Free Access CyberAB.CMMC-CCA.v2025-11-28.q157 Practice Test (Page 10)

Question 41

When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised.
Why should all traffic be routed through a managed Access Control point?

A.It simplifies network architecture and reduces complexity

B.Reduces the susceptibility to unauthorized access to organizational systems

C.It enables easier troubleshooting and monitoring of network traffic

D.It provides better performance and lower latency for remote users

Question 42

A C3PAO and OSC have agreed to proceed with CMMC assessment planning. The OSC assessment official and the C3PAO are working to determine the planning details and purview of the Assessment, which includes scoping. When should the C3PAO and OSC conduct the high-level contract framing?

A.After the C3PAO has assigned the Lead Assessor and Assessment Team.

B.At the beginning of their engagement for the CMMC assessment.

C.During Phase 2 of the CMMC assessment process.

D.After the OSC has determined the CMMC Assessment Scope.

Question 43

An OSC undergoing a CMMC Level 2 assessment provides evidence that includes a third-party audit report from a previous year. The report indicates compliance with several CMMC practices, but it does not address the current state of the OSC's systems. How should the Lead Assessor treat this evidence?

A.Accept the audit report as sufficient evidence for the practices it covers.

B.Reject the audit report as outdated and request current evidence.

C.Use the audit report as partial evidence and request additional current evidence to verify ongoing compliance.

D.Mark all practices covered by the report as "NOT MET" due to the lack of current data.

Question 44

In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256)to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current status with FIPS?

A.NIST CMVP

B.FedRAMP Marketplace

C.NIST CSRC

D.FIPS 140-2 documentation

Question 45

During scoping discussions with a Lead Assessor, the OSC mentions that there are several connected systems within the organization's network. How should the Lead Assessor consider connected systems in the scoping of the CMMC assessment?

A.Connected systems are never in scope unless specifically requested by the OSC.

B.Connected systems are only in scope if they directly transmit FCI and/or CUI.

C.Only internally connected systems directly handling FCI and/or CUI are in scope.

D.Connected systems would be considered in scope for the assessment if the systems could impact the security of the CUI (or FCI) environment or if they store, process, or transmit CUI (or FCI) within the organization's network.

Latest Upload: 115Talend.Talend-Core-Developer.v2026-01-15.q20; 140Salesforce.Marketing-Cloud-Administrator.v2026-01-15.q146; 192Salesforce.ADX-211.v2026-01-14.q223; 110Salesforce.B2B-Solution-Architect.v2026-01-14.q111; 117BICSI.RCDD.v2026-01-14.q121; 112NBMTM.BCMTMS.v2026-01-14.q33; 126Microsoft.GH-200.v2026-01-13.q64; 145SAP.C_C4HCX_2405.v2026-01-13.q80; 154Microsoft.GH-300.v2026-01-13.q69; 140Microsoft.GH-100.v2026-01-12.q22

Question 41

Question 42

Question 43

Question 44

Question 45

Download PDF File