During the assessment of a company, the CCA learns that 50% of employees work from home using remote access. After reviewing the Access Control policy and audit logs, the CCA is unsure how the system ensures only employees with correct privileges can access CUI. The CCA decides a Test of functionality is required. Which question is of the LEAST concern to the CCA?
The Lead Assessor is conducting an assessment for an OSC. The Lead Assessor has finished collecting and examining evidence from the assessment.
Based on this information, what is the NEXT logical step?
The OSC prints out documents it receives via email that are marked as CUI. According to MP.L2-3.8.4: Media Markings,
what should the Assessor expect to see on the printouts?
The OSC’s network consists of a single network switch that connects all devices. This includes the OSC’s OT equipment, which processes CUI. The OT controller requires an unsupported operating system.
What can the Lead Assessor BEST conclude about the overall compliance with MA.L2-3.7.1: Perform Maintenance?
An OSC seeking Level 2 certification is migrating to a fully cloud-based environment. The organization wants to select a Cloud Service Provider (CSP) that can share responsibilities for CMMC Level 2 requirements. Assume both CSPs can equally provide the technical capabilities and business value required.
CSP A has SOC 2 certification and is California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) compliant.
CSP B has SOC 2 and FedRAMP Moderate certifications.
Based on this information, which CSP is MOST LIKELY to be acceptable?
In completing the assessment of practices in the Access Control (AC) domain, a CCA scored AC.L2-3.1.15: Privileged Remote Access as NOT MET. The OSC was notified of this deficiency at the end of day two of the assessment. On day five of the assessment, the OSC’s Assessment Official contacted the CCA to provide evidence that the deficiencies have been corrected.
What is the CCA’s NEXT step?
The Assessment Team is meeting with the OSC team and experiences a situation where some members of the OSC team describe the IT infrastructure differently from others. In some discussions, one person identifies a series of ESPs, while another describes the infrastructure as on-premises. What should the Lead Assessor do to clarify the actual operational environment?
A company has multiple sites with employees at each site that must access the company’s CUI network from their remote locations. The company has set up a single access point for all employees to access the network. What is the MOST significant factor in determining whether the security on this single access point is adequate?
A company mirrors its FCI/CUI data storage in a cloud environment. Data is managed across multiple virtual machines (VMs). To satisfy requirements for data security of the LOCAL copy using physical controls, what should the OSC do?
An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked “Authorized for CUI printing.” What is the NEXT step the Lead Assessor should take regarding PE.L2-3.10.3: Escort Visitors?
While conducting a CMMC Level 2 assessment at a 100-person manufacturing company, the assessor receives a yellow badge labeled “SPECIAL ACCESS.” The assessor observes multiple badge types used by staff and visitors. The client explains that only three badge colors correspond to controlled access (with electronic access), while the rest are identifiers for seniority. How can the assessor BEST verify that the three colors are the only badges capable of accessing controlled areas for CUI-related activities?
The Lead Assessor is reviewing the Assessment Plan to identify people for interviews regarding a specific Level 2 practice. Some OSC personnel previously interviewed provided only brief answers without meaningful verification. What can the Lead Assessor do to improve this situation going forward?
ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?
An OSC is preparing for an assessment and wants to gather evidence that will be used by the Lead Assessor to determine the scope of the assessment. The OSC currently operates a hybrid network, with part of their infrastructure at their physical location and part of their infrastructure in a cloud environment.
What evidence should the OSC collect that would assist the Lead Assessor in determining cloud and hybrid environment constraints?
A CCA is asked to validate if an OSC has separated their systems containing CUI from other departments’ systems on their local network. Which of the following MUST the CCA assess?
A CCA is assessing the implementation of SC.L2-3.13.7: Split Tunneling control via the examine method. Which scenario MUST be correct to determine if the practice is MET?
A CCA is conducting an interview with an OSC team member about an offering from a well-known Cloud Service Provider (CSP). The offering is known to be secure, but the OSC has not provided evidence and the person being interviewed is unsure how the offering works. Will this offering be accepted by the Assessment Team?
An Assessor is evaluating whether an OSC has implemented adequate controls to meet AC.L2-3.1.7: Privileged Functions. The OSC has procedures that define privileged vs. non-privileged account provisioning and an access control policy that restricts execution of certain functions only to privileged users.
What might the Assessor do to further evaluate the implementation of this practice?
An OSC processes data in its owned data center. The data center includes a very early smoke detection apparatus (VESDA). The apparatus only captures log information from its sensors around the data center. It is not intended, nor capable of, processing CUI. The VESDA is on a separate VLAN and is in a separate locked room in the data center.
Should the assessor agree that the VESDA is out-of-scope?
An assessor is trying to determine if an OSC performs scans of their information system and real-time scans of files from external sources as files are downloaded or executed.
Which evidence is LEAST LIKELY to help this assessor?
