リリースCyber AB CMMC-CCA更新された問題PDF [Q91-Q114]

Share

リリースCyber AB CMMC-CCA更新された問題PDF

CMMC-CCA問題集と練習テスト(152試験問題)


Cyber AB CMMC-CCA 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Assessing CMMC Level 2 Practices: This section of the exam measures skills of cybersecurity assessors in evaluating whether organizations meet the required practices of CMMC Level 2. It emphasizes applying CMMC model constructs, understanding model levels, domains, and implementation, and using evidence to determine compliance with established cybersecurity practices.
トピック 2
  • Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 Requirements: This section of the exam measures skills of cybersecurity assessors and focuses on evaluating the environments of organizations seeking certification at CMMC Level 2. It covers understanding differences between logical and physical settings, recognizing constraints in cloud, hybrid, on-premises, single, and multi-site environments, and knowing what environmental exclusions apply for Level 2 assessments.
トピック 3
  • CMMC Assessment Process (CAP): This section of the exam measures skills of compliance professionals and tests knowledge of the full assessment lifecycle. It covers the steps needed to plan, prepare, conduct, and report on a CMMC Level 2 assessment, including the phases of execution and how to document and follow up on findings in alignment with DoD and CMMC-AB expectations.
トピック 4
  • CMMC Level 2 Assessment Scoping: This section of the exam measures skills of cybersecurity assessors and revolves around determining the proper scope of a CMMC assessment. It involves analyzing and categorizing Controlled Unclassified Information (CUI) assets, interpreting the Level 2 scoping guidelines, and making accurate judgments in scenario-based exercises to define what assets and systems fall within assessment boundaries.

 

質問 # 91
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?

  • A. Configuration management
  • B. Identification and authentication policy
  • C. Media protection
  • D. Physical protection

正解:A

解説:
System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control
. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.
Exact extracts:
* "Baseline configurations are documented, formally reviewed, and maintained as part of configuration management."
* "Assessment Objectives ... Determine if: baseline configurations are established; baseline configurations are maintained."
* "Potential Assessment Methods - Examine: configuration management policy; documented baseline configuration; inventory of system components." Expanded explanation:
* Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.
* Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.
* This ensures that unauthorized changes or unapproved software do not deviate from the security posture.
Why the other options are incorrect:
* A (Media protection): Relates to storage devices and handling, not baselines.
* B (Physical protection): Relates to facility and hardware security, not configuration.
* D (Identification and authentication policy): Addresses user access, not baseline configuration.
References:
CMMC Assessment Guide - Level 2, CM.L2-3.4.1 "Establish and Maintain Baseline Configurations." NIST SP 800-171 Rev. 2, 3.4.1.


質問 # 92
The Lead Assessor is reviewing the Assessment Plan to identify people for interviews regarding a specific Level 2 practice. Some OSC personnel previously interviewed provided only brief answers without meaningful verification. What can the Lead Assessor do to improve this situation going forward?

  • A. Ensure the respondents sign a non-disclosure agreement for the OSC
  • B. Ensure the people from the training matrix are made available
  • C. Ensure and verify confidentiality and non-attribution of responses
  • D. Ensure and verify the responses map to the documented artifacts

正解:C

解説:
The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.
Exact extracts:
* "The assessment team must ensure confidentiality and non-attribution during interviews."
* "Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor."
* "Non-attribution is critical to elicit detailed and honest responses." Why the other options are incorrect:
* A: Training matrices identify who is trained, not who should be interviewed.
* C: NDAs are not a CCA responsibility - they are contractual, not assessment requirements.
* D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.
References:
CMMC Assessment Process (CAP), interview methodology.
CCA Exam Study Guide, section on interviews.


質問 # 93
Dwayne is the Lead Assessor for a C3PAO Assessment Team conducting an assessment for an OSC. During the evaluation, he learns that the OSC recently won a lucrative contract with the Department of Defense, a significant milestone for the organization. Impressed by the OSC's accomplishment, Dwayne begins to view the organization more favorably and is inclined to interpret the evidence gathered during the assessment in a way that would enable the OSC to achieve the desired CMMC certification level. What is the primary reason Dwayne's assessment of the OSC may be influenced?

