CMMC-CCA Exam Details

  • Exam Code: CMMC-CCA
  • Exam Name: Certified CMMC Assessor (CCA)
  • Certification: Cyber AB Certifications
  • Vendor: Cyber AB
  • Total Questions: 378 Q&As
  • Last Updated: May 30, 2026

Cyber AB CMMC-CCA Online Questions & Answers

  • Question 151:

    You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, you find that the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 – Audit Management?

    A. Partially Met - The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined
    B. Met - The contractor has defined privileged user roles for audit management
    C. Not Applicable - The practice is not relevant to the contractor's environment
    D. Not Met - The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users

  • Question 152:

    CMMC practice SC.L2-3.13.6 assessment objectives [a] and [b] require contractors' systems to deny network communications traffic by default [a] and allow network communications traffic by exception [b], respectively. As a CCA, you assess whether an OSC has segmented its network into different zones. The OSC has implemented Access Control Lists (ACLs) on its network devices to permit or deny traffic based on source and destination IP addresses and ports. Additionally, the OSC uses a Fortinet Next-Generation Firewall (NGFW). To monitor their computing environment, the OSC uses a state-of-the-art SIEM. Which of the following assessment methods is NOT a method you would use to assess whether the OSC has met assessment objectives [a] and [b]?

    A. Examine the ACL configurations on the network devices
    B. Observe the SIEM monitoring and logging capabilities
    C. Interview the system administrators about the organization's network segmentation strategy
    D. Analyze the firewall rules and policy settings on the NGFW

  • Question 153:

    When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. Why is it critical to implement practice AC.L2-3.1.6 – Non-Privileged Account Use?

    A. Enables easier auditing and logging of privileged activities
    B. Mitigates the consequences of a security breach by safeguarding against data loss
    C. Prevents unauthorized modification of security functions
    D. Reduces exposure to threats that might exploit the misuse of privileges

  • Question 154:

    As the Lead Assessor for an OSC, John admires their advanced security solutions during the assessment. However, his admiration distracts him from the assessment's focus. Instead, he engages in conversation about the OSC's robust security, becoming swayed by their capabilities. Consequently, John becomes hesitant to identify deficiencies or noncompliances, displaying a positive bias toward the OSC. What is the impact of this positive bias on the CMMC assessment of the OSC?

    A. It is not a concern in CMMC assessments
    B. It may lead to a more thorough and rigorous evaluation of the OSC
    C. It has no effect on the assessment process and outcomes
    D. It can result in a more lenient and inaccurate assessment of the OSC

  • Question 155:

    Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2 – Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. Interviewing the organization's data custodian, you are informed that a media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2 – Media Access, which of the following actions would be the highest priority recommendation for the contractor?

    A. Conduct additional training for employees on handling CUI materials
    B. Develop and implement a process for timely disabling or revoking access to CUI upon employee termination
    C. Implement a system for logging and monitoring all access attempts to CUI resources
    D. Invest in more sophisticated access control technology for their systems

  • Question 156:

    During the initial assessment framing discussions, the OSC POC attempts to sign off on the agreed-upon terms and scope of the assessment, asserting that they have the authority to enter into a legally binding contract with the C3PAO. Which of the following must the C3PAO ascertain before the OSC POC signs off on the agreed terms and scope of the assessment?

    A. That the C3PAO has provided the POC with all necessary training to make binding decisions.
    B. That the POC has decision-making authority within the company and can bind the OSC in agreements with the C3PAO.
    C. That the POC has met the DoD Cyber Workforce Requirements.
    D. That the POC has personally reviewed and approved all the assessment terms and scope details.

  • Question 157:

    During a CMMC Level 2 assessment, the OSC's Assessment Official asks the Lead Assessor if they can provide a list of recommended vendors to improve their security practices after the assessment. What should the Lead Assessor do?

    A. Provide the list after the assessment is complete to assist the OSC.
    B. Politely refuse, explaining that the C3PAO cannot offer consulting or vendor recommendations per the CoPC.
    C. Offer to provide general guidance on vendor selection without specific recommendations.
    D. Agree to provide the list but only after approval from the Cyber AB.

  • Question 158:

    In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?

    A. Interview personnel responsible for cryptographic protection to determine if FIPS-validated cryptography is used elsewhere in the organization
    B. Test the encryption mechanism by attempting to decrypt the encrypted data without the proper keys
    C. Recommend that the OSC switch to a different, approved algorithm
    D. Accept the OSC's implementation as compliant, given that they are using a strong encryption algorithm

  • Question 159:

    Assessing a DoD contractor, you observe they have implemented physical security measures to protect the facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored, and from meeting rooms where executives discuss CUI and other sensitive matters, are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables hanging from the walls. To pass through a door, personnel must swipe their access cards; however, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, the closets aren't locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 – Monitor Facility?

    A. Video surveillance monitoring at entry/exit points
    B. Unlocked wiring closets
    C. Network cables hanging from the walls
    D. Damaged cable conduits

  • Question 160:

    You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. Which of the following components of the contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3 – Control CUI Flow?

    A. Azure cloud storage
    B. The corporate firewall and ExpressRoute connections
    C. The VPN and on-premises servers/file shares
    D. Employees' homes

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cyber AB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CMMC-CCA exam preparation and Cyber AB certification application, do not hesitate to visit Vcedump.com to find your solutions here.