An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:
System inventory records showing additions/removals of machines,
Software inventory showing installations/removals, and
A system component installation plan with software needs and user specifications.
What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?
While conducting a CMMC Level 2 self-assessment, an organization’s Chief Information Security Officer asks the system administrator for evidence that remote access is routed through fully managed access control points. Which documentation would BEST demonstrate that all remote access is routed through managed access control points?
The Lead Assessor is compiling the assessment results, which must contain the status for each of the applicable practices. Some practices have been placed in the limited practice deficiency correction program. Multiple areas have been reviewed, including HQ, host units, and a specific enclave.
In order to properly report the findings, the Lead Assessor MUST:
AC.L2-3.1.6: Non-Privileged Account Use is being assessed. Which procedure BEST meets all of the standards for non-privileged account use?
The Lead Assessor has conducted an assessment for an OSC. The OSC’s practices have been scored and preliminary results validated. Based on this information, what is the NEXT logical step?
Testing is one assessment method the Lead Assessor may choose depending on the assessment scope and evidence provided by the OSC. During the Plan Phase, the Lead Assessor and OSC POC agree on who the people are that are involved in a particular practice so that it could be tested if determined appropriate. During the discussion, the OSC POC tells the Lead Assessor that the production system is in use and cannot be stopped for the testing to take place but offers a mirrored system for testing. The Lead Assessor decides:
During an assessment, the OSC IT security team provided documentation on how they use replay-resistant authentication to protect CUI. What can be used as a replay-resistant mechanism?
During a CMMC Assessment, the assessor is determining if the Escort Visitors practice is MET. Personnel with which of the following responsibilities would be MOST appropriate to interview?
A company is undergoing a CMMC Level 2 Assessment. The Assessment Team is planning and preparing the assessment. Who is responsible for identifying methods, techniques, and responsibilities for collecting, managing, and reviewing evidence?
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?
While completing the Level 2 Assessment, the Lead Assessor found that the OSC was deficient on a number of CMMC practices. Forty practices were scored as NOT MET, all on the Authorized Deficiency Corrections list. The OSC remediated 17 of those during closeout, leaving 23 practices still NOT MET. What should the Lead Assessor recommend?
While conducting a CMMC Level 2 gap analysis with a large defense contractor, a CMMC RP confirms that the organization uses a RADIUS server for authentication. What additional method could be used to comply with AC.L2-3.1.17: Wireless Access Protection?
The Lead Assessor concludes that the OSC is not ready for the assessment. After the Readiness Assessment Review, the OSC and the Lead Assessor could choose to:
An OSC is preparing for assessment. Which item of evidence would show the OSC’s efforts to restrict physical access within the OSC’s environment?
An OSC seeking Level 2 certification is working with an ESP. The organization is trying to determine if the ESP is considered within the assessment and is reviewing the Service Level Agreement (SLA) between the organization and the ESP. Which SLA component should be taken into consideration to determine if the ESP is within the assessment scope?
FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSC’s CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?
An OSC has a large multi-building facility. One building is used as the OSC’s data center. A guard is stationed at the entrance to the data center. A vendor engineer comes onsite to perform maintenance on the storage array in the data center. The guard knows the engineer well and has the engineer fill out the visitor log with the contact person’s name and phone number, the reason for the visit, and the date and time. Since the guard has known the engineer for many years, what is the BEST step the guard should take?
While conducting a CMMC Level 2 Assessment for a small waveguide manufacturer, the client provides a copy of their CMMC Level 1 Self-Assessment that their senior official has recently approved and uploaded to the Supplier Performance Risk System (SPRS). What type of information may be covered within the Level 1 Self-Assessment that is OUTSIDE the scope of a Level 2 assessment?
During a company’s assessment, the CCA notices that the server room door is kept open with a fan in the entryway because the cooling system is inadequate and the machines are overheating. According to the physical protection policy, the server room’s keypad is the mechanism for managing and controlling access to this equipment, and only the IT team should have access to the server room. However, with the door open, the keypad is not necessary, and anyone can enter the room.
The CCA asks the IT manager how access to this room is protected while the door is open. Which response would allow the company to still meet the physical security requirement?
When a CCA is assessing a control through Examine, what MUST they meet?
The client has a Supervisory Control and Data Acquisition (SCADA) system as OT to be evaluated as part of its assessment. In reviewing network architecture and conducting interviews, the assessor determines that a firewall separates the SCADA system from the client’s enterprise network and that CUI is not processed by the SCADA system. Based on this information, what is an appropriate outcome?
Some OSCs share real estate with other companies. To protect FCI/CUI behind unmanned entrances to buildings, floors, or other areas where FCI/CUI is created, used, stored, or transmitted, which of the following is the BEST method?
While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.
Are the data provided sufficient to determine that the OSC limits connection to external information systems?
The assessment team is discussing the pre-assessment scope with an OSC. The OSC would like to limit the scope of the security requirements in environments that contain FCI and/or CUI. In this case, the OSC should: