You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified
government networks. In reviewing their network architecture documents, you see they have
implemented role-based access controls on their workstations using Active Directory group policies.
Software developers are assigned to the "Dev_Roles" group which grants access to compile and test
code modules. The "Admin_Roles" group with elevated privileges for system administration activities
is restricted to the IT staff. However, when you examine the event logs on a developer workstation,
you find evidence that a developer was able to enable debugging permissions to access protected
kernel memory – a privileged function. How should execution of the debugging permission be
handled to align with AC.L2-3.1.7 – Privileged Functions?
D
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.7 requires "preventing non-privileged users from executing privileged functions and
logging such attempts." The developer’s access to kernel memory (a privileged function) violates
least privilege, and logging to a SIEM (D) ensures visibility and auditability, aligning with the practice.
Alerts (A) are supplementary, termination (B) isn’t required, and geo-IP blocking (C) is unrelated. The
CMMC guide emphasizes logging for accountability.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Log attempts by non-privileged users to
execute privileged functions."
NIST SP 800-171A, 3.1.7: "Examine logs for privileged function attempts."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that
the account lockout threshold is configured to allow 5 consecutive invalid login attempts before
locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30
seconds after each unsuccessful login attempt. Based on this scenario, which of the following
statements are TRUE about the contractor's implementation of CMMC practice AC.L2-3.1.8 –
Unsuccessful Logon Attempts?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.8 requires "limiting unsuccessful logon attempts" by defining: [a] a threshold, and [b] a
lockout duration or delay. The contractor’s settings (5 attempts, 15-minute lockout, 30-second reset)
meet these objectives, providing reasonable protection against brute-force attacks. While stricter
settings (e.g., fewer attempts) could enhance security, CMMC doesn’t mandate specific values, only
that limits are enforced. This 1-point practice scores Met (+1), making A true. B, C, and D assume
inadequacy without evidence of failure.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.8: "Define and enforce [a] number of attempts,
[b] lockout duration or delay."
DoD Scoring Methodology: "1-point practice: Met = +1."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
While examining a contractor's audit and accountability policy, you realize they have documented
types of events to be logged and defined content of audit records needed to support monitoring,
analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are
analyzed, the results are fed into a system that automatically generates audit records stored for 30
days. However, mechanisms implementing system audit logging are lacking after several tests
because they produce audit logs that are too limited. You find that generated logs cannot be
independently used to identify the event they resulted from because the defined content specified
therein is too limited. Additionally, you realize the logs are retained for 24 hours before they are
automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1 –
System Auditing?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.1 requires "creating and retaining audit records with sufficient content." Examining
procedures (A) verifies if defined content meets requirements, addressing the scenario’s deficiency
(limited logs). Testing procedures (B) isn’t standard, testing configs (C) is secondary, and examining
mechanisms (D) isn’t a method—testing them is. The CMMC guide lists procedural examination as
key.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.1: "Examine procedures addressing audit record
generation."
NIST SP 800-171A, 3.3.1: "Examine documented processes for content sufficiency."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are assessing a contractor’s implementation for CMMC practice MA.L2-3.7.4 – Media Inspection
by examining their maintenance records. You realize the maintenance logs identify a repeating
problem. A recently installed central server has been experiencing issues affecting the performance
of the contractor’s information systems. This is confirmed by your interview with the contractor’s IT
team. You requested to investigate the server, and the IT team agreed. On the server, there is a file
named conf.zip that gets your attention. You decide to open the file in an isolated computer for
further review. To your surprise, the file is a .exe used when testing the server for data exfiltration.
How should this incident be handled?
C
Explanation:
Comprehensive and Detailed In-Depth Explanation:
CMMC practice MA.L2-3.7.4 – Media Inspection requires organizations to "inspect media containing
diagnostic and test programs prior to maintenance to ensure no malicious code is present and handle
incidents appropriately." The discovery of a .exe file used for data exfiltration testing on a production
server indicates a potential security incident (malicious or unauthorized code). The practice’s intent
is to identify and manage such risks, and the CMMC framework mandates handling incidents per the
organization’s incident response plan (IR.L2-3.6.1), which should include steps like verification,
containment, eradication, and reporting.
