CMMC-CCA Exam Details

  • Exam Code: CMMC-CCA
  • Exam Name: Certified CMMC Assessor (CCA)
  • Certification: Cyber AB Certifications
  • Vendor: Cyber AB
  • Total Questions: 378 Q&As
  • Last Updated: May 30, 2026

Cyber AB CMMC-CCA Online Questions & Answers

  • Question 181:

    To transfer CUI between a government client and its internal systems, a defense contractor uses a Secure File-Sharing Application provided by the DoD. However, all data traversing this boundary must pass through a next-generation firewall (NGFW) managed by the contractor's Network Admin. All CUI is stored on a Solid State Drive (SSD) and accessed through a laptop. What type of asset is the Network Admin?

    A. Contractor Risk Managed Asset (CRMA)
    B. Security Protection Asset (SPA)
    C. Specialized Asset
    D. CUI Asset

  • Question 182:

    When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing every ten months to assess the posture of its security controls. The policy also states that every four months the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functions. You realize that, although it is documented in the policy, the contractor has not audited its security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 – Security Control Assessment?

    A. -5
    B. -3
    C. -1
    D. 5

  • Question 183:

    Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc. The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and is provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on its computer systems. The contractor has also deployed an endpoint protection solution, and every employee is searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives and SD cards. Based on the OSC's efforts, how would you score their implementation of CMMC practice MP.L2-3.8.7 – Removable Media?

    A. Not Applicable
    B. Met
    C. Partially Met
    D. Not Met

  • Question 184:

    During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team. If the decision is made to replan or reschedule the assessment, what is the C3PAO's required action, according to the CAP?

    A. Inform the OSC of the potential consequences of delaying the assessment.
    B. Offer consulting services to the OSC to address any cybersecurity gaps identified during planning.
    C. Submit a report to The Cyber AB outlining the reasons for the postponement.
    D. Agree with the OSC on a new assessment date and update the contract accordingly.

  • Question 185:

    You are part of the team conducting a CMMC assessment for an OSC. Because of the sensitive nature of the OSC's technologies, your team signed an NDA. However, you observe one of the Assessment Team members copying something from the OSC's computer systems. You know they don't have permission because the NDA states that the OSC POC will provide any required material. What should you do in this case?

    A. Inform the OSC of the incident.
    B. Allow them to copy the files.
    C. Approach the team member and remind them of their confidentiality obligations under the CoPC.
    D. Report the team member to the Cyber AB.

  • Question 186:

    You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?

    A. Defer the decision on non-duplication credit until the DoD publishes official non-duplication policies.
    B. Verify the validity and authenticity of the OSC's ISO 27001 certification against the requirements outlined in the CMMC Assessment Process (CAP) before considering granting any non-duplication credit.
    C. Inform the OSC that alternative cybersecurity certifications like ISO 27001 do not automatically bestow any status or credit towards CMMC certification.
    D. Grant the OSC credit towards their CMMC certification based on their ISO 27001 certification, as both standards cover similar cybersecurity requirements.

  • Question 187:

    During a CMMC assessment, the Lead Assessor requests evidence from the OSC to support their claim that several access control and authentication practices are inherited from their enterprise-level Identity and Access Management (IAM) system. The OSC claims that their parent company manages the IAM system. Which of the following types of evidence would be the most appropriate for the OSC to demonstrate these inherited practices?

    A. Documented policies, procedures, and system configurations from the enterprise IAM system, showing how the assessment objectives for the inherited practices are met.
    B. An attestation from a third-party auditor confirming that the parent company's IAM system is compliant with relevant security standards.
    C. Verbal confirmation from the OSC's IT manager that the enterprise IAM system handles access control and authentication.
    D. A self-assessment report from the OSC stating that the enterprise IAM system meets the inherited practices.

  • Question 188:

    As part of a C3PAO Assessment Team, you are reviewing an OSC's security practices and documentation. During your review, you notice that the OSC has presented the same evidence artifacts to support its implementation of several CMMC practices and objectives. Based on the scenario above and your understanding of the CMMC Assessment process, which of the following is true?

    A. The same evidence artifacts can be used for practices across multiple CMMC domains, but not for assessment objectives.
    B. Each CMMC domain or assessment objective requires a unique set of evidence artifacts.
    C. The same evidence artifacts can be used for practices across multiple CMMC domains or assessment objectives.
    D. A POA&M can be used in place of evidence.

  • Question 189:

    As a Lead Assessor, you are in contact with the OSC Assessment Official. The Assessment Official has submitted a document that outlines the scope of your assessment engagement. You expect to find all the following elements on the Assessment Scope document, EXCEPT?

    A. Assessment boundaries based on FCI/CUI locations and data flow
    B. Storage locations of physical information
    C. Name of the HQ organization CEO
    D. Identified networks/network enclave, enterprise, department, or service

  • Question 190:

    You are assessing a contractor's implementation of CMMC practice MA.L2-3.7.4 – Media Inspection by examining their maintenance records. You realize the maintenance logs identify a repeating problem. A recently installed central server has been experiencing issues affecting the performance of the contractor's information systems. This is confirmed by your interview with the contractor's IT team. You requested to investigate the server, and the IT team agreed. On the server, there is a file named conf.zip that gets your attention. You decide to open the file on an isolated computer for further review. To your surprise, the file is a .exe used when testing the server for data exfiltration. How should this incident be handled?

    A. By immediately reporting it to the FBI's Cyber Division
    B. Decommissioning the server and installing a new one
    C. In accordance with the incident response plan
    D. By sandboxing the malicious code and continuing with business as usual

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cyber AB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CMMC-CCA exam preparation and Cyber AB certification application, do not hesitate to visit Vcedump.com to find your solutions.