As an OSC, you understand user permissions must be aligned to the user’s role. You have recently hired a new system administrator, Sam, to help operate the IT for your company. You have been with the company for 24 years; however, you started with the finance office and worked there for many years before moving to IT. In IT, you had permission added to your account to enable you to build and maintain the IT systems for the company. To ensure Sam has the permissions necessary to help you maintain the IT for the company, should you copy the permissions assigned to your account to Sam’s account (Y/N)?
a. Yes
b. No
Answer: b
a. The scenario stated that you ‘had permission added’ to your account when moving from finance to IT. The initial permissions assigned to your account from IT were not removed per the scenario. As a new employee, Sam only needs permission on IT systems and not the finance systems. In this scenario, AC.L2-3.1.5 would also require that your access to financial systems be removed once the permissions were no longer required to perform your duties.
b. Correct: Per AC.L1-3.1.2, the new employee’s system access should be limited to only those types of transactions and functions that the new employee is authorized to perform. Additionally, AC.L2-3.1.5 requires the concept of least privilege be implemented. Your permissions include permissions from roles outside IT. The new user does not require those permissions to perform their duties within IT.
As a CCA, you are supporting an assessment team performing an L2 assessment on an OSC. The OSC has a small IT team with seven staff. The OSC has an authorized and up to date access control policy stating that the concept of least privilege is used throughout the company when assigning permissions. When assessing the access permission on the OSC IT systems, you notice all members have full administrative access on the company’s systems, network devices, and security tools (e.g., firewall, SIEM). When assessing AC.L2-3.1.5, how would you record your observations?
a. You would note that the small team trusts each other and work closely together to ensure tasks are properly performed.
b. You would note that the company’s access control policy correctly limits permissions for staff to only those permissions required to perform their assigned duties.
c. You would ask additional questions of the IT Director to understand why the access control policy and the permission assigned to the IT staff are not aligned.
d. You would note the permissions assigned to the IT team and the information provided by the access control policy to bring the information to the attention of the assessment lead.
Answer: d
a. Having a good working relationship with your colleagues built on trust can make a job easier; however, it doesn’t restrict any one person from performing a malicious act or accidentally modifying the secure operation of systems.
b. Within small teams it may be difficult to limit permissions and implement the principle of least privilege; however, some activities, including being able to modify audit logs and system configurations, should always be segregated among team members.
c. Understanding why all users have full permissions does not change the fact that the company has not implemented the principle of least privilege.
d. Correct: AC.L2-3.1.5 requires the OSC to implement the principle of least privilege. As a seven-person team, the IT team should segregate security functions from IT functions at a minimum.
As an OSC, you know that your Access Control Policy requires separation of duties. Select which of the below examples demonstrates separation of duties in your organization.
a. Different team members from your infrastructure team are responsible for managing different types of devices (e.g., network equipment, workstations, servers).
b. An audit team from your compliance department conducts annual assessments of the security capabilities you have implemented.
c. Two people from your risk management team are responsible for identifying and managing risks to your organization.
d. You are responsible for reporting the audit findings that you manage to the Security Director.
Answer: b
a. While the duties are separated based on component functionality, this separation does not prevent one malicious user from modifying a system under their care and removing the audit trail to hide their tracks, which is how the separation of duties concept protects assets.
b. Correct: AC.L2-3.1.4 requires separation of duties as defined in the Access Control Policy. Separating the assessment function from the IT and security teams ensures an unbiased assessment is conducted.
c. No separation of duties is described within this response. Two people responsible for the same tasks does not ensure that checks and balances are in place.
d. This response demonstrates a management hierarchy and not a separation of duties.
As an OSC, you work in the IT department for your company and are responsible for documenting how sessions terminate for admin portals for your organization to satisfy AC.L2-3.1.11. Which of the following responses accurately depicts effective session termination?
a. An IT admin connects to an administrative session to the server using RDP. After working for a while, the IT admin locks his computer before leaving for lunch.
b. An IT admin connects to an administrative session to the server using RDP. While working on the assigned task, the IT admin got an urgent help desk ticket and quickly closed the admin session so they can work the new ticket.
c. An IT admin connects to an administrative session to the server using RDP. After completing the assigned task, the IT admin manually signed off the session.
d. An IT admin connects to an administrative session to the server using RDP. The IT admin switches to his browser to access SharePoint files.