Option C: In accordance with the incident response plan – This is the correct approach, as it ensures a
structured response (e.g., isolate the server, investigate the .exe’s origin, remove it, and report if
needed), aligning with CMMC’s integrated security processes.
Option A: Reporting to the FBI immediately – Premature without internal verification and escalation
per the IR plan; external reporting may follow but isn’t the first step.
Option B: Decommissioning the server – Drastic and potentially unnecessary without analysis; it
disrupts operations and skips investigation.
Option D: Sandboxing and continuing – Sandboxing is part of analysis, but continuing business as
usual ignores the risk of active compromise.
Why C? The CMMC guide ties media inspection incidents to the IR process, ensuring a systematic
response that balances security and operational needs. The assessor’s role is to verify compliance,
not dictate actions, but C reflects the required process.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.4: "Handle identified malicious code in
accordance with organizational incident response procedures."
CMMC Assessment Guide Level 2 (v2.0), IR.L2-3.6.1: "Establish an operational incident-handling
capability to investigate, contain, and recover from incidents."
NIST SP 800-171A, 3.7.4: "Examine incident response plans for handling malicious code found during
media inspection."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
A contractor allows for the use of mobile devices in contract performance. Some employees access
designs and specifications classified as CUI on such devices like tablets and smartphones. After
assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a
meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt
CUI on Mobile requires that the contractor implements measures to encrypt CUI on mobile devices
and mobile computing platforms. The contractor uses device-based encryption where all the data on
a mobile device is encrypted. Which of the following is a reason why you would recommend
container-based over full-device-based encryption?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.19 requires "encrypting CUI on mobile devices." Full-device encryption secures all data,
but container-based encryption (A) offers granularity (protecting only CUI), performance (less
overhead), and BYOD compatibility (separating work/personal data), enhancing security and
usability. Cost (B) and ease (C) aren’t primary drivers, and full-device encryption (D) is compatible
with modern OSes, per CMMC discussion.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Container-based encryption provides
granular control, performance, and BYOD support."
NIST SP 800-171A, 3.1.19: "Assess encryption methods for effectiveness."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 –
Connections Termination. The OSC uses a custom web application for authorized personnel to access
CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated
server within the company’s internal network. The server operating system utilizes default settings
for connection timeouts. Network security is managed through a central firewall, but no specific
rules are configured for terminating inactive connections associated with the CUI access application.
Additionally, there is no documented policy or procedure outlining a defined period of inactivity for
terminating remote access connections. Interviews with IT personnel reveal that they rely solely on
users to remember to log out of the application after completing their work. The scenario mentions
that the server utilizes default settings for connection timeouts. What additional approach, besides
relying solely on user awareness, could be implemented to achieve connection termination based on
inactivity and comply with CMMC practice SC.L2-3.13.9 – Connections Termination?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.9 requires "terminating connections after a defined inactivity period." Modifying
application settings to auto-terminate sessions (A) directly enforces this, replacing user reliance with
a technical control, per CMMC intent. Monitoring with manual action (B) isn’t automatic, OS
upgrades (C) don’t guarantee compliance, and education (D) supplements, rather than replaces,
enforcement.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.9: "Implement auto-termination at application
level for inactivity."
NIST SP 800-171A, 3.13.9: "Test application settings for timeout enforcement."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Mobile devices are increasingly becoming important in many contractors’ day-to-day activities. Thus,
the contractors must institute measures to ensure they are correctly identified and any connections
are authorized, monitored, and logged, especially if the devices or their connections process, store,
or transmit CUI. You have been hired to assess a contractor’s implementation of CMMC practices,
one of which is AC.L2-3.1.18 – Mobile Device Connections. To successfully test the access control
capabilities authorizing mobile device connections to organizational systems, you must first identify
what a mobile device is. Mobile devices connecting to organizational systems must have a device-
specific identifier. Which of the following is the main consideration for a contractor when choosing
an identifier?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.18 requires "controlling mobile device connections with device-specific identifiers." The
main consideration is consistency and scalability across all devices (A), ensuring uniform
management and authorization, per CMMC guidance. User-friendliness (B) is secondary,
differentiation (C) is a byproduct of uniqueness, and randomness (D) lacks organizational coherence.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.18: "Use consistent, scalable identifiers for all
mobile devices."
