CMMC-CCA Exam Details

  • Exam Code: CMMC-CCA
  • Exam Name: Certified CMMC Assessor (CCA)
  • Certification: Cyber AB Certifications
  • Vendor: Cyber AB
  • Total Questions: 378 Q&As
  • Last Updated: May 30, 2026

Cyber AB CMMC-CCA Online Questions & Answers

  • Question 231:

    While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure. Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?

    A. Interview personnel with information security responsibilities
    B. Test the OSC's Incident Response Plan
    C. Examine the System Security Plan
    D. Test or examine mechanisms supporting or implementing physical access monitoring

  • Question 232:

    During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D., who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.'s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home. Which of the following principles of the CMMC Code of Professional Conduct did Liz most likely violate?

    A. Objectivity
    B. Professionalism
    C. Ethical Practices
    D. Confidentiality

  • Question 233:

    You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has provided a list of assets in scope, but during a site visit, you discover additional systems handling CUI that were not included in the initial scope. What should you do?

    A. Proceed with the assessment based on the original scope provided by the OSC.
    B. Request the OSC to revise the scope to include the additional systems and provide relevant evidence.
    C. Terminate the assessment due to the OSC's failure to accurately define the scope.
    D. Include the additional systems in the assessment without informing the OSC.

  • Question 234:

    An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1 – System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1 – System Baselining, and how should it be scored?

    A. NOT MET (Deduct 3 points)
    B. Not Applicable
    C. NOT MET (Deduct 1 point)
    D. NOT MET (Deduct 5 points)

  • Question 235:

    You are a CCA reviewing evidence for a CMMC practice. The OSC provides a training record showing that only 70% of relevant staff have completed required security training. The practice requires all staff to be trained. How should you score this practice?

    A. Score it as "MET" since the majority of staff are trained.
    B. Score it as "NOT MET" since not all staff have completed the required training.
    C. Score it as "PARTIALLY MET" and allow the OSC to train the remaining staff during the assessment.
    D. Document it as an evidence gap and request additional training records.

  • Question 236:

    A CCA is conducting a CMMC assessment and notices that the OSC's evidence includes a policy document that is outdated by two years. The OSC insists that the policy is still in effect, but staff interviews indicate that newer, undocumented procedures are being followed. How should the CCA handle this situation?

    A. Accept the outdated policy as evidence since the OSC claims it is still in effect.
    B. Document the discrepancy between the policy and actual procedures and assess based on all available evidence.
    C. Reject the policy document outright and score the practice as "NOT MET."
    D. Request the OSC to update the policy document before proceeding with the assessment.

  • Question 237:

    An OSC is undergoing a CMMC Level 2 assessment, and the C3PAO Assessment Team has identified several practices that the organization has not yet fully implemented. During the assessment, the CCA notes significant progress by the OSC towards implementing control MP.L2-3.8.4 – Media Markings, but acknowledges that not all required steps have been completed. The CCA explains to the OSC that this partially implemented practice will need to be tracked in the Limited Practice Deficiency Correction Program. How should CMMC practices tracked under the Limited Practice Deficiency Correction Program be scored?

    A. Not Met
    B. Partially Met
    C. Not Applicable
    D. Met

  • Question 238:

    You are part of the team conducting a CMMC assessment for an OSC. Because of the sensitive nature of the OSC's technologies, your team signed an NDA. However, you observe one of the Assessment Team members copying something from the OSC's computer systems. You know they don't have permission because the NDA states that the OSC PoC will provide any required material. What should you do in this case?

    A. Inform the OSC of the incident.
    B. Allow them to copy the files.
    C. Approach the team member and remind them of their confidentiality obligations under the CoPC.
    D. Report the team member to the Cyber AB.

  • Question 239:

    As a Certified CMMC Assessor (CCA), you evaluate an OSC's implementation of the AC.L2-3.1.11 – Session Termination requirement during a CMMC Level 2 assessment. This requirement mandates the organization to automatically terminate a user session after defined conditions are met. During your assessment, you want to determine whether the OSC has properly defined the conditions that would trigger the automatic termination of a user session, as required by assessment objective [a]. Which of the following assessment objects would you most likely examine to make this determination?

    A. The organization's system audit logs and records
    B. Procedures addressing identification and authentication
    C. Interviews with system administrators and personnel with information security responsibilities
    D. The organization's Access Control Policy and system configuration settings

  • Question 240:

    An aerospace company has requested a CMMC assessment for an enclave only. Your team has verified that the company has a valid CAGE code and is registered with SAM.gov. However, the enclave has no separate CAGE code or SAM registration. Can the assessor proceed with the CMMC assessment solely for the enclave, or is an assessment of the entire aerospace company's network required?

    A. The assessor can proceed with the enclave assessment for CMMC Level 2 compliance.
    B. The assessor cannot proceed with the enclave assessment.
    C. The assessor must assess the entire company network.
    D. The assessor can proceed with the enclave assessment, but only for a lower CMMC level.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cyber AB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CMMC-CCA exam preparation and Cyber AB certification application, do not hesitate to visit Vcedump.com to find your solutions.