A contractor has recently allowed their employees to work remotely. The employees can access CUI remotely through a VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets) that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructure that contain CUI. Which of the following is a reason why the contractor's use of SSH should concern you?
You are the Lead Assessor assigned by your C3PAO to conduct a CMMC Assessment for a small manufacturing company, Precision Parts Inc. (PPI). During the initial coordination call with PPI's management team, you learn that PPI is a wholly-owned subsidiary of a larger corporation, Acme Manufacturing Holdings (AMH). PPI operates as an independent business unit within AMH and has its own IT infrastructure and cybersecurity policies. You need to determine the appropriate corporate entity to be assessed as the "Organization Seeking Certification" (OSC). If PPI outsources its payroll and human resources functions to an external service provider, HR Solutions, LLC, how would HR Solutions, LLC be categorized in the context of a CMMC assessment?
While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 – Identifier Reuse if you find issues with its implementation?
An OSC uses a third party for all system repairs and has hired an MSP for penetration testing. The third party comes for adaptive, preventive, perfective, or corrective system maintenance every three months, and the penetration tester does so continuously. Whenever the third party comes for maintenance, there is no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC. Based on this scenario, how would you score the contractor's implementation of MA.L2-3.7.1 – Perform Maintenance?
As a CCA, you are conducting an assessment of an OSC's implementation of AC.L2-3.1.7 – Privileged Functions. This requirement mandates that the organization prevent non-privileged users from executing privileged functions and capture the execution of such tasks in audit logs. During your assessment, you want to determine whether the OSC has properly defined privileged functions, as assessment objective [a] requires. Which Assessment Objects would you most likely examine to make this determination?