Certified CMMC Assessor (CCA) Exam (CMMC-CCA) Free Practice Test

Question 1

An assessor is reviewing whether an organization appropriately analyzed the security impact of a new release of an application. Which of the following documents is MOST useful for the assessor to review?

A. System audit logs showing that the change occurred, when, and by whom

B. Change Control Board (CCB) meeting minutes and supporting documents

C. A description of the change from the software vendor

D. A log of security incidents/issues after the change was implemented

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

When a new employee is issued a laptop, only the user's credentials need to be set up. According to the IT department, the IT manager is the only person who can change laptop setup and user privileges. What documentation should be examined to determine if this is the case?

A. Remote access procedures

B. Inventory records

C. System audit logs

D. Acceptable use policy

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

An organization's password policy includes these requirements:
* Passwords must be at least 8 characters in length.
* Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.
* Passwords must be changed at least every 90 days.
* When a password is changed, none of the previous 3 passwords can be reused.
Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?

A. It does not require MFA.

B. It does not include a list of prohibited passwords.

C. It does not specify a minimum change of character requirement.

D. It does not require the password to contain at least one special character.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

In completing the assessment of practices in the Access Control (AC) domain, a CCA scored AC.L2-3.1.15:
Privileged Remote Access as NOT MET. The OSC was notified of this deficiency at the end of day two of the assessment. On day five of the assessment, the OSC's Assessment Official contacted the CCA to provide evidence that the deficiencies have been corrected.
What is the CCA's NEXT step?

A. This practice is eligible for deficiency correction and should be scored as MET but must be reevaluated during a POA&M Close-Out Assessment.

B. This practice is eligible for deficiency correction, should be scored as NOT MET, and evaluated during the Limited Deficiency Correction evaluation.

C. This practice is not eligible for deficiency correction, should be scored as NOT MET, and reevaluated during a POA&M Close-Out Assessment.

D. This practice is not eligible for deficiency correction and should be scored as NOT MET.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

An assessor reviews the OSC's data protection policy, which requires full disk encryption on company laptops. While interviewing employees, the assessor learns that employees sometimes access data while teleworking on laptops that do not have full disk encryption.
How should the assessor view the implementation of the OSC's policy?

A. Acceptable as long as an equivalent technical safeguard is implemented for all teleworking scenarios.

B. Acceptable because it requires full disk encryption of company laptops.

C. Insufficient because full disk encryption is not required for laptops to comply with CMMC requirements.

D. Insufficient because there are teleworking instances where the policy is not followed.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

While examining the customer responsibility matrix submitted by the OSC for one of its Cloud Service Providers (CSPs), the Assessor notes that the matrix was substantially completed by the OSC's RPO. In fact, there is a statement from the RPO that the CSP has met the requirements for FedRAMP MODERATE.
In order to accept that this CSP is qualified to perform some of the practices on behalf of the OSC, what should occur?

A. The OSC must be able to demonstrate that the CSP is providing its services in a manner that complies with CMMC Level 2.

B. The CSP must have its service certified for FedRAMP by a certified C3PAO.

C. The OSC should provide the contract documents for the CSP specifying that it must meet NIST SP 800-
171 practices.

D. There must be other evidence that an independent firm has confirmed the security controls meeting FedRAMP MODERATE are in place.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?

A. Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.

B. The CMMC Assessment Team will factor in any documentation provided by the ESP when evaluating the OSC for compliance.

C. The relationship of an OSC with an ESP is a partnership and the CMMC Assessment will evaluate the ESP at the same time as the OSC.

D. The ESP is technically not part of the DIB and has no responsibility to be CMMC compliant in its own right.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

During a CMMC Level 2 Assessment, a CCA interviewed a system administrator on the OSC's procedures around configuration management and endpoint security. The system administrator described how they build and deploy new systems, and noted that some users require specialized applications for their jobs. Users have been asked to email IT when they install and run an additional application so IT can add it to their list of allowed software.
What must the CCA conclude?

A. IT must deploy an application to report newly installed software.

B. The OSC has properly implemented application deny listing.

C. IT does not have a policy that users notify IT when they install new applications.

D. The OSC has not properly implemented application allow listing.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

The OSC's network consists of a single unmanaged switch that connects all devices, including OT equipment which cannot run a vendor-supported operating system. The OSC correctly scoped the OT equipment as a Specialized Asset, listed it in their inventory and SSP, and provided a network diagram showing plans to isolate the OT and apply additional security measures. What information does the Lead Assessor still require to ensure compliance?

A. Installation and configuration documentation for the OT to ensure it was correctly built

B. Wording in the SSP detailing how the OT is managed using the OSC's risk-based security policies, procedures, and practices

C. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices

D. Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?

A. Physical protection

B. Media protection

C. Configuration management

D. Identification and authentication policy

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 11

An OSC is a wholly owned subsidiary of a large conglomerate (parent organization). The OSC and the parent organization use ID badges (PKI cards) that contain a PKI certificate and a radio frequency identification (RFID) tag used for building and system access (including systems that process, transmit, or store CUI). The parent organization does not make any decisions on how the OSC runs its security program or other matters of significance. The large conglomerate operates a machine that is used to activate the badges for both itself and the OSC. This machine is isolated in a locked room and has no network connectivity to the OSC.
The badge activation system is:

A. In-scope because the parent organization acts as an External Service Provider to the OSC by providing PKI cards.

B. Out-of-scope because the badge activation machine is physically and logically isolated from the OSC and it is under the control of the parent organization.

C. Out-of-scope because the OSC is the one that assigns the appropriate access to a particular PKI card.

D. In-scope because the OSC is part of the large conglomerate and thus any CMMC requirements of the OSC are imputed onto the large conglomerate.

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

While reviewing CA.L2-3.12.3: Security Control Monitoring, the CCA notices that the assessment period is defined as one year. An OSC's SSP states that under CA.L2-3.12.3, security controls are monitored using the same one-year periodicity to ensure the continued effectiveness of the controls. The assessor understands that some CMMC practices can reference other practices for the entirety of their implementation. Is the OSC's implementation under CA.L2-3.12.3: Security Control Monitoring acceptable?

A. No, even when referencing other practices more description is always needed.

B. Yes, a one-year period for security control monitoring is acceptable.

C. Yes, as long as CA.L2-3.12.1 has been scored as MET, they do need to be monitored.

D. No, monitoring must be conducted on an ongoing basis to ensure continued effectiveness.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Cyber AB Certified CMMC Assessor (CCA) (CMMC-CCA) Free Practice Test