You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. During the evidence collection phase, you need to examine the OSC's policies and procedures related to the CMMC practice AC.L2-3.1.5
- Least Privilege.
Which of the following would be an appropriatesource of evidence for this practice?
A. Testing the OSC's Role-Based Access Control (RBAC) and Privilege Access Management (PAM) tools.Different mechanisms can be used to protect information at rest.
Which mechanism is MOST LIKELY to afford protection for information at rest?
A. PatchingThe Assessment Kickoff meeting is one of the most important sessions of any CMMC Assessment engagement.
All the following are participants in this meeting, EXCEPT?
A. Members of the OSC that will be providing evidence.The assessment team is discussing the pre-assessment scope with an OSC. The OSC would like to limit the scope of the security requirements in environments that contain FCI and/or CUI.
In this case, the OSC should:
A. Request a single CMMC certification for both activitiesYou are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules.
The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory - a privileged function.
Which of the following controls could have prevented the developer from executing this privileged function?
A. Removing internet accessDavid, a Certified CMMC Assessor (CCA), is conducting a CMMC assessment for a defense contractor.
During the assessment, he observes the organization's CEO making several statements to the Assessment Team about the company's security practices that turn out to be false.
How should David respond to the CEO's behavior according to the CMMC CoPC?
A. Document the CEO's false statements in the assessment report and continue the assessment objectively.During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment.
What is your ethical obligation in this situation?
A. Publicly confront the CCA and remind them of the CoPC violation.You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications.
Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 - System Baselining?
A. Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risksYou are part of an Assessment Team tasked with conducting a CMMC Assessment for an OSC. When assessing the contractor's implementation of SC.L2-3.13.6 - Network Communication by Exception, objectives [a] and [b], the OSC's system admin informs you that they use Fortinet Next-Generation Firewall (NGFW). Fortinet NGFWs are hardcoded to deny all traffic by default, and traffic is only allowed on an exception basis. While this is factual, the Lead Assessor asks you to test the NGFW to ascertain whether it meets the intent of Assessment Objectives in SC.L2-3.13.6 - Network Communication by Exception.
What is the benefit of testing as an assessment method?
A. Testing helps determine if CMMC practices are implemented and whether adequate resources were provided to the individuals performing the practices.The OSC has contracted a C3PAO to perform a CMMC assessment. During Phase 1, the C3PAO discovers that the OSC does not have a Commercial and Government Entity (CAGE) code. The OSC's Assessment Official argues that they have never needed one before and asks what they should do.
What should the Lead Assessor tell the OSC Assessment Official?
A. The OSC must obtain a CAGE code before the assessment can proceed; the C3PAO cannot assist with this process.Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Cyber AB exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CMMC-CCA exam preparations and Cyber AB certification application, do not hesitate to visit our Vcedump.com to find your solutions here.