NIST SP 800-171A, 3.1.18: "Examine identifier consistency across devices."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Assessing a DoD contractor, you observe they have implemented physical security measures to
protect their facility housing organizational systems that process or store CUI. The facility has secure
locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at
entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI
is processed or stored and meeting rooms where executives meet to discuss things that have to do
with CUI and other sensitive matters are segregated and stored on a designated server after
monitoring. Walking around the facility, you notice network cables are hanging from the walls. To
pass through a door, personnel must swipe their access cards. However, you observe an employee
holding the door for others to enter. Although power cables are placed in wiring closets, they aren't
locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the
contractor's implementation of CMMC practice PE.L2-3.10.2 – Monitor Facility?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
PE.L2-3.10.2 requires "protecting and monitoring the physical facility and support infrastructure."
Video surveillance at entry/exit points (A) is a strength, not a concern, fulfilling monitoring
requirements. Unlocked wiring closets (B), exposed network cables (C), and damaged conduits (D)
are vulnerabilities risking tampering or unauthorized access to infrastructure supporting CUI systems,
per the CMMC guide.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), PE.L2-3.10.2: "Monitor facility with cameras; protect
infrastructure from tampering."
NIST SP 800-171A, 3.10.2: "Examine monitoring and protection of physical assets."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
When interviewing a contractor’s CISO, they inform you that they have documented procedures
addressing security assessment planning in their security assessment and authorization policy. The
policy indicates that the contractor undergoes regular security audits and penetration testing to
assess the posture of its security controls every ten months. The policy also states that after every
four months, the contractor tests its incident response plan and regularly updates its monitoring
tools. Impressed by the contractor’s policy implementation, you decide to chat with various
personnel involved in security functionalities. You realize that although it is documented in the
policy, the contractor has not audited their security systems in over two years. How many points
would you score the contractor’s implementation of the practice CA.L2-3.12.1 – Security Control
Assessment?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The
policy defines a 10-month cycle, but no audits have occurred in over two years, failing the
implementation objective. Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not
Met) when not fully implemented, as partial compliance isn’t recognized. The CMMC guide stresses
actual execution over documented intent.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency."
DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
Change is a part of any production process and must be meticulously managed. System Change
Management is a CMMC requirement, and you have been called in to assess the implementation of
CMMC requirements. When examining the contractor’s change management policy, you realize
there is a defined change advisory board that has a review and approval mandate for any proposed
changes. The change advisory board maintains a change request system where all the changes are
submitted and documented for easy tracking and review. The contractor also has a defined rollback
plan defining what to do in case the approved changes result in unexpected issues or vulnerabilities.
What evidence artifacts can the contractor also cite as evidence to show their compliance with
CM.L2-3.4.3 – System Change Management besides their change management policy?
C
Explanation:
Comprehensive and Detailed In-Depth Explanation:
CM.L2-3.4.3 requires organizations to "track, review, approve/disapprove, and log changes to
organizational systems." Beyond the policy, evidence like procedures for change control and review
reports directly demonstrates implementation, tracking, and oversight—aligning with the practice’s
objectives. Surveys (A) and uptime stats (B) are indirect and not specific to change management
processes, while antivirus reports (D) are unrelated. The CMMC guide lists procedural documents
and logs as key artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.3: "Examine procedures addressing change
control and audit review reports."
NIST SP 800-171A, 3.4.3: "Artifacts include change control procedures and logs."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a
robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data.
After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a
battery life indicator is displayed. How is Session Lock typically initiated?
A
Explanation:
Comprehensive and Detailed In-Depth Explanation:
CMMC practice AC.L2-3.1.10 – Session Lock mandates that organizations "initiate a session lock after
a defined period of inactivity" to prevent unauthorized access to systems handling CUI. The typical
and required initiation method is automatic, triggered by a predefined inactivity threshold (e.g., 5
minutes in this case), ensuring consistent protection without relying on user or admin intervention.
Manual initiation by a system administrator or user is less effective and not scalable, while user
authentication processes relate to unlocking, not initiating the lock. The CMMC guide emphasizes
automation to enforce this control uniformly across systems.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Initiate session lock after an organization-
defined time period of inactivity (e.g., 15 minutes or less)."
