CMMC-CCA Exam Question 96
An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence of collaborating on their implementation of CMMC practice PS.L2-3.9.2 - Personnel Actions, EXCEPT?
CMMC-CCA Exam Question 97
When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised.
Why should all traffic be routed through a managed Access Control point?
Why should all traffic be routed through a managed Access Control point?
CMMC-CCA Exam Question 98
Implementation of and compliance with CMMC practices is not just a one-time effort but a sustained and habitual practice within the organization. As a CCA, you are part of an Assessment Team conducting a CMMC assessment for an OSC. As part of the assessment process, the CCA must confirm that the OSC has persistently implemented the CMMC policies and practices across all levels of the organization. To validate the persistent implementation of CMMC policies and practices, which of the following sources of evidence should you primarily focus on?
CMMC-CCA Exam Question 99
The Cyber AB is the sole authorized certification and accreditation partner for the DoD in its CMMC program. It is responsible for overseeing and establishing a trained, qualified, and high-fidelity community of assessors, including C3PAOs and CCAs. What is the main requirement before The Cyber AB can accredit an Assessor?
CMMC-CCA Exam Question 100
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review.
During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?
During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?