CMMC-CCA Exam Question 131

During a CMMC assessment, the Lead Assessor requests evidence from the OSC to support their claim that several access control and authentication practices are inherited from their enterprise-level Identity and Access Management (IAM) system. The OSC claims that their parent company manages the IAM system.
Which of the following types of evidence would be the most appropriate for the OSC to demonstrate these inherited practices?
  • CMMC-CCA Exam Question 132

    A software development company wins a DoD contract requiring CMMC Level 2. The company is small and has one main office. However, it outsources some data storage requirements to a cloud service provider (CSP). What type of organization would the cloud service provider be considered in the CMMC assessment scope?
  • CMMC-CCA Exam Question 133

    You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. Which of the following components of the contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3 - Control CUI Flow?
  • CMMC-CCA Exam Question 134

    As a CCA on a C3PAO Assessment Team, you have determined that the assessment scope provided by an OSC indicates plans to subcontract some elements of their contract to DelTech Inc. The OSC plans to bid on a DoD contract to develop guidance and targeting software. However, the software needs testing after installing a new surface-to-air defense system. Unfortunately, the OSC lacks the means to test the software, which is where DelTech comes in. As a CCA, what must you do in this scenario?
  • CMMC-CCA Exam Question 135

    SecureLogic Inc. is a cybersecurity consulting firm that provides managed security services to various defense contractors. During a CMMC assessment of one of their clients, the Lead Assessor finds that SecureLogic Inc. has provided evidence supporting several inherited practices related to incident response and vulnerability management. Which of the following actions should the Lead Assessor take?