cyberab cmmc-cca practice test

Exam Title: Certified CMMC Assessor (CCA) Exam

Last update: Nov 27, 2025
Question 1

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a
robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data.
After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a
battery life indicator is displayed. How is Session Lock typically initiated?

  • A. Automatically, after a predefined period of inactivity
  • B. By the system administrator manually
  • C. Through user authentication processes
  • D. Only when manually triggered by the user before leaving their workstation
Answer:

A


Explanation:
Comprehensive and Detailed In-Depth Explanation:
CMMC practice AC.L2-3.1.10 – Session Lock mandates that organizations "initiate a session lock after
a defined period of inactivity" to prevent unauthorized access to systems handling CUI. The typical
and required initiation method is automatic, triggered by a predefined inactivity threshold (e.g., 5
minutes in this case), ensuring consistent protection without relying on user or admin intervention.
Manual initiation by a system administrator or user is less effective and not scalable, while user
authentication processes relate to unlocking, not initiating the lock. The CMMC guide emphasizes
automation to enforce this control uniformly across systems.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-
defined time period of inactivity (e.g., 15 minutes or less)."
NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a
specified period of inactivity."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 2

During your assessment of CA.L2-3.12.3 – Security Control Monitoring, the contractor’s CISO informs
you that they have established a continuous monitoring program to assess the effectiveness of their
implemented security controls. When examining their security planning policy, you determine they
have a list of automated tools they use to track and report weekly changes in the security controls.
The contractor has also established a feedback mechanism that helps them identify areas of
improvement in their security controls. Chatting with employees, you understand the contractor
regularly invites resource persons to train them on the secure handling of information and
identifying gaps in security controls implemented. You would rely on all of the below evidence to
assess the contractor’s implementation of CA.L2-3.12.3 – Security Control Monitoring, EXCEPT?

  • A. Records/logs of monitoring activities over time
  • B. Customer feedback on the contractor's security measures
  • C. Reports or dashboards from the monitoring activities
  • D. The contractor’s security monitoring policies and procedures
Answer:

B


Explanation:
Comprehensive and Detailed In-Depth Explanation:
CA.L2-3.12.3 requires "continuous monitoring of security controls." Evidence like logs (A), reports
(C), and policies (D) directly demonstrate the program’s operation and effectiveness. Customer
feedback (B) is external and unrelated to internal monitoring processes, per the CMMC guide’s focus
on operational artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Examine logs, reports, and monitoring
policies."
NIST SP 800-171A, 3.12.3: "Focus on internal monitoring evidence."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 3

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a
robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data.
After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a
battery life indicator is displayed. As a CCA, you will potentially use the following assessment
methods to examine the contractor’s implementation of session lock EXCEPT?

  • A. Interview the system administrator
  • B. Examine the system design documentation
  • C. Test the strength of the user’s password
  • D. Test the mechanisms implementing the access control policy for session lock
Answer:

C


Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.10 – Session Lock requires "initiating a session lock after inactivity." Interviewing admins
(A), examining docs (B), and testing mechanisms (D) assess implementation. Password strength (C)
relates to IA.L2-3.5.7, not session lock, per the CMMC guide’s focus on lock-specific methods.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Interview, examine docs, test lock
mechanisms."
NIST SP 800-171A, 3.1.10: "Exclude password strength from lock assessment."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 4

You are assessing a contractor that develops software for air traffic control systems. In reviewing
their documentation, you find that a single engineer is responsible for designing new ATC system
features, coding the software updates, testing the changes on the development network, and
deploying the updates to the production ATC system for customer delivery. How will proper
separation of duties help the contractor meet the intent of AC.L2-3.1.4 – Separation of Duties?

