During a CMMC assessment, the Assessment Team observes that the OSC is not enforcing practice objective CM.L2-3.4.5[d] - physical access restrictions associated with changes to the system are enforced. Understanding the deficiency, the OSC has requested to track the practice in the Limited Practice Deficiency Correction program, as it is part of their on-premises work.
As a CCA, what should you do with respect to the OSC's implementation of this practice?
A. Agree with the OSC and track the practice under the Limited Practice Deficiency Correction program.During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D.,who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.'s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home.
Which of the following principles of the CMMC Code of Professional Conduct did Liz most likely violate?
A. ObjectivityDuring the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team.
If the decision is made to replan or reschedule the assessment, what is the C3PAO's required action, according to the CAP?
A. Inform the OSC of the potential consequences of delaying the assessment.You are a CCA working for a well-known C3PAO. You have been selected for an Assessment Team tasked with conducting a CMMC assessment on a C3PAO. While you are reviewing the presented evidence, one of the Assessment Team members informs you that they weren't trained for the job and that a friend helped them get the position.
By employing non-credentialed individuals and assigning them assessment tasks, which requirement of the CoPC has the C3PAO violated?
A. IntegrityThe Assessment Team is meeting with the OSC team and experiences a situation where some members of the OSC team describe the IT infrastructure differently from others. In some discussions, one person identifies a series of ESPs, while another describes the infrastructure as on-premises.
What should the Lead Assessor do to clarify the actual operational environment?
A. Review the network diagramsYou are a CCA working for a C3PAO that has entered into a contractual agreement to provide CMMC assessment services for an OSC. After validating the evidence, the C3PAO feels that thetask is beyond its capabilities and informs the OSC that it cannot continue with the assessment. The C3PAO cites "insufficient workforce" as the reason.
What principle of the CMMC CoPC has the C3PAO broken?
A. Adherence to Materials and MethodsWhen examining an OSC's procedures for addressing transmission integrity and confidentiality, you interview their system administrator and learn that they use Secure File Transfer Protocol (SFTP) for secure CUI transmission. The OSC employs AES-256 to encrypt data before transmitting it. Any external connections to their internal servers or systems can only occur via a VPN. All emails containing CUI are encrypted and sent using Secure/Multipurpose Internet Mail Extensions (S/MIME). Internal CUI transfers are conducted over WPA3 secure Wi-Fi. All areas of the OSC's facilities where CUI is stored or processed are secured with biometrics. To prevent unauthorized CUI exfiltration or transfer, the OSC has deployed a data loss prevention solution. During employee interviews, you learn they receive regular awareness training on the importance of data encryption during transmission. Additionally, they conduct regular audits of transmission protocols and encryption measures to ensure their effectiveness.
While AES-256 is a strong encryption algorithm, according to CMMC practice SC.L2-3.13.8 - Data in Transit, what additional factor is crucial for ensuring FIPS compliance with cryptographic modules used for protecting CUI in transit?
A. The encryption algorithm must be open-source and publicly available for scrutinyAn OSC seeking Level 2 certification has recently configured system auditing capabilities for all systems within the assessment scope. The audit logs are generated based on the required events and contain the correct content that the organization has defined.
Which of the following BEST describes the next system auditing objective that the organization should define?
A. Centralized audit log collectionJohn, a CCA, is attending a CMMC industry conference. During a networking event, he makes several inappropriate comments with sexual undertones to a female attendee.
According to the CoPC's Lawful and Ethical Practices, how should John's behavior be evaluated?
A. John's comments are acceptable as long as the female attendee does not report them to the Cyber AB.While scoring the evidence for a particular CMMC practice, the Certified Assessor notes that one of the practice objectives is NOT MET, thereby scoring the entire practice as NOT MET. The OSC Assessment Official disagrees with the Certified Assessor's decision, and they both take the dispute to the Lead Assessor, who is unable to resolve the issue to the OSC's satisfaction.
How will this dispute be settled?
A. The Lead Assessor is the final arbiter of the dispute.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Cyber AB exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CMMC-CCA exam preparations and Cyber AB certification application, do not hesitate to visit our Vcedump.com to find your solutions here.