An OSC seeking Level 2 certification has a fully cloud-based environment. The assessor must evaluate fulfillment of Level 2 requirements the OSC implements versus those handled by the cloud service provider. Which document would be BEST to identify the Level 2 requirements handled by the OSC’s cloud provider?
An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:
System inventory records showing additions/removals of machines,
Software inventory showing installations/removals, and
A system component installation plan with software needs and user specifications.
What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?
An OSC processes data in its owned data center. The data center includes a very early smoke detection apparatus (VESDA). The apparatus only captures log information from its sensors around the data center. It is not intended, nor capable of, processing CUI. The VESDA is on a separate VLAN and is in a separate locked room in the data center.
Should the assessor agree that the VESDA is out-of-scope?
The client has a Supervisory Control and Data Acquisition (SCADA) system as OT to be evaluated as part of its assessment. In reviewing network architecture and conducting interviews, the assessor determines that a firewall separates the SCADA system from the client’s enterprise network and that CUI is not processed by the SCADA system. Based on this information, what is an appropriate outcome?
During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?
To meet AC.L2-3.1.5: Least Privilege, the following procedure is established:
All employees are given a basic (non-privileged) user account.
System Administrators are given a separate System Administrator account.
Database Administrators are given a separate Database Administrator account.
Which steps should be added to BEST meet all of the standards for least privilege?
Different mechanisms can be used to protect information at rest. Which mechanism is MOST LIKELY to afford protection for information at rest?
An OSC outsources all of its security incident and event monitoring work to a third-party SOC. Additionally, the OSC utilizes a cloud-hosted antivirus (AV) system to fulfill the requirement of having virus protection without hosting additional servers on-site.
During the scoping discussion, both the SOC and AV should be listed as what type of asset?
An OSC has built an enclave for its production environment. The enclave sits behind a firewall, with all equipment connected through a switch. There is a shipping workstation and physically connected label printer (used for the sales system, which does not process CUI) that the OSC claims are Contractor Risk Managed Assets (CRMA). Other than showing that the shipping workstation and label printer are not intended to store or transmit CUI, and documenting them in the SSP,
how BEST would the OSC show that the shipping workstation and label printer are Contractor Risk Managed Assets?
NIST SP 800-171A specifies the assessment methods for defining the nature and the extent of a CCA’s actions. What is the purpose of the test assessment method?
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?
A company seeking Level 2 certification has several telecommunications closets throughout its office building. The closets contain network systems and devices that are used to transmit CUI. Which method would be BEST to ensure that only authorized personnel can access the network systems and devices housed within the closets?
A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. During the planning phase, the Lead Assessor and OSC have:
Developed evidence collection approach;
Identified the team members, resources, schedules, and logistics;
Identified and managed conflicts of interest;
Gained access to the OSC’s relevant documentation.
Based on the information provided, which would be an additional element to be discussed during the planning phase of the assessment?
A Lead Assessor is conducting an assessment for an OSC. The Lead Assessor is collecting evidence regarding the OSC’s network separation techniques. Which technique would be considered a logical separation technique and would fall within the scope of the assessment?
During a CMMC Assessment, the assessor is determining if the Escort Visitors practice is MET. Personnel with which of the following responsibilities would be MOST appropriate to interview?
A company mirrors its FCI/CUI data storage in a cloud environment. Data is managed across multiple virtual machines (VMs). To satisfy requirements for data security of the LOCAL copy using physical controls, what should the OSC do?
While conducting a Level 2 Assessment, the Assessment Team begins reviewing assessment objects. The team identifies concerns with several of the objects presented. Which artifacts would require the MOST verification?
A CCA is asked to validate if an OSC has separated their systems containing CUI from other departments’ systems on their local network. Which of the following MUST the CCA assess?
While conducting an assessment, an assessor is determining if privileged accounts are used for non-privileged functions. While interviewing a user with a privileged account, the assessor should ask if the person interviewed:
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?
The Assessment Team is meeting with the OSC team and experiences a situation where some members of the OSC team describe the IT infrastructure differently from others. In some discussions, one person identifies a series of ESPs, while another describes the infrastructure as on-premises. What should the Lead Assessor do to clarify the actual operational environment?
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
When a new employee is issued a laptop, only the user’s credentials need to be set up. According to the IT department, the IT manager is the only person who can change laptop setup and user privileges. What documentation should be examined to determine if this is the case?
A company is undergoing a CMMC Level 2 Assessment. During the Conduct Assessment phase, an Assessment Team member is reviewing the policies and procedures in the incident response plan.
Which assessment method is being utilized?
The Lead Assessor is compiling the assessment results, which must contain the status for each of the applicable practices. Some practices have been placed in the limited practice deficiency correction program. Multiple areas have been reviewed, including HQ, host units, and a specific enclave.