NIST SP 800-171A, 3.1.10: "Test mechanisms to ensure session lock occurs automatically after a
specified period of inactivity."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
During your assessment of CA.L2-3.12.3 – Security Control Monitoring, the contractor’s CISO informs
you that they have established a continuous monitoring program to assess the effectiveness of their
implemented security controls. When examining their security planning policy, you determine they
have a list of automated tools they use to track and report weekly changes in the security controls.
The contractor has also established a feedback mechanism that helps them identify areas of
improvement in their security controls. Chatting with employees, you understand the contractor
regularly invites resource persons to train them on the secure handling of information and
identifying gaps in security controls implemented. You would rely on all of the below evidence to
assess the contractor’s implementation of CA.L2-3.12.3 – Security Control Monitoring, EXCEPT?
B
Explanation:
Comprehensive and Detailed In-Depth Explanation:
CA.L2-3.12.3 requires "continuous monitoring of security controls." Evidence like logs (A), reports
(C), and policies (D) directly demonstrate the program’s operation and effectiveness. Customer
feedback (B) is external and unrelated to internal monitoring processes, per the CMMC guide’s focus
on operational artifacts.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.3: "Examine logs, reports, and monitoring
policies."
NIST SP 800-171A, 3.12.3: "Focus on internal monitoring evidence."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a
robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data.
After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a
battery life indicator is displayed. As a CCA, you will potentially use the following assessment
methods to examine the contractor’s implementation of session lock EXCEPT?
C
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.10 – Session Lock requires "initiating a session lock after inactivity." Interviewing admins
(A), examining docs (B), and testing mechanisms (D) assess implementation. Password strength (C)
relates to IA.L2-3.5.7, not session lock, per the CMMC guide’s focus on lock-specific methods.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.10: "Interview, examine docs, test lock
mechanisms."
NIST SP 800-171A, 3.1.10: "Exclude password strength from lock assessment."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are assessing a contractor that develops software for air traffic control systems. In reviewing
their documentation, you find that a single engineer is responsible for designing new ATC system
features, coding the software updates, testing the changes on the development network, and
deploying the updates to the production ATC system for customer delivery. How will proper
separation of duties help the contractor meet the intent of AC.L2-3.1.4 – Separation of Duties?
B
Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.4 requires "separating duties to reduce risk of unauthorized activity." A single engineer
handling all tasks concentrates privileges, increasing error or malice risks. Separation (B) distributes
responsibilities, enhancing oversight and reducing reliance on one person, per CMMC intent.
Specialization (A), cost (C), and simplicity (D) are secondary or irrelevant.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separation reduces risk via checks and
balances."
NIST SP 800-171A, 3.1.4: "Distribute duties to mitigate insider threats."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
An engineering company works on DoD contracts that involve handling CUI. They use hardcopy
media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and
internal and external hard drives. During a CMMC assessment, you discover the engineering
company has defined procedures addressing media storage and access governed by an access control
policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI
on digital media, an authorized user must be identified using their biometrics or authenticated using
an integrated MFA solution. To access non-digital media, the user must be on a defined list of
authorized personnel and sign three forms. You also learn that the contractor maintains a
comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication
(MFA) solution being used to access digital media containing CUI. However, the access control
procedures for non-digital media require authorized personnel to sign three separate forms. While
both methods aim to verify user identity, which of the following is the MOST significant security
concern associated with the reliance on a paper-based form process?
D
Explanation:
Comprehensive and Detailed In-Depth Explanation:
MP.L2-3.8.2 requires "restricting access to CUI on system media to authorized users." The paper-
based form process for non-digital media, while aiming to verify identity, is vulnerable to forgery (D),
which could allow unauthorized access to CUI—a direct security threat. Integration issues (A) and
time consumption (B) are operational concerns, not immediate risks, and memorization (C) isn’t
relevant. The CMMC guide prioritizes robust, tamper-resistant access controls, and paper forms lack
the security of MFA.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), MP.L2-3.8.2: "Ensure access controls prevent unauthorized
access; paper processes should be secure."
NIST SP 800-171A, 3.8.2: "Assess risks of forgery in manual access methods."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf