CMMC-CCA Exam Question 36
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review.
During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 - Authoritative Time Source?
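A consistency check of the kind an assessor would run on the collected logs in the scenario above, as an added example (not part of the exam material): it parses constructed syslog-style audit lines that all record the same triggered event, computes each host's clock offset from the NTP server's own record, and flags hosts outside an assumed tolerance. The host names, the event ID, the line format and the 1-second tolerance are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit lines (syslog-style, ISO-8601 UTC timestamps).
# Every host logged the same triggered event; "ntp-srv01" is the NTP server
# and serves as the reference clock. Host names and event ID are assumed.
SAMPLE_LOGS = """\
2024-03-05T14:02:10.120Z ntp-srv01 audit: event_id=TRIG-0001 action=test_event
2024-03-05T14:02:10.340Z old-node01 audit: event_id=TRIG-0001 action=test_event
2024-03-05T14:02:09.980Z old-node02 audit: event_id=TRIG-0001 action=test_event
2024-03-05T14:02:32.510Z new-node01 audit: event_id=TRIG-0001 action=test_event
2024-03-05T14:01:48.900Z new-node02 audit: event_id=TRIG-0001 action=test_event
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+audit:\s+event_id=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_audit_lines(text):
    """Return a list of (host, event_id, timestamp) for lines matching LINE_RE."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a recognised audit record
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        records.append((m.group(2), m.group(3), ts))
    return records


def clock_offsets(records, event_id, reference_host):
    """Offset in seconds (host clock minus reference clock) for one event.

    A positive value means the host's clock runs ahead of the reference.
    """
    by_host = {host: ts for host, eid, ts in records if eid == event_id}
    ref_ts = by_host[reference_host]
    return {
        host: round((ts - ref_ts).total_seconds(), 3)
        for host, ts in by_host.items()
        if host != reference_host
    }


def hosts_out_of_tolerance(offsets, tolerance_s):
    """Hosts whose absolute offset exceeds tolerance_s, sorted by name."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance_s)


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOGS)
    offs = clock_offsets(recs, "TRIG-0001", "ntp-srv01")
    for host, off in sorted(offs.items()):
        print(f"{host}: {off:+.3f} s")
    # Assumed tolerance of 1 s; larger offsets make cross-host correlation
    # of audit records unreliable even though every host "uses" the NTP server.
    print("out of tolerance:", hosts_out_of_tolerance(offs, 1.0))
```

In the constructed data the two new nodes drift by roughly 20 seconds in opposite directions while staying inside a 30-second correction threshold, so a run with tolerance 30.0 flags nothing and a run with tolerance 1.0 flags both new nodes. The script only surfaces the offsets; it does not decide how the practice should be scored.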
CMMC-CCA Exam Question 37
During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature Defcon's updated privacy and security notices should have?
CMMC-CCA Exam Question 38
The Assessment Kickoff meeting is one of the most important sessions of any CMMC Assessment engagement. All the following are participants in this meeting, EXCEPT?
CMMC-CCA Exam Question 39
You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC's system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 - Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?
CMMC-CCA Exam Question 40
When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to complete specific documents. The CAP also provides templates, some of which the Assessor must use and complete during specific phases. A CCA must complete all the following documents in Phase 1 of the CAP, EXCEPT?
