During your assessment of CA.L2-3.12.3 - Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you find a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. In conversations with employees, you learn that the contractor regularly invites resource persons to train staff on the secure handling of information and on identifying gaps in the security controls implemented. Can the contractor place practice CA.L2-3.12.3 - Security Control Monitoring under a POA&M if it is unimplemented or not fully met?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: CA.L2-3.12.3 requires the contractor to "monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls" (NIST SP 800-171 Rev. 2, 3.12.3). Whether a practice may be deferred to a POA&M is decided not by how foundational it seems but by its point value under the DoD Assessment Methodology, as applied in the CMMC POA&M rules (32 CFR 170.21): a POA&M may cover only 1-point practices (and not AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4 or PE.L2-3.10.5), the overall score must be at least 88 of 110, and practices weighted 3 or 5 points must be MET at the time of assessment, the single exception being SC.L2-3.13.11 when encryption is employed but is not FIPS-validated. CA.L2-3.12.3 is a 5-point practice, so it cannot be placed on a POA&M: if the monitoring program described above does not satisfy every assessment objective, the practice is NOT MET and the OSC cannot obtain a conditional certification on that basis (A). B and D contradict this, and C isn't needed because the rule leaves no room for interpretation.
Extract from Official Documentation:
* NIST SP 800-171 Rev. 2, 3.12.3: "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls."
* 32 CFR 170.21 (Plan of Action and Milestones requirements): POA&M items are limited to practices with a point value of 1 (with the exclusions listed above); practices with a point value of 3 or 5 must be MET, except SC.L2-3.13.11 where encryption is employed but not FIPS-validated.
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
CMMC-CCA Exam Question 67
During the Planning phase, the C3PAO and Lead Assessor will collect information from the OSC to provide a Rough Order of Magnitude (ROM). This enables the Assessor to approximate the duration, schedule, and cost of the Assessment. To determine the Rough Order of Magnitude (ROM), the Lead Assessor can use the following inputs, EXCEPT?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: The CAP lists characteristics of the OSC as the inputs to the ROM (Options A, C, D); the education or training of the Assessment Team (Option B) has no bearing on the estimate of duration, schedule, or cost.
Extract from Official Document (CAP v1.0):
* Section 1.5 - Assessment Planning (pg. 16): "ROM inputs include OSC location, size, complexity, and readiness."
References: CMMC Assessment Process (CAP) v1.0, Section 1.5.
CMMC-CCA Exam Question 68
After numerous discussions and iterations, the OSC and Lead Assessor have finalized the Pre-Assessment Plan, which outlines the key details of how the assessment will be conducted, including the scope, timeline, resource requirements, and other logistical considerations. What is the final step before commencing a CMMC assessment?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation: The CAP mandates uploading the Pre-Assessment Data Form to CMMC eMASS as the final step of Phase 1 before Phase 2 (Conduct Assessment) begins (Option C). Options A, B, and D are earlier planning activities, not the final step.
Extract from Official Document (CAP v1.0):
* Section 1.6 - Prepare for Assessment (pg. 18): "The final step before commencing the assessment is uploading the Pre-Assessment Data Form into CMMC eMASS."
References: CMMC Assessment Process (CAP) v1.0, Section 1.6.
CMMC-CCA Exam Question 69
You are a CCA who is part of an Assessment Team conducting a CMMC assessment on an aerospace company. While analyzing their network architecture, you realize that it includes a Demilitarized Zone (DMZ) to host their public-facing web servers. What is the primary purpose of a DMZ in a network architecture?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation: A Demilitarized Zone (DMZ) is a separate network segment placed between the untrusted Internet and the internal network to host the services that must be reachable from outside (web, mail, DNS). Its purpose is isolation with controlled access: traffic from the Internet is permitted only to the published services in the DMZ, DMZ hosts are permitted only the specific connections they need into the internal network (for example, a web tier reaching a database on one port), and everything else is denied by default, so a compromised public-facing server does not give an attacker a direct path to the systems that process CUI. NIST SP 800-171 addresses this in SC.L2-3.13.5, which requires subnetworks for publicly accessible components that are "physically or logically separated from internal networks"; the deny-by-default, allow-by-exception posture that the DMZ's firewall rules enforce is SC.L2-3.13.6. Option A (physical isolation) describes one possible implementation rather than the purpose; a DMZ is most often realized logically with firewall zones, VLANs, ACLs, and routing, and the requirement permits either approach. Option B (physical security) pertains to facility controls, not network architecture. Option C (unrestricted access) is the opposite of what a DMZ provides. Option D correctly identifies the DMZ's role, the logical isolation of public-facing services from the internal network, making it the correct answer.
Reference Extract:
* NIST SP 800-171 Rev. 2, 3.13.5: "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks."
* NIST SP 800-171 Rev. 2, 3.13.6: "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final; https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
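As an added example, not taken from the exam guide or from any CMMC or NIST document, the following Python models the deny-by-default, allow-by-exception policy that a three-zone DMZ design depends on, and runs the segmentation checks an assessor could apply to such a policy when verifying SC.L2-3.13.5 and SC.L2-3.13.6. The zones, subnets, ports and rules are all constructed for illustration; the audit rules encode the intent described above, not any published checklist.

```python
"""Added example (not from the exam guide or any CMMC document): a small
first-match, deny-by-default firewall policy model for a three-zone
design (internet / dmz / internal), plus the checks an assessor would
run against it when verifying SC.L2-3.13.5 and SC.L2-3.13.6.
All zones, addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan: the DMZ is its own subnet, firewalled from
# both the Internet and the internal (CUI-processing) network.
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside our subnets is 'internet'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Constructed ruleset: allow-by-exception; the last rule is the default deny.
POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),       # public HTTPS to the web tier
    Rule("internet", "dmz", "tcp", 80, "allow"),        # HTTP (redirect to HTTPS)
    Rule("dmz", "internal", "tcp", 5432, "allow"),      # web tier -> database only
    Rule("internal", "dmz", "tcp", 22, "allow"),        # admins manage DMZ hosts
    Rule("internal", "internet", "tcp", 443, "allow"),  # outbound browsing
    Rule("*", "*", "*", None, "deny"),                  # SC.L2-3.13.6: deny all else
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of a new connection attempt."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone in ("*", sz) and r.dst_zone in ("*", dz)
                and r.proto in ("*", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"  # unreachable with an explicit final deny; kept as a safety net


def audit_segmentation(policy: list) -> list:
    """Return findings that would defeat the intent of SC.L2-3.13.5 / 3.13.6.
    An empty list means the checks passed."""
    findings = []
    if not policy or policy[-1] != Rule("*", "*", "*", None, "deny"):
        findings.append("policy does not end in an explicit deny-all")
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "internet" and r.dst_zone == "internal":
            findings.append(f"internet -> internal allowed: {r}")
        if r.src_zone == "dmz" and r.dst_zone == "internal" and r.dport is None:
            findings.append(f"dmz -> internal allowed on any port: {r}")
        if r.src_zone == "internet" and r.dst_zone == "dmz" and r.dport is None:
            findings.append(f"internet -> dmz allowed on any port: {r}")
    return findings


if __name__ == "__main__":
    print(evaluate("198.51.100.7", "203.0.113.10", "tcp", 443))  # allow
    print(evaluate("198.51.100.7", "10.10.5.20", "tcp", 445))    # deny
    print(evaluate("203.0.113.10", "10.10.5.30", "tcp", 5432))   # allow
    print(audit_segmentation(POLICY))                            # []
```

The three `evaluate` calls are the questions an assessor asks of a DMZ: can the Internet reach the published service, can the Internet reach the internal network directly, and can the DMZ reach only the one internal port it needs. The `audit_segmentation` function turns those questions into checks over the whole ruleset, so that a rule added later (for instance an Internet-to-internal allow for remote desktop) is flagged rather than silently undoing the separation.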
CMMC-CCA Exam Question 70
During your on-site assessment, you examine an OSC's network architecture and the components that make up its defined security boundary. You notice various network devices, servers, and endpoints that are considered part of the OSC's information system. Additionally, the design team also uses a 3D printer to produce model prototypes. Which of the following is not a boundary component?
Correct Answer: B
Comprehensive and Detailed Explanation: Boundary components in the CMMC Assessment Scope - Level 2 are the network infrastructure elements (e.g., routers, gateways, virtualization systems) that define and protect the assessment boundary. The 3D printer is a peripheral production device; if it is used for CUI-related prototyping it would be categorized as a Specialized Asset, but it neither defines nor enforces the network boundary the way Options A, C, and D do, making B the correct answer.
Reference: CMMC Assessment Scope - Level 2, Section 2.2 (Boundary Definition), p. 4: "Boundary components include network devices and systems, not ancillary equipment."