Smartly Prepare Exam with Free Online CMMC-CCA Practice Test

You are part of an Assessment Team that has just completed a CMMC assessment for an OSC. The assessment is deemed complete after the CMMC results and artifacts are uploaded to the CMMC eMASS system. You overhear one of the CCAs chatting with their friends about how sloppily the OSC categorized their evidence. They even share some information about the assessor's network designs. Based on this scenario, which of the following statements is true?

An OSC has recently obtained an ISO 27001 certification and a FedRAMP Authorization to Operate (ATO) for its information systems. During the initial stages of the CMMC Assessment Process, the OSC claims that these certifications should grant them automatic credit or exemption from certain CMMC requirements. As the Lead Assessor, what should be your response?

While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. When assessing the contractor's information systems, how would you mark their implementation of AU.L2-3.3.1-System Auditing? 

An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1-System Baselining, and how should it be scored?

You were the Lead Assessor on a team that conducted a CMMC assessment for an OSC that passed and earned a CMMC L2 Certification. Meeting this requirement, the OSC bid on and won a DoD contract. However, a rival company disputes the OSC's CMMC certification status in court. As part of the evidence, the court has directed you to release the assessment results and any evidence you might have relied on to arrive at the assessment results.Based on the CoPC, what action should you take in this situation?