CMMC-CCA 試験問題を無料オンラインアクセス

While conducting a CMMC Level 2 Third-Party Assessment of a small defense contractor, an assessor discovers that the contractor's Information Security Policy has no documented change records demonstrating executive approval. The IT director states that they will add change records in the future, but that other evidence exists. Which documentation is MOST able to demonstrate persistent and habitual adherence to CMMC requirements?

• A.Several years' worth of saved emails from the executive team approving policies and directing adherence
• B.Handwritten notes from executive committee meetings discussing implementation
• C.Transcribed interviews with new employees discussing their understanding of information security policies
• D.A notarized letter from the previous CEO stating that they approved information security policies annually

During an assessment, an assessor is trying to determine if the organization provides protection from malicious code at appropriate locations within organizational information systems. The assessor has decided to use the Interview method to gather evidence. It is BEST to interview:

• A.Personnel with security alert and advisory responsibilities
• B.System or network administrators
• C.System developers
• D.Personnel with audit and accountability responsibilities

An OSC has an established password policy. The OSC wants to improve its password protection security by implementing a single change. Which of the following is an acceptable element to add to the OSC's password policy?

• A.Require passwords to be 5 to 7 characters long.
• B.Add the use of salted one-way cryptographic hashes of passwords, where possible.
• C.Require passwords to be changed every 18 months.
• D.Add the use of salted two-way cryptographic hashes of passwords.

During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?

• A.Yes, so long as the visitor's actions can still be viewed by the escort
• B.Yes, since the visitor can only use a single entry
• C.No, the escort must always be in the same room
• D.No, the escort is not allowed to sit down

The OSC prints out documents it receives via email that are marked as CUI. According to MP.L2-3.8.4:
Media Markings,
what should the Assessor expect to see on the printouts?

• A.The original markings from the document and a distribution list with limitations
• B.A red stamp that states the document contains CUI
• C.The original markings that were on the document emailed to the OSC
• D.Written limitations to the distribution of the CUI within the OSC