Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Certified CMMC Assessor (CCA) Exam

Last Update 11 hours ago Total Questions : 150

The Certified CMMC Assessor (CCA) Exam content is now fully updated, with all current exam questions added 11 hours ago. Deciding to include CMMC-CCA practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our CMMC-CCA exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these CMMC-CCA sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any Certified CMMC Assessor (CCA) Exam practice test comfortably within the allotted time.

Question # 31

An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:

A.

Maintain a list of authorized personnel and assign them a building key.

B.

Maintain security cameras to continuously monitor access to the building.

C.

Install a badge system and require each individual to use their badge to gain entry to the building.

D.

Install a keypad system and require the entry code to be changed when an individual leaves the company.

Question # 32

A company has multiple sites with employees at each site that must access the company’s CUI network from their remote locations. The company has set up a single access point for all employees to access the network. What is the MOST significant factor in determining whether the security on this single access point is adequate?

A.

Remote access is secured and monitored.

B.

Physical access is monitored and controlled.

C.

The security requirements for CUI and FCI are documented.

D.

The remote personnel have notification procedures regarding connection issues.

Question # 33

During discussions with an OSC, the assessment team learned that many employees often need to work from remote locations and, as a result, are permitted to access the organization’s internal networks from those remote locations. To ensure secure remote access requirements are being met, remote access sessions need NOT be:

A.

Validated

B.

Identified

C.

Permitted

D.

Controlled

Question # 34

An OSC seeking Level 2 certification has a fully cloud-based environment. The assessor must evaluate fulfillment of Level 2 requirements the OSC implements versus those handled by the cloud service provider. Which document would be BEST to identify the Level 2 requirements handled by the OSC’s cloud provider?

A.

Zero Trust Architecture

B.

Shared Responsibility Matrix

C.

Cloud Security Baseline White Paper

D.

Identity and Access Management (IAM) Plan

Question # 35

FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSC’s CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?

A.

Cryptographic section of the OSC’s SSP

B.

Vendor cryptographic module documentation

C.

NIST Module Validation Program

D.

Cryptographic section of the Shared Responsibility Matrix

Question # 36

A company is seeking Level 2 CMMC certification. During the Limited Practice Deficiency Correction Evaluation, the Lead Assessor is deciding whether the company can be moved to a POA & M Close-Out. What condition will result if a POA & M Close-Out option cannot be utilized?

A.

The assessment will be paused until the OSC can meet all practices.

B.

The Lead Assessor will ask the OSC to justify not meeting all the practices.

C.

The OSC will be granted a provisional status until it can meet all the practices.

D.

The Lead Assessor will not recommend the OSC for CMMC Level 2 certification.

Question # 37

While reviewing CA.L2-3.12.3: Security Control Monitoring , the CCA notices that the assessment period is defined as one year. An OSC ' s SSP states that under CA.L2-3.12.3, security controls are monitored using the same one-year periodicity to ensure the continued effectiveness of the controls. The assessor understands that some CMMC practices can reference other practices for the entirety of their implementation. Is the OSC’s implementation under CA.L2-3.12.3: Security Control Monitoring acceptable?

A.

No, even when referencing other practices more description is always needed.

B.

No, monitoring must be conducted on an ongoing basis to ensure continued effectiveness.

C.

Yes, a one-year period for security control monitoring is acceptable.

D.

Yes, as long as CA.L2-3.12.1 has been scored as MET, they do need to be monitored.

Question # 38

A company is undergoing a CMMC Level 2 Assessment. The Assessment Team is planning and preparing the assessment. Who is responsible for identifying methods, techniques, and responsibilities for collecting, managing, and reviewing evidence?

A.

Lead Assessor

B.

Assessment Team Member

C.

C3PAO Quality Oversight Manager

D.

CMMC Quality Assurance Professional

Question # 39

While examining controls on the use of portable storage devices, an assessor conducts an interview with a mid-level internal system administrator. The administrator describes the process to check out portable storage devices, which includes a user emailing IT staff directly, verifying that the media classification label matches the data classification, and limiting use of the device to a specified external system.

What is a MISSING element for the assessment of AC.L2-3.1.21: Portable Storage Use?

A.

Method of destruction of portable storage devices

B.

Recorded management authorization for the use of portable storage devices

C.

An inventory of portable storage devices provided by the National Security Agency

D.

A directory of personnel background checks to be consulted prior to device checkout

Question # 40

During the Planning Phase of the Assessment Plan, the assessor determines that the Client will likely include sensitive and proprietary CUI. What should the assessor consider as part of their virtual data collection techniques for this information?

A.

The Client is responsible for safeguarding the data during collection, not the assessor.

B.

The assessor is responsible for safeguarding the data during collection, not the client.

C.

The assessor should record the risks and mitigations to protect the CUI categories handled.

D.

The client and assessor should record the risks and mitigations to protect the CUI categories handled.

Go to page: