CMMC-CCA Exam Details

  • Exam Code: CMMC-CCA
  • Exam Name: Certified CMMC Assessor (CCA)
  • Certification: Cyber AB Certifications
  • Vendor: Cyber AB
  • Total Questions: 378 Q&As
  • Last Updated: May 30, 2026

Cyber AB CMMC-CCA Online Questions & Answers

  • Question 261:

    During an assessment, the OSC was found to have implemented 68% of CMMC practice SC.L2-3.13.11 - CUI Encryption. However, the OSC Assessment Official cited issues with the vendor for not fully implementing the practice. Nonetheless, it has been listed in their POA&M. Which of the following is true regarding the use of a POA&M during a CMMC assessment?

    A. A POA&M addressing unimplemented security requirements is not a substitute for a completed CMMC practice
    B. A POA&M can be used as evidence of full implementation for any unimplemented CMMC practices
    C. If a practice is listed in the POA&M, it is considered fully implemented during the assessment
    D. Assessors are required to accept any POA&M as evidence of implementation for partially implemented practices

  • Question 262:

    An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

    A. No, the 180-day window has closed.
    B. No, the OSC must wait for the next assessment cycle.
    C. Yes, as long as all corrective actions are verified.
    D. Yes, but the OSC must re-perform the entire CMMC L2 assessment.

  • Question 263:

    You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 - Cryptographically-Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?

    A. Not Met (-5 points)
    B. Met (+5 points)
    C. Met (+1 point)
    D. Not Met (-1 point)

  • Question 264:

    You are part of the Assessment Team assessing a small defense contractor. You learn that the contractor (ABC Manufacturing) outsources parts of its IT infrastructure and cybersecurity services to a reputable Managed Services Provider (MSP). During a CMMC assessment, the contractor's Assessment Official claims that several CMMC practices related to system security and monitoring are inherited from the MSP. Which of the following actions should the Lead Assessor take?

    A. Automatically accept the contractor's claim and score the inherited practices as 'MET' without further evaluation.
    B. Recommend that the OSC implement the inherited practices internally, as inheriting from external providers is not allowed.
    C. Score the inherited practices as 'NOT MET' and require ABC Manufacturing to implement them internally.
    D. Request evidence from the MSP to verify that their services meet the assessment objectives for the inherited practices and are applicable to ABC Manufacturing's in-scope assets.

  • Question 265:

    Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment. Where would you document the OSC's readiness to proceed to the second phase of the CMMC Assessment Process (CAP)?

    A. In the CMMC Assessment Results.
    B. In the CMMC Assessment Quality Review Checklist.
    C. In the CMMC Assessment Readiness Review (CA-RR) Checklist.
    D. In the CMMC Assessment Findings Briefing.

  • Question 266:

    Implementation of and compliance with CMMC practices is not just a one-time effort but a sustained and habitual practice within the organization. As a CCA, you are part of an Assessment Team conducting a CMMC assessment for an OSC. As part of the assessment process, the CCA must confirm that the OSC has persistently implemented the CMMC policies and practices across all levels of the organization. To validate the persistent implementation of CMMC policies and practices, which of the following sources of evidence should you primarily focus on?

    A. The OSC's training programs and resource allocation for CMMC implementation
    B. Interviews with personnel to gauge their awareness and understanding of CMMC practices
    C. The OSC's policy documents and executive-level communications
    D. A combination of policies, plans, resourcing, communications, and training that are elements of the organization's cybersecurity program

  • Question 267:

    You are a CCA participating in an assessment exercise for an OSC. You have completed the exercise, and the OSC has hashed the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?

    A. Tell the OSC to encrypt the hash.
    B. Upload the Hashes to the OSC's CMMC eMASS.
    C. Upload them to your C3PAO's cloud instance.
    D. Nothing, the assessment is complete.

  • Question 268:

    During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Once the inconsistencies are addressed, when should the contractor's privacy and security notice be displayed?

    A. Only during the initial system logon
    B. During the initial system logon and when accessing specific CUI-related applications and data
    C. Only when handling or processing export-controlled technical data
    D. Continuously on all systems and workstations, regardless of user activity

  • Question 269:

    You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC's collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC's compliance with CMMC practice SC.L2-3.13.12 - Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.

    A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies
    B. Network traffic logs showing no instances of remote activation attempts on the web cameras
    C. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation
    D. System configuration settings for the web cameras, verifying that remote activation is enabled

  • Question 270:

    As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titled "Acing Your CMMC Assessment: A Complete Guide". You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?

    A. No, he has not.
    B. Yes, information integrity.
    C. Yes, respect for intellectual property.
    D. Yes, adherence to materials and methods.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cyber AB exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CMMC-CCA exam preparation and Cyber AB certification application, do not hesitate to visit Vcedump.com to find your solutions.