Free CMMC-CCA Mock Exam – Practice Online Confidently

Before an OSC categorizes its assets into different categories, it must determine the Scope of applicability. However, after discussing with the OSC� PoC, you learn that although they follow CUI and FCI in all forms and stages, they are mostly considered technical components. What is the issue with the OSC?s approach to determining scope of applicability?

A C3PAO and OSC have agreed to proceed with CMMC assessment planning. The OSC assessment official and the C3PAO are working to determine the planning details and purview of the Assessment, which includes scoping. When should the C3PAO and OSC conduct the high-level contract framing?

An OSC submits to the C3PAO assessment team for validation, a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMWare. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the Enclave. The OSC has deployed a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its Enclave?

Proper authentication is a key requirement of a secure system. To this end, you are assessing an OSC's implementation of IA.L2-3.5.3-Multifactor Authentication. The contractor has deployed Okta in their systems, integrated it into Active Directory (AD), and set up multifactor authentication (MFA). The OSC has documented all the privileged accounts, which must be authenticated through the MFA solution for any network or local access. Their procedures addressing user identification and authentication require everyone, privileged or nonprivileged, to be authenticated using multifactor authentication. The OSC (Organization Seeking Certification) can produce the following evidence to show their compliance with IA.L2-3.5.3-Multifactor Authentication, EXCEPT?

An OSC has documented HR and personnel security policies, which are well integrated. A key requirement is that credentials and systems are revoked upon a transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them of their CUI handling obligations even after transfer and require them to sign an NDA. After every termination, they also change the password and other access control mechanisms and notify all the stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite the following as evidence of collaborating on their implementation of CMMC practice PS.L2-3.9.2-Personnel Actions, EXCEPT?