What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?
Correct Answer: C
The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:
* Complete (addresses all assessment objectives for the practice)
* Validated (verified by the assessor)
* Mapped to the practice requirements (traceable to objectives)
Extract: "The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET." Reference: CMMC Assessment Guide - Level 2; CAP, Evidence Review Guidance.
Question 2
An Assessment Team is reviewing the scope of a CMMC assessment for an OSC. The OSC has defined a narrow security boundary for their assessment, which the Assessment Team believes may not adequately protect all sensitive information. The OSC gives reasons for this, including financial constraints, and claims that CUI is only contained within an enclave defined by the boundary. However, after inspecting the facility and interviewing employees, you determine that some assets that may process CUI are outside the enclave. What is the risk of the OSC defining a security boundary that is too narrow in scope for the CMMC assessment?
Correct Answer: B
Comprehensive and Detailed Explanation: A narrow security boundary that excludes assets processing CUI poses a significant risk to the OSC's compliance with CMMC requirements. The CMMC Assessment Scope - Level 2 emphasizes that the scope must include all assets that process, store, or transmit CUI, and failure to do so indicates a lack of due diligence in identifying and protecting sensitive information. If assets outside the enclave handle CUI, they must be included in the scope to ensure comprehensive protection, as per NIST SP 800-171 and CMMC guidelines. A too-narrow scope could leave CUI vulnerable, undermining the OSC's security posture and potentially leading to non-compliance. Option A is a consequence, not the primary risk. Options C and D focus on cost and time, which are secondary to the security risk identified in B. The CMMC CAP reinforces that proper scoping is critical to safeguarding CUI, making B the correct answer. Reference: CMMC Assessment Scope - Level 2, Section 2.1 (Scoping Guidance), p. 3: "A scope that is too narrow may fail to protect all sensitive information, indicating insufficient due diligence." CMMC Assessment Process (CAP) v1.0, Section 2.2 (Scope Validation)
Question 3
While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt. Based on this scenario, which of the following statements are TRUE about the contractor's implementation of CMMC practice AC.L2-3.1.8 - Unsuccessful Logon Attempts?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: AC.L2-3.1.8 requires "limiting unsuccessful logon attempts" by defining: [a] a threshold, and [b] a lockout duration or delay. The contractor's settings (5 attempts, 15-minute lockout, 30-second reset) meet these objectives, providing reasonable protection against brute-force attacks. While stricter settings (e.g., fewer attempts) could enhance security, CMMC doesn't mandate specific values, only that limits are enforced. This 1-point practice scores Met (+1), making A true. B, C, and D assume inadequacy without evidence of failure.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.8: "Define and enforce [a] number of attempts, [b] lockout duration or delay."
* DoD Scoring Methodology: "1-point practice: Met = +1."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Question 4
An OSC has an established password policy. The OSC wants to improve its password protection security by implementing a single change. Which of the following is an acceptable element to add to the OSC's password policy?
Correct Answer: D
The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection. Extract from IA.L2-3.5.10: "Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes." Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal. Reference: CMMC Assessment Guide - Level 2, IA.L2-3.5.10.
Question 5
The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out-of-scope for the assessment?
Correct Answer: C
According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope. Extract from CMMC Scoping Guidance: "Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so." Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI. Reference: CMMC 2.0 Scoping Guidance for Level 2 Assessments (Official CCA documentation).