Cyber AB CMMC-CCA Exam Questions Instant Access

Question 1

The OSC has not implemented cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, citing the use of alternative physical safeguards.

Which of the following is NOT an alternative physical safeguard in this scenario?

ATrusted couriers

BLockable casings

CPhysical access site monitoring

DTamper protections technologies

Answer : D

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport. ''Tamper protection technologies'' are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

''Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.''

Thus, D is NOT an acceptable safeguard.

Question 2

A cloud-native OSC uses a vendor's FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor's locally installable applications. The OSC properly configured the vendor's cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC's SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use.

How should the Certified Assessor score this practice?

ANOT MET because logs from physical infrastructure are not captured by the SIEM.

BNOT MET because locally installable applications from a cloud-native environment are not allowed.

CMET because being cloud-native is a great way to contain risk to a vendor's environment.

DMET because the cloud SIEM is configured to monitor all of the vendor's cloud environment.

Answer : D

SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider's SIEM to monitor their entire cloud environment where CUI is processed.

Extract:

''Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented.''

Thus, the practice is MET because the SIEM covers the cloud environment.

Question 3

While examining evidence, a CCA is trying to confirm the claim that the OSC has identified all information system users, processes acting on behalf of users, and all devices.

Which of the following provides the STRONGEST evidence of this practice?

ALists of system accounts and devices and system audit logs and records

BSystem design documentation and other relevant documents or records

CProcedures addressing user and system identification and authentication and SSP

DIdentification and authentication policy and system configuration settings and associated documentation

Answer : A

For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.

Extract:

''Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated.''

Question 4

A company has multiple sites with employees at each site that must access the company's CUI network from their remote locations. The company has set up a single access point for all employees to access the network. What is the MOST significant factor in determining whether the security on this single access point is adequate?

ARemote access is secured and monitored.

BPhysical access is monitored and controlled.

CThe security requirements for CUI and FCI are documented.

DThe remote personnel have notification procedures regarding connection issues.

Answer : A

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 --- ''Monitor and control remote access sessions'' and ''Route remote access through managed access control points.''

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

Reference (CCA Official Sources):

NIST SP 800-171 Rev. 2 --- AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A --- Remote Access Assessment Objectives

CMMC Assessment Guide -- Level 2, Remote Access Guidance

Question 5

An Assessor is examining documents provided by the OSC POC. While reviewing them, the Assessor notes that several of the procedures have very current dates while the bulk do not. What should the Assessor do in order to decide if these new documents are acceptable as evidence?

AEnsure the documents were approved by a senior-level manager.

BDetermine the outlined reasonableness of the procedures.

CDetermine if the people involved in writing the procedures are on the list of those who can be interviewed.

DSet up an observation session to determine if the procedures are in use and people are knowledgeable of their deployment and use.

Answer : D

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of ''reasonableness'' is not an approved assessment method.

C: Identifying authors does not validate implementation.

Reference (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 --- Evidence Collection and Triangulation

CMMC Assessment Guide -- Level 2, Section on Evidence Requirements

NIST SP 800-171A --- Assessment Methods: examine, interview, observe

Question 6

The OSC's network consists of a single network switch that connects all devices. This includes the OSC's OT equipment, which processes CUI. The OT controller requires an unsupported operating system.

What can the Lead Assessor BEST conclude about the overall compliance with MA.L2-3.7.1: Perform Maintenance?

AIt is MET only if every asset that is not a Specialized Asset is maintained.

BIt is MET only if the environments are demarcated on the baseline diagram.

CIt is NOT MET because industrial equipment should not be processing CUI.

DIt is NOT MET because the OSC has not managed the risk of a CUI system being outdated.

Answer : D

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

''Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.''

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

Question 7

A company describes its organization as having two systems. One system, System Org, covers the entire organization and allows instant messaging, email, and Internet activity. The other system, System CUI, is used for processing, storing, and transmitting CUI dat

a. System CUI interfaces with System Org through security mechanisms and a firewall.

The CMMC Assessment is being done on System CUI only.

What is the BEST way to describe System CUI?

ACUI Assets

BIn-Scope Assets

COut-of-Scope Assets

DCUI Assets and Security Protection Assets

Answer : A

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

''CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.''

Thus, the best classification for System CUI is CUI Assets.

Cyber AB Certified CMMC Assessor (CCA) CMMC-CCA Exam Questions