  • A. Time constraints
  • B. Bias
  • C. Incomplete understanding of the CMMC requirements
  • D. Lack of experience

正解:B

解説:
Comprehensive and Detailed in Depth Explanation:
Dwayne's favorable view of the OSC due to its recent DoD contract success exemplifies positive bias, a key concern in the CMMC Assessment Process (CAP). Bias influences how evidence is interpreted, potentially leading to overly favorable assessments that overlook noncompliances. The CAP requires assessors to evaluate practices objectively within the OSC's context, free from external factors like contract wins, to maintain assessment integrity.
Option A (incomplete understanding) assumes a knowledge gap not indicated here. Option B (time constraints) and Option C (lack of experience) are unrelated to Dwayne's described behavior. Option D (bias) directly addresses the influence of his positive perception, making it the correct answer per CAP guidelines.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 2.3:"Personal biases, whether positive or negative, can shape evidence interpretation, leading to potential inaccuracies."Resources:https://cyberab.org/Portals/0
/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf


質問 # 94
A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?

  • A. Forensic investigations are performed to determine the impact of the incident
  • B. Incident sources are configured and tuned
  • C. Incidents are tracked and documented
  • D. Law enforcement officials are automatically notified during an incident

正解:C

解説:
* Applicable Requirement: IR.L2-3.6.1 - "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities."
* Validation Expectation: For this practice, the CCA must confirm that the OSC:
* Tracks incidents consistently,
* Documents incident details (who, what, when, where, and how), and
* Maintains incident records to support analysis and corrective action.
* Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.
Why Other Options Are Insufficient:
* B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.
* C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.
* D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.
References (CCA Official Sources):
* NIST SP 800-171 Rev. 2 - IR.L2-3.6.1
* NIST SP 800-171A - IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)
* CMMC Assessment Guide - Level 2 - Incident Reporting


質問 # 95
When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 - Security Control Assessment?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

正解:B

解説:
Comprehensive and Detailed In-Depth Explanation:
CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective.
Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency."
* DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf


質問 # 96
During a CMMC assessment of an OSC, you discover that they rely heavily on a reputable CSP for their email services. As you delve deeper into the assessment, you suspect the OSC is incorrectly assuming that the CSP's security measures are sufficient to meet all the CMMC requirements related to email security. Given the critical nature of email communications and the potential exposure of sensitive information, you recognize the importance of clearly understanding the division of responsibilities between the OSC and the CSP for email security controls. To effectively assess how email security responsibilities are divided between the OSC and the CSP, which document should you prioritize reviewing?

  • A. The Shared Responsibility Matrix (SRM) between the OSC and the CSP
  • B. The Service Level Agreement (SLA) between the OSC and the CSP
  • C. The CSP's publicly available security documentation
  • D. The OSC's overall security policy

正解:A

解説:
Comprehensive and Detailed in Depth Explanation:
The Shared Responsibility Matrix (SRM), per CMMC and FedRAMP guidance, delineates security control responsibilities between the OSC and CSP, critical for assessing email security (e.g., AC.L2-3.1.13). Option A (security policy) lacks CSP-specific detail. Option C (public documentation) is generic, not contractual.
Option D (SLA) focuses on service levels, not control specifics. Option B is the correct answer, providing the clearest division per CAP.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 4.3:"The SRM clarifies CSP and OSC responsibilities for cloud services."Resources:https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC- Assessment-Process-CAP-v1.0.pdf


質問 # 97
During a CMMC assessment, you review the OSC's documented procedures for access control.These procedures detail a user access request and approval process for the organization's Human Resources (HR) information system. You then interview IT personnel responsible for access control, who confirm the documented procedures accurately reflect how access is managed for the HR system. However, the OSC's network diagram reveals the presence of other in-scope systems critical to their operations, such as their Engineering Design Database and Manufacturing Control System. Neither the documented procedures nor the interview addressed access control practices for these additional systems. Based on the CMMC Assessment Process guidelines on evidence sufficiency, how would you characterize the evidence collected so far regarding access control?

