Cyber AB CMMC-CCA Exam Practice Test Instant Access

Question 1

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4 -- Audit Failure Alerting, which of the following would be a key consideration regarding theevidence provided by the contractor?

AEnsuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted

BVerifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios

CDetermining if the documented personnel roles for alert notification align with the organization's hierarchy

DChecking if the alert notification process integrates with third-party monitoring services

Answer : B

Comprehensive and Detailed In-Depth Explanatio n:

AU.L2-3.3.4 requires 'alerting personnel when audit logging fails.' A 24-hour delay is concerning for timeliness, but the key evidence consideration is whether defined failure types (B) are comprehensive (e.g., software, hardware, capacity issues), ensuring effective detection. Notification security (A), role alignment (C), and third-party integration (D) are secondary, per CMMC focus on failure coverage.

Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.4: 'Verify that defined failure types cover a comprehensive range.'

NIST SP 800-171A, 3.3.4: 'Examine failure scenarios for completeness.'

Resources:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 2

In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256)to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current status with FIPS?

ANIST CMVP

BFedRAMP Marketplace

CNIST CSRC

DFIPS 140-2 documentation

Answer : A

Comprehensive and Detailed In-Depth Explanatio n:

SC.L2-3.13.11 -- CUI Encryption requires 'FIPS-validated cryptography for CUI.' TheNIST Cryptographic Module Validation Program (CMVP)(A) provides current validation status for modules, per the CMMC guide. FedRAMP (B) is for cloud services, CSRC (C) is a general resource, and FIPS 140-2 docs (D) are static, not live statuses.

Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: 'Verify FIPS status via NIST CMVP.'

NIST SP 800-171A, 3.13.11: 'Refer to CMVP for validation.'

Resources:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 3

A CCA receives a notification from the Cyber AB that they are being investigated for a potential violation of the CoPC. They are concerned about the potential consequences and want to understand the process better. Who has the final authority to determine the corrective action taken against a CCA, if any?

AThe investigator assigned to the CCA's case.

BThe CMMC Accreditation Body (the Cyber AB).

CThe C3PAO.

DThe Lead Assessor.

Answer : B

Comprehensive and Detailed in Depth

The CoPC grants Cyber AB final authority over corrective actions, though Industry Working Groups may decide in some cases. Options A, C, and D lack this authority.

Extract from Official Document (CoPC):

Paragraph 4.1(4)(a) -- Violation Resolution (pg. 10):'The CMMC Accreditation Body has sole authority to determine corrective action.'

CMMC Code of Professional Conduct, Paragraph 4.1(4)(a).

Question 4

Steve is a Certified CMMC Assessor (CCA) who works for ACME Inc., which is both an RPO and a C3PAO. His aunt Mary works for ABC Holdings, and based on this connection, Steve convinces her boss to hire ACME Inc. to help prepare for a CMMC assessment. Steve leads the team and successfully completes the engagement with ABC Holdings. Six months later, Mary informs Steve that ABC Holdings is ready to perform its CMMC Level 2 assessment. Steve jumps at the opportunity and convinces his management at ACME Inc. to assign him as the lead CCA along with two other employees. Which of the following is true about Steve's involvement in ABC Holdings' CMMC assessment?

ASteve has a conflict of interest and should not be involved in officially assessing ABC Holdings.

BSteve can participate in the CMMC assessment for ABC Holdings if they were bound by an NDA during the initial engagement.

CSince enough time has passed, Steve can remain objective and impartial in the assessment.

DSteve can participate in the assessment if he did not directly implement any security controls during the preparatory engagement.

Answer : A

Comprehensive and Detailed in Depth

The CoPC prohibits CCAs from assessing an OSC they previously consulted for, due to objectivity risks, regardless of NDAs (Option B), time elapsed (Option C), or specific tasks (Option D). Steve's prior role with ABC Holdings creates a COI, making Option A correct.

