Question 1

Steve is a Certified CMMC Assessor (CCA) who works for ACME Inc., which is both an RPO and a C3PAO. His aunt Mary works for ABC Holdings, and based on this connection, Steve convinces her boss to hire ACME Inc. to help prepare for a CMMC assessment. Steve leads the team and successfully completes the engagement with ABC Holdings. Six months later, Mary informs Steve that ABC Holdings is ready to perform its CMMC Level 2 assessment. Steve jumps at the opportunity and convinces his management at ACME Inc. to assign him as the lead CCA along with two other employees.Which of the following is true about Steve’s involvement in ABC Holdings’ CMMC assessment?

Options :

A : Steve has a conflict of interest and should not be involved in officially assessing ABC Holdings

B : Steve can participate in the CMMC assessment for ABC Holdings if they were bound by an NDA during the initial engagement

C : Since enough time has passed, Steve can remain objective and impartial in the assessment

D : Steve can participate in the assessment if he did not directly implement any security controls during the preparatory engagement

Answer: A

Question 2

While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure. Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?

Options :

A : Interview personnel with information security responsibilities

B : Test the OSC-s Incident Response Plan

C : Examine the System Security Plan

D : Test or examine mechanisms supporting or implementing physical access monitoring

Answer: D

Question 3

An OSC submits to the C3PAO assessment team for validation, a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMWare. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the Enclave. The OSC has deployed a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its Enclave?

Options :

A : Physical separation

B : Segmentation

C : Decentralization

D : Virtualization

Answer: B

Question 4

A CCA receives a notification from the Cyber AB that they are being investigated for a potential violation of the CoPC. They are concerned about the potential consequences and want to understand the process better. Who has the final authority to determine the corrective action taken against a CCA, if any?

Options :

A : The investigator assigned to the CCA-s case

B : The CMMC Accreditation Body (the Cyber AB)

C : The C3PAO

D : The Lead Assessor

Answer: B

Question 5

During a CMMC Level 2 assessment, a CCA is evaluating whether the organization meets the requirement to "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." According to the CMMC requirement, the CCA must determine whether FIPS-validated cryptography is employed to protect the confidentiality of CUI. Which assessment procedure would the CCA most likely use to evaluate this requirement?

Options :

A : Examine the cryptographic modules

B : Interview personnel responsible for implementing cryptographic controls and review documentation of the organization-s cryptographic policies and procedures

C : Observe the organization-s use of cryptographic controls in practice

D : Examine validation certificates of the cryptographic modules used by the OSC

Answer: D