An OSC allows some employees to use their personal devices (laptops, tablets) for work purposes. The OSC enforces a Bring Your Own Device (BYOD) policy that requires employees to install Mobile Device Management (MDM) software on their devices. The MDM allows for remote wiping of lost or stolen devices and enforces access control policies. Employees use VPNs to remotely access the OSC network from their personal devices. What challenges might a CCA face when collecting evidence to assess the OSC’s compliance with AC.L2-3.1.12 – Control Remote Access?
A representative of a CMMC Level 2 certified DoD contractor has reached out to you as a CCA for an explanation of FedRAMP equivalency. They want to use a Cloud Service Offering (CSO) from a renowned CSP, but in light of the DoD FedRAMP equivalency memo, they are reluctant. In your conversation, you learn that although the CSO has impressive features, the assessment by a FedRAMP 3PAO resulted in a Plan of Action and Milestones (POA&M) that the CSP is remedying. What is the main reason the contractor shouldn’t use the CSP’s services?
Prior to starting an assessment, an OSC must develop a data flow diagram. This diagram can then be used as a tool to help establish the context and boundaries of the CMMC assessment activities. What is critical to capture while developing the data flow diagram?
An OSC’s network diagram shows a separate network segment (192.168.50.0/24) designated for its engineering department. This segment restricts access to specific engineering resources. While the servers are physically located in a shared data center, the network configuration isolates them logically. Through which of the following does the network segmentation create isolation for the engineering department’s resources?
CMMC practice SC.L2-3.13.6 assessment objectives [a] and [b] require contractors’ systems to deny network communications traffic by default [a] and allow network communications traffic by exception [b], respectively. As a CCA, you assess whether an OSC has segmented its network into different zones. The OSC has implemented Access Control Lists (ACLs) on its network devices to permit or deny traffic based on source and destination IP addresses and ports. Additionally, the OSC uses a Fortinet Next-Generation Firewall (NGFW). To monitor their computing environment, the OSC uses a state-of-the-art SIEM. Which of the following assessment methods is NOT a method you would use to assess whether the OSC has met assessment objectives [a] and [b]?
The DoD has awarded a defense contractor a contract to deliver next-gen jet engine parts. The order requires the contractor to submit the blueprints/CAD files within six months, and once they are validated, the contractor submits a production schedule. The contractor indicates that they should be able to deliver the components in three years. Which of the following is true about the dates and schedule of the engine components?
A CCA is assessing an OSC that uses a complex multi-cloud architecture with resources distributed across multiple Cloud Service Providers (CSPs). During the evaluation, the CCA encounters challenges in verifying the authorization methods used for external connections to the various cloud resources (AC.L1-3.1.20). Additionally, the assessor finds limited documentation of the cryptographic mechanisms implemented to protect the confidentiality of remote access sessions (AC.L2-3.1.13) to cloud-based data. While the OSC has network monitoring tools in place, the sheer volume of data makes it difficult to identify and track specific remote access activities. What challenges might the CCA face while assessing the OSC’s cloud and hybrid environment for compliance with CMMC remote access requirements?
During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, and others not. Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?
As a CCA on a C3PAO Assessment Team, you have determined that the assessment scope provided by an OSC indicates plans to subcontract some elements of their contract to DelTech Inc. The OSC plans to bid on a DoD contract to develop guidance and targeting software. However, the software needs testing after installing a new surface-to-air defense system. Unfortunately, the OSC lacks the means to test the software, which is where DelTech comes in. As a CCA, what must you do in this scenario?
The Cyber AB has completed an investigation into a report submitted by a CCA regarding a potential violation by another CCA. They have determined that the violation falls within the scope of the relevant Industry Working Group’s authority. What is the likely course of action for the Cyber AB in this scenario?