Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Certified CMMC Assessor (CCA) Exam

Last Update 11 hours ago Total Questions : 150

The Certified CMMC Assessor (CCA) Exam content is now fully updated, with all current exam questions added 11 hours ago. Deciding to include CMMC-CCA practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our CMMC-CCA exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these CMMC-CCA sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any Certified CMMC Assessor (CCA) Exam practice test comfortably within the allotted time.

Question # 21

While examining evidence, a CCA is trying to confirm the claim that the OSC has identified all information system users, processes acting on behalf of users, and all devices.

Which of the following provides the STRONGEST evidence of this practice?

A.

Lists of system accounts and devices and system audit logs and records

B.

System design documentation and other relevant documents or records

C.

Procedures addressing user and system identification and authentication and SSP

D.

Identification and authentication policy and system configuration settings and associated documentation

Question # 22

In validating the OSC’s implementation of AC.L2-3.1.16: Wireless Access Authorization , the CCA observes various personal and non-enterprise devices connected to the OSC’s Wi-Fi. Because organizations handle wireless access differently, the CCA must locate evidence showing who has ultimate authority over wireless access. Which authority is acceptable for authorizing wireless access?

A.

The CEO mandating IT to add their personal phone to the company Wi-Fi

B.

A written policy executed by the CEO listing the pre-authorization requirements for Wi-Fi connectivity

C.

The CEO emailing the company instructing everyone to put personal devices on the company Wi-Fi

D.

A detailed document from the head of IT with instructions on how to connect to the guest Wi-Fi network

Question # 23

An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:

    System inventory records showing additions/removals of machines,

    Software inventory showing installations/removals, and

    A system component installation plan with software needs and user specifications.

What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?

A.

Documentation of the physical safeguards protecting the “gold” baseline images

B.

Documentation of a formal baseline review integrated with a system development lifecycle

C.

Documentation of any authorized deviations from the system baselines for end-user computers

D.

Documentation of a formal chain of custody for new hardware on which baselines will be installed

Question # 24

The OSC POC has prepared evidence from an internal pre-assessment for the C3PAO in preparation for a third-party assessment. The OSC POC has identified that there are several ESPs (External Service Providers) involved in protecting the security of the infrastructure. While reviewing the pre-assessment documentation regarding ESPs, the Lead Assessor will be looking for items that are:

A.

Noted as inherited

B.

Marked as requiring a waiver

C.

Marked as NOT APPLICABLE

D.

Noted as partially implemented

Question # 25

During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?

A.

No, the escort is not allowed to sit down

B.

No, the escort must always be in the same room

C.

Yes, since the visitor can only use a single entry

D.

Yes, so long as the visitor’s actions can still be viewed by the escort

Question # 26

The assessor begins the assessment by meeting with the client’s stakeholders and learns that multiple subsidiaries exist. In order to perform a complete assessment, the assessor must review documents from multiple entities as multiple, corresponding Commercial and Government Entity (CAGE) codes were provided. Which of the following entities may receive certification as a result of this?

A.

HQ organization

B.

HQ organization and Host unit

C.

Host unit and Supporting Organizations/Units

D.

HQ organization, Host unit, and Supporting Organizations/Units

Question # 27

A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor’s documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in-scope in the documentation?

A.

If the assessor sees personnel carrying locked cases into the other building or area

B.

If the OSC has an underground passageway connecting the CUI building to a non-CUI building

C.

If network diagrams indicate the commercial and federal sectors share a single Internet connection

D.

If Human Resources that supports both commercial and federal sectors sits in the other building or area

Question # 28

A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?

A.

Incidents are tracked and documented

B.

Incident sources are configured and tuned

C.

Law enforcement officials are automatically notified during an incident

D.

Forensic investigations are performed to determine the impact of the incident

Question # 29

A company has a server in its own Virtual Cloud used as a CUI enclave. There is a point-to-point VPN between the OSC’s office and the cloud environment. Designated users have direct access to the enclave when in the office. When working remotely, those users must establish a VPN connection between their company laptop and the cloud server.

During the assessment, the CCA asks the IT manager about external connections.

How many external connections are within the boundary for this assessment?

A.

The system has one external connection through the VPN when working outside the office.

B.

The system has no external connections since the OSC operates the connections and the enclave.

C.

The system has one external connection through the dedicated VPN between the office and the Cloud.

D.

The system has two external connections: one through the user-initiated VPNs and one to the company’s office.

Question # 30

The Assessment Team is meeting with the OSC team and experiences a situation where some members of the OSC team describe the IT infrastructure differently from others. In some discussions, one person identifies a series of ESPs, while another describes the infrastructure as on-premises. What should the Lead Assessor do to clarify the actual operational environment?

A.

Review the network diagrams

B.

Interview an authoritative OSC representative

C.

Review the system interconnection agreements

D.

Ask for the contact information of the identified ESPs

Go to page: