A CMMC Level 2 certified DoD contractor plans to use a Cloud Service Provider (CSP) to support data storage and application hosting for their business operations. The contractor is aware of the CMMC requirements and wants to ensure compliance before engaging with the cloud service provider. After discussing this with them, you learn that most of the hosted applications aren’t used for any activities related to the DoD contract. However, the stored data may contain Controlled Unclassified Information (CUI). What requirement must the CSP have met before the DoD contractor can hire them?
A CMMC Assessment Team is evaluating an OSC’s implementation of RA.L2-3.11.1 – Risk Assessments. Upon examining the OSC’s Risk Assessment policy, the team learns that the OSC has specified frequencies for assessing risks to organizational operations, assets, and personnel. The results and reviews of risk assessments indicated that assessments are conducted at these defined frequencies. For the OSC’s risk assessment to be accurate, it must consider all of the following except which factor?
During a CMMC Level 2 assessment, a CCA is evaluating whether the organization meets the requirement to “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” According to the CMMC requirement, the CCA must determine whether FIPS-validated cryptography is employed to protect the confidentiality of CUI. Which assessment procedure would the CCA most likely use to evaluate this requirement?
A representative of a CMMC Level 2 certified DoD contractor has reached out to you as a CCA for an explanation of FedRAMP equivalency. They want to use a Cloud Service Offering (CSO) from a renowned CSP, but in light of the DoD FedRAMP equivalency memo, they are reluctant. In your conversation, you learn that although the CSO has impressive features, the assessment by a FedRAMP 3PAO resulted in a Plan of Action and Milestones (POA&M) that the CSP is remedying. What is the main reason the contractor shouldn’t use the CSP’s services?
Conducting a CMMC assessment for an OSC includes interviewing, testing, or examining various Assessment Objects. As a CCA, you are part of an Assessment Team tasked with evaluating how an OSC has implemented AC.L2-3.1.4 – Separation of Duties. Which of the following is not an Assessment Object you would use to validate the OSC’s implementation of AC.L2-3.1.4[a], “the duties of individuals requiring separation to reduce the risk of malevolent activity are defined”?
A CMMC assessment involves testing, examining, and interviewing various assessment objects. The definition of an assessment object is provided in NIST SP 800-171A. Which of the following can an Assessment Object NOT be?
You are part of the Assessment Team evaluating an OSC’s implementation of AC.L2-3.1.13 – Remote Access Confidentiality. This requirement mandates the organization to employ cryptographic mechanisms to protect the confidentiality of remote access sessions. During your assessment, you want to determine whether these cryptographic mechanisms have been properly identified as required by assessment objective [a]. What specification can you use to make this determination?
Part of effective CUI protection involves knowing which assets process, transmit, or store CUI. This understanding is crucial for defining CUI boundaries within an OSC’s systems. To achieve this, an OSC can prepare a logical data flow diagram for their information systems. Which of the following questions does a logical data flow diagram not answer?
An Assessment Team is reviewing the network diagram provided by an OSC. The diagram will help the team understand how the OSC has set up assets across its network and determine whether it has implemented network separation and enclaves to protect its CUI. During the review, the team notices that the network diagram does not clearly delineate the boundaries between the enterprise and CUI environments, raising concerns about the assessment scope. What should the Assessment Team do in this situation?
CMMC practice SC.L2-3.13.6 assessment objectives [a] and [b] require contractors’ systems to deny network communications traffic by default [a] and allow network communications traffic by exception [b], respectively. As a CCA, you assess whether an OSC has segmented its network into different zones. The OSC has implemented Access Control Lists (ACLs) on its network devices to permit or deny traffic based on source and destination IP addresses and ports. Additionally, the OSC uses a Fortinet Next-Generation Firewall (NGFW). To monitor its computing environment, the OSC uses a state-of-the-art SIEM. Which of the following assessment methods is NOT a method you would use to assess whether the OSC has met assessment objectives [a] and [b]?