CMMC-CCA 試験問題を無料オンラインアクセス

A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor's documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in- scope in the documentation?

• A.If the OSC has an underground passageway connecting the CUI building to a non-CUI building
• B.If the assessor sees personnel carrying locked cases into the other building or area
• C.If Human Resources that supports both commercial and federal sectors sits in the other building or area
• D.If network diagrams indicate the commercial and federal sectors share a single Internet connection

A midsized professional services organization that frequently contracts with government entities is undergoing a CMMC Level 2 assessment. The CCA interviews IT leadership about their audit logging capabilities and determines that a third-party vendor is responsible for correlating and reviewing audit logs.
During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?

• A.The vendor has the ability to provide report generation.
• B.The vendor may not use the same authoritative time source.
• C.Audit logs must be reviewed on at least a weekly basis for CMMC requirements.
• D.Audit logs should not be correlated and reviewed by a third party as they may contain CUI.

The Lead Assessor is reviewing the Assessment Plan to identify people for interviews regarding a specific Level 2 practice. Some OSC personnel previously interviewed provided only brief answers without meaningful verification. What can the Lead Assessor do to improve this situation going forward?

• A.Ensure and verify confidentiality and non-attribution of responses
• B.Ensure the people from the training matrix are made available
• C.Ensure the respondents sign a non-disclosure agreement for the OSC
• D.Ensure and verify the responses map to the documented artifacts

The Assessment Team is meeting with the OSC team and experiences a situation where some members of the OSC team describe the IT infrastructure differently from others. In some discussions, one person identifies a series of ESPs, while another describes the infrastructure as on-premises. What should the Lead Assessor do to clarify the actual operational environment?

• A.Review the network diagrams
• B.Interview an authoritative OSC representative
• C.Review the system interconnection agreements
• D.Ask for the contact information of the identified ESPs

An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked
"Authorized for CUI printing." What is the NEXT step the Lead Assessor should take regarding PE.L2-
3.10.3: Escort Visitors?

• A.Ask the OSC if the printer technician has authorized access
• B.Make a note and score the practice as MET
• C.Ask the printer technician to leave immediately
• D.Make a note and score the practice as NOT MET