Question 1

CMMC MA.L2-3.7.6 – Maintenance Personnel requires that maintenance personnel without required
access authorization be supervised during maintenance activities. One of the ways organizations can
achieve this is to develop a documented procedure for supervised maintenance activities. Which of
the following elements should be excluded from the documented procedure?

Accepted Answer

A

Explanation: A documented procedure for supervised maintenance should focus on the process and controls for the activity itself. It must define the scope of authorized actions for the maintenance personnel (B), provide emergency contacts for incident response (C), and detail how the supervision will be conducted and monitored (D). Including a detailed list of all CUI assets (A) is inappropriate for a procedural document. This information is an asset inventory, not a process step. Including it would create an unnecessary security risk by aggregating sensitive location information into a document that may have wider distribution than the asset inventory itself.

Question 2

A defense contractor retains your services to assess their information systems for CMMC compliance,
particularly configuration management. The contractor uses CFEngine 3 for automated configuration
and maintenance of its computer systems and networks. While chatting with the network’s system
admins, you realize they have deployed a modern compliance checking and monitoring tool.
However, when examining their configuration management policy, you notice the contractor uses
different security configurations than those recommended by product vendors. The system
administrator informs you they do this to meet the minimum configuration baselines required to
achieve compliance and align with organizational policy. Based on your understanding of the CMMC
Assessment Process, how would you score CM.L2-3.4.2 – Security Configuration Enforcement if the
contractor is tracking it in a POA&M?

Accepted Answer

A

Explanation: According to the CMMC Assessment Process (CAP), a practice is scored based on its implementation status at the time of the assessment. A Plan of Action & Milestones (POA&M) is a document used to track planned measures to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. The very existence of a POA&M for a specific practice, such as CM.L2-3.4.2, is an explicit acknowledgment by the organization that the practice is not currently fulfilled. Therefore, during a CMMC assessment, any practice being tracked in a POA&M must be scored as "NOT MET." The organization has a plan to fix it, but it is not fixed at the time of evaluation.

Question 3

The Certification Assessment Readiness Review (CA-RR) aims to determine whether the OSC and the
Assessment Team are ready to conduct the assessment as planned and within the allocated time. It
addresses all of the following aspects of readiness to conduct the assessment except which one?

Accepted Answer

A

Explanation: The Certification Assessment Readiness Review (CA-RR) is a procedural milestone focused on the operational readiness to conduct the CMMC assessment. Its purpose is to confirm that both the Organization Seeking Certification (OSC) and the Assessment Team have all necessary resources, schedules, and logistical arrangements in place. It also addresses any risks that could impede the assessment process itself. The CA-RR is not the assessment; it does not involve evaluating the OSC's implementation of security controls or determining their actual cybersecurity posture. That evaluation is the objective of the assessment that follows the CA-RR.

Question 4

When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC
Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to
complete specific documents. The CAP also provides templates, some of which the Assessor must
use and complete during specific phases. A CCA must complete all the following documents in Phase
1 of the CAP, EXCEPT?

Accepted Answer

A

Explanation: The CMMC Assessment Process (CAP) is structured into four distinct phases. Phase 1, "Plan and Prepare for the Assessment," involves initial scoping, readiness reviews, and logistical planning. During this phase, the Assessor uses the CMMC Pre-Assessment Form Data Template, the CMMC Assessment Readiness Review (CA-RR) Checklist, and, if applicable, the Virtual Assessment Evidence Preparation Template. The CMMC Assessment Quality Review Checklist, however, is not used until Phase 4, "Assessment Closeout." This final phase requires the C3PAO to conduct a thorough quality review of the entire assessment package before submission, ensuring all documentation is complete and accurate.

Question 5

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a
robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data.
After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a
battery life indicator is displayed. How is Session Lock typically initiated?

Accepted Answer

A

Explanation: The scenario describes a session lock activating after a specific period of user inactivity (5 minutes). This aligns directly with CMMC requirements, which are based on NIST SP 800-171. The primary purpose of this control is to automatically prevent unauthorized access to an unattended system after a defined period has elapsed without user interaction. The automatic, time-based initiation is the key mechanism for enforcing this security policy consistently, as described in the question's details.

Question 6

During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls
ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as
planned and has expressed willingness to accommodate a smaller assessment team. Can the Lead
Assessor proceed with the assessment using a reduced assessment team size?

