CMMC-CCA Practice Questions
Certified CMMC Assessor (CCA) Exam
Last Update 3 days ago
Total Questions : 150
Dive into our fully updated and stable CMMC-CCA practice test platform, featuring all the latest CMMC exam questions added this week. Our preparation tool is more than just a Cyber AB study aid; it's a strategic advantage.
Our free CMMC practice questions crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about CMMC-CCA. Use this test to pinpoint which areas you need to focus your study on.
A company is seeking Level 2 CMMC certification. During the Limited Practice Deficiency Correction Evaluation, the Lead Assessor must decide whether the company can move to a POA&M review. Which condition will result in the Lead Assessor recommending that the OSC’s practice deficiencies move to a POA&M review?
The assessor begins the assessment by meeting with the client’s stakeholders and learns that multiple subsidiaries exist. In order to perform a complete assessment, the assessor must review documents from multiple entities as multiple, corresponding Commercial and Government Entity (CAGE) codes were provided. Which of the following entities may receive certification as a result of this?
A company has a CUI enclave for handling all CUI processed, stored, and transmitted through the organization. While interviewing the IT manager, the CCA asks how assets that can, but are not intended to, handle CUI are identified. The IT manager refers to the CUI system’s network diagram (which includes these assets) as well as the asset inventory (which lists these assets as Contractor Risk Managed Assets). Which other artifact MUST also mention these assets?
During a company’s assessment, the CCA notices that the server room door is kept open with a fan in the entryway because the cooling system is inadequate and the machines are overheating. According to the physical protection policy, the server room’s keypad is the mechanism for managing and controlling access to this equipment, and only the IT team should have access to the server room. However, with the door open, the keypad is not necessary, and anyone can enter the room.
The CCA asks the IT manager how access to this room is protected while the door is open. Which response would allow the company to still meet the physical security requirement?
An OSC seeking Level 2 certification wants to develop and launch a website for customers to purchase items online and submit contact forms. The OSC plans to host the web server in their own data center while also maintaining the security of their internal IT environment. Based on this information, what would be the BEST approach?
Testing is one assessment method the Lead Assessor may choose depending on the assessment scope and evidence provided by the OS
C.
During the Plan Phase, the Lead Assessor and OSC POC agree on who the people are that are involved in a particular practice so that it could be tested if determined appropriate. During the discussion, the OSC POC tells the Lead Assessor that the production system is in use and cannot be stopped for the testing to take place but offers a mirrored system for testing. The Lead Assessor decides:An OSC seeking Level 2 certification is working with an ESP. The organization is trying to determine if the ESP is considered within the assessment and is reviewing the Service Level Agreement (SLA) between the organization and the ESP. Which SLA component should be taken into consideration to determine if the ESP is within the assessment scope?
An Assessor is evaluating whether an OSC has implemented adequate controls to meet A
C.
L2-3.1.7: Privileged Functions. The OSC has procedures that define privileged vs. non-privileged account provisioning and an access control policy that restricts execution of certain functions only to privileged users.What might the Assessor do to further evaluate the implementation of this practice?
The OSC has assembled its documentation relating to how it controls remote access for assessment. The Lead Assessor compared this documentation to the provided topology map and noted several indications of external connections with External Service Providers (ESPs). Which document is MOST LIKELY to show acceptable evidence of the security controls related to the interface between the OSC and the ESP?
An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:
System inventory records showing additions/removals of machines,
Software inventory showing installations/removals, and
A system component installation plan with software needs and user specifications.
What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?