  • A. Valid but incomplete
  • B. Insufficient
  • C. Inconclusive
  • D. Sufficient

正解:B

解説:
Comprehensive and Detailed in Depth Explanation:
The CMMC Assessment Process (CAP) requires evidence to be sufficient and complete across all in-scope systems handling CUI to validate compliance with practices like AC.L2-3.1.1 (Authorized Access Control).
While the evidence for the HR system (documents and interviews) is valid, it does not cover the Engineering Design Database and Manufacturing Control System, which are critical and in-scope per the network diagram.
CAP guidelines state that partial evidence covering only some systems is insufficient for a full assessment, as all CUI-related systems must be evaluated.
Option A (valid but incomplete) is close but not a CAP-defined category-evidence is either sufficient or insufficient. Option B (sufficient) overstates the evidence's scope. Option D (inconclusive) implies uncertainty, whereas the gap is clear. Option C (insufficient) aligns with CAP's requirement for comprehensive coverage, making it the correct answer.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 4.2:"Evidence is insufficient if it does not address all in-scope systems and processes required by the CMMC practice."Resources:https://cyberab.org/Portals
/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf


質問 # 98
You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations.
Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications. Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 - System Baselining?

  • A. Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risks
  • B. Increase the frequency of software updates for the drone control systems
  • C. Instruct IT personnel to update baseline configurations whenever a new software version is deployed
  • D. Replace their commercial configuration management tool with a different solution

正解:A

解説:
Comprehensive and Detailed In-Depth Explanation:
CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."
* NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf


質問 # 99
During an assessment, it is uncovered that a CCA worked as a consultant for the OSC through their RPO.
Unfortunately, the CCA didn't disclose this when their C3PAO appointed them to participate in the assessment. Did the CCA behave professionally? If not, what issues are likely to arise?

  • A. No, breach of confidentiality.
  • B. No, assessor bias.
  • C. No, lack of objectivity.
  • D. Yes, the CCA behaved professionally.

正解:B

解説:
Comprehensive and Detailed in Depth Explanation:
The CoPC prohibits CCAs from assessing an OSC they consulted for, due to potential bias, not objectivity (Option B) or confidentiality (Option D). Option A is incorrect as this is unprofessional. Option C (assessor bias) is the precise issue.
Extract from Official Document (CoPC):
* Paragraph 3.1 - Professionalism (pg. 6):"Under no circumstances shall credentialed individuals conduct a certified assessment if they have served as a consultant to prepare the organization, due to assessor bias." References:
CMMC Code of Professional Conduct, Paragraph 3.1.


質問 # 100
Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.

  • A. IA.L2-3.5.7 - Password Complexity and IA.L2-3.5.8 - Password Reuse
  • B. IA.L2-3.5.9 - Temporary Passwords
  • C. IA.L2-3.5.6 - Identifier Handling
  • D. IA.L2-3.5.3 - Multifactor Authentication

正解:A

解説:
Comprehensive and Detailed In-Depth Explanation:
* IA.L2-3.5.7: Requires "enforcing minimum password complexity." The policy's 15-character minimum with specific requirements meets this.
* IA.L2-3.5.8: Requires "prohibiting password reuse for a specified number of generations." The 30- cycle rule satisfies this.
* IA.L2-3.5.9: Requires "changing temporary passwords at first logon and ensuring sufficient entropy." Low entropy fails this practice.
* IA.L2-3.5.3: No evidence of MFA implementation.
* IA.L2-3.5.6: Identifier handling isn't addressed.Thus, only B applies fully.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), IA.L2-3.5.7: "Define complexity rules."
* IA.L2-3.5.8: "Prohibit reuse for specified cycles."
* IA.L2-3.5.9: "Ensure temporary password entropy."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf


質問 # 101
During an assessment, the Lead Assessor determines certain assets to be in-scope which the OSC had considered out-of-scope.
The CCA should reply that for assets to be considered out-of-scope they:

  • A. Can, but are not intended to, process, store, or transmit CUI.
  • B. Do not provide security protections for CUI assets.
  • C. Are not required to be physically or logically separated from CUI assets.
  • D. Provide security protections to CUI assets.