Accepted Answer

A

Explanation: The C3PAO and its designated Lead Assessor are responsible for determining the appropriate size and composition of the assessment team based on the assessment's scope. The primary requirement is that the team collectively possesses the necessary competence and qualifications to assess all CMMC practices and objectives within that scope. If a team member becomes unavailable, the Lead Assessor must re-evaluate if the remaining members can still provide full and adequate coverage. If they can, and the OSC agrees to proceed, the assessment can continue. The decision is based on the team's capability, not a fixed roster, ensuring the integrity and validity of the assessment are maintained.

Question 7

During a CMMC assessment, an OSC employee asks the CCA if their current security measures are
“good enough” to pass the assessment. The CCA responds by saying, “I can’t tell you that, but here’s
what the CMMC requires for this practice.” What principle of the CoPC does this response uphold?

Accepted Answer

C

Explanation: The Certified CMMC Assessor (CCA) upholds the principle of objectivity by refusing to provide a subjective opinion ("good enough") or engage in consulting. Instead, the CCA directs the Organization Seeking Certification (OSC) back to the objective, verifiable requirements of the CMMC standard. This action ensures that the assessor's judgment remains impartial, free from bias, and is based solely on the evidence presented against the established criteria, which is the core tenet of objectivity in an assessment context.

Question 8

An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

Accepted Answer

C

Explanation: Under the CMMC 2.0 program, an Organization Seeking Certification (OSC) that receives a "CMMC Level 2 Conditional Certification" is permitted to have a Plan of Action & Milestones (POA&M) for certain non-critical, unmet practices. The OSC is granted a 180-day period, starting from the assessment's completion date, to remediate these items. Since the OSC submitted evidence of corrective actions at 170 days, they are within the allowed timeframe. The C3PAO is therefore able to proceed with a POA&M close-out assessment to verify that the remediation actions are complete and effective.

Question 9

Regarding virtual data collection, which of the following actions is the highest priority?

Accepted Answer

B

Explanation: The highest priority in a formal assessment context, such as CMMC, is the comprehensive planning, risk management, and documentation of the methodology. This foundational step ensures that all aspects of the virtual data collection process are considered, structured, and defensible. It involves identifying the specific techniques to be used, proactively assessing the associated risks, defining appropriate mitigations (which include training and encryption), and establishing clear protocols for the management and protection of all sensitive information (CUI, FCI, and OSC proprietary data). This documented plan governs all subsequent activities, ensuring they are performed securely and consistently.

Question 10

When assessing an OSC’s compliance with IR requirements, you realize they have deployed a system
that tracks incidents, documents details, and updates the status throughout the incident response
process. Personnel to whom incidents must be reported are identified and designated. While
examining their documentation, you come across an incident response template that they use to
capture all relevant information and ensure consistency in reporting to the identified authorities and
organizational officials. Interviewing the IR team, you learn there is an escalation process that the
contractor’s cybersecurity team can use to address more serious incidents. From the scenario, the
contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 – Incident Reporting,
meaning its implementation of the said practice will be scored MET with a total of 5 points. For how
long must the OSC retain the incident records?

Accepted Answer

B

Explanation: The question addresses the retention period for incident records for a Department of Defense (DoD) contractor, which is governed by the Defense Federal Acquisition Regulation Supplement (DFARS). While the scenario describes the implementation of CMMC practice IR.L2-3.6.2, the specific retention requirement flows down from DFARS Clause 252.204-7012. This clause mandates that when a contractor discovers a cyber incident, they must preserve and protect images of affected systems and all relevant monitoring data for at least 90 days from the submission of the incident report. This allows the DoD the opportunity to request the media for forensic analysis or to decline interest.

Question 11

Any user that accesses CUI on system media should be authorized and have a lawful business
purpose. While assessing a contractor’s implementation of MP.L2-3.8.2 – Media Access, youexamine
the CUI access logs and the role of employees. Something catches your eye where an ID of an
employee listed as terminated regularly accesses CUI remotely. Walking into the contractor’s
facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the
table. Interviewing the organization’s data custodian, they informed you that a media storage
procedure is augmented by a physical protection and access control policy. Based on the scenario
and the requirements of CMMC practice MP.L2-3.8.2 – Media Access, which of the following actions
would be the highest priority recommendation for the contractor?

Accepted Answer

B

Explanation: The most critical vulnerability identified is a terminated employee's continued remote access to Controlled Unclassified Information (CUI). This is a direct and severe failure to implement MP.L2-3.8.2, which requires controlling access to media containing CUI. An individual whose employment has been terminated is, by definition, no longer authorized. This situation represents an active, ongoing security breach. Therefore, the highest priority is to establish and enforce a process that ensures access is immediately revoked upon an employee's termination. This action directly mitigates the most significant risk and addresses the root cause of the access control failure.

