CMMC-CCA Practice Questions
Certified CMMC Assessor (CCA) Exam
Last Update 3 days ago
Total Questions : 150
Dive into our fully updated and stable CMMC-CCA practice test platform, featuring all the latest CMMC exam questions added this week. Our preparation tool is more than just a Cyber AB study aid; it's a strategic advantage.
Our free CMMC practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about CMMC-CCA. Use this test to pinpoint which areas you need to focus your study on.
A midsized professional services organization that frequently contracts with government entities is undergoing a CMMC Level 2 assessment. The CCA interviews IT leadership about their audit logging capabilities and determines that a third-party vendor is responsible for correlating and reviewing audit logs. During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?
While assessing a company, the CCA is determining whether the company controls and manages connections between its corporate network and all external networks. The company has: (1) a strict employee policy prohibiting personal Internet use and personal email on company computers, and (2) firewalls plus a connection allow-list so only authorized external networks can connect to the company network. Are these safeguards sufficient to meet the applicable CMMC requirement?
A company describes its organization as having two systems. One system, System Org, covers the entire organization and allows instant messaging, email, and Internet activity. The other system, System CUI, is used for processing, storing, and transmitting CUI data. System CUI interfaces with System Org through security mechanisms and a firewall.
The CMMC Assessment is being done on System CUI only.
What is the BEST way to describe System CUI?
An assessor reviews the OSC’s data protection policy, which requires full disk encryption on company laptops. While interviewing employees, the assessor learns that employees sometimes access data while teleworking on laptops that do not have full disk encryption.
How should the assessor view the implementation of the OSC’s policy?
An OSC has an established password policy. The OSC wants to improve its password protection security by implementing a single change. Which of the following is an acceptable element to add to the OSC’s password policy?
The SSP for an OSC undergoing an assessment categorizes a device in the inventory that wirelessly connects to the network. In order to secure the connection of wireless devices that access a system that transmits, stores, or processes CUI, what are the requirements?
A cloud-native OSC uses a vendor’s FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor’s locally installable applications. The OSC properly configured the vendor’s cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC’s SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use.
How should the Certified Assessor score this practice?
The OSC’s network consists of a single network switch that connects all devices. This includes the OSC’s OT equipment, which processes CUI. The OT controller requires an unsupported operating system.
What can the Lead Assessor BEST conclude about the overall compliance with MA.L2-3.7.1: Perform Maintenance?
An OSC outsources all of its security incident and event monitoring work to a third-party SOC. Additionally, the OSC utilizes a cloud-hosted antivirus (AV) system to fulfill the requirement of having virus protection without hosting additional servers on-site. During the scoping discussion, both the SOC and AV should be listed as what type of asset?
