You can gauge how well you know the Cyber AB CMMC-CCA exam material through these online practice questions before deciding whether to register for the exam.
If you want to pass the exam with a 100% score and cut your preparation time by 35%, choose the CMMC-CCA dumps (latest real exam questions), which currently include the 500 most recent exam questions and answers.
Question No : 1
A leading technology solutions provider works with various government agencies and commercial clients. To ensure the secure handling of CUI, the solutions provider has implemented a dedicated CUI enclave within its network infrastructure. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements.
Which separation technique can the technology solutions provider use to isolate the network assets in its CUI enclave?
Answer: Explanation:
Logical isolation is the most suitable technique for isolating network assets within an enclave. It leverages software and network configurations (firewalls, VLANs) to create separate logical segments within the same physical infrastructure.
Question No : 2
A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy.
Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2-Security Configuration Enforcement if the contractor is tracking it in a POA&M?
Answer: Explanation:
According to the CMMC Assessment Process (CAP), any practice being tracked or placed in a POA&M should be scored as Not Met. This status can only be changed during the POA&M Closeout Assessment, and only if the requirements of the POA&M Closeout Assessment are fully met. Regardless, CM.L2-3.4.2-Security Configuration Enforcement cannot be placed in a POA&M, as it does not meet the criteria set out in the Limited Practice Deficiencies section of the CAP.
Question No : 3
During a social event after work, a CCA from your C3PAO team brags about providing "consulting advice" to an OSC they recently assessed for CMMC compliance. You know this directly violates the CoPC's restrictions on CCAs offering such services during an assessment.
What is your ethical obligation in this situation?
Answer: Explanation:
Helping the CCA understand their obligations aligns with the CoPC requirement to first attempt to rectify the violation internally. A private conversation provides clarification and encourages the colleague to uphold ethical standards.
Question No : 4
The Cyber AB has completed an investigation into a report submitted by a CCA regarding a potential violation by another CCA. They have determined the violation falls within the scope of the relevant Industry Working Group's authority.
What is the likely course of action for the Cyber AB in this scenario?
A. Continue the investigation and make a final determination on the violation
B. Refer the incident to the relevant Industry Working Group for resolution, which may include remediation, coaching, or termination, with a right of appeal
C. Dismiss the report and take no further action
D. Immediately suspend the CCA's certification pending the working group's resolution of the incident
Answer: B Explanation:
In this scenario, the Cyber AB has determined that the potential violation is within the scope of the relevant Industry Working Group's authority. Therefore, the Cyber AB should refer the incident to the working group for resolution, which may include remediation, coaching, or termination of the CCA's certification, with the right to appeal the decision.
Question No : 5
An aerospace company stores backups of their design schematics (containing CUI) on a cloud service provider (CSP). The company enforces access controls through the CSP's interface, restricting access to authorized personnel only. However, the company has no formal policy requiring data encryption at rest within the CSP environment.
Data stored on the CSP's infrastructure is segregated, with CUI stored on a separate cluster from other data types. The CSP is authorized at a FedRAMP Moderate baseline, and the OSC regularly monitors access to backups. The CSP provides alerts for any suspicious activity that is detected.
In the context of CMMC practice MP.L2-3.8.9-Protect Backups, which of the following controls best addresses the confidentiality risk in the scenario, considering the existing measures?
Answer: Explanation:
While segregation and access controls are valuable, encryption directly addresses the confidentiality of data at rest as required by CMMC practice MP.L2-3.8.9-Protect Backups. CUI must be encrypted both at rest and in transit, whether between clouds, sent through email, or carried on USB drives.
Question No : 6
In preparation for a CMMC Level 2 assessment, an OSC must ensure their CUI handling practices are fully compliant with the laws, regulations, and government-wide policies.
Which of the following Laws, Regulations, or Government-wide Policies does the OSC employee NOT have to acquaint themselves with?
Answer: Explanation:
FISMA establishes guidelines and security standards to protect sensitive government information and operations. Such information includes CUI and FCI. However, Executive Order 13556 standardized how unclassified information should be protected, leading to the establishment of 32 CFR 2002 as the regulation governing Controlled Unclassified Information (CUI). The regulation established a CUI Executive Agent (EA), which NARA delegated to the ISOO Director. The EA maintains the CUI Registry and issues regular notices that are considered federal policy.
Question No : 7
During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, while others are not.
Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?
Answer: Explanation:
To determine assessment scope, system design documentation is not required at the initial stages of a Level 2 CMMC assessment. The Assessment Team focuses on reviewing essential documents outlined in the Level 2 Scoping Guide to verify the OSC's assessment scope. Required documents to determine scope include the SSP, network diagram(s), and asset inventory. Although system design documentation may be useful, it is not required for the Assessment Team's review at this stage.
Question No : 8
During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D., who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.'s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home.
Which principle of the CMMC Code of Professional Conduct did Liz most likely violate?
Answer: Explanation:
The drawing is the intellectual property of CoolPlanes Inc. and is confidential. Copying and printing it for a family member is unprofessional and violates confidentiality principles as well as her contract and NDA. It is also unlawful because it constitutes theft of the illustration.
Question No : 9
An OSC uses a third party in all system repairs and has hired an MSP for penetration testing. The third party comes for adaptive, preventive, perfective, or corrective system maintenance every three months, and the penetration tester does so continuously. Whenever the third party comes for maintenance, there's no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC.
