Practice for your Certified CMMC Assessor (CCA) Level 2 certification test with free CMMC-CCA exam cram and take control of your certification preparation. At FreeExamCram, you can practice online for free using real CMMC-CCA exam dumps, verified questions, and expert-designed free online practice tests. Moreover, our Cyber AB CMMC-CCA exam cram is backed by our confidence-boosting refund guarantee.
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. Which of the following is not true about the handling of the OSC's implementation of CM.L2-3.4.1-System Baselining?
An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence of collaborating on their implementation of CMMC practice PS.L2-3.9.2-Personnel Actions, EXCEPT?
An aerospace company stores backups of their design schematics (containing CUI) on a cloud service provider (CSP). The company enforces access controls through the CSP's interface, restricting access to authorized personnel only. However, the company has no formal policy requiring data encryption at rest within the CSP environment. Data stored on the CSP's infrastructure is segregated, with CUI stored on a separate cluster from other data types. The CSP is authorized at a FedRAMP Moderate baseline, and the OSC regularly monitors access to backups. The CSP provides alerts for any suspicious activity that is detected. Has the OSC taken sufficient measures to meet the requirements of CMMC practice MP.L2-3.8.9-Protect Backups? If not, what measures can they take to address the weaknesses?
Patrick has taken the CCP examination and registered with a Licensed Training Provider for a CCA course. After he completes the CCA training, the LTP recommends that he go to the Cyber AB for the examination. However, knowing that the exam will be challenging, Patrick pays John, a certified CCA, a fee to take it on his behalf. Has John violated any CoPC guiding principles? If so, which one(s)?
While implementation validation of most CMMC requirements can be done virtually, the CMMC Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d] are among these objectives. Both assessment objectives deal with monitoring the OSC's physical facilities and support infrastructure. Which assessment procedure or method can a CCA use to determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?
© Copyrights FreeExamCram 2025. All Rights Reserved