Question 12

An aerospace company has requested a CMMC assessment for an enclave only. Your team has
verified that the company has a valid CAGE code and is registered with SAM.gov. However, the
enclave has no separate CAGE code or SAM registration. Can the assessor proceed with the CMMC
assessment solely for the enclave, or is an assessment of the entire aerospace company’s network
required?

Accepted Answer

A

Explanation: The assessor can and should proceed with the assessment scoped to the enclave. The CAGE code and SAM.gov registration identify the legal entity, the Organization Seeking Certification (OSC), not the specific assessment boundary. The CMMC framework explicitly allows an OSC to define the assessment scope, such as an enclave, which contains the systems that process, store, or transmit Controlled Unclassified Information (CUI). The assessor's role is to validate that this defined scope is appropriate and that all CUI assets are included within the boundary. The absence of a separate CAGE code for the enclave is irrelevant as it is part of the larger, registered organization.

Question 13

A representative of a CMMC Level 2 certified DoD contractor has reached out to you as a CCA for an
explanation of FedRAMP equivalency. They want to use a Cloud Service Offering (CSO) from a
renowned CSP, but in light of the DoD FedRAMP equivalency memo, they are reluctant. In your
conversation, you learn that although the CSO has impressive features, the assessment by a
FedRAMP 3PAO resulted in a Plan of Action and Milestones (POA&M) that the CSP is remedying.
What is the main reason the contractor shouldn’t use the CSP’s services?

Accepted Answer

D

Explanation: The Department of Defense (DoD) CIO memo on FedRAMP equivalency, dated June 8, 2022, mandates that for a Cloud Service Offering (CSO) to be considered "FedRAMP Moderate equivalent," it must achieve 100% compliance with the FedRAMP Moderate security control baseline. The existence of an open Plan of Action and Milestones (POA&M) signifies that there are unresolved security findings. Therefore, the CSO has not met the mandatory 100% compliance threshold. This failure to meet the baseline is the primary regulatory reason the contractor is prohibited from using the service for Covered Defense Information (CDI) under DFARS 252.204-7012.

Question 14

An OSC is undergoing a CMMC assessment by a C3PAO. The assessment team has been on-site for
several days, reviewing the OSC’s systems, policies, and procedures against the CMMC requirements.
Each day, the assessment team holds a "daily checkpoint" meeting with the OSC’s security team and
representatives. This checkpoint serves an important purpose in the overall assessment process.
What is the significance of the Daily Checkpoint meeting in the CMMC assessment process?

Accepted Answer

D

Explanation: The Daily Checkpoint meeting is a critical, interactive component of the CMMC assessment. Its primary significance is to facilitate transparent communication between the Assessment Team and the Organization Seeking Certification (OSC). During these meetings, the team discusses preliminary observations and identifies any potential gaps or areas needing further clarification. This provides the OSC an immediate opportunity to present additional or clarifying evidence to address these points. This iterative process ensures the assessment is thorough and that findings are based on the most complete information available, preventing misunderstandings and streamlining the overall process.

Question 15

After you ask to examine some audit records, the contractor's system administrator informs you that
there is a process to follow before accessing them. The logs are hashed using SHA-512 algorithms,
and the system administrator has to run an algorithm to recalculate the hashes for the audit records
to verify their integrity before running a decryption algorithm to decrypt the data. Since this might
take some time, you tour the facility while interviewing personnel with audit and accountability
roles. You see an employee holding the door for another without using their physical access card.
While interviewing the contractor's employees, you find that they can access all audit logging tools
and tweak the settings according to their needs or requirements. Upon examining the contractor's
access control policy, you realize they have not defined the measures to protect audit logging tools.
Which of the following statements accurately describes the contractor's compliance with protecting
audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8
– Audit Protection?

Accepted Answer

D

Explanation: The contractor is not compliant with AU.L2-3.3.8. This CMMC practice requires the protection of both audit information and audit logging tools from unauthorized access, modification, and deletion. The scenario explicitly states two key findings that demonstrate non-compliance: 1. The contractor's access control policy has not defined the required protection measures for audit logging tools. 2. Employees can access all audit logging tools and "tweak the settings," which constitutes unauthorized access and modification, as such permissions should be restricted based on the principle of least privilege. The presence of integrity checks (hashing) for audit records addresses a different control (e.g., AU.L2-3.3.4) but does not satisfy the requirement to protect the tools themselves.

Free Cyber AB CMMC-CCA Actual Exam Questions