Cyber AB CMMC-CCA Exam Practice Test Instant Access

Question 1

After the OSC and the Assessment Team scheduled the initial meeting, they agreed that the initial discussions would be held in the OSC's facilities. Walking into the conference room, the Lead Assessor notices multiple laptops and printers tagged ''U.S. Government Owned.'' How should the OSC have categorized these assets in their proposed assessment scope?

AGovernment Property

BGovernment Furnished Equipment (GFE)

CSpecialized Assets

DCUI Assets

Answer : C

Comprehensive and Detailed

The CMMC Assessment Scope - Level 2 categorizes government-owned assets, such as laptops and printers tagged ''U.S. Government Owned,'' as Specialized Assets. These include operational technology, IoT devices, and government-furnished equipment (GFE) or property (GFP) used in contract performance. While ''GFE'' (Option B) is a common term, the CMMC framework uses ''Specialized Assets'' as the formal category for assessment scoping. These assets must be documented in the SSP and Asset Inventory but are not assessed against all 110 practices unless they process CUI (not indicated here). Option A is too vague, and Option D applies only to assets directly handling CUI.

CMMC Assessment Scope - Level 2, Section 2.3.4 (Specialized Assets), p. 6: 'Government-owned property is categorized as Specialized Assets.'

Question 2

An OSC is undergoing a CMMC assessment by a C3PAO. The assessment team has been on-site for several days, reviewing the OSC's systems, policies, and procedures against the CMMC requirements. Each day, the assessment team holds a "daily checkpoint" meeting with the OSC's security team and representatives. This checkpoint serves an important purpose in the overall assessment process. What is the significance of the Daily Checkpoint meeting in the CMMC assessment process?

AIt allows the Lead Assessor to finalize the assessment findings independently.

BIt is optional and not necessary for the assessment process.

CIt is solely for updating the OSC on the assessment progress.

DIt provides an opportunity for the Assessment Team to review and verify additional evidence.

Answer : D

Comprehensive and Detailed in Depth

The CAP mandates Daily Checkpoint meetings to review additional evidence and ensure assessment progress, not to finalize findings (Option A), as optional (Option B), or solely for updates (Option C). Option D reflects its core purpose.

Extract from Official Document (CAP v1.0):

Section 2.3 -- Daily Checkpoint Meetings (pg. 27):'The Daily Checkpoint meeting provides an opportunity to review and verify additional evidence presented by the OSC.'

CMMC Assessment Process (CAP) v1.0, Section 2.3.

Question 3

During a CMMC Level 2 assessment, the Assessment Team discovers that the OSC has implemented a practice using a tool that is not listed in their System Security Plan (SSP). The tool appears to meet the assessment objectives for the practice, but its absence from the SSP raises concerns about documentation accuracy. How should the Lead Assessor proceed?

AAccept the tool's use as evidence of compliance and proceed without further action, as it meets the objectives.

BRequest the OSC to update the SSP to include the tool and provide the revised document before continuing the assessment.

CDocument the discrepancy as an evidence gap and assess the practice based on the tool's effectiveness, continuing the assessment.

DMark the practice as 'NOT MET' due to the inaccurate SSP, regardless of the tool'seffectiveness.

Answer : C

Comprehensive and Detailed in Depth

The CAP instructs documenting discrepancies as evidence gaps and assessing based on available evidence (Option C). Option A ignores documentation issues, Option B delays unnecessarily, and Option D is premature without full assessment.

Extract from Official Document (CAP v1.0):

Section 2.2 -- Conduct Assessment (pg. 25):'Incomplete or inaccurate documents should be recorded as evidence gaps, with the practice assessed based on available evidence.'

CMMC Assessment Process (CAP) v1.0, Section 2.2.

Question 4

You are a CCA who is part of an Assessment Team conducting a CMMC assessment on an aerospace company. While analyzing their network architecture, you realize that it includes a Demilitarized Zone (DMZ) to host their public-facing web servers. What is the primary purpose of a DMZ in a network architecture?

