CMMC-CCA Exam Details

  • Exam Code: CMMC-CCA
  • Exam Name: Certified CMMC Assessor (CCA)
  • Certification: Cyber AB Certifications
  • Vendor: Cyber AB
  • Total Questions: 378 Q&As
  • Last Updated: May 30, 2026

Cyber AB CMMC-CCA Online Questions & Answers

  • Question 211:

    During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9, Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9, Connections Termination, for the remote access application?

    A. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period
    B. Encrypting all traffic between the user device and the server to protect CUI in transit
    C. Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server
    D. Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses

  • Question 212:

    In assessing the security boundaries, you determine that an OSC processes, stores, and transmits CUI and FCI within the same assessment scope. To what maturity level will you at a minimum assess and certify the OSC?

    A. CMMC Level 2
    B. You should refer the OSC to Cyber AB.
    C. The OSC must separate the scope for assets that process, store, or transmit CUI from those that handle FCI.
    D. CMMC Level 1

  • Question 213:

    To verify the scope accuracy and integrity, a Lead Assessor asks for documents supporting some elements of the scope. However, the OSC states that the information is proprietary and requires that the Lead Assessor sign a Non-Disclosure Agreement (NDA) before granting access. What should the Lead Assessor do?

    A. File a complaint with the CMMC Accreditation Body (the Cyber AB).
    B. File a complaint with the CMMC Accreditation Body (the Cyber AB).
    C. Sign the NDA and handle the proprietary information with utmost care.
    D. Inform the OSC that they have a legitimate right to access that information without signing the NDA.

  • Question 214:

    Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment. Which document/template includes the OSC's evidence, assets, and CMMC assessment scope, among other data?

    A. CMMC Assessment In-Brief
    B. The OSC Data Form
    C. CMMC Assessment Findings Briefing
    D. CMMC Pre-Assessment Form Template

  • Question 215:

    To showcase progress on the performance of their contract, a contractor provides semi-annual demonstrations to their federal client at the client's conference room. The conference room is inside the client's facility, meaning the contractor does not have control over security. All prototypes and documents subject to the contract are guarded by the contractor's staff whenever they are in transit and at the conference room. How should you, the CCA, handle the conference room when validating the OSC's assessment scope?

    A. List it as in scope.
    B. List it as a Contractor Risk Managed Asset (CRMA).
    C. More information is needed.
    D. List it as out of scope.

  • Question 216:

    During a CMMC Level 2 assessment, a CCA is evaluating whether the organization meets the requirement to "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." According to the CMMC requirement, the CCA must determine whether FIPS-validated cryptography is employed to protect the confidentiality of CUI. Which assessment procedure would the CCA most likely use to evaluate this requirement?

    A. Examine the cryptographic modules
    B. Interview personnel responsible for implementing cryptographic controls and review documentation of the organization's cryptographic policies and procedures
    C. Observe the organization's use of cryptographic controls in practice
    D. Examine validation certificates of the cryptographic modules used by the OSC

  • Question 217:

    You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?

    A. Institute mandatory overtime for the engineer to complete tasks faster
    B. Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties
    C. Invest in more powerful development machines
    D. Increase the engineer's salary to incentivize careful work

  • Question 218:

    You are a CCA conducting a CMMC Level 2 assessment for an OSC. During the assessment, you discover that the OSC has implemented a practice using a temporary workaround due to a recent system failure. The workaround meets the practice's objectives, but it is not documented in their System Security Plan (SSP). How should you evaluate this evidence?

    A. Accept the workaround as sufficient evidence and score the practice as "MET" since it meets the objectives.
    B. Document the lack of SSP inclusion as an evidence gap and assess the practice based on the workaround's effectiveness.
    C. Score the practice as "NOT MET" due to the absence of documentation in the SSP.
    D. Request the OSC to update the SSP to include the workaround before continuing the assessment.

  • Question 219:

    A CCA is conducting a CMMC assessment and discovers that the OSC's evidence includes a policy that contradicts a practice's objectives (e.g., allowing unrestricted access when restricted access is required). The OSC claims it's a typo and the practice is followed correctly. How should the CCA proceed?

    A. Accept the OSC's claim and score the practice as "MET" based on their assurance.
    B. Document the contradiction as an evidence gap and assess based on observed practice implementation.
    C. Score the practice as "NOT MET" due to the contradictory policy.
    D. Request the OSC to correct the policy document during the assessment.

  • Question 220:

    During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9, Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario describes using a central firewall for network security. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9, Connections Termination, for the remote access application?

    A. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period
    B. Encrypting all traffic between the user device and the server to protect CUI in transit
    C. Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server
    D. Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cyber AB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CMMC-CCA exam preparation or your Cyber AB certification application, do not hesitate to visit Vcedump.com to find your solutions.