In order to properly report the findings, the Lead Assessor MUST:
An organization’s password policy includes these requirements:
Passwords must be at least 8 characters in length.
Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.
Passwords must be changed at least every 90 days.
When a password is changed, none of the previous 3 passwords can be reused.
Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?
The Lead Assessor is conducting an assessment for an OSC. The Lead Assessor has finished collecting and examining evidence from the assessment.
Based on this information, what is the NEXT logical step?
What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?
An OSC is preparing for an assessment and wants to gather evidence that will be used by the Lead Assessor to determine the scope of the assessment. The OSC currently operates a hybrid network, with part of their infrastructure at their physical location and part of their infrastructure in a cloud environment.
What evidence should the OSC collect that would assist the Lead Assessor in determining cloud and hybrid environment constraints?
During the Planning Phase of the Assessment Plan, the assessor determines that the Client will likely include sensitive and proprietary CUI. What should the assessor consider as part of their virtual data collection techniques for this information?
While conducting a CMMC Level 2 self-assessment, an organization’s Chief Information Security Officer asks the system administrator for evidence that remote access is routed through fully managed access control points. Which documentation would BEST demonstrate that all remote access is routed through managed access control points?
ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?
An OSC has a testing laboratory. The lab has several pieces of equipment, including a workstation that is used to analyze test information collected from the test equipment. All equipment is on the same VLAN that is part of the certification assessment. The OSC claims that the workstation is part of the test equipment (Specialized Asset) and only needs to be addressed under risk-based security policies. However, the OSC states that the data analysis output is CUI. What is the assessor’s BEST response?
A company has a CUI enclave for handling all CUI processed, stored, and transmitted through the organization. While interviewing the IT manager, the CCA asks how assets that can, but are not intended to, handle CUI are identified. The IT manager refers to the CUI system’s network diagram (which includes these assets) as well as the asset inventory (which lists these assets as Contractor Risk Managed Assets). Which other artifact MUST also mention these assets?
During a CMMC Level 2 Assessment, a CCA interviewed a system administrator on the OSC’s procedures around configuration management and endpoint security. The system administrator described how they build and deploy new systems, and noted that some users require specialized applications for their jobs. Users have been asked to email IT when they install and run an additional application so IT can add it to their list of allowed software.
What must the CCA conclude?
A CCA is assessing the concept of least functionality in accordance with CM.L2-3.4.6: Least Functionality.
Which method is the LEAST LIKELY to be useful as an assessment technique?
An OSC is a wholly owned subsidiary of a large conglomerate (parent organization). The OSC and the parent organization use ID badges (PKI cards) that contain a PKI certificate and a radio frequency identification (RFID) tag used for building and system access (including systems that process, transmit, or store CUI). The parent organization does not make any decisions on how the OSC runs its security program or other matters of significance. The large conglomerate operates a machine that is used to activate the badges for both itself and the OSC. This machine is isolated in a locked room and has no network connectivity to the OSC.
The badge activation system is:
A Lead Assessor is conducting an assessment for an OSC. The OSC is currently using doors and badge access to limit access to private areas of their campus to only authorized personnel. Which item is another means of controlling physical access to areas that contain CUI?
Testing is one assessment method the Lead Assessor may choose depending on the assessment scope and evidence provided by the OSC. During the Plan Phase, the Lead Assessor and OSC POC agree on who the people are that are involved in a particular practice so that it could be tested if determined appropriate. During the discussion, the OSC POC tells the Lead Assessor that the production system is in use and cannot be stopped for the testing to take place but offers a mirrored system for testing. The Lead Assessor decides:
An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC’s cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:
The Lead Assessor has conducted an assessment for an OSC. The OSC’s practices have been scored and preliminary results validated. Based on this information, what is the NEXT logical step?
A company has a server in its own Virtual Cloud used as a CUI enclave. There is a point-to-point VPN between the OSC’s office and the cloud environment. Designated users have direct access to the enclave when in the office. When working remotely, those users must establish a VPN connection between their company laptop and the cloud server.
During the assessment, the CCA asks the IT manager about external connections.
How many external connections are within the boundary for this assessment?
The OSC’s network consists of a single network switch that connects all devices. This includes the OSC’s OT equipment, which processes CUI. The OT controller requires an unsupported operating system.
What can the Lead Assessor BEST conclude about the overall compliance with MA.L2-3.7.1: Perform Maintenance?
An OSC creates standard user accounts with limited capabilities and administrator accounts with full system access. A standard user initiates the uninstall of the anti-virus software, which is organizationally defined as a privileged function. Which of the following would indicate AC.L2-3.1.7: Privileged Functions is properly implemented?