Latest CMMC-CCA Free Dumps - Cyber AB Certified CMMC Assessor (CCA)

A C3PAO and OSC have agreed to proceed with CMMC assessment planning. The OSC assessment official and the C3PAO are working to determine the planning details and purview of the Assessment, which includes scoping. When should the C3PAO and OSC conduct the high-level contract framing?

Answer: B
Explanation: (visible to DumpTOP members only)
A mid-sized defense supplier has been working to achieve CMMC Level 2 certification. You are part of the Assessment Team contracted to review their documentation and assess their implementation of CMMC practices. During your review, you notice that the OSC has produced documentation for their contractor risk-managed assets. Which of the following is NOT required documentation for contractor risk-managed assets under the CMMC model?

Answer: A
Explanation: (visible to DumpTOP members only)
When validating an OSC's assessment scope, an Assessment Team learns that the proposed scope is too narrow and their asset categorization is mixed up. What should the Assessment Team do?

Answer: B
Explanation: (visible to DumpTOP members only)
In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?

Answer: A
Explanation: (visible to DumpTOP members only)
You are conducting a CMMC assessment for a contractor that handles sensitive defense project data.
Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. Which of the following components of the contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3 - Control CUI Flow?

Answer: D
Explanation: (visible to DumpTOP members only)
In assessing the security boundaries, you determine that an OSC processes, stores, and transmits CUI and FCI within the same assessment scope. To what maturity level will you at a minimum assess and certify the OSC?

Answer: B
Explanation: (visible to DumpTOP members only)
During an assessment, you learn that a cybersecurity firm helped the OSC prepare for the assessment. In an attempt to learn more about this firm, the OSC POC gives you their name. Performing a quick search, you learn they aren't listed in the Cyber AB marketplace. What should you do as the Lead Assessor?

Answer: C
Explanation: (visible to DumpTOP members only)
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1 - System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. The following conditions hold true for CMMC practices ineligible for deficiency corrections EXCEPT?

Answer: D
Explanation: (visible to DumpTOP members only)
You are part of the Assessment Team evaluating an OSC's implementation of AC.L2-3.1.13 - Remote Access Confidentiality. This requirement mandates the organization to employ cryptographic mechanisms to protect the confidentiality of remote access sessions. During your assessment, you want to determine whether these cryptographic mechanisms have been properly identified as required by assessment objective [a]. What specification can you use to make this determination?

Answer: B
Explanation: (visible to DumpTOP members only)
During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D., who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.'s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home. Which of the following principles of the CMMC Code of Professional Conduct did Liz most likely violate?

Answer: D
Explanation: (visible to DumpTOP members only)
An OSC submits to the C3PAO Assessment Team for validation a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMware. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the enclave and a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its enclave?

Answer: D
Explanation: (visible to DumpTOP members only)
The CMMC Assessment Process (CAP) requires the Lead Assessor to validate the CMMC Assessment Scope proposed by the OSC. What is the main task that the Lead Assessor must conduct in validating the CMMC Assessment Scope?

Answer: D
Explanation: (visible to DumpTOP members only)
An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

Answer: C
Explanation: (visible to DumpTOP members only)
A CCA is conducting a CMMC assessment and discovers that the OSC's evidence includes a policy that contradicts a practice's objectives (e.g., allowing unrestricted access when restricted access is required). The OSC claims it's a typo and the practice is followed correctly. How should the CCA proceed?

Answer: D
Explanation: (visible to DumpTOP members only)
While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 - Identifier Reuse if you find issues with its implementation?

Answer: D
Explanation: (visible to DumpTOP members only)
An aerospace company bids on a DoD contract that requires CMMC Level 2 compliance. The company has multiple divisions, but only the Manufacturing Division will work on the project. The Manufacturing Division has its own IT infrastructure and security policies, but it relies on the company's centralized IT department for some administrative tasks. Which unit will be assessed for CMMC Level 2 compliance?

Answer: A
Explanation: (visible to DumpTOP members only)
You are a CCA reviewing evidence for a CMMC practice. The OSC provides a training record showing that only 70% of relevant staff have completed required security training. The practice requires all staff to be trained. How should you score this practice?

Answer: A
Explanation: (visible to DumpTOP members only)
