Question 1

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. In your assessment of the contractor?s implementation of AC.L2-3.1.10-Session Lock, do you find that they have adequately addressed the practice requirements? When assessing the contractors implementation of practice AC.L2-3.1.10, which of the following objectives will NOT be considered as part of your review?

Options :

A : Determine if the system logs, within the SIEM tool, the exact time when a user is automatically logged off and the Session Lock is activated.

B : Determine if access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.

C : Determine if the period of inactivity after which the system initiates a session lock is defined.

D : Determine if previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

Answer: A

Question 2

An OSC submits to the C3PAO assessment team for validation, a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMWare. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the Enclave. The OSC has deployed a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its Enclave?

Options :

A : Physical separation

B : Segmentation

C : Decentralization

D : Virtualization

Answer: B

Question 3

Members of the CMMC ecosystem take due care to ensure that privileged information gathered during assessments or consulting remains private, even after the work engagement has ended. Which CoPC practice is described in this scenario?

Options :

A : Lawful and ethical practices

B : Information integrity

C : Confidentiality

D : Adherence to materials and methods

Answer: C

Question 4

A contractor has recently allowed their employees to work remotely. The employees can access CUI remotely through VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets) that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructures that contain CUI. Which of the following is a reason why the contractor?s use of SSH should concern you?

Options :

A : It does not utilize encryption.

B : It consumes excessive bandwidth

C : It is difficult to configure

D : SSH doesn?t encrypt the entire traffic tunnel, it secures the communication session between a client and a server for specific applications

Answer: D

Question 5

While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure. Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?

Options :

A : Interview personnel with information security responsibilities

B : Test the OSC-s Incident Response Plan

C : Examine the System Security Plan

D : Test or examine mechanisms supporting or implementing physical access monitoring

Answer: D