Cyber AB Certified CMMC Assessor (CCA) - CMMC-CCA FREE EXAM DUMPS QUESTIONS & ANSWERS
A company has a CUI enclave for handling all CUI processed, stored, and transmitted through the organization. While interviewing the IT manager, the CCA asks how assets that can, but are not intended to, handle CUI are identified. The IT manager refers to the CUI system's network diagram (which includes these assets) as well as the asset inventory (which lists these assets as Contractor Risk Managed Assets). Which other artifact MUST also mention these assets?
Correct Answer: C
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
A company is seeking Level 2 CMMC certification. During the Limited Practice Deficiency Correction Evaluation, the Lead Assessor is deciding whether the company can be moved to a POA&M Close-Out. What condition will result if a POA&M Close-Out option cannot be utilized?
Correct Answer: C
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
Both the SSP and network diagrams presented to the Lead Assessor by the OSC indicate managed service providers (MSPs) within the assessment boundary. In order to BEST understand the impact of the MSPs, what should the Lead Assessor do?
Correct Answer: C
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
An Assessor is examining documents provided by the OSC POC. While reviewing them, the Assessor notes that several of the procedures have very current dates while the bulk do not. What should the Assessor do in order to decide if these new documents are acceptable as evidence?
Correct Answer: D
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
Correct Answer: D
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?
Correct Answer: B
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
In order to perform an interview, the Lead Assessor MUST ensure interview questions are:
Correct Answer: A
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked
"Authorized for CUI printing." What is the NEXT step the Lead Assessor should take regarding PE.L2-
3.10.3: Escort Visitors?
"Authorized for CUI printing." What is the NEXT step the Lead Assessor should take regarding PE.L2-
3.10.3: Escort Visitors?
Correct Answer: A
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
A CCA is assessing the concept of least functionality in accordance with CM.L2-3.4.6: Least Functionality.
Which method is the LEAST LIKELY to be useful as an assessment technique?
Which method is the LEAST LIKELY to be useful as an assessment technique?
Correct Answer: A
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
During an assessment, the Lead Assessor determines certain assets to be in-scope which the OSC had considered out-of-scope.
The CCA should reply that for assets to be considered out-of-scope they:
The CCA should reply that for assets to be considered out-of-scope they:
Correct Answer: C
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
While conducting a CMMC Level 2 assessment at a 100-person manufacturing company, the assessor receives a yellow badge labeled "SPECIAL ACCESS." The assessor observes multiple badge types used by staff and visitors. The client explains that only three badge colors correspond to controlled access (with electronic access), while the rest are identifiers for seniority. How can the assessor BEST verify that the three colors are the only badges capable of accessing controlled areas for CUI-related activities?
Correct Answer: A
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?
Correct Answer: D
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
While examining controls on the use of portable storage devices, an assessor conducts an interview with a mid-level internal system administrator. The administrator describes the process to check out portable storage devices, which includes a user emailing IT staff directly, verifying that the media classification label matches the data classification, and limiting use of the device to a specified external system.
What is a MISSING element for the assessment of AC.L2-3.1.21: Portable Storage Use?
What is a MISSING element for the assessment of AC.L2-3.1.21: Portable Storage Use?
Correct Answer: B
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).
While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on- premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.
Are the data provided sufficient to determine that the OSC limits connection to external information systems?
Are the data provided sufficient to determine that the OSC limits connection to external information systems?
Correct Answer: B
Vote an answer
Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).