Online Access Free CMMC-CCA Exam Questions

While conducting a CMMC Level 2 Assessment for a small waveguide manufacturer, the client provides a copy of their CMMC Level 1 Self-Assessment that their senior official has recently approved and uploaded to the Supplier Performance Risk System (SPRS). What type of information may be covered within the Level 1 Self-Assessment that is OUTSIDE the scope of a Level 2 assessment?

• A.FCI within the CUI production enclave
• B.FCI data within the description in the contractor self-assessment
• C.CUI in paper format
• D.Sensitive Compartmented Information (SCI) shredded by an approved vendor

In order to assess whether an OSC meets AC.L2-3.1.5: Least Privilege, what should be examined by the Assessor?

• A.Authentication policy
• B.System configurations for all systems
• C.List of terminated employees over the last three months
• D.User access lists that identify privileged users

While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on- premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.
Are the data provided sufficient to determine that the OSC limits connection to external information systems?

• A.No, the OSC stated most of its business is on-premises.
• B.Yes, the OSC confirmed that external connections occur.
• C.No, the OSC did not fully define the extent external connections are used.
• D.Yes, the OSC confirmed that external connections occur for system backups.

During a CMMC Level 2 Assessment, a CCA interviewed a system administrator on the OSC's procedures around configuration management and endpoint security. The system administrator described how they build and deploy new systems, and noted that some users require specialized applications for their jobs. Users have been asked to email IT when they install and run an additional application so IT can add it to their list of allowed software.
What must the CCA conclude?

• A.The OSC has properly implemented application deny listing.
• B.IT does not have a policy that users notify IT when they install new applications.
• C.The OSC has not properly implemented application allow listing.
• D.IT must deploy an application to report newly installed software.

An OSC creates standard user accounts with limited capabilities and administrator accounts with full system access. A standard user initiates the uninstall of the anti-virus software, which is organizationally defined as a privileged function. Which of the following would indicate AC.L2-3.1.7: Privileged Functions is properly implemented?

• A.The antivirus software is successfully uninstalled.
• B.The antivirus software is not uninstalled, and the attempt is captured in an application audit log.
• C.The antivirus software is successfully uninstalled, and the event is captured in an application audit log.
• D.The antivirus software is not uninstalled.