CMMC-CCA Exam Question 121
When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments on all systems processing, storing, or transmitting CUI and facilities are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023.
Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 - Risk Assessments?
Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 - Risk Assessments?
CMMC-CCA Exam Question 122
You are a CCA participating in an assessment exercise for an OSC. You have completed the exercise, and the OSC has hashed the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide.
What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?
What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?
CMMC-CCA Exam Question 123
Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.
CMMC-CCA Exam Question 124
A leading technology solutions provider that works with various government agencies and commercial clients has implemented a dedicated CUI enclave within its network infrastructure to ensure the secure handling of CUI. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements. Which statement best describes the appropriate approach for scoping the assessment within the context of the CUI enclave?
CMMC-CCA Exam Question 125
During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts.
Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 - Connections Termination, for the remote access application?
Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 - Connections Termination, for the remote access application?