  • A. It allows the engineers to specialize in specific areas
  • B. It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual
  • C. It reduces the overall cost of software development
  • D. It simplifies the development process
Answer:

B


Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.4 requires "separating duties to reduce risk of unauthorized activity." A single engineer
handling all tasks concentrates privileges, increasing error or malice risks. Separation (B) distributes
responsibilities, enhancing oversight and reducing reliance on one person, per CMMC intent.
Specialization (A), cost (C), and simplicity (D) are secondary or irrelevant.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separation reduces risk via checks and
balances."
NIST SP 800-171A, 3.1.4: "Distribute duties to mitigate insider threats."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 5

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy
media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and
internal and external hard drives. During a CMMC assessment, you discover the engineering
company has defined procedures addressing media storage and access governed by an access control
policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI
on digital media, an authorized user must be identified using their biometrics or authenticated using
an integrated MFA solution. To access non-digital media, the user must be on a defined list of
authorized personnel and sign three forms. You also learn that the contractor maintains a
comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication
(MFA) solution being used to access digital media containing CUI. However, the access control
procedures for non-digital media require authorized personnel to sign three separate forms. While
both methods aim to verify user identity, which of the following is the MOST significant security
concern associated with the reliance on a paper-based form process?

  • A. The paper forms cannot be easily integrated with other security systems
  • B. It can be time-consuming to complete the forms for frequent access
  • C. It requires users to memorize more information for access
  • D. The forms are susceptible to forgery, resulting in unauthorized access
Answer:

D


Explanation:
Comprehensive and Detailed In-Depth Explanation:
MP.L2-3.8.2 requires "restricting access to CUI on system media to authorized users." The paper-
based form process for non-digital media, while aiming to verify identity, is vulnerable to forgery (D),
which could allow unauthorized access to CUI—a direct security threat. Integration issues (A) and
time consumption (B) are operational concerns, not immediate risks, and memorization (C) isn’t
relevant. The CMMC guide prioritizes robust, tamper-resistant access controls, and paper forms lack
the security of MFA.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Ensure access controls prevent unauthorized
access; paper processes should be secure."
NIST SP 800-171A, 3.8.2: "Assess risks of forgery in manual access methods."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 6

A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy
database application that stores CUI. Remediating the flaw would require a complete overhaul of the
application, causing significant downtime and potentially disrupting critical business functions. Given
the potential consequences of remediation, the contractor is considering deferring the fix. Which
course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 – Vulnerability
Remediation?

  • A. Immediately contract a third party to assist with remediation
  • B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability
  • C. Permanently disregard the vulnerability and take no further action
  • D. Implement compensating controls to reduce the associated risk
Answer:

B


Explanation:
Comprehensive and Detailed In-Depth Explanation:
RA.L2-3.11.3 requires "remediating vulnerabilities in accordance with risk assessments." If
remediation isn’t feasible, the practice allows risk acceptance with documentation and ongoing
monitoring, balancing operational needs and security. Ignoring the vulnerability (C) violates the
practice, while third-party help (A) or compensating controls (D) may not be immediately practical.
The CMMC guide supports risk-based decisions with proper documentation.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), RA.L2-3.11.3: "Document risk acceptance and monitor
unremediated vulnerabilities."
NIST SP 800-171A, 3.11.3: "Examine risk acceptance rationale and monitoring plans."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 7

Any user that accesses CUI on system media should be authorized and have a lawful business
purpose. While assessing a contractor’s implementation of MP.L2-3.8.2 – Media Access, you examine
the CUI access logs and the roles of employees. Something catches your eye: the ID of an
employee listed as terminated regularly accesses CUI remotely. Walking into the contractor’s
facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the
table. When you interview the organization’s data custodian, they inform you that the media storage
procedure is augmented by a physical protection and access control policy. Based on the scenario
and the requirements of CMMC practice MP.L2-3.8.2 – Media Access, which of the following actions
would be the highest priority recommendation for the contractor?

