What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?

During a CMMC Level 2 Assessment, a CCA interviewed a system administrator on the OSC’s procedures around configuration management and endpoint security. The system administrator described how they build and deploy new systems, and noted that some users require specialized applications for their jobs. Users have been asked to email IT when they install and run an additional application so IT can add it to their list of allowed software.

What must the CCA conclude?

A Lead Assessor is conducting an assessment for an OSC. The OSC is currently using doors and badge access to limit access to private areas of their campus to only authorized personnel. Which item is another means of controlling physical access to areas that contain CUI?

The assessment team is discussing the pre-assessment scope with an OSC. The OSC would like to limit the scope of the security requirements in environments that contain FCI and/or CUI. In this case, the OSC should:

An OSC has an established password policy. The OSC wants to improve its password protection security by implementing a single change. Which of the following is an acceptable element to add to the OSC’s password policy?

An Assessor is evaluating whether an OSC has implemented adequate controls to meet AC.L2-3.1.7: Privileged Functions. The OSC has procedures that define privileged vs. non-privileged account provisioning and an access control policy that restricts execution of certain functions only to privileged users.

What might the Assessor do to further evaluate the implementation of this practice?

The OSC has changed its manner of operations in the past year to isolate its manufacturing division (which handles CUI) from its managerial team (which does not). Upon review of the provided information, the Lead Assessor was unable to identify this isolation in the environment. Which step should the Assessor take NEXT to understand how the current documentation isolates the operational components?

A company mirrors its FCI/CUI data storage in a cloud environment. Data is managed across multiple virtual machines (VMs). To satisfy requirements for data security of the LOCAL copy using physical controls, what should the OSC do?

An Assessment Team is holding a discussion with the system administrator at the OSC to understand their process for ensuring unauthorized users are not able to access CUI.

Which assessment method is being utilized?

An OSC creates standard user accounts with limited capabilities and administrator accounts with full system access. A standard user initiates the uninstall of the anti-virus software, which is organizationally defined as a privileged function. Which of the following would indicate AC.L2-3.1.7: Privileged Functions is properly implemented?

While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.

Are the data provided sufficient to determine that the OSC limits connection to external information systems?

An OSC seeking Level 2 certification has recently configured system auditing capabilities for all systems within the assessment scope. The audit logs are generated based on the required events and contain the correct content that the organization has defined.

Which of the following BEST describes the next system auditing objective that the organization should define?

An assessor is reviewing whether an organization appropriately analyzed the security impact of a new release of an application. Which of the following documents is MOST useful for the assessor to review?

While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?

During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?

During the Planning Phase of the Assessment Plan, the assessor determines that the Client will likely include sensitive and proprietary CUI. What should the assessor consider as part of their virtual data collection techniques for this information?

While conducting a CMMC Level 2 assessment at a 100-person manufacturing company, the assessor receives a yellow badge labeled “SPECIAL ACCESS.” The assessor observes multiple badge types used by staff and visitors. The client explains that only three badge colors correspond to controlled access (with electronic access), while the rest are identifiers for seniority. How can the assessor BEST verify that the three colors are the only badges capable of accessing controlled areas for CUI-related activities?

A cloud-native OSC uses a vendor’s FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor’s locally installable applications. The OSC properly configured the vendor’s cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC’s SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use.

How should the Certified Assessor score this practice?

An OSC seeking Level 2 certification is migrating to a fully cloud-based environment. The organization wants to select a Cloud Service Provider (CSP) that can share responsibilities for CMMC Level 2 requirements. Assume both CSPs can equally provide the technical capabilities and business value required.

CSP A has SOC 2 certification and is California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) compliant.

CSP B has SOC 2 and FedRAMP Moderate certifications.

Based on this information, which CSP is MOST LIKELY to be acceptable?

While conducting a CMMC Level 2 Third-Party Assessment of a small defense contractor, an assessor discovers that the contractor’s Information Security Policy has no documented change records demonstrating executive approval. The IT director states that they will add change records in the future, but that other evidence exists. Which documentation is MOST able to demonstrate persistent and habitual adherence to CMMC requirements?

An OSC is preparing for an assessment and wants to gather evidence that will be used by the Lead Assessor to determine the scope of the assessment. The OSC currently operates a hybrid network, with part of their infrastructure at their physical location and part of their infrastructure in a cloud environment.

What evidence should the OSC collect that would assist the Lead Assessor in determining cloud and hybrid environment constraints?

During a CMMC Assessment, the assessor is determining if the Escort Visitors practice is MET. Personnel with which of the following responsibilities would be MOST appropriate to interview?

The OSC has assembled its documentation relating to how it controls remote access for assessment. The Lead Assessor compared this documentation to the provided topology map and noted several indications of external connections with External Service Providers (ESPs). Which document is MOST LIKELY to show acceptable evidence of the security controls related to the interface between the OSC and the ESP?

