Met (-1 point)

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
IA.L2-3.5.10 mandates that passwords be "cryptographically protected in storage and transit." Hashing with SHA-256 or bcrypt (one-way functions) secures storage, and TLS encryption protects transmission; both meet the practice's objectives. Per the DoD Scoring Methodology, IA.L2-3.5.10 is a 5-point practice, scoring +5 when fully met. The OSC's implementation aligns with industry standards and CMMC requirements, warranting a "Met (+5 points)" score. Partial compliance isn't an option here, as both storage and transit are addressed.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.10: "Passwords must be hashed (e.g., bcrypt) for storage and encrypted (e.g., TLS) in transit."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 - Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 - Role-Based Training?

  1. Not Met
  2. Partially Met
  3. Not Applicable
  4. Met

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
AT.L2-3.2.2 requires "role-based training for personnel with assigned security roles before authorizing system access." Generic biannual training on CUI and best practices doesn't meet the practice's requirement for tailored, role-specific training (e.g., auditors need audit-specific training, not just CUI handling). The lack of specialization fails the intent, scoring Not Met (-1 point per DoD methodology for this 1-point practice). Partial compliance (B) isn't an option under CMMC scoring.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AT.L2-3.2.2: "Training must be specific to security roles." DoD Scoring Methodology: "1-point practice: Met = +1, Not Met = -1."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks.
Which CMMC practice has the contractor successfully implemented? Select all that apply.

  1. IA.L2-3.5.9 - Temporary Passwords
  2. IA.L2-3.5.7 - Password Complexity and IA.L2-3.5.8 - Password Reuse
  3. IA.L2-3.5.3 - Multifactor Authentication
  4. IA.L2-3.5.6 - Identifier Handling

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth

IA.L2-3.5.7: Requires "enforcing minimum password complexity." The policy's 15-character minimum with specific requirements meets this.
IA.L2-3.5.8: Requires "prohibiting password reuse for a specified number of generations." The 30-cycle rule satisfies this.
IA.L2-3.5.9: Requires "changing temporary passwords at first logon and ensuring sufficient entropy." Low entropy fails this practice.
IA.L2-3.5.3: No evidence of MFA implementation.
IA.L2-3.5.6: Identifier handling isn't addressed. Thus, only B applies fully.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.7: "Define complexity rules." IA.L2-3.5.8: "Prohibit reuse for specified cycles."
IA.L2-3.5.9: "Ensure temporary password entropy."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each with its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised.
Why should all traffic be routed through a managed Access Control point?

  1. It simplifies network architecture and reduces complexity
  2. Reduces the susceptibility to unauthorized access to organizational systems
  3. It enables easier troubleshooting and monitoring of network traffic
  4. It provides better performance and lower latency for remote users

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth
AC.L2-3.1.14 - Remote Access Routing requires "routing remote access through managed access control points." This reduces unauthorized access risk (B) by centralizing control and security, per CMMC intent. Simplification (A), troubleshooting (C), and performance (D) are secondary benefits, not the primary purpose.

Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.14: "Route traffic to reduce unauthorized access risk."
NIST SP 800-171A, 3.1.14: "Examine routing to enhance security."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications.
Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 - System Baselining?

  1. Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risks
  2. Instruct IT personnel to update baseline configurations whenever a new software version is deployed
  3. Replace their commercial configuration management tool with a different solution
  4. Increase the frequency of software updates for the drone control systems

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth
CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."
NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf



You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11 - Session Termination. You expect to find the following items when examining the contractor's list of conditions or trigger events requiring session termination, EXCEPT?

  1. Time-of-day restrictions on system use
  2. Organization-defined periods of user inactivity
  3. Pre-approved user activity for specific functionalities
  4. Targeted responses to certain types of incidents

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth

AC.L2-3.1.11 requires organizations to "terminate (automatically) a user session after a defined condition." The intent is to protect systems by ending sessions based on specific trigger events that indicate potential security risks or operational policies. Conditions like time-of-day restrictions, periods of inactivity, and responses to incidents (e.g., detected malicious activity) align with this intent, as they are objective triggers for session termination. However, "pre-approved user activity for specific functionalities" does not fit, as it implies authorized actions that should not trigger termination, contradicting the practice's focus on ending sessions under defined risk conditions. The CMMC Assessment Guide lists examples of termination triggers, none of which include approved user activities as a reason to terminate.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.11: "Examples of conditions or trigger events include organization-defined periods of inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."
NIST SP 800-171A, 3.1.11: "Examine documentation for conditions or trigger events requiring session disconnect, such as inactivity or incident responses."


Reference:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf





