Free CMMC-CCA Mock Exam – Practice Online Confidently

Increase your chances of passing the Cyber AB CMMC-CCA exam questions on your first try. Practice with our free online CMMC-CCA exam mock test designed to help you prepare effectively and confidently.

Exam Code: CMMC-CCA
Exam Questions: 536
Certified CMMC Assessor (CCA) Level 2
Updated: 02 Apr, 2026
Question 1

A defense contractor has implemented a secure wireless network infrastructure to support their operations and client engagements. They use the WPA2-Enterprise encryption protocol with AES-CCMP ciphers and the 802.1X port-based authentication framework to secure their wireless network. The wireless network infrastructure includes a Remote Authentication Dial-In User Service (RADIUS) server for centralized authentication and authorization of wireless clients. The contractor has deployed multiple Wireless Access Points (WAPs) throughout their office premises, each with its own Service Set Identifier (SSID) and VLAN configuration. Before granting wireless access, the contractor's IT team verifies the device's compliance with their security standards and validates the user's credentials against the RADIUS server using EAP-TLS authentication. Which of the following actions would NOT be considered a best practice for the contractor to further strengthen their compliance with CMMC AC.L2-3.1.16-Wireless Access Authorization?

Options :
Answer: A

Question 2

During your assessment of CA.L2-3.12.3-Security Control Monitoring, the contractor's CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. Which of the following best describes the contractor's compliance with CA.L2-3.12.3-Security Control Monitoring based on the scenario?

Options :
Answer: B

Question 3

During a CMMC assessment, the Lead Assessor discovers that the OSC has outsourced its incident response to a third-party provider. The OSC provides a contract with the provider but no detailed evidence of the provider's processes. What should the Lead Assessor do?

Options :
Answer: B

Question 4

While assessing an OSC, you realize they have given identifiers to systems, users, and processes. Examining their documentation, you know they have assigned accounts uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy where identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5-Identifier Reuse if you find issues with its implementation?

Options :
Answer: B

Question 5

Examining an OSC's system design documentation, you notice they have implemented a CUI enclave and have a documented procedure addressing boundary protection. They have segmented their network into different zones, each having its own rules to allow or deny traffic. The OSC has implemented strict firewall rules that deny all incoming and outgoing traffic by default, only allowing specific traffic as required. To automatically block unrecognized traffic patterns, the OSC has provisioned a state-of-the-art Intrusion Detection and Prevention System (IDPS). During an interview with the network administrator, you realize that the OSC uses a whitelisting approach to explicitly allow only certain IP addresses, domains, or services to communicate with their system. Their IT security team monitors network traffic to detect any unauthorized attempts to connect or communicate with their system. The scenario states that network traffic is monitored to detect unauthorized connection attempts. Which of the following best describes the purpose of monitoring network traffic in the context of CMMC practice SC.L2-3.13.6-Network Communication by Exception?

Options :
Answer: D