Extract from Official Document (CoPC):

Paragraph 2.2 -- Objectivity (pg. 5):'Credentialed individuals shall not conduct a certified assessment if they have served as a consultant to prepare the organization for that assessment.'

CMMC Code of Professional Conduct, Paragraph 2.2.

Question 5

Certified CMMC Assessors must follow assessment procedures when conducting CMMC assessments. These procedures include a series of steps and tools that the CCA will use in the course of their duties. Which of the following is not part of an assessment procedure?

AAssessment Method

BAssessment Objects

CAssessment procedure depth and coverage

DAssessment Objective

Answer : C

Comprehensive and Detailed in Depth

The CMMC Assessment Process (CAP) and NIST SP 800-171A define assessment procedures asconsisting of Assessment Methods (examine, interview, test), Assessment Objects (e.g., policies, personnel), and Assessment Objectives (specific determinations). Depth and coverage (Option C) are attributes that guide the rigor of the assessment approach but are not components of the procedure itself. They influence how methods are applied, not the procedure's structure. Options A, B, and D are explicit parts of the procedure per NIST SP 800-171A, making Option C the correct answer as it is not a direct component.

Reference Extract:

NIST SP 800-171A, Introduction:''Assessment procedures include objectives, methods, and objects; depth and coverage are attributes applied to these.''

CMMC Assessment Process (CAP) v1.0, Section 4.1:''Procedures consist of methods, objects, and objectives.''Resources:https://csrc.nist.gov/pubs/sp/800/171/a/final;https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

Question 6

Risks are inherent in any organization. As a CCA working within an Assessment Team, you are assessing an OSC's implementation of RA practices. When evaluating RA.L2-3.11.3[b], you want to determine whether vulnerabilities are remediated in accordance with risk assessments. What Assessment Object would you likely examine to make this determination?

APatch and vulnerability management records

BVulnerability scanning tools and associated configuration documentation

CVulnerability scanning results

DSecurity Assessment Report

Answer : A

Comprehensive and Detailed in Depth

RA.L2-3.11.3[b] requires remediation aligned with risk assessments, per NIST SP 800-171A. Patch and vulnerability management records (Option A) document vulnerabilities, risk assessments, andremediation actions, making them the key Assessment Object. Option B (tools) and Option C (results) provide raw data, not remediation evidence. Option D (report) is broader and less specific. Option A is the correct answer.

Reference Extract:

NIST SP 800-171A, RA-3.11.3[b]:''Examine patch and vulnerability management records for remediation per risk assessments.''Resources:https://csrc.nist.gov/pubs/sp/800/171/a/final

Question 7

You are a CCA working with an OSC that outsources some of its IT operations to a third-party service provider. The service provider has access to the OSC's networks and systems that handle FCI and CUI. During the scoping process, you need to determine if the OSC should flow down CMMC requirements to this third-party service provider. In this scenario, when should the OSCflow down CMMC requirements to the third-party service provider?

AThe OSC should only flow down CMMC requirements if explicitly stated in the contract with the third-party service provider.

BThe OSC should flow down CMMC requirements to the third-party service provider since they have access to the FCI/CUI environment and can directly or indirectly influence it.

CThe OSC should never flow down CMMC requirements to third-party service providers.

DThe OSC should flow down CMMC requirements to the third-party service provider only if they handle CUI but not FCI.

Answer : B

Comprehensive and Detailed

The CMMC Assessment Scope - Level 2 requires that third-party service providers (e.g., ESPs) with access to FCI/CUI environments be subject to applicable CMMC requirements if they can influence security, directly or indirectly. This ensures the entire CUI protection chain is compliant. Option A limits flow-down to contract terms, which is insufficient per CMMC guidance. Option C contradicts the framework's inclusion of ESPs. Option D excludes FCI, which is incorrect as both FCI and CUI trigger requirements. B aligns with the scoping guide.

CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: 'ESPs influencing the FCI/CUI environment must meet CMMC requirements.'

Cyber AB Certified CMMC Assessor (CCA) CMMC-CCA Exam Practice Test