ATo physically isolate the organization's internal network from the internet

BTo provide physical security for the organization's public-facing web servers

CTo allow unrestricted access between the internal network and the internet

DTo logically isolate the organization's public-facing web servers from the internal network

Answer : D

Comprehensive and Detailed in Depth

A Demilitarized Zone (DMZ) is a standard network security construct used to enhance the protection of an organization's internal network. Per NIST SP 800-171 and CMMC Level 2 guidelines (e.g., SC.L2-3.13.6), a DMZ logically separates public-facing services, such as web servers, from the internal network containing sensitive data like CUI. This logical isolation is achieved through firewalls, access control lists (ACLs), or routing configurations, not physical separation, reducing the risk of external threats penetrating the internal network.

Option A (physical isolation) misrepresents the DMZ's logical nature. Option B (physical security) pertains to facility controls, not network architecture. Option C (unrestricted access) contradicts the DMZ's purpose of controlled access. Option D correctly identifies the DMZ's role in logical isolation, making it the correct answer.

Reference Extract:

NIST SP 800-171, 3.13.6:''Deny network communications traffic by default and allow by exception... achieved through logical segmentation like a DMZ.''

CMMC AG Level 2, SC.L2-3.13.6:''A DMZ isolates public-facing services from internal networks logically.''Resources:https://csrc.nist.gov/pubs/sp/800/171/a/final;https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 5

When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 -- Security Control Assessment?

A-5

B-3

C-1

Answer : A

Comprehensive and Detailed In-Depth Explanatio n:

CA.L2-3.12.1 requires 'periodically assessing security controls to determine effectiveness.' The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective. Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.

Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: 'Assess controls at defined frequency.'

DoD Scoring Methodology: '5-point practice: Met = +5, Not Met = -5.'

Resources:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 6

An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

ANo, the 180-day window has closed.

BNo, the OSC must wait for the next assessment cycle.

CYes, as long as all corrective actions are verified.

DYes, but the OSC must re-perform the entire CMMC L2 assessment.

Answer : C

Comprehensive and Detailed in Depth

The CAP's 180-day window is a guideline for scheduling, not a strict deadline barring closeout if submitted within reason (170 days here). Option A and B misinterpret this flexibility. Option D (full reassessment) is unnecessary if corrections are verified. Option C is correct.

Extract from Official Document (CAP v1.0):

Section 3.4 -- POA&M Closeout (pg. 35):'Within 180 days from the Final Findings Briefing, conduct a POA&M Closeout Assessment to verify corrective actions, focusing on successful implementation.'

CMMC Assessment Process (CAP) v1.0, Section 3.4.

Question 7

An aerospace company bids on a DoD contract that requires CMMC Level 2 compliance. The company has multiple divisions, but only the Manufacturing Division will work on the project. The Manufacturing Division has its own IT infrastructure and security policies, but it relies on the company's centralized IT department for some administrative tasks. Which of the following is the Host Unit in this scenario?

AThe Manufacturing Division

BThe office environment

CThe entire aerospace company

DThe company's centralized IT department

Answer : A

Comprehensive and Detailed

The CMMC Assessment Scope - Level 2 defines the Host Unit as the specific organizational unit (people, processes, technology) directly tied to the DoD contract and subject to the CMMC assessment. Here, the Manufacturing Division performs the contract work and has its own IT infrastructure, making it the Host Unit (OSC). The centralized IT department is a Supporting Organization, not the Host Unit, as it provides ancillary services. Option C is too broad, and Option B is vague and incorrect. A is correct per the scoping guide.

CMMC Assessment Scope - Level 2, Section 2.1 (Host Unit Definition), p. 3: 'The Host Unit is the unit performing the contract work.'

Cyber AB Certified CMMC Assessor (CCA) CMMC-CCA Exam Practice Test