Exam CMMC-CCA Topic 4 Question 133 Discussion
Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 133
Topic #: 4
Question #: 133
Topic #: 4
A midsized professional services organization that frequently contracts with government entities is undergoing a CMMC Level 2 assessment. The CCA interviews IT leadership about their audit logging capabilities and determines that a third-party vendor is responsible for correlating and reviewing audit logs.
During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?
During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?
Suggested Answer: C Vote an answer
CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.
Exact Extracts (official CMMC Assessor/Study documents):
* AU.L2-3.3.7: "Review and update logged events, as well as the audit log, at least weekly."
* AU.L2-3.3.6: "Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings."
* CMMC Level 2 Assessment Guide emphasizes: "Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function."
* NIST SP 800-171A states: "The frequency of review must be sufficient to detect anomalies in a timely manner... at least weekly is required." Why other options are not correct:
* A: Report generation capability is not the compliance issue; frequency of review is.
* B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.
* D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.
References (official CCA/CMMC documents):
* CMMC Assessment Guide - Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56-
60).
* NIST SP 800-171A, Audit and Accountability objectives.
Exact Extracts (official CMMC Assessor/Study documents):
* AU.L2-3.3.7: "Review and update logged events, as well as the audit log, at least weekly."
* AU.L2-3.3.6: "Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings."
* CMMC Level 2 Assessment Guide emphasizes: "Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function."
* NIST SP 800-171A states: "The frequency of review must be sufficient to detect anomalies in a timely manner... at least weekly is required." Why other options are not correct:
* A: Report generation capability is not the compliance issue; frequency of review is.
* B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.
* D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.
References (official CCA/CMMC documents):
* CMMC Assessment Guide - Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56-
60).
* NIST SP 800-171A, Audit and Accountability objectives.
by cmmcguy2 at May 07, 2026, 11:28 AM
0
0
0
10
Comments
cmmcguy2
2026-05-07 11:28:29Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).