Practice for your Certified CMMC Assessor (CCA) Level 2 certification test with free CMMC-CCA exam cram and take control of your certification preparation. At FreeExamCram, you can practice online for free using real CMMC-CCA exam dumps, verified questions, and expert-designed free online practice tests. Moreover, our Cyber AB CMMC-CCA exam cram is backed by our confidence-boosting refund guarantee.
Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc. The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems. The contractor also has deployed an endpoint protection solution for every employee searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives and SD cards. An OSC must define the following in their Removable media use policy, EXCEPT?
A contractor has recently allowed their employees to work remotely. The employees can access CUI remotely through VPN with encrypted tunnels for remote access into their VDIs. The company has a variety of system components (servers, workstations, notebook computers, smartphones, and tablets) that employees can access remotely. In your assessment, you also realize that some employees are using SSH to access information stored in cloud instances and server infrastructures that contain CUI. Which of the following is a reason why the contractor's use of SSH should concern you?
An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1-Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover that the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance. According to the CMMC Assessment Process (CAP), which of the following is not permitted for the Lead Assessor to do during the evidence verification stage?
To transfer CUI between a government client and its internal systems, a defence contractor uses a Secure File-Sharing Application provided by the DoD. However, all the data traversing this boundary MUST pass through a next generation firewall (NGFW) managed by the contractor's Network Admin. All CUI is stored on a Solid State Drive (SSD) and accessed through a laptop. What type of asset is the Secure File-Sharing Application?
Two CCAs, John and Stella, are part of an Assessment Team conducting a CMMC assessment for an OSC, Blue Widgets Inc. During the assessment, John observes Stella interacting with key personnel from Blue Widgets Inc. He notices Stella appearing overly friendly and enthusiastic about other services their organization offers. What should Stella have done when approached by the key personnel from the OSC about other services they offer?
© Copyrights FreeExamCram 2026. All Rights Reserved