Free Cyber AB CMMC-CCA Practice Exam with Questions & Answers | Set: 3

To verify scanning (such as anti-virus and file integrity functions), the strongest evidence includes system configurations, AV alerts/logs, and interviews with technical staff. A policy document (System Information and Integrity Policy) provides intent but not actual implementation proof, making it the least helpful.

Extract:

“Policies provide documented intent, but assessors must validate actual implementation through configuration reviews, alerts/logs, and personnel interviews.”

Thus, the policy alone is the least useful evidence for confirming scans are actually performed.

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

To validate separation of CUI systems from non-CUI systems on a local network, the assessor must evaluate the VLAN configuration. VLANs are a recognized logical segmentation method for separating enclaves, as defined in the CMMC Scoping Guide.

Exact Extracts:

CMMC Scoping Guide: “Isolation can be achieved by implementing subnetworks with firewalls, routers, and VLANs to ensure separation of CUI assets from out-of-scope assets.”

“CUI Assets must be isolated from non-CUI assets unless those non-CUI assets are designated as Security Protection Assets or Contractor Risk Managed Assets.”

Why other options are not correct:

A (WAN): Wide Area Networks describe external connectivity, not local separation.

B (VPN): VPN provides encrypted remote access but does not enforce local network segmentation.

D (NAT): NAT provides IP translation, not logical separation of traffic.

The OSC remains responsible for ensuring that any External Service Provider (ESP) such as a CSP supports compliance with CMMC. FedRAMP authorization is evidence, but the OSC must still demonstrate that the CSP’s services are being used in a manner that complies with CMMC Level 2 requirements.

Extract:

“The OSC is responsible for demonstrating that services provided by external providers are implemented and operated in a manner that complies with CMMC requirements for the OSC’s environment.”

Therefore, the OSC must provide proof of compliance in their environment, not simply rely on FedRAMP documentation.

The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:

Replan the assessment (adjust scope, timeline, or requirements), or

Reschedule the assessment (move the engagement to a later date).

Extract:

“Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled.”

Thus, the correct answer is B.

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.

To verify compliance with AC.L2-3.1.5 (Least Privilege), the assessor must confirm that privileged accounts are not used for routine or non-privileged tasks. Asking if a user uses their privileged account for tasks like researching vulnerabilities on the Internet directly tests whether the principle of least privilege is being followed.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

CMMC Assessment Guide: “Interviews should confirm that privileged accounts are used exclusively for privileged functions, and that standard accounts are used for general tasks.”

NIST SP 800-171A Objective: “Determine through interviews whether users employ privileged accounts for non-privileged tasks.”

Why other options are not correct:

A: Awareness of other privileged users is not the issue being assessed.

B: Knowledge of RBAC is useful but does not confirm account usage practices.

D: Provisioning procedures are an IT staff responsibility, not a user behavior check.

When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance do not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.

Exact extracts:

“Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent.”

“Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable.”

Why the other options are incorrect:

A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.

C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.

D: CSP B does meet the criteria.