We offer the latest CMMC-CCA practice test designed for free and effective online Certified CMMC Assessor (CCA) Level 2 certification preparation. It's a simulation of the real CMMC-CCA exam experience, built to help you understand the structure, complexity, and topics you'll face on exam day.
A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 - Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted. Which of the following is a reason why you would recommend container-based over full-device-based encryption?
Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2-Media Access, you examine the CUI access logs and the roles of employees. One thing catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. When you interview the organization's data custodian, they inform you that a media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2-Media Access, which of the following actions would be the highest priority recommendation for the contractor?
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7-Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1-System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the time stamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7-Authoritative Time Source?
A software development company is applying for a CMMC Level 2 assessment. As the Lead Assessor, you request access to the company's System Security Plan (SSP) as part of the initial objective evidence for validating the scope. Which of the following is true about the software development company's obligations in honoring the request?
As a Lead Assessor, you are in contact with the OSC Assessment Official. The Assessment Official has submitted a document that outlines the scope of your assessment engagement. You expect to find all the following elements on the Assessment Scope document, EXCEPT?