正解:B

解説:
The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.
Extract:
"Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets." Thus, the correct answer is B.
Reference: CMMC Scoping Guidance, Asset Categories.


質問 # 102
A company is undergoing a CMMC Level 2 Assessment. The Assessment Team is planning and preparing the assessment. Who is responsible for identifying methods, techniques, and responsibilities for collecting, managing, and reviewing evidence?

  • A. Lead Assessor
  • B. Assessment Team Member
  • C. C3PAO Quality Oversight Manager
  • D. CMMC Quality Assurance Professional

正解:A

解説:
The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence.
Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.
Exact Extracts:
* CMMC Assessment Guide: "The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities."
* "The assessment team members carry out activities as directed by the Lead Assessor."
* "The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions." Why other options are not correct:
* B: Team members execute tasks but do not define methods and responsibilities.
* C: Quality Oversight Managers review assessments after completion, not during planning.
* D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.
References:
CMMC Assessment Guide - Level 2, Version 2.13: Assessment planning roles and responsibilities (pp. 4-6).


質問 # 103
During discussions with an OSC, the assessment team learned that many employees often need to work from remote locations and, as a result, are permitted to access the organization's internal networks from those remote locations. To ensure secure remote access requirements are being met, remote access sessions need NOT be:

  • A. Controlled
  • B. Permitted
  • C. Identified
  • D. Validated

正解:D

解説:
CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be "validated" - this is not part of the assessment objectives for this practice.
Exact extracts:
* "Assessment Objectives ... Determine if:* remote access methods are identified;* remote access is authorized prior to allowing such connections;* remote access sessions are controlled; and* cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions."
* "Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control." Why the other options are required:
* Identified (B): OSCs must identify all remote access methods in use.
* Permitted (C): Remote access must be explicitly authorized before it is allowed.
* Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).
* Validated (A): Not a required assessment objective; it is a distractor option.
References (CCA documents / Study Guide):
* CMMC Assessment Guide - Level 2, Version 2.13, AC.L2-3.1.12 "Remote Access" (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).
* NIST SP 800-171 Rev. 2, 3.1.12 (remote access).


質問 # 104
An OSC is looking to bid for a contract to manufacture turboprop engines for an unmanned aerial vehicle (UAV) fleet used by the Army for long-range reconnaissance. To manage production, the OSC will use Industrial Control Systems (ICS) and has documented them in its Operational Technology (OT) inventory.
While validating the OSC's proposed assessment scope, the Assessment Team reviews their SSP. How should the C3PAO Assessment Team handle the OSC's OT during the assessment?

  • A. Assess them against CA.L2-3.12.3 - Security Control Monitoring.
  • B. Accept the OSC's documentation of policies and procedures as they are.
  • C. Review the SSP and not assess the OT against other CMMC practices.
  • D. Assess them against all CMMC practices.

正解:C

解説:
Comprehensive and Detailed Explanation:
Operational Technology (OT), like ICS, is categorized as a Specialized Asset in the CMMC Assessment Scope - Level 2. These assets are in scope but not assessed against the full 110 CMMC practices unless they process, store, or transmit CUI (not specified here). Instead, they must be reviewed in the SSP per CA.L2-
3.12.4 to ensure risk-based management. Option A lacks rigor, Option B limits to one practice incorrectly, and Option C overextends the requirement. D is correct per the scoping guide.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.4 (Specialized Assets), p. 6: "OT is reviewed in the SSP per CA.L2-3.12.4, not assessed against other practices."


質問 # 105
The Cyber AB has completed an investigation into a report submitted by a CCA regarding a potential violation by another CCA. They have determined that the violation falls within the scope of the relevant Industry Working Group's authority. What is the likely course of action for the Cyber AB in this scenario?

