Free CMMC-CCA Mock Exam – Practice Online Confidently

Increase your chances of passing the Cyber AB CMMC-CCA exam on your first try. Practice with our free online CMMC-CCA mock exam, designed to help you prepare effectively and confidently.

Exam Code: CMMC-CCA
Exam Questions: 536
Certified CMMC Assessor (CCA) Level 2
Updated: 24 May, 2026
Question 1

You are the lead CMMC assessor evaluating a defense contractor that develops advanced surveillance equipment and software for intelligence agencies. Given the sensitive nature of their work, the contractor has implemented robust insider threat monitoring. During your assessment, you find out that the contractor's insider threat program tracks indicators like unauthorized data access attempts, unexplained wealth changes, workplace disputes, and disruptive behavior changes. The contractor also has regular security awareness training covering reporting potential insider threats via an anonymous hotline and web portal. High-risk roles like developers with classified codebase access receive additional insider threat vector training and are closely monitored. To verify all this, you interview the CISO, who confirms their implementation of CMMC practice AT.L2-3.2.3-Insider Threat Awareness. The contractor uses an anonymous hotline and web portal for reporting potential insider threats. However, some employees might hesitate to use anonymous reporting due to fear of retaliation. Which of the following is the best way to encourage anonymous reporting within the contractor's organization?

Options :
Answer: A

Question 2

John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC's security practices leave much to be desired. After speaking with the OSC's IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John's actions?

Options :
Answer: D

Question 3

An OSC submits a CMMC assessment scope that includes an enclave to the C3PAO assessment team for validation. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMware. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the Enclave. The OSC has deployed a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its Enclave?

Options :
Answer: B

Question 4

During an interview with network administrators responsible for managing remote access, they mentioned using a next-generation firewall (NGFW) to secure the VPN connection, which can inspect remote device configurations and identify signs of potential split tunneling. How can the functionality of this NGFW contribute to achieving the objectives of CMMC practice SC.L2-3.13.7-Split Tunneling?

Options :
Answer: A

Question 5

Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO's CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC's preparedness and readiness for a CMMC assessment. Where would you document the OSC's readiness to proceed to the second phase of the CMMC Assessment Process (CAP)?

Options :
Answer: C
