CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

Go to page:

Question # 4

While scoring the evidence for a particular CMMC practice, the Certified Assessor notes that one of the practice objectives is NOT MET, thereby scoring the entire practice as NOT MET. The OSC Assessment Official disagrees with the Certified Assessorâ€™s decision, and they both take the dispute to the Lead Assessor, who is unable to resolve the issue to the OSCâ€™s satisfaction.

How will this dispute be settled?

The Lead Assessor is the final arbiter of the dispute.

The OSC can supply adequate proof to the Cyber-AB to overturn the decision.

The Certified Assessor is certified and, as such, the decision will stand.

The Lead Assessor will present the dispute to the C3PAO Official, who will make a ruling.

Full Access

Question # 5

When a CCA is assessing a control through Examine, what MUST they meet?

Documents utilized for review must be in their mailed form

Documents must be policy, process, and procedure documents

Training materials reviewed can be in-process as they are for educational purposes

System-level, network, and data flow diagrams must be completed in draft format

Full Access

Question # 6

An OSC has built an enclave for its production environment. The enclave sits behind a firewall, with all equipment connected through a switch. There is a shipping workstation and physically connected label printer (used for the sales system, which does not process CUI) that the OSC claims are Contractor Risk Managed Assets (CRMA). Other than showing that the shipping workstation and label printer are not intended to store or transmit CUI, and documenting them in the SSP,

how BEST would the OSC show that the shipping workstation and label printer are Contractor Risk Managed Assets?

Document in the asset inventory and include them in the network diagram to facilitate scoping discussions during the pre-assessment.

Document the shipping workstation and label printer in the asset inventory; show that they are managed using vendor-recommended risk-based security practices; and include them in the network diagram.

Document the shipping workstation and label printer in the asset inventory; show that they are managed using the organizationâ€™s risk-based security policies and procedures; and include them in the network diagram.

Document the shipping workstation and label printer in the asset inventory; show that they are managed using industry risk-based security best practices; and include them in the network diagram to facilitate scoping discussions during the pre-assessment.

Full Access

Question # 7

An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?

Examine the system architecture of the OSC to identify privileged accounts

Test the processes for non-privileged accounts to perform privileged functions

Examine the procedure assigning privileged roles to non-privileged functions

Test the processes for privileged accounts with privileged users

Full Access

Answer:

Explanation:

For AC.L2-3.1.7 (Restrict Use of Privileged Accounts), it is not enough to rely on interviews or documented procedures. The assessor must also Examine technical evidence to ensure that privileged accounts exist as described and are properly controlled. Reviewing system architecture, account listings, and role assignments validates that privileged access aligns with policy and that inappropriate assignments do not exist.

Exact extracts:

â€œAssessment Objectives â€¦ Determine if: privileged accounts are identified; privileged functions are restricted to privileged accounts; and use of privileged accounts is monitored.â€

â€œAssessment Methods â€“ Examine: account management policy; system architecture documentation; system security plan; privileged account listings.â€

â€œAssessment Methods â€“ Test: attempt to use non-privileged accounts to execute privileged functions.â€

Expanded explanation:

Assessors typically proceed in layers:

Interview: Confirm staff knowledge of policy and practice.

Examine: Verify account structures in system architecture or AD group membership lists. This ensures the number and type of privileged accounts match staff descriptions.

Test (if required): Confirm that non-privileged users cannot perform privileged actions.

Why other options are incorrect:

B: Testing non-privileged accounts is useful but is not the next immediate validation step after confirming policy/procedures. Examination comes first.

C: This phrasing implies giving privileged roles to non-privileged functions, which would itself be a finding.

D: Testing with privileged users verifies activity monitoring, but not whether privileged accounts are properly scoped.

[References:, CMMC Assessment Guide â€“ Level 2, AC.L2-3.1.7 â€œRestrict Use of Privileged Accounts.â€, NIST SP 800-171 Rev. 2, 3.1.7., ===========]

Question # 8

FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSCâ€™s CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?

Cryptographic section of the OSCâ€™s SSP

Vendor cryptographic module documentation

NIST Module Validation Program

Cryptographic section of the Shared Responsibility Matrix

Full Access