Pass4Future also provides interactive practice exam software for preparing for the Cyber AB Certified CMMC Assessor (CCA) (CMMC-CCA) exam effectively. You are welcome to explore the free sample Cyber AB CMMC-CCA exam questions below and to try the Cyber AB CMMC-CCA exam practice test software.
When validating an OSC's proposed CMMC assessment scope, the Assessment Team finds that the OSC has properly categorized its assets. The OSC has contracted an External Service Provider (ESP) for various cybersecurity functions. The ESP has deployed FortiSIEM and Splunk for real-time security monitoring, threat intelligence, application monitoring, log management, and reporting. They also deployed Microsoft Intune and configured app protection policies blocking proscribed apps and those suspected of data exfiltration. What type of asset is the ESP?
Answer : B
Comprehensive and Detailed In-Depth Explanation:
The ESP provides cybersecurity services (e.g., monitoring via FortiSIEM and Splunk, app protection via Intune) that safeguard the OSC's CUI environment. The CMMC Assessment Scope - Level 2 explicitly classifies ESPs providing security functions as Security Protection Assets (SPAs), as they contribute to the security posture regardless of direct CUI handling. Pages 3--4 of the scoping guide confirm this categorization. Option A applies to assets not intended to handle CUI, Option C contradicts the ESP's in-scope role, and Option D requires direct CUI processing, which is not specified. B is correct.
CMMC Assessment Scope - Level 2, Section 2.3.3 (SPAs), p. 6: 'ESPs providing security functions are SPAs.'
CMMC MA.L2-3.7.6 -- Maintenance Personnel requires that maintenance personnel without required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities. Which of the following elements should be excluded from the documented procedure?
Answer : A
Comprehensive and Detailed In-Depth Explanation:
MA.L2-3.7.6 requires 'supervising maintenance personnel without access authorization.' Procedures should focus on supervision logistics: steps for personnel (B), IT contact (C), and supervisor monitoring (D). A list of CUI assets (A) is unnecessary and impractical, as it may vary per task and isn't required for supervision, per the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.6: 'Include supervision steps, not asset lists.'
NIST SP 800-171A, 3.7.6: 'Examine supervision procedures.'
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, and others not. Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?
Answer : D
Comprehensive and Detailed In-Depth Explanation:
The CMMC Assessment Guide Level 2 mandates network diagrams, SSP, and asset inventories (implied in preliminary evidence) to define scope. System design documentation (Option D) is useful but not required for initial scoping, per CAP and Level 2 guidance. Options A, B, and C are essential, making Option D the correct answer.
Reference Extract:
CMMC AG Level 2, Section 1.3: 'Required scoping documents include SSP, network diagrams, and asset inventories; system design is optional.'
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
As a CCA, you are conducting an assessment of an OSC's implementation of AC.L2-3.1.7 -- Privileged Functions. This requirement mandates that the organization prevent non-privileged users from executing privileged functions and capture the execution of such tasks in audit logs. During your assessment, you want to determine whether the OSC has properly defined privileged functions, as assessment objective [a] requires. Which Assessment Objects would you most likely examine to make this determination?
Answer : C
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.7[a] requires defining privileged functions, per NIST SP 800-171A. The OSC's Privacy and Security policies outline what constitutes privileged functions, while System Design documentation specifies their implementation, making Option C the primary Assessment Objects. Option A (interviews) supports but isn't definitive. Options B and D (notifications) relate to user awareness, not definition. Option C aligns with NIST SP 800-171A's examine method, making it the correct answer.
Reference Extract:
NIST SP 800-171A, AC-3.1.7[a]: 'Examine security policies and system design documentation to determine if privileged functions are defined.'
Resources:
https://csrc.nist.gov/pubs/sp/800/171/a/final
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 -- Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 -- System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 -- Authoritative Time Source?
Answer : B
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.7 requires organizations to 'synchronize system clocks with an authoritative time source' to ensure consistent timestamps for audit records. The contractor has an NTP server, but the 30-second synchronization threshold on new systems leads to inconsistent timestamps, failing the practice's intent. Per the DoD Assessment Scoring Methodology, AU.L2-3.3.7 is a 1-point practice. If not fully met, it scores -1 (Not Met). The partial implementation (NTP server exists but not effectively applied) doesn't qualify as Met, so no positive points are awarded. The CMMC guide stresses uniformity in timestamps, which this configuration undermines.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.7: 'Synchronize clocks to ensure uniformity of timestamps for audit records.'
DoD Scoring Methodology: '1-point practice: Met = +1, Not Met = -1.'
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
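The AU.L2-3.3.7 scenario above turns on a concrete check an assessor can script: trigger one known event at a known instant, collect the resulting audit records from every host, and compare each host's logged timestamp with the reference time. The following is an added example, not material from the page or from any CMMC guide; the log lines, host names, reference time and 5-second tolerance are all constructed assumptions (the practice itself does not fix a numeric tolerance). The last function shows why a client that only steps its clock when the offset exceeds 30 seconds never corrects a smaller, still audit-breaking, skew.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the page): the same assessor-triggered test
# event, fired at one known instant (REFERENCE_TIME), as recorded in the audit
# logs of four hosts. The "legacy" hosts track the NTP server; the "new" hosts
# have drifted but stay under the 30-second step threshold described above.
REFERENCE_TIME = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_LOGS = """\
2024-03-01T12:00:00Z host=fs-legacy-01 event=assessor_test user=cca.test
2024-03-01T12:00:01Z host=fs-legacy-02 event=assessor_test user=cca.test
2024-03-01T12:00:24Z host=app-new-01 event=assessor_test user=cca.test
2024-03-01T11:59:42Z host=app-new-02 event=assessor_test user=cca.test
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+"
    r"host=(?P<host>\S+)\s+event=(?P<event>\S+)"
)


def parse_log(text, event="assessor_test"):
    """Return {host: logged UTC timestamp} for lines recording the given event.

    Lines that do not match the expected layout, or record another event,
    are ignored rather than raising, so a noisy export can be fed in whole.
    """
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != event:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records[m["host"]] = ts.replace(tzinfo=timezone.utc)
    return records


def clock_skews(records, reference):
    """Signed skew in seconds (logged time minus reference time) per host."""
    return {host: (ts - reference).total_seconds() for host, ts in records.items()}


def evaluate(records, reference, tolerance_s):
    """Return (all_hosts_within_tolerance, {host: skew}) for hosts outside it.

    tolerance_s is an assumed, assessor-chosen bound on acceptable skew.
    """
    offenders = {
        host: skew
        for host, skew in clock_skews(records, reference).items()
        if abs(skew) > tolerance_s
    }
    return (not offenders, offenders)


def would_self_correct(skew_s, sync_threshold_s):
    """True only if a client that steps its clock solely when the offset exceeds
    sync_threshold_s would ever correct this skew; anything smaller persists."""
    return abs(skew_s) > sync_threshold_s


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOGS)
    met, bad = evaluate(recs, REFERENCE_TIME, tolerance_s=5)
    print("timestamps consistent across hosts:", met)
    for host, skew in bad.items():
        fixed = would_self_correct(skew, sync_threshold_s=30)
        print(f"{host}: {skew:+.0f}s skew; corrected by a 30s sync threshold? {fixed}")
```

Running it reports the two new hosts as out of tolerance and shows that neither skew would ever be corrected under the 30-second threshold, which is the evidence an assessor would cite when recording the practice as Not Met.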