Question 1

An OSC allows some employees to use their personal devices (laptops, tablets) for work purposes. The OSC enforces a BYOD policy that requires employees to install Mobile Device Management (MDM) software on their devices. The MDM allows for remote wiping of lost or stolen devices and enforces access control policies. Employees use VPNs to remotely access the OSC network from their personal devices. What challenges might a CCA face when collecting evidence to assess the OSC's compliance with AC.L2-3.1.12 – Control Remote Access?

Options :

A : The use of MDM software simplifies evidence collection on mobile device security configurations

B : The use of VPNs ensures a secure connection regardless of the device used for remote access

C : Privacy concerns arise due to the personal nature of BYOD devices

D : The CCA can rely solely on employee attestation to verify compliance with the BYOD policy

Answer: C

Question 2

As a Lead Assessor working with an OSC in preparation for an upcoming assessment, you request they appoint an Assessment Official. This is the individual you will be collaborating with and has the OSC's decision-making authority regarding the CMMC Assessment. The OSC Assessment Official will lead and manage the OSC's engagement in the assessment. As the Lead Assessor, you expect the OSC Assessment Official to have the following responsibilities, EXEPT?

Options :

A : Identify Assessment funding and authorize payment.

B : Sign off on the Assessment scope and boundaries.

C : Approve Assessment Plan and Review Assessment results with the Lead Assessor

D : Handle facility access and daily visitor escort.

Answer: D

Question 3

Before an OSC categorizes its assets into different categories, it must determine the Scope of applicability. However, after discussing with the OSC� PoC, you learn that although they follow CUI and FCI in all forms and stages, they are mostly considered technical components. What is the issue with the OSC?s approach to determining scope of applicability?

Options :

A : The OSC?s approach might result in too many CUI assets.

B : The OSC-s approach focuses on saving money by narrowing the scope.

C : The OSC?s approach may result in a scope that is too broad for the assessment.

D : They have fallen into the 'technical system' trap.

Answer: D

Question 4

A software development company is applying for a CMMC Level 2 assessment. As the Lead Assessor, you request access to the company?s System Security Plan (SSP) as part of the initial objective evidence for validating the scope. Which of the following is true about the software development companys obligations in honoring the request?

Options :

A : The software development company can refuse to provide the SSP if they deem it contains proprietary information.

B : The software development company is not obligated to provide the SSP until after the assessment has begun.

C : The software development company can choose to provide a redacted version of the SSP, omitting sensitive information.

D : The software development company must furnish the Lead Assessor with the SSP.

Answer: D

Question 5

You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?

Options :

A : Defer the decision on non-duplication credit until the DoD publishes official non-duplication policies.

B : Verify the validity and authenticity of the OSC?s ISO 27001 certification against the requirements outlined in the CMMC Assessment Process (CAP) before considering granting any non-duplication credit.

C : Inform the OSC that alternative cybersecurity certifications like ISO 27001 do not automatically bestow any status or credit towards CMMC certification.

D : Grant the OSC credit towards their CMMC certification based on their ISO 27001 certification, as both standards cover similar cybersecurity requirements.

Answer: B

Confidently Practice Online with Free CMMC-CCA Exam Cram

Buying Options: