Free Access CyberAB.CMMC-CCA.v2025-11-28.q157 Practice Test (Page 6)

Question 21

While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?

A.System Administrator

B.Front-desk Receptionist

C.Administrative Assistant

D.Senior Architecture Partner

Question 22

During a CMMC Level 2 assessment, the OSC's Assessment Official asks the Lead Assessor if they can exclude a small subsidiary from the assessment scope because it only handles a minimal amount of CUI. The subsidiary's systems are networked with the main OSC environment. What should the Lead Assessor do?

A.Agree to exclude the subsidiary since it handles minimal CUI.

B.Request the OSC to include the subsidiary in the scope due to its networked connection and CUI handling, and adjust the assessment accordingly.

C.Proceed with the original scope and ignore the subsidiary's systems.

D.Terminate the assessment until the OSC resolves the subsidiary's inclusion internally.

Question 23

An OSC submits to the C3PAO Assessment Team for validation a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMware. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the enclave and a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its enclave?

A.Physical separation

B.Segmentation

C.Decentralization

D.Virtualization

Question 24

Implementation of and compliance with CMMC practices is not just a one-time effort but a sustained and habitual practice within the organization. As a CCA, you are part of an Assessment Team conducting a CMMC assessment for an OSC. As part of the assessment process, the CCA must confirm that the OSC has persistently implemented the CMMC policies and practices across all levels of the organization. To validate the persistent implementation of CMMC policies and practices, which of the following sources of evidence should you primarily focus on?

A.The OSC's training programs and resource allocation for CMMC implementation

B.Interviews with personnel to gauge their awareness and understanding of CMMC practices

C.The OSC's policy documents and executive-level communications

D.A combination of policies, plans, resourcing, communications, and training that are elements of the organization's cybersecurity program

Question 25

A Lead Assessor and the OSC have been reviewing the scope. In preparing the final assessment scope, they disagree on some areas. After several days of attempting various solutions, they cannot find common ground.
What should the CCA recommend to the C3PAO?

A.The C3PAO formally writes to the OSC to start CMMC scoping afresh.

B.Halt the assessment until the assessment scope is verified.

C.The assessment continues as they address the areas of contention.

D.Inform the C3PAO that the OSC has failed the assessment.

Latest Upload: 115Talend.Talend-Core-Developer.v2026-01-15.q20; 140Salesforce.Marketing-Cloud-Administrator.v2026-01-15.q146; 192Salesforce.ADX-211.v2026-01-14.q223; 110Salesforce.B2B-Solution-Architect.v2026-01-14.q111; 117BICSI.RCDD.v2026-01-14.q121; 112NBMTM.BCMTMS.v2026-01-14.q33; 126Microsoft.GH-200.v2026-01-13.q64; 145SAP.C_C4HCX_2405.v2026-01-13.q80; 154Microsoft.GH-300.v2026-01-13.q69; 140Microsoft.GH-100.v2026-01-12.q22

Question 21

Question 22

Question 23

Question 24

Question 25

Download PDF File