To comply with CMMC practice MA.L2-3.7.1-Perform Maintenance, what should the OSC implement for the maintenance activities performed by the third-party vendor?
A. Perform all maintenance activities in-house without relying on a third-party vendor
B. Require the third-party vendor to provide detailed maintenance logs and records
C. Discontinue the use of the MSP for penetration testing
D. Increase the frequency of maintenance activities to monthly intervals
Answer: B Explanation:
Without documentation, the OSC has no evidence that maintenance was performed. This means the contractor will be assessed as Not Met for this practice (CMMC practice MA.L2-3.7.1-Perform Maintenance) regardless of how well the maintenance team did its job. Thus, the OSC should require the third-party vendor to provide comprehensive maintenance records and logs.
Question No : 10
You are assessing a contractor with a well-defined personnel security policy and procedures for screening individuals before granting access to CUI as part of their CMMC compliance. However, chatting with the security guards, you discover the contractor sometimes grants temporary access to CUI systems before completing the screening process, citing operational urgency.
When examining the contractor's procedures addressing personnel screening, which background checks would you NOT expect to find included?
Answer: Explanation:
The practice states that personnel security screening involves evaluating an individual's conduct, integrity, judgment, loyalty, reliability, and stability (trustworthiness) before granting access to CUI systems. While criminal, credit, civil, employment, and educational background checks are relevant for assessing trustworthiness, health background checks are not explicitly mentioned as part of the screening processes for this practice.
Question No : 11
As a CCA, you lead an Assessment Team conducting a CMMC assessment for an OSC. During the assessment, the OSC CEO pulls you aside and offers you a substantial sum of money ($50,000) if you are willing to overlook certain noncompliance issues the company is aware of.
If you accept the money, which Guiding Principle of the Code of Professional Conduct (CoPC) would you be violating?
Answer: Explanation:
This action violates the Code of Professional Conduct (CoPC) in several ways, including professionalism and adherence to materials and methods, and more specifically the principle of lawful and ethical practices, which requires assessors to "behave in a manner that is lawful and that upholds accepted ethical standards of professional practice and conduct in all activities that relate to carrying out your role in the CMMC ecosystem."
Receiving or giving a bribe is considered illegal in the United States. By accepting the bribe and agreeing to overlook the known noncompliance issues, you would actively participate in the OSC's illegal scheme and could be held criminally liable.
Question No : 12
An Assessment Team is reviewing the network diagram provided by an OSC. The diagram will help the team understand how the OSC has set up assets across its network and determine whether it has implemented network separation and enclaves to protect its CUI. During the review, the team noticed the network diagram does not clearly delineate the boundaries between the enterprise and CUI environments, raising concerns about the assessment scope.
What should the Assessment Team do in this situation?
Answer: Explanation:
The Lead Assessor should ensure the assessment scope is accurately defined, as it directly impacts the evaluation of the OSC's compliance with CMMC requirements. The OSC presents the CMMC Assessment Scope to the Lead Assessor, who then proceeds to verify its accuracy and integrity. In support of understanding and interpreting the CMMC Assessment Scope, the OSC must also provide the Lead Assessor with supporting documentation, such as network schematic diagrams, the System Security Plan (SSP), policies, and organizational charts.
In this scenario, the network diagram does not clearly delineate the separation and enclave implementation, which is essential to understanding the boundaries of the assessment. The Lead Assessor should request additional information and clarification from the OSC to better understand the separation and enclave implementation. The Lead Assessor is required to validate the OSC’s CMMC Assessment Scope. Any disagreements or differences of opinion concerning the CMMC Assessment Scope must be resolved before the actual Assessment can begin. This approach helps ensure the assessment is conducted within the correct context and provides a more accurate evaluation of the OSC's CMMC compliance.
Question No : 13
Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc.
The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems.
The contractor has also deployed an endpoint protection solution, and every employee is searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives or SD cards.
Which of the following does an OSC NOT have to define in their removable media use policy?
Answer: Explanation:
CMMC practice MP.L2-3.8.7-Removable Media mandates that OSCs limit the use of removable media to the smallest number needed and scan all removable media for viruses. While using organizational removable media is a good practice, CUI may be required at an offsite facility, mandating its transport on removable media. However, transmitting such information over the cloud or network is the best option. Encryption doesn't prevent authorized users from copying or leaking data, especially in cases of insider threats.
Question No : 14
The Cyber AB is the sole authorized certification and accreditation partner for the DoD in its CMMC program. It is responsible for overseeing and establishing a trained, qualified, and high-fidelity community of assessors, including C3PAOs and CCAs.
What is the main requirement before the Cyber AB can accredit an Assessor?
Answer: Explanation:
To oversee the certification process and provide the necessary accreditations to the trained CMMC ecosystem, the Cyber AB must achieve compliance with ISO/IEC 17011 (Conformity Assessment). This certification ensures the Cyber AB applies its accreditations consistently and provides impartial attestations to those certified, using international consensus-based standards. One condition of ISO 17011 certification is that it prevents the accrediting body from controlling the accreditation training program it designs.
Question No : 15
You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows the Contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network.
However, the Contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks.
What risks does the hybrid infrastructure with cloud storage and remote access introduce regarding CUI data flow?
Answer: Explanation:
By introducing cloud storage and remote access, there are more entry points for potential breaches. This wider access also makes it harder to track and control CUI data movement, increasing the risk of unauthorized access and making it more difficult to ensure compliance with data security regulations.