Answer: c
a. This answer portrays session lock (AC.L2-3.1.10) rather than session termination (AC.L2-3.1.11). The admin locked their screen, but they are still connected to the session over the network; it is active and can be re-accessed by re-authenticating.
b. This answer portrays network session disconnect (SC.L2-3.13.9) rather than session termination (AC.L2-3.1.11). The admin closed the RDP session, meaning the session is no longer connected to the network, but it is still active and can be re-accessed by authenticating to the server again.
c. Correct: This correctly depicts session termination. The IT admin successfully signed out of the session, fully terminating it and disconnecting from the network. If the admin wished to sign in to the server again, a completely new session would have to be created.
d. This answer does not portray any initiation of session termination, implying the session is still active.
Joe at Handy Flight has chosen to include the following criteria for when to review and update their logged events to meet AU.L2-3.3.3. Which of the process criteria pertains to the assessment objective [a]: “[a] a process for determining when to review logged events is defined;”
a. When a CVE of 7 or higher is announced and the vulnerability matches an organizational asset
b. Quarterly IS/IT team review meetings
c. When log storage is running low
d. All of the above
Answer: d
a. Correct: Adding new events to identify known vulnerabilities meets this objective as well as IR.L2-3.6.1 Incident Handling, RA.L2-3.11.3 Vulnerability Remediation and CA.L2-3.12.3 Security Control Monitoring.
b. Correct: Each member of the audit team depends on accurate and efficient logging. A quarterly review to determine which events no longer need to be captured will help with this objective as well as many others.
c. Correct: Including log storage capacity in the process will meet this objective as well as AU.L2-3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
d. Correct: Each of the above responses is correct.
Shared accounts are allowed to be used as long as the names of the people using the account are documented.
a. True
b. False
False: Even with documentation of which employees are authorized to use the shared account, non-repudiation cannot be guaranteed when nefarious actions are performed on that account. Another means of identification must be available to confirm the specific user on those accounts at all times.
JetPack Corporation has 25 employees mainly working on a government contract and has the FixIT MSP to support the company with IT configuration and monitoring. JetPack has one employee, Bob, who splits time between consulting and performing minor internal IT tasks. Bob was asked to review audit logs for a recent login failure for his manager. Bob noticed audit logs had errors and were not capturing data for the last 2 days. What answer best describes how JetPack Corporation is able to meet AU.L2-3.3.4?
a. Bob urgently sends an email to the FixIT MSP to let them know of the audit logging issue.
b. Bob submits a help desk ticket to the technology vendor to let them know of the issue.
c. FixIT received an email 2 days ago when the issue occurred alerting them that audit logging had temporarily been down and the technology vendor was working on the issue.
d. FixIT noticed there were errors in the logs the day after the incident and was eventually going to submit a ticket to the vendor to resolve the incident.
Answer: c
a. Although Bob emailed the MSP to alert them of the issue, the audit failure was not alerted in a timely manner or to the main company IT personnel (MSP).
b. Although Bob submitted a help desk ticket to the vendor, the audit failure was not alerted in a timely manner or to the main company IT personnel (MSP).
c. Correct: Since FixIT conducts IT for JetPack Corporation, they should be the ones to receive immediate alerts when audit logging has failed.
d. Although FixIT found the audit logging failure, they were not alerted of the issue in a timely manner.
