CMMC-CCA Practice Questions
Certified CMMC Assessor (CCA) Exam
Last Update 3 days ago
Total Questions : 150
Dive into our fully updated and stable CMMC-CCA practice test platform, featuring all the latest CMMC exam questions added this week. Our preparation tool is more than just a Cyber AB study aid; it's a strategic advantage.
Our free CMMC practice questions crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about CMMC-CCA. Use this test to pinpoint which areas you need to focus your study on.
A company employs an encrypted VPN to enhance confidentiality over remote connections. The CCA reads a document describing the VPN. It states the VPN allows automated monitoring and control of remote access sessions, helps detect cyberattacks, and supports auditing of remote access to ensure compliance with CMMC requirements.
What document is the CCA MOST LIKELY reviewing to see how these VPNs are controlled and monitored?
Both the SSP and network diagrams presented to the Lead Assessor by the OSC indicate managed service providers (MSPs) within the assessment boundary. In order to BEST understand the impact of the MSPs, what should the Lead Assessor do?
While examining the customer responsibility matrix submitted by the OSC for one of its Cloud Service Providers (CSPs), the Assessor notes that the matrix was substantially completed by the OSC’s RPO. In fact, there is a statement from the RPO that the CSP has met the requirements for FedRAMP MODERAT
E.
In order to accept that this CSP is qualified to perform some of the practices on behalf of the OSC, what should occur?
While conducting a CMMC Level 2 Assessment for a small waveguide manufacturer, the client provides a copy of their CMMC Level 1 Self-Assessment that their senior official has recently approved and uploaded to the Supplier Performance Risk System (SPRS). What type of information may be covered within the Level 1 Self-Assessment that is OUTSIDE the scope of a Level 2 assessment?
An OSC creates standard user accounts with limited capabilities and administrator accounts with full system access. A standard user initiates the uninstall of the anti-virus software, which is organizationally defined as a privileged function. Which of the following would indicate A
C.
L2-3.1.7: Privileged Functions is properly implemented?An OSC has built an enclave for its production environment. The enclave sits behind a firewall, with all equipment connected through a switch. There is a shipping workstation and physically connected label printer (used for the sales system, which does not process CUI) that the OSC claims are Contractor Risk Managed Assets (CRMA). Other than showing that the shipping workstation and label printer are not intended to store or transmit CUI, and documenting them in the SSP,
how BEST would the OSC show that the shipping workstation and label printer are Contractor Risk Managed Assets?
The Lead Assessor is compiling the assessment results, which must contain the status for each of the applicable practices. Some practices have been placed in the limited practice deficiency correction program. Multiple areas have been reviewed, including HQ, host units, and a specific enclave.
In order to properly report the findings, the Lead Assessor MUST:
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:
While reviewing C
A.
L2-3.12.3: Security Control Monitoring, the CCA notices that the assessment period is defined as one year. An OSC's SSP states that under CA.
L2-3.12.3, security controls are monitored using the same one-year periodicity to ensure the continued effectiveness of the controls. The assessor understands that some CMMC practices can reference other practices for the entirety of their implementation. Is the OSC’s implementation under CA.
L2-3.12.3: Security Control Monitoring acceptable?An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC’s cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:
