Assessing a DoD contractor, you observe they have implemented physical security measures to protect their facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored and meeting rooms where executives meet to discuss things that have to do with CUI and other sensitive matters are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables are hanging from the walls. To pass through a door, personnel must swipe their access cards. However, you observe an employee holding the door for others to enter. Although power cables are placed in wiring closets, they aren't locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 – Monitor Facility?
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?
During your assessment of CA.L2-3.12.3 – Security Control Monitoring, the contractor’s CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. You would rely on all of the below evidence to assess the contractor’s implementation of CA.L2-3.12.3 – Security Control Monitoring, EXCEPT?
You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. How should execution of the debugging permission be handled to align with AC.L2-3.1.7 – Privileged Functions?
You have been sent to assess an OSC’s implementation of CMMC practices, one of which is AC.L2-3.1.11 – Session Termination. In assessing the contractor's implementation of AC.L2-3.1.11, you’ll likely need to examine the following specifications, EXCEPT?
While examining a contractor's audit and accountability policy, you realize they have documented types of events to be logged and defined content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records stored for 30 days. However, mechanisms implementing system audit logging are lacking after several tests because they produce audit logs that are too limited. You find that generated logs cannot be independently used to identify the event they resulted from because the defined content specified therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1 – System Auditing?
A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 – Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 – System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score theOSC's implementation of CMMC practice AU.L2-3.3.7 – Authoritative Time Source?
During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 – Connections Termination, for the remote access application?
Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 – Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 – Role-Based Training?
A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices like tablets and smartphones. After assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt CUI on Mobile requires that the contractor implements measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption where all the data on a mobile device is encrypted. Which of the following is a reason why would you recommend container-based over full-device-based encryption?
