A CMMC Assessment Team is evaluating an OSC's implementation of RA.L2-3.11.1 - Risk Assessments.
Upon examining the OSC's Risk Assessment policy, the team learns that the OSC has specified frequencies for assessing risks to organizational operations, assets, and personnel. The results and reviews of risk assessments indicated that assessments are conducted at these defined frequencies.
For the OSC's risk assessment to be accurate, it must consider all of the following except which factor?
A. Threats to organizational assets, operations, and personnel that arise from the operation and use of organizational systemsDuring a CMMC assessment, the Lead Assessor requests evidence from the OSC to support their claim that several access control and authentication practices are inherited from their enterprise-level Identity and Access Management (IAM) system. The OSC claims that their parent company manages the IAM system.
Which of the following types of evidence would be the most appropriate for the OSC to demonstrate these inherited practices?
A. Documented policies, procedures, and system configurations from the enterprise IAM system, showing how the assessment objectives for the inherited practices are met.A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. The assessor already determined the assessment scope and systems included. In addition, the assessor requests:
1. Results of the most recent OSC self-assessment or any pre-assessments by an RPO
2. The System Security Plan (SSP), and
3. A list of all OSC staff who play a role in in-scope procedures.
Based on this information, which item would the assessor MOST LIKELY request when preparing to conduct a Level 2 Assessment?
A. A list of objectivesAn OSC plans to bid for a DoD contract to supply laser welding services to repair a fleet of unmanned aerial vehicles (UAVs). This requires them to be CMMC Level 2 certified since the information they will receive from the DoD is Controlled Technical Information (CTI). However,their repair and welding services require a Computer Numerical Control (CNC) machine to fabricate some crucial parts. Since the welding is mainly automated using robots, the OSC has intelligently integrated its SCADA system with Programmable Logic Controllers (PLCs) for increased accuracy, improved safety and efficiency, and enhanced flexibility.
As the Lead Assessor for the C3PAO Assessment Team validating the OSC's CMMC assessment scope, you expect the OSC to handle the SCADA system, PLCs, and CNC machines in all the following ways EXCEPT?
A. Categorize them as CUI assets.A company employs an encrypted VPN to enhance confidentiality over remote connections. The CCA reads a document describing the VPN. It states the VPN allows automated monitoring and control of remote access sessions, helps detect cyberattacks, and supports auditing of remote access to ensure compliance with CMMC requirements.
What document is the CCA MOST LIKELY reviewing to see how these VPNs are controlled and monitored?
A. Access Control PolicyCMMC practice SC.L2-3.13.6 assessment objectives [a] and [b] require contractors' systems to deny network communications traffic by default [a] and allow network communications traffic by exception [b] respectively. As a CCA, you assess whether an OSC has segmented its network into different zones. The OSC has implemented Access Control Lists (ACLs) on its network devices to permit or deny traffic based on source and destination IP addresses and ports. Additionally, the OSC uses a Fortinet Next-Generation Firewall (NGFW). To monitor their computing environment, theOSC uses a state-of-the-art SIEM.
Which of the following assessment methods is NOT a method you would use to assess whether the OSC has met assessment objectives [a] and [b]?
A. Examine the ACL configurations on the network devicesWhile examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted.
Which of the following is a potential assessment method for AU.L2- 3.3.1 - System Auditing?
A. Examine procedures addressing audit record generationAn organization's password policy includes these requirements:
1. Passwords must be at least 8 characters in length.
2. Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.
3. Passwords must be changed at least every 90 days.
4. When a password is changed, none of the previous 3 passwords can be reused.
Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?
A. It does not require MFA.You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. During the assessment, you find that the OSC has failed to meet the requirements for CMMC practice AU.L2-3.3.4 - Audit Failure Alerting.
According to the CMMC Assessment Process (CAP), which of the following should be your next step?
A. Immediately stop the assessment and report the failure to the C3PAO.After being selected for a C3PAO Assessment Team, you have been chosen as the Lead Assessor for an upcoming project involving an OSC that produces aircraft parts. Your C3PAO has assigned you various responsibilities.
Which of the following is not your responsibility as a Lead Assessor?
A. Validating site access and communicating visitation policies with the Assessment Team.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Cyber AB exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CMMC-CCA exam preparations and Cyber AB certification application, do not hesitate to visit our Vcedump.com to find your solutions here.