An OSC has a minimal physical footprint consisting only of network equipment, workstations, and a centralized domain environment. File storage is centralized in a third-party vendor’s FedRAMP Moderate authorized cloud environment, and employees access files using the cloud integration with their workstations. Since CUI is stored in the FedRAMP Moderate authorized environment, the OSC should prepare to have which environment(s) assessed?

While conducting a CMMC Level 2 gap analysis with a large defense contractor, a CMMC RP confirms that the organization uses a RADIUS server for authentication. What additional method could be used to comply with AC.L2-3.1.17: Wireless Access Protection?

The OSC POC has supplied all of the procedures, policies, and plans at the start of the assessment. One of the assessors notes that some of the documents have very recent approval dates, while others have been in place for several years based on the document history.

In order to ensure the review of this evidence is sufficient, what is the BEST step to validate the sufficiency of these documents?

An OSC has a large multi-building facility. One building is used as the OSC’s data center. A guard is stationed at the entrance to the data center. A vendor engineer comes onsite to perform maintenance on the storage array in the data center. The guard knows the engineer well and has the engineer fill out the visitor log with the contact person’s name and phone number, the reason for the visit, and the date and time. Since the guard has known the engineer for many years, what is the BEST step the guard should take?

When a CCA is assessing a control through Examine, what MUST they meet?

The team is assessing an OSC that uses the cloud for hosting its online services. Which of the following is NOT important for the assessor to consider?

During an assessment, the Assessment Team has identified, according to the SSP and network diagram, that there is a mission system that cannot be altered but that has privileged accounts which should have MFA applied. As it is not possible to deploy a typical type of MFA on the mission system, which of the following constitutes a sufficient second factor?

An organization’s password policy includes these requirements:

Passwords must be at least 8 characters in length.

Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.

Passwords must be changed at least every 90 days.

When a password is changed, none of the previous 3 passwords can be reused.

Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?

An assessor is assigned by the Lead Assessor to the pre-assessment template regarding evidence. There are several entries that include how the Assessment Team will identify, obtain, and inventory evidence. What else is required to determine readiness to conduct the assessment?

A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. The assessor already determined the assessment scope and systems included. In addition, the assessor requests:

Results of the most recent OSC self-assessment or any pre-assessments by an RPO,

The System Security Plan (SSP), and

A list of all OSC staff who play a role in in-scope procedures.

Based on this information, which item would the assessor MOST LIKELY request when preparing to conduct a Level 2 Assessment?

Different mechanisms can be used to protect information at rest. Which mechanism is MOST LIKELY to afford protection for information at rest?

An OSC has contracted a C3PAO to perform a Level 2 Assessment. As the Lead Assessor is analyzing the assessment requirements, it is found that the OSC does not have a document detailing the assessment scope. How can this problem BEST be fixed?

During preparations for a CMMC Level 2 Assessment, a client submits a request to their consulting RP to learn more about Specialized Asset requirements. The client is unsure if their camera system, used for safety data collection purposes within their machining shop, should be documented within the SSP. Which reason is a satisfactory reason to exclude the camera system from the SSP, and thus the assessment scope?

AC.L2-3.1.6: Non-Privileged Account Use is being assessed. Which procedure BEST meets all of the standards for non-privileged account use?

The Lead Assessor concludes that the OSC is not ready for the assessment. After the Readiness Assessment Review, the OSC and the Lead Assessor could choose to:

In order to assess whether an OSC meets AC.L2-3.1.5: Least Privilege, what should be examined by the Assessor?

An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?

While assessing a company, the CCA is determining whether the company controls and manages connections between its corporate network and all external networks. The company has: (1) a strict employee policy prohibiting personal Internet use and personal email on company computers, and (2) firewalls plus a connection allow-list so only authorized external networks can connect to the company network. Are these safeguards sufficient to meet the applicable CMMC requirement?

An OSC has a headquarters (HQ) site and satellite offices A and B. The two satellite offices are connected to the HQ through a VPN. CUI is stored within the HQ LAN room and used by staff at HQ and Site A. When categorizing assets for this assessment, assets at the HQ:

During an assessment, the team is interviewing the IT staff to understand the ways in which the organization protects backup data. Because the company’s backups contain CUI, the Lead Assessor asks the IT engineer which method is used to ensure that the confidentiality of the backup data is being protected. Which implementation is LEAST LIKELY to be acceptable?

An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:

System inventory records showing additions/removals of machines,

Software inventory showing installations/removals, and

A system component installation plan with software needs and user specifications.

What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?

While completing the Level 2 Assessment, the Lead Assessor found that the OSC was deficient on a number of CMMC practices. Forty practices were scored as NOT MET, all on the Authorized Deficiency Corrections list. The OSC remediated 17 of those during closeout, leaving 23 practices still NOT MET. What should the Lead Assessor recommend?