Billy is an IT admin for ABC company. Billy does daily checkpoints to review logs for any suspicious activity. He noticed that a specific remote user on the west coast was logging in at 3:00 AM PST, well outside normal business hours. Changes were made to files on the SharePoint system hosted on the east coast logged at 11:57 PM EST. Both of these systems rely on only internal system clocks. Which of the following would create unintended issues with log analysis and correlation?
a. Billy is dealing with time stamps from multiple time zones when trying to correlate when events occurred.
b. There is no authoritative source that the internal system clocks are being synchronized with to guarantee accuracy.
c. According to the event log time stamps, the user appears to have edited SharePoint files before logging onto the system, suggesting event logs may be out of sync and inaccurate.
d. All of the above
Answer: d
a. Event logs from multiple systems originate in different time zones, and a standard such as UTC should be implemented and synchronized to internal system clocks.
b. Internal system clocks must be synchronized to an authoritative time source such as time.gov or time.windows.com.
c. It is important that internal system clocks are synced regularly to ensure accurate review and correlation of events.
d. Correct: All answers are correct.
As a CCA supporting an assessment for an organization seeking L2 certification, you review the OSC’s training policy and associated standards. You notice that staff, inclusive of managers, systems administrators, and users, are required to participate in security awareness training during orientation as they are on-boarded to the company. You review the training material provided during the security awareness training and interview the security awareness instructor to learn that the training includes an overview of CUI, the risks associated with CUI, a company policy overview on the protection requirements for CUI, and specific role-based training to ensure users in a specific role (e.g., managers) receive additional training specifically aligned to the responsibilities of their role. You also examine training logs for the staff to confirm their files contain a record of what training was received and when it was received. When assessing AT.L2-3.2.1, what are your next actions?
a. You would record the information noted from the training policy and standards, and that security awareness training is provided during orientation.
b. You would record the information noted from the training policy and standard, note that security awareness training is provided during orientation, and that training records are maintained to record what training was received and the date training was performed.
c. You would record the information noted from the training policy and standards and record that security awareness training is provided during orientation. You would then thank the security awareness instructor for providing such robust training.
d. You would record the information noted from the training policy and standards and note that security awareness training is provided during orientation. You would then interview someone who recently attended the training and assess their knowledge of the material presented during the orientation training to ensure they understand how to protect CUI.
Answer: b
a. An objective of practice CA.L2-3.12.1 Security Control Assessment, which requires an OSC to periodically assess the security controls in organizational systems to determine if the controls are effective in their application, was not observed. This would cause a NOT MET due to lack of refresher training.
b. Correct: AT.L2-3.2.1 recording of evidence is best represented in this response, capturing the policy and standard, the onboarding requirement for training, and training records being maintained with date and type of training provided.
c. An objective of practice AT.L2-3.2.1 was not observed. AT.L2-3.2.1 requires refresher training to be provided to staff handling CUI. The company policy currently does not include a requirement for refresher training, nor was refresher training demonstrated in the scenario. Regardless of how robust the training provided during orientation is, without refresher training staff may not be aware of evolving threats or changes in technologies.
d. As an assessor, you are not required to evaluate staff to determine if they retained the information provided during the orientation training.
(True/False): CUI protections are the same for all organizations; therefore, the best role-based security awareness training describing a company’s policies and standards is something that can be downloaded from the Internet and shared with staff accessing CUI without any customization.
a. True
b. False
Answer: b
a. All companies are different. They have different business priorities, capabilities, and sizes. Generic templates may help an organization get started on establishing a cybersecurity program; however, the templates would need to be customized to meet the needs of the company.
b. Correct: Companies need to implement the CMMC Practices as appropriate for their business. CMMC does not prescribe a specific implementation approach for any of the Practices, and so the training would need to be tailored based on an OSC’s approach.
(True/False): As an OSC seeking L2 certification, you are tasked with creating security awareness training on insider threats. All members of your organization, regardless of whether they handle CUI, are required to take this training to meet CMMC requirements.
a. True
b. False
Answer: b
a. Staff that are not authorized access to CUI are not required by any CMMC Practice to complete insider threat training. Those staff members would likely be considered out of scope.
b. Correct: As a good business practice, companies may want to train all employees on the warning signs and issues raised by insider threats; however, the scope of CMMC is limited to the resources processing FCI or CUI.