  • A. Refer the incident to the relevant Industry Working Group for resolution, which may include remediation, coaching, or termination, with a right of appeal.
  • B. Continue the investigation and make a final determination on the violation.
  • C. Immediately suspend the CCA's certification pending the working group's resolution.
  • D. Dismiss the investigation as it falls outside Cyber AB's direct authority.

正解:A

解説:
Comprehensive and Detailed in Depth Explanation:
The CoPC delegates certain violations to Industry Working Groups, with Cyber AB referring them for resolution. Option A (continuing) oversteps this delegation. Option C (suspension) is premature. Option D (dismissing) ignores process. Option B is correct.
Extract from Official Document (CoPC):
* Paragraph 4.1(4)(a) - Violation Resolution (pg. 10):"Refer incidents to the relevant Industry Working Group for resolution, which may include remediation or termination, with a right of appeal." References:
CMMC Code of Professional Conduct, Paragraph 4.1(4)(a).


質問 # 106
The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out- of-scope for the assessment?

  • A. Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.
  • B. All assets in an OSC's inventory fall within the scope of the assessment and, as such, should be assessed against the CMMC practices.
  • C. Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.
  • D. None of the assets in an OSC's inventory fall within the scope of the assessment and, as such, should not be assessed against the CMMC practices.

正解:A

解説:
According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.
Extract from CMMC Scoping Guidance:
"Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so." Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.
Reference: CMMC 2.0 Scoping Guidance for Level 2 Assessments (Official CCA documentation).


質問 # 107
As the Lead Assessor for your Assessment Team, you are validating an OSC's scope in readiness to start the assessment. You learn that the OSC provides its employees with laptops to work on DoD projects. These laptops have an antivirus solution that connects to a management console to receive updates, send alerts, and control settings. However, the server does not process, store, or transmit CUI but implements several CMMC controls. Which of the following is NOT part of the OSC's requirements regarding the antivirus solution?

  • A. The OSC should document it in the System Security Plan (SSP).
  • B. They should document the specifics of the antivirus solution in the asset inventory.
  • C. Itemize the solution in the CMMC Assessment Scope's network diagram and prepare it to be assessed against CMMC practices.
  • D. Logically separate the antivirus solution from other CUI assets.

正解:D

解説:
Comprehensive and Detailed Explanation:
The antivirus solution is a Security Protection Asset (SPA), per the CMMC Assessment Scope - Level 2, requiring documentation in the network diagram (Option A), asset inventory (Option B), and SSP (Option C), and assessment against CMMC practices. Logical separation (Option D) is not required for SPAs, which must integrate with the CUI environment to function. D is not a requirement.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (SPAs), p. 6: "SPAs are documented and assessed, not separated from CUI assets."


質問 # 108
A software development company uses a cloud-based source code repository and continuous integration
/continuous deployment (CI/CD) platform to manage its software development lifecycle. The cloud service provider hosts and manages the source code repository and CI/CD platform. Which of the following statements accurately describes how the OSC should handle the cloud service provider's assets in the CMMC Assessment Scope?

  • A. Include the cloud provider's assets in the Assessment Scope as they handle sensitive code.
  • B. It depends on the contract between the company and the cloud provider.
  • C. Include the cloud service provider's assets in the certification boundary but exclude them from the assessment scope.
  • D. Exclude the cloud provider's assets from the Assessment Scope since they are not owned or managed by the company.

正解:A

解説:
Comprehensive and Detailed Explanation:
The CMMC Assessment Scope - Level 2 requires that External Service Provider (ESP) assets, like the cloud- based repository and CI/CD platform, be included in the scope if they process, store, or transmit CUI/FCI (e.
g., sensitive code under a DoD contract). Ownership is irrelevant; function dictates inclusion. Option A contradicts this, Option C misaligns boundary and scope definitions, and Option D introduces unnecessary ambiguity. B is correct.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: "ESP assets handling CUI/FCI are in scope."


