Online Access Free CMMC-CCA Exam Questions

While assessing a company, the CCA is determining whether the company controls and manages connections between its corporate network and all external networks. The company has: (1) a strict employee policy prohibiting personal Internet use and personal email on company computers, and (2) firewalls plus a connection allow-list so only authorized external networks can connect to the company network. Are these safeguards sufficient to meet the applicable CMMC requirement?

• A.Yes. The company's strict employee policy is the best practice for meeting the requirement.
• B.No. The company must isolate its system from all external connections to meet the requirement.
• C.No. The company needs full control over all external systems it interfaces with to meet the requirement.
• D.Yes. The company's firewalls and connection allow-lists are appropriate technical controls to meet the requirement.

An OSC seeking Level 2 certification wants to develop and launch a website for customers to purchase items online and submit contact forms. The OSC plans to host the web server in their own data center while also maintaining the security of their internal IT environment. Based on this information, what would be the BEST approach?

• A.Configure a firewall rule to only allow internal traffic to communicate with the server for an additional layer of security to the OSC's LAN
• B.Configure the server to protect against object reuse and residual information via shared system resources for an additional layer of security to the OSC's LAN
• C.Configure a DMZ for an additional layer of security to the OSC's LAN to host the publicly accessible server
• D.Relocate the server to a different office location to protect the OSC's LAN

An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked
"Authorized for CUI printing." What is the NEXT step the Lead Assessor should take regarding PE.L2-
3.10.3: Escort Visitors?

• A.Ask the printer technician to leave immediately
• B.Make a note and score the practice as NOT MET
• C.Ask the OSC if the printer technician has authorized access
• D.Make a note and score the practice as MET

The OSC's network consists of a single unmanaged switch that connects all devices, including OT equipment which cannot run a vendor-supported operating system. The OSC correctly scoped the OT equipment as a Specialized Asset, listed it in their inventory and SSP, and provided a network diagram showing plans to isolate the OT and apply additional security measures. What information does the Lead Assessor still require to ensure compliance?

• A.Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices
• B.Installation and configuration documentation for the OT to ensure it was correctly built
• C.Wording in the SSP detailing how the OT is managed using the OSC's risk-based security policies, procedures, and practices
• D.Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices

An OSC is preparing for assessment. Which item of evidence would show the OSC's efforts to restrict physical access within the OSC's environment?

• A.VPN configuration
• B.Documented OSC procedures
• C.Network architecture drawings
• D.Switch configuration files