A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix. Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 -- Vulnerability Remediation?
Correct : B
Comprehensive and Detailed In-Depth Explanation:
RA.L2-3.11.3 requires 'remediating vulnerabilities in accordance with risk assessments.' If remediation isn't feasible, the practice allows risk acceptance with documentation and ongoing monitoring, balancing operational needs and security. Ignoring the vulnerability (C) violates the practice, while third-party help (A) or compensating controls (D) may not be immediately practical. The CMMC guide supports risk-based decisions with proper documentation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: 'Document risk acceptance and monitor unremediated vulnerabilities.'
NIST SP 800-171A, 3.11.3: 'Examine risk acceptance rationale and monitoring plans.'
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to complete specific documents. The CAP also provides templates, some of which the Assessor must use and complete during specific phases. A CCA must complete all the following documents in Phase 1 of the CAP, EXCEPT?
Correct : A
Comprehensive and Detailed In-Depth Explanation:
The Quality Review Checklist (Option A) is a Phase 3 document, not a Phase 1 document, whereas Options B, C, and D are all completed in Phase 1.
Extract from Official Document (CAP v1.0):
Section 1.6 -- Prepare for Assessment (pg. 18): 'Phase 1 requires completion of the CA-RR Checklist, Virtual Evidence Template, and Pre-Assessment Form.'
CMMC Assessment Process (CAP) v1.0, Section 1.6.
An OSC's network diagram shows a separate network segment (192.168.50.0/24) designated for its engineering department. This segment restricts access to specific engineering resources. While the servers are physically located in a shared data center, the network configuration isolates them logically. Through which of the following does the network segmentation create isolation for the engineering department's resources?
Correct : A
Comprehensive and Detailed In-Depth Explanation:
Network segmentation, as described in NIST SP 800-171 (SC-3.13.6) and CMMC Level 2, isolates resources logically using configurations like subnets (e.g., 192.168.50.0/24), firewalls, or ACLs, not physical means. This protects engineering resources containing CUI by restricting access, despite their physical location in a shared data center. Option B (physical barriers) applies to facility security, not network isolation. Option C (encryption at rest) protects data, not network access. Option D (security badges) is irrelevant to network segmentation. Option A is the correct answer per CMMC guidelines.
Reference Extract:
NIST SP 800-171, 3.13.6: 'Deny traffic by default and allow by exception through logical segmentation.'
CMMC AG Level 2, SC.L2-3.13.6: 'Logical separation via network configuration isolates sensitive resources.'
Resources:
https://csrc.nist.gov/pubs/sp/800/171/a/final
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored and meeting rooms where executives meet to discuss things that have to do with CUI and other sensitive matters are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 -- Monitor Facility?
Correct : A
Comprehensive and Detailed In-Depth Explanation:
PE.L2-3.10.2 requires 'protecting and monitoring the physical facility and support infrastructure.' Video surveillance at entry/exit points (A) is a strength, not a concern, because it fulfills the monitoring requirement. Unlocked wiring closets (B), exposed network cables (C), and damaged conduits (D) are vulnerabilities that risk tampering with, or unauthorized access to, the infrastructure supporting CUI systems, per the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.2: 'Monitor facility with cameras; protect infrastructure from tampering.'
NIST SP 800-171A, 3.10.2: 'Examine monitoring and protection of physical assets.'
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
When discussing the OSC's proposed assessment scope, the Lead Assessor learned that some laptops and workstations share a network with CUI assets, but their users do not work with CUI. These assets do not store CUI or run applications that process CUI. Reviewing the OSC's SSP, the implemented risk-based security policies, procedures, and practices raised questions and were found to be deficient. What can the Lead Assessor do in this scenario?
Correct : C
Comprehensive and Detailed In-Depth Explanation:
These laptops and workstations are Contractor Risk Managed Assets (CRMAs): they are capable of handling CUI but are not intended to, because of the OSC's risk-based policies. The CMMC Assessment Scope - Level 2 allows limited spot checks of CRMAs when SSP deficiencies raise concerns, so risks can be identified without significantly expanding the assessment's scope. Option A delays action, Option B shifts responsibility prematurely, and Option D ignores the deficiencies. C is correct.
CMMC Assessment Scope - Level 2, Section 2.3.2 (CRMAs), p. 5: 'Limited spot checks may be conducted for CRMAs if deficiencies are noted.'