Use CertsIQ's updated CMMC-CCA exam questions for free online practice for your Certified CMMC Assessor (CCA) Level 2 test. Our CMMC Level 2 dumps questions will improve your chances of passing the CMMC certification exam with higher marks.
Proper authentication is a key requirement of a secure system. To this end, you are assessing an OSC's (Organization Seeking Certification's) implementation of IA.L2-3.5.3-Multifactor Authentication. The contractor has deployed Okta in their systems, integrated it with Active Directory (AD), and set up multifactor authentication (MFA). The OSC has documented all the privileged accounts, which must be authenticated through the MFA solution for any network or local access. Their procedures addressing user identification and authentication require everyone, privileged or nonprivileged, to be authenticated using multifactor authentication. The OSC can produce all of the following evidence to show their compliance with IA.L2-3.5.3-Multifactor Authentication, EXCEPT?
Angela, a CCA, is conducting a CMMC assessment for Obsidian Technologies, the OSC. During the assessment, Angela learns that her spouse owns a significant amount of stock in Obsidian Technologies, and she has not disclosed this information to Obsidian Technologies or the C3PAO. Which CMMC CoPC guiding principle has Angela violated in this scenario?
When assessing an OSC's compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated. While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor's cybersecurity team can use to address more serious incidents. How would you score the contractor's implementation of IR.L2-3.6.2-Incident Reporting?
Before an OSC categorizes its assets into different categories, it must determine the scope of applicability. However, after discussing with the OSC's PoC, you learn that although they track CUI and FCI in all forms and at all stages, the assets they consider are mostly technical components. What is the issue with the OSC's approach to determining the scope of applicability?
While examining a contractor's audit and accountability policy, you realize they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records, which are stored for 30 days. However, after several tests you find that the mechanisms implementing system audit logging are lacking because they produce audit logs that are too limited: the generated logs cannot be used on their own to identify the event they resulted from, because the content defined for them is too limited. Additionally, you realize the logs are retained for only 24 hours before they are automatically deleted. When assessing the contractor's information systems, how would you mark their implementation of AU.L2-3.3.1-System Auditing?
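The AU.L2-3.3.1 scenario above turns on two testable facts: whether each audit record carries enough content to identify its event on its own, and whether records are kept as long as policy requires. The following is an added example, not code from the CertsIQ page or from any assessment tool; the required field names, the sample records, and the simplified pass/fail result (which is not the CMMC scoring rubric) are all assumptions made for illustration.

```python
"""Added example: check audit-record content and retention against a policy.

Not from the CertsIQ page. REQUIRED_FIELDS, SAMPLE_RECORDS and the MET/NOT MET
result are assumptions chosen to illustrate the AU.L2-3.3.1 scenario.
"""
import json

# Fields an audit record needs so an analyst can tell what happened, when,
# where, from which source, by whom, and whether it succeeded, without having
# to consult another data source. (Assumed field names.)
REQUIRED_FIELDS = ("timestamp", "event_type", "host", "source", "user", "outcome")

# Constructed sample records: the first is complete; the second is the kind of
# "too limited" record described in the scenario, lacking the event, source,
# identity and outcome.
SAMPLE_RECORDS = [
    '{"timestamp": "2025-03-01T12:00:00Z", "event_type": "logon", '
    '"host": "fs01", "source": "10.0.0.5", "user": "jdoe", "outcome": "success"}',
    '{"timestamp": "2025-03-01T12:00:05Z", "host": "fs01"}',
]


def missing_fields(record_json: str) -> list:
    """Return the required fields absent or empty in one JSON audit record."""
    record = json.loads(record_json)
    return [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]


def assess_records(records) -> tuple:
    """Return (usable_count, findings); findings describe each deficient record."""
    findings = []
    usable = 0
    for i, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            findings.append(f"record {i}: missing {', '.join(missing)}")
        else:
            usable += 1
    return usable, findings


def retention_meets_policy(configured_hours: int, policy_days: int) -> bool:
    """True only when records are kept at least as long as the policy requires."""
    return configured_hours >= policy_days * 24


def score_practice(records, configured_hours: int, policy_days: int) -> str:
    """Simplified verdict: every record usable on its own AND retention adequate.

    This is an illustrative pass/fail, not the CMMC assessment scoring method.
    """
    usable, _findings = assess_records(records)
    content_ok = usable == len(records)
    retention_ok = retention_meets_policy(configured_hours, policy_days)
    return "MET" if content_ok and retention_ok else "NOT MET"


if __name__ == "__main__":
    # The scenario's configuration: limited records, 24-hour retention, 30-day policy.
    usable, findings = assess_records(SAMPLE_RECORDS)
    print(f"{usable}/{len(SAMPLE_RECORDS)} records usable on their own")
    for f in findings:
        print("  ", f)
    print("retention adequate:", retention_meets_policy(24, 30))
    print("verdict:", score_practice(SAMPLE_RECORDS, 24, 30))
```

Run against the scenario's own numbers (24-hour retention against a 30-day policy, plus records missing the identifying content), the script flags both deficiencies; the same checks pass once every record carries all required fields and retention is raised to at least 720 hours.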
© Copyrights CertsIQ 2026. All Rights Reserved