dumpstool logo
A company is undergoing a CMMC Level 2 Assessment. During the Conduct Assessment phase, an Assessment Team member is reviewing the policies and procedures in the incident response plan.
Which assessment method is being utilized?
An OSC is preparing for assessment. Which item of evidence would show the OSC’s efforts to restrict physical access within the OSC’s environment?
While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.
Are the data provided sufficient to determine that the OSC limits connection to external information systems?
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
While reviewing CA.L2-3.12.3: Security Control Monitoring, the CCA notices that the assessment period is defined as one year. An OSC's SSP states that under CA.L2-3.12.3, security controls are monitored using the same one-year periodicity to ensure the continued effectiveness of the controls. The assessor understands that some CMMC practices can reference other practices for the entirety of their implementation. Is the OSC’s implementation under CA.L2-3.12.3: Security Control Monitoring acceptable?
Different mechanisms can be used to protect information at rest. Which mechanism is MOST LIKELY to afford protection for information at rest?
ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?
A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor’s documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in-scope in the documentation?
The Lead Assessor is compiling the assessment results, which must contain the status for each of the applicable practices. Some practices have been placed in the limited practice deficiency correction program. Multiple areas have been reviewed, including HQ, host units, and a specific enclave.
In order to properly report the findings, the Lead Assessor MUST:
The OSC’s network consists of a single network switch that connects all devices. This includes the OSC’s OT equipment, which processes CUI. The OT controller requires an unsupported operating system.
What can the Lead Assessor BEST conclude about the overall compliance with MA.L2-3.7.1: Perform Maintenance?
An organization has contracted with a third party for system maintenance and support. The third-party personnel all work remotely. Which of the following should an assessor assure is in place?
While conducting a Level 2 Assessment, the Assessment Team begins reviewing assessment objects. The team identifies concerns with several of the objects presented. Which artifacts would require the MOST verification?
AC.L2-3.1.6: Non-Privileged Account Use is being assessed. Which procedure BEST meets all of the standards for non-privileged account use?
An assessor reviews the OSC’s data protection policy, which requires full disk encryption on company laptops. While interviewing employees, the assessor learns that employees sometimes access data while teleworking on laptops that do not have full disk encryption.
How should the assessor view the implementation of the OSC’s policy?
An organization’s password policy includes these requirements:
Passwords must be at least 8 characters in length.
Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.
Passwords must be changed at least every 90 days.
When a password is changed, none of the previous 3 passwords can be reused.
Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?
In completing the assessment of practices in the Access Control (AC) domain, a CCA scored AC.L2-3.1.15: Privileged Remote Access as NOT MET. The OSC was notified of this deficiency at the end of day two of the assessment. On day five of the assessment, the OSC’s Assessment Official contacted the CCA to provide evidence that the deficiencies have been corrected.
What is the CCA’s NEXT step?
Some OSCs share real estate with other companies. To protect FCI/CUI behind unmanned entrances to buildings, floors, or other areas where FCI/CUI is created, used, stored, or transmitted, which of the following is the BEST method?
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:
An OSC uses an External Service Provider (ESP) to support part of its CUI processing scope. The OSC has selected an accredited ESP with FedRAMP MODERATE authorization. The OSC has a contract requiring the ESP to meet its security requirements. The ESP has provided a Shared Responsibility Matrix (SRM) consistent with the contract terms.
When assessing these assets, what should the assessor MOST carefully review?
An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked “Authorized for CUI printing.” What is the NEXT step the Lead Assessor should take regarding PE.L2-3.10.3: Escort Visitors?
In validating the OSC’s implementation of AC.L2-3.1.16: Wireless Access Authorization, the CCA observes various personal and non-enterprise devices connected to the OSC’s Wi-Fi. Because organizations handle wireless access differently, the CCA must locate evidence showing who has ultimate authority over wireless access. Which authority is acceptable for authorizing wireless access?
The Lead Assessor is ready to complete planning by developing the assessment schedule. The Lead Assessor and the OSC Assessment Official discuss the Assessment Team members.
What MUST be submitted to the Cyber-AB before the assessment?
A company has a CUI enclave for handling all CUI processed, stored, and transmitted through the organization. While interviewing the IT manager, the CCA asks how assets that can, but are not intended to, handle CUI are identified. The IT manager refers to the CUI system’s network diagram (which includes these assets) as well as the asset inventory (which lists these assets as Contractor Risk Managed Assets). Which other artifact MUST also mention these assets?
During an assessment, the OSC IT security team provided documentation on how they use replay-resistant authentication to protect CUI. What can be used as a replay-resistant mechanism?
An in-house compliance expert for a large defense contractor is reviewing the organization’s training materials for personnel handling CUI. After a widely publicized insider threat incident, management requires that training address insider threat risks. What is a critical component of insider threat awareness training?
During a CMMC Level 2 Assessment, a CCA interviewed a system administrator on the OSC’s procedures around configuration management and endpoint security. The system administrator described how they build and deploy new systems, and noted that some users require specialized applications for their jobs. Users have been asked to email IT when they install and run an additional application so IT can add it to their list of allowed software.
What must the CCA conclude?
What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?
An OSC assigns new hires to work on their hire date. Human Resources ensures that all screening activities are completed before the end of the employees’ first week. How should the CCA score PS.L2-3.9.1: Screen Individuals?
The audit team is discussing the OSC’s Risk Managed Assets. For these types of assets, the contractor need NOT:
An OSC leases several servers and rack space in a FedRAMP MODERATE authorized colocation data center. Additional servers operate in a LAN room within the company’s facility. Both facilities are within the OSC’s assessment boundary. In order to assess the physical protection of the environment, the Assessor MUST physically examine the visitor and access controls in place in the:
An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC’s cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:
A company has multiple sites with employees at each site that must access the company’s CUI network from their remote locations. The company has set up a single access point for all employees to access the network. What is the MOST significant factor in determining whether the security on this single access point is adequate?
A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?
FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the OSC’s CMMC enclave. What source does the CCA use to verify that the cryptography the OSC has implemented is FIPS-validated?
A CCA is assessing the implementation of SC.L2-3.13.7: Split Tunneling control via the examine method. Which scenario MUST be correct to determine if the practice is MET?
A CCA is conducting an interview with an OSC team member about an offering from a well-known Cloud Service Provider (CSP). The offering is known to be secure, but the OSC has not provided evidence and the person being interviewed is unsure how the offering works. Will this offering be accepted by the Assessment Team?
The OSC has not implemented cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, citing the use of alternative physical safeguards.
Which of the following is NOT an alternative physical safeguard in this scenario?
A Lead Assessor is conducting an assessment for an OSC. The Lead Assessor is collecting evidence regarding the OSC’s network separation techniques. Which technique would be considered a logical separation technique and would fall within the scope of the assessment?
While conducting a CMMC Level 2 self-assessment, an organization’s Chief Information Security Officer asks the system administrator for evidence that remote access is routed through fully managed access control points. Which documentation would BEST demonstrate that all remote access is routed through managed access control points?
TESTED 22 Sep 2025