You are the Lead Assessor for a C3PAO Assessment Team that has recently completed a CMMC Level 2 assessment for an OSC. You and your Assessment Team have finalized the assessment process and are now in Phase 3 - Report Recommended Assessment Results. You are preparing to deliver the final recommended findings to the OSC Assessment Official and OSC participants during the Final Findings Briefing. After you present the final recommended findings and practice scores, what is the next step in the CMMC Assessment Process?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: The CAP requires a CQAP quality review before eMASS submission (Option A), not immediate submission (Option C), appeals (Option B, which are optional), or archiving (Option D, a later step).
Extract from Official Document (CAP v1.0):
* Section 3.2 - Report Assessment Results (pg. 32): "The C3PAO CQAP conducts an internal quality review of the Assessment Results Package post-Final Findings Briefing."
References: CMMC Assessment Process (CAP) v1.0, Section 3.2.
Question 72
The Daily Checkpoint meeting is a required component of the CMMC assessment process. It is conducted at the end of every day and includes the Assessment Team, Lead Assessor, OSC PoC, OSC Assessment Official, and other key personnel. This meeting helps ensure all the following, EXCEPT?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation: The CAP outlines the Daily Checkpoint meeting's purpose as ensuring progress, data collection, and issue resolution; team comfort is not a formal objective. Options A, B, and D are explicitly listed goals.
Extract from Official Document (CAP v1.0):
* Section 2.3 - Daily Checkpoint Meetings (pg. 27): "The meeting ensures data collection needs are met, issues are identified and resolved, and the assessment proceeds as planned."
References: CMMC Assessment Process (CAP) v1.0, Section 2.3.
Question 73
After thoroughly evaluating the evidence gathered, the Assessment Team has generated their preliminary findings and recommendations for the OSC's target CMMC level. However, before finalizing the results, they need to validate their findings through a review process. Once the Preliminary Recommended Findings have been generated and validated, the Assessment Team needs to properly record them in the appropriate document or system. Where should the Assessment Team enter or record the preliminary recommended findings after generating and validating them?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation: The CAP specifies that Preliminary Recommended Findings, after validation, are recorded in the CMMC Assessment Findings Brief, which summarizes practice scores and findings. Option A is for final results, Option B is for daily notes, and Option D is for initial planning.
Extract from Official Document (CAP v1.0):
* Section 2.4 - Generate Preliminary Findings (pg. 29): "The Assessment Team shall enter Preliminary Recommended Findings in the CMMC Assessment Findings Brief after generating and validating them."
References: CMMC Assessment Process (CAP) v1.0, Section 2.4.
Question 74
A Lead Assessor is conducting an assessment for an OSC. The Lead Assessor is collecting evidence regarding the OSC's network separation techniques. Which technique would be considered a logical separation technique and would fall within the scope of the assessment?
Correct Answer: C
Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.
Exact extracts:
* "Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls."
* "Assessment Objectives ... Determine if:
  * separation of users and information types is enforced by physical or logical means."
* "Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions."
Why the other options are incorrect:
* A (Data loss alerting): This is monitoring, not separation.
* B (Badge access): This is a physical access control, not logical separation.
* D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.
References (CCA documents / Study Guide):
* CMMC Assessment Guide - Level 2, SC.L2-3.13.6 "Network Separation."
* NIST SP 800-171 Rev. 2, 3.13.6.
Question 75
A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network's system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2 - Security Configuration Enforcement if the contractor is tracking it in a POA&M?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: CMMC practice CM.L2-3.4.2 - Security Configuration Enforcement requires organizations to "enforce security configuration settings for information technology products employed in organizational systems." The contractor uses CFEngine 3 and a monitoring tool, but deviates from vendor-recommended configurations, claiming alignment with organizational baselines. However, the practice being tracked in a POA&M indicates it is not fully implemented. Per the CMMC Assessment Process (CAP), any practice in a POA&M is scored as Not Met until a closeout assessment verifies full implementation. For CM.L2-3.4.2, a 5-point practice, partial implementation is not accepted, and POA&M status confirms non-compliance at assessment time, scoring Not Met (-5). More info (B) is not needed given the POA&M, Met (C) contradicts the CAP, and N/A (D) does not apply.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Enforce security configs; full implementation required."
* CAP v5.6.1, p. 24: "Practices tracked in a POA&M are scored as Not Met until closeout."
* DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf