Exam CMMC-CCA Topic 2 Question 128 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 128
Topic #: 2
An organization has contracted with a third party for system maintenance and support. The third-party personnel all work remotely. Which of the following should an assessor assure is in place?

Suggested Answer: D Vote an answer

CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.
Exact Extracts:
* MA.L2-3.7.5: "Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity."
* Assessment Guide clarifies: "Assessors should confirm remote maintenance sessions are automatically terminated using technical means."
* NIST SP 800-171A Objective: "Test maintenance session termination after a set time of inactivity or completion of task." Why other options are not correct:
* A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.
* B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.
* C: Limiting the number of personnel is not mandated by CMMC.
References:
CMMC Assessment Guide - Level 2, Version 2.13: MA.L2-3.7.5 (pp. 147-149).
NIST SP 800-171A: Maintenance domain assessment procedures.

by Tina at Feb 11, 2026, 08:26 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10