質問 # 109
The Lead Assessor concludes that the OSC is not ready for the assessment. After the Readiness Assessment Review, the OSC and the Lead Assessor could choose to:

  • A. Proceed as planned or cancel the assessment.
  • B. Replan or cancel the assessment.
  • C. Replan or reschedule the assessment.
  • D. Proceed as planned or reschedule the assessment.

正解:C

解説:
The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:
* Replan the assessment (adjust scope, timeline, or requirements), or
* Reschedule the assessment (move the engagement to a later date).
Extract:
"Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled." Thus, the correct answer is B.
Reference: CMMC Assessment Process (CAP), Readiness Review section.


質問 # 110
When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. Why is it critical to implement practice AC.L2-3.1.6 - Non-Privileged Account Use?

  • A. Enables easier auditing and logging of privileged activities
  • B. Prevents unauthorized modification of security functions
  • C. Reduces exposure to threats that might exploit the misuse of privileges
  • D. Mitigates the consequences of a security breach by safeguarding against data loss

正解:C

解説:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.6 requires "non-privileged accounts for non-security functions." Using privileged accounts for routine tasks increases exposure to threats (e.g., malware) that could exploit those privileges (D), per CMMC intent. Auditing (A), breach mitigation (B), and function modification (C) are related but not the primary criticality.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: "Reduces threat exposure by limiting privileged account use."
* NIST SP 800-171A, 3.1.6: "Minimize risk from privilege misuse."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf


質問 # 111
The audit team is discussing the OSC's Risk Managed Assets. For these types of assets, the contractor need NOT:

  • A. Provide a network diagram of the assessment scope.
  • B. Ensure they are included in the pre-assessment discussion.
  • C. Show how they are being managed using organizational security policies.
  • D. Prepare for the assets to be assessed against CMMC practices.

正解:D

解説:
Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.
Exact extracts:
* "Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor."
* "Organizations must identify how these assets are managed by organizational policies."
* "Risk Managed Assets must be included in scope diagrams."
Why the other options are incorrect:
* A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.
* C: They are explicitly excluded from practice assessment.
References (CCA documents / Study Guide):
* CMMC Assessment Scope - Level 2 Scoping Guide (Risk Managed Assets).


質問 # 112
During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?

  • A. Yes, so long as the visitor's actions can still be viewed by the escort
  • B. No, the escort is not allowed to sit down
  • C. No, the escort must always be in the same room
  • D. Yes, since the visitor can only use a single entry

正解:A

解説:
* Applicable Requirement: PE.L2-3.10.3 - "Control physical access to organizational systems, equipment, and operating environments."
* Why D is Correct: Escort requirements are met as long as the visitor's actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.
* Why Other Options Are Insufficient:
* A: Escort posture (sitting/standing) is irrelevant.
* B: Same-room presence is not required by CMMC/NIST SP 800-171.
* C: A single entry point helps, but observation is the requirement.
References (CCA Official Sources):
* NIST SP 800-171 Rev. 2 - PE.L2-3.10.3
* CMMC Assessment Guide - Level 2 - Physical Escort Policy Guidance


質問 # 113
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?

  • A. Invest in more powerful development machines
  • B. Fully implement AC.L2-3.1.4, Separation of Duties by assigning different engineers responsibility for design, coding, testing, and deployment. Implement peer code reviews and separate test and deployment duties
  • C. Increase the engineer's salary to incentivize careful work
  • D. Institute mandatory overtime for the engineer to complete tasks faster

正解:B

解説:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.4 - Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling all tasks concentrates privileges, increasing error or malice risks. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) don't address duty separation or risk reduction.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
* NIST SP 800-171A, 3.1.4: "Recommend role distribution."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf


質問 # 114
......

CMMC-CCA試験問題集合格させるのは更新されたのは2026年年最新の認証済み試験問題:https://www.passtest.jp/Cyber-AB/CMMC-CCA-shiken.html

ガイド(2026年最新)実際のCyber AB CMMC-CCA試験問題:https://drive.google.com/open?id=1cYvdcT-chKzVdo3qESiTX4IXtFFPbRZO