In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. How is Session Lock typically initiated?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: CMMC practice AC.L2-3.1.10 - Session Lock mandates that organizations "initiate a session lock after a defined period of inactivity" to prevent unauthorized access to systems handling CUI. The typical and required initiation method is automatic, triggered by a predefined inactivity threshold (e.g., 5 minutes in this case), ensuring consistent protection without relying on user or admin intervention. Manual initiation by a system administrator or user is less effective and not scalable, while user authentication processes relate to unlocking, not initiating the lock. The CMMC guide emphasizes automation to enforce this control uniformly across systems.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-defined time period of inactivity (e.g., 15 minutes or less)."
* NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a specified period of inactivity."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Question 122
You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications. Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 - System Baselining?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: CM.L2-3.4.1 requires "establishing and documenting baseline configurations, reviewed and updated as needed." The lack of firmware/network inclusion and a review process fails objective [c]. A documented review process addressing all components and security risks (A) directly corrects this, aligning with CMMC intent. Ad-hoc updates (B) lack structure, tool replacement (C) isn't justified, and update frequency (D) is unrelated. The guide emphasizes periodic review.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.1: "Review and update baselines for all components as needed."
* NIST SP 800-171A, 3.4.1: "Examine process for baseline updates."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Question 123
You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has provided a list of assets in scope, but during a site visit, you discover additional systems handling CUI that were not included in the initial scope. What should you do?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: The CAP requires the Lead Assessor to adjust the scope collaboratively with the OSC when inaccuracies are found (Option B). Options A, C, and D violate CAP procedures.
Extract from Official Document (CAP v1.0):
* Section 1.4 - Define Assessment Scope (pg. 13): "Request adjustments to the proposed scope to ensure accuracy and validity."
References: CMMC Assessment Process (CAP) v1.0, Section 1.4.
Question 124
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:
Correct Answer: C
CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.
Exact Extracts (official CMMC Assessor/Study documents):
* PE.L2-3.10.1: "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals."
* PE.L2-3.10.3: "Escort visitors and monitor visitor activity."
* PE.L2-3.10.5: "Access records must be maintained."
* CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.
Why the other options are not correct:
* A (keys): Keys do not provide audit logs or individual accountability.
* B (cameras): Monitoring alone is insufficient; prevention and control are required.
* D (keypads): Shared codes do not provide unique traceability or access history per user.
References: CMMC Assessment Guide - Level 2, Version 2.13: PE.L2 practices (pp. 153-159). NIST SP 800-171A, Physical and Environmental Protection (PE) assessment objectives.
Question 125
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
Correct Answer: D
A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password. Extract from SC.L2-3.13.10: "Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret." Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password. Reference: CMMC Assessment Guide - Level 2, SC.L2-3.13.10.