  • A. Conduct additional training for employees on handling CUI materials
  • B. Develop and implement a process for timely disabling or revoking access to CUI upon employee termination
  • C. Implement a system for logging and monitoring all access attempts to CUI resources
  • D. Invest in more sophisticated access control technology for their systems
Answer:

B


Explanation:
Comprehensive and Detailed In-Depth Explanation:
CMMC practice MP.L2-3.8.2 – Media Access requires organizations to "restrict access to CUI on
system media to authorized users." The scenario reveals a critical failure: a terminated employee’s ID
continues to access CUI remotely, indicating a lack of timely revocation processes. This poses an
immediate security risk, as unauthorized access to CUI violates the practice’s core intent. Developing
and implementing a process to disable access upon termination (B) directly addresses this gap and is
the highest priority to ensure compliance and protect CUI. Training (A) is beneficial but doesn’t fix
the revocation issue, logging (C) is already partially in place and doesn’t address termination, and
new technology (D) is secondary to procedural fixes. The CMMC guide emphasizes timely access
control as critical.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Restrict media access to authorized users;
ensure processes revoke access when no longer needed."
NIST SP 800-171A, 3.8.2: "Examine processes for removing access upon termination."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 8

CMMC practice PS.L2-3.9.1 – Screen Individuals requires individuals to be screened before
authorizing access to organizational systems containing CUI. However, in the assessment you are
currently conducting, there is no physical evidence confirming the completion of personnel screens,
such as background checks, only affirmations derived from an interview session. In an interview with
the HR Manager, they informed you that before an individual is hired, the candidate submits their
information through a service that performs criminal and financial checks. How would you score the OSC's
implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?

  • A. More information is needed
  • B. Not Met
  • C. Not Applicable
  • D. Met
Answer:

A


Explanation:
Comprehensive and Detailed In-Depth Explanation:
PS.L2-3.9.1, objective [a], requires "screening individuals prior to authorizing access to CUI systems."
The HR Manager’s affirmation suggests a process, but without physical evidence (e.g., screening
records), compliance can’t be confirmed. More information (A) is needed to verify, per CMMC’s
evidence-based assessment. Met (D) requires proof, Not Met (B) assumes failure prematurely, and
N/A (C) doesn’t apply.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PS.L2-3.9.1: "Examine screening records; interviews support
but don’t replace evidence."
NIST SP 800-171A, 3.9.1: "Verify with documentation."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 9

When assessing a contractor’s implementation of CMMC practices, you examine its System Security
Plan (SSP) to identify its documented measures for audit reduction and reporting. They have a
dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to
interview their information security personnel, who informed you that the contractor has a
dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What
key features regarding the deployment of Splunk for AU.L2-3.3.6 – Reduction & Reporting would you
be interested in assessing?

  • A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs
  • B. Ensure Splunk can retain audit records for a protracted amount of time
  • C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate non-essential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports
  • D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status
Answer:

C


Explanation:
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.6 requires "audit reduction and report generation capabilities." Key features to assess in
Splunk are filtering to reduce logs and analysis/reporting (C), directly meeting objectives [a] and [b].
RBAC (A) relates to AU.L2-3.3.8, retention (B) to AU.L2-3.3.2, and dashboards (D) aren’t required, per
CMMC focus.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.6: "Assess tools for [a] reducing logs via filters, [b]
generating reports with analysis."
NIST SP 800-171A, 3.3.6: "Examine reduction and reporting functions."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Question 10

CMMC practice MA.L2-3.7.3 – Equipment Sanitization requires organizations to sanitize equipment
containing CUI before it leaves their facilities for off-site maintenance. What standard would the OSC
use to sanitize various media?

  • A. NIST SP 800-53
  • B. NIST SP 800-88
  • C. NIST SP 800-171
  • D. NIST SP 800-171A
Answer:

B


Explanation:
Comprehensive and Detailed In-Depth Explanation:
MA.L2-3.7.3 mandates "sanitizing equipment for CUI prior to off-site maintenance." NIST SP 800-88 –
Guidelines for Media Sanitization (B) provides specific methods (e.g., clearing, purging, destroying)
tailored to media types, ensuring CUI is irrecoverable—directly supporting this practice. NIST SP 800-
53 (A) is a broader control framework, NIST SP 800-171 (C) defines CMMC requirements without
sanitization details, and NIST SP 800-171A (D) is an assessment guide, not a sanitization standard.
The CMMC guide references NIST SP 800-88 explicitly.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.3: "Sanitize per NIST SP 800-88 guidelines."
NIST SP 800-171A, 3.7.3: "Refer to NIST SP 800-88 for sanitization standards."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

Page 1 out of 32
Viewing questions 1-10 out of 325