Practice your Certified CMMC Assessor (CCA) Level 2 certification test with free CMMC-CCA exam cram and take control of your certification preparation. At FreeExamCram, you can practice online for free using real CMMC-CCA exam dumps, verified questions, and expert-designed free online practice tests. Moreover, our Cyber AB CMMC-CCA exam cram is backed by our confidence-boosting refund guarantee.
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1-System Baselining, and how should it be scored?
John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC's security practices leave much to be desired. After speaking with the OSC's IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John's actions?
Angela, a CCA, is conducting a CMMC assessment for Obsidian Technologies, the OSC. During the assessment, Angela learns that her spouse owns a significant amount of stock in Obsidian Technologies, and she has not disclosed this information to Obsidian Technologies or the C3PAO. Which CMMC CoPC guiding principle has Angela violated in this scenario?
During your assessment of CA.L2-3.12.3-Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. You would rely on all of the below evidence to assess the contractor's implementation of CA.L2-3.12.3-Security Control Monitoring, EXCEPT?
You are assessing a contractor that develops missile guidance software containing CUI data. The software developers have administrative privileges on their workstations to be able to install tools and edit configuration files needed for their jobs. However, you have noted that many of the developers have access to modify components critical to system security, which is beyond what is needed for their specific roles. Which of the following would be a way to implement AC.L2-3.1.5, Least Privilege in this situation?