CMMC-CCA Exam Question 1

After the Assessment Team has been formed and the OSC Point of Contact (PoC) and Assessment Official have been identified, your C3PAO appoints John as the Lead Assessor. During the kickoff meeting, John reassures the OSC Assessment Official not to worry; they are guaranteed to pass the CMMC assessment. If they don't, John has agreed to refund 40% of the assessment fee. Which of the following is true about John's behavior as a Certified CMMC Assessor?
  • CMMC-CCA Exam Question 2

    While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, after several tests, you find the mechanisms implementing system audit logging lacking because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1 - System Auditing?
  • CMMC-CCA Exam Question 3

    You are a CCA conducting a CMMC Level 2 assessment for an OSC. During the assessment, you discover that the OSC has implemented a practice using a temporary workaround due to a recent system failure. The workaround meets the practice's objectives, but it is not documented in their System Security Plan (SSP).
    How should you evaluate this evidence?
  • CMMC-CCA Exam Question 4

    In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?
  • CMMC-CCA Exam Question 5

    A CCA is assessing an OSC that uses a complex multi-cloud architecture with resources distributed across multiple Cloud Service Providers (CSPs). During the evaluation, the CCA encounters challenges in verifying the authorization methods used for external connections to the various cloud resources (AC.L1-3.1.20).
    Additionally, the assessor finds limited documentation of the cryptographic mechanisms implemented to protect the confidentiality of remote access sessions (AC.L2-3.1.13) to cloud-based data. While the OSC has network monitoring tools in place, the sheer volume of data makes it difficult to identify and track specific remote access activities. What challenges might the CCA face while assessing the OSC's cloud and hybrid environment for compliance with CMMC remote access requirements?