Free Cyber AB CMMC-CCA Exam Questions

Absolute Free CMMC-CCA Exam Practice for Comprehensive Preparation 

  • Cyber AB CMMC-CCA Exam Questions
  • Provided By: Cyber AB
  • Exam: Certified CMMC Assessor (CCA) Level 2
  • Certification: CMMC
  • Total Questions: 536
  • Updated On: Jan 15, 2026
  • Question 1
    • You are a CCA working for a C3PAO that has entered into a contractual agreement to provide CMMC assessment services for an OSC. After validating the evidence, the C3PAO feels that the task is beyond its capabilities and informs the OSC that it cannot continue with the assessment. The C3PAO cites "insufficient workforce" as the reason. What principle of the CMMC CoPC has the C3PAO broken?


      Answer: C
  • Question 2
    • While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. When assessing the contractor's information systems, how would you mark their implementation of AU.L2-3.3.1-System Auditing? 


      Answer: D
  • Question 3
    • A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2.3.1.19 - Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted. Which of the following is a reason why you would recommend container-based over full-device-based encryption?


      Answer: A
  • Question 4
    • An aerospace company stores backups of their design schematics (containing CUI) on a cloud service provider (CSP). The company enforces access controls through the CSP's interface, restricting access to authorized personnel only. However, the company has no formal policy requiring data encryption at rest within the CSP environment. Data stored on the CSP's infrastructure is segregated, with CUI stored on a separate cluster from other data types. The CSP is authorized at a FedRAMP Moderate baseline, and the OSC regularly monitors access to backups. The CSP provides alerts for any suspicious activity that is detected. Has the OSC taken sufficient measures to meet the requirements of CMMC practice MP.L2.3.8.9-Protect Backups? If not, what measures can they take to address the weaknesses?


      Answer: B
  • Question 5
    • A contractor plans to bid for a DoD contract and has installed new network file servers to separate their commercial and DoD work. When examining the server documentation, you realize the server has some open ports. Upon further testing, you learn that the server has some default features that are not essential for file storage or transfer. The server has a default remote desktop functionality that allows users remote access to the server's desktop environment. Files are transferred by default using FTP, which is less secure than the Server Message Block (SMB) protocol. However, the contractor's operations do not require remote access capabilities. Although the roles of each system are defined in their configuration management policy, a user can install any application or service they need. After some interviews, you learn that this ensures every employee is comfortable using the system or software they are most conversant with, despite there being defined services or software for carrying out specific functions. From this scenario, how has the contractor failed to meet the requirements of CM.L2.3.4.6-Least Functionality?

      Answer: A

© Copyrights DumpsEngine 2026. All Rights Reserved