As a CCA supporting an assessment for an organization seeking L2 certification, you review the OSC’s configuration management policy and associated standards. During your review you note that the policy requires an inventory be maintained for all system components processing, storing, or transmitting CUI. When interviewing the IT Director, you learn the company only adds items to the inventory list as they are purchased to ensure all required system components are included in the inventory. You further review the inventory and notice that the following information is recorded for each system component: owners, tracking ID, type of component (e.g., Windows Server, Palo Alto Firewall, Cisco Router), make & model, hostname & IP address, location information including whether the component is virtual, and the date the component was purchased. When assessing CM.L2-3.4.1, what are your next actions?
a. You would record the information noted from the configuration management policy and standard and note the type of information captured within the inventory.
b. You perform a floor audit to ensure all the inventoried items are present in the location as identified in the inventory list.
c. You record the information noted from the configuration management policy and standard and note the type of information captured within the inventory. You then perform a floor audit to ensure all the inventoried items are present in the location as identified in the inventory list.
d. You would record the information noted from the configuration management policy and standard and note the type of information captured within the inventory. You then inform the assessment lead that the inventory is not routinely reviewed to ensure it is properly maintained in accordance with the configuration management policy.
Answer: d
a. As an assessor you would record the information noted from the policy and standard as well as the capabilities implemented; however, you would also need to note that the inventory is not maintained and that items are not removed when they are no longer required for operations.
b. As an assessor you are responsible for ensuring that the company has implemented capabilities for addressing the CMMC practices.
c. As an assessor you are responsible for ensuring that the company has implemented capabilities for addressing the CMMC practices. Therefore, once you confirm a policy and standard is in place for conducting inventories, as well as confirm that the inventories are performed, there is no need to verify the accuracy of the inventory. The inventory should be verified through the company’s internal procedures to ensure accuracy. However, because the company in this scenario does not remove items from the inventory list, the lack of managing the inventory list should be recorded for the assessment report.
d. Correct: CM.L2-3.4.1 requires baseline configurations and inventories to be maintained. Upon finding the inventory is not maintained, you would need to record the information collected and ensure the finding is recorded in the assessment report.
Configuration baselines assist organizations by establishing an approved foundation for the system development lifecycle. Configuration baselines, at a minimum, should include:
a. Default software, applications, and configurations as recommended by the vendor.
b. Only software and applications required for the system to operate. Additional software (e.g., services) will be installed, as required, during development or integration. The baselines should also include organizationally approved configuration settings (e.g., password complexity requirements, audit events, NTP server, DNS).
c. All software, applications, and configurations as required by the Cybersecurity and Infrastructure Security Agency (CISA) based on the component baseline being established.
d. A record of the data flows and interconnections for the device defining the approved transmission protocols and anticipated amount of traffic expected for the component baseline being established.
Answer: b
a. Vendor recommendations are important to ensure core services and functionality are incorporated in the configuration baseline; however, the baseline must be customized to remove any unnecessary software or services.
b. Correct: CM.L2-3.4.1 requires baseline configurations to be established and maintained. Baseline configurations are created to capture hardware, software, and firmware to establish the minimum set of capabilities required for the baseline system to operate as expected.
c. CISA provides informational alerts and notices on threats and vulnerabilities. CISA does not provide configuration baselines.
d. A network baseline defines data flows and interconnections for components within a system. A configuration baseline establishes the minimum set of functionalities required for a component to operate as intended within the business environment.
(True/False): Users handling CUI should be permitted to install any software they determine will help them complete their job responsibilities.
a. True
b. False
Answer: b
a. CM.L2-3.4.9 requires user-installed software to be controlled and monitored.
b. Correct: CM.L2-3.4.9 requires user-installed software to be controlled and monitored. Only authorized individuals should install approved software for users with a valid authorized business purpose for the software.
(True/False): An OSC has determined that they will leave a specific set of ports open as a precaution to ensure the availability of their services as they evaluate an opportunity for potential expansion. The OSC has appropriately implemented the principle of least functionality due to their potential future need for the services.
a. True
b. False
Answer: b
a. CM.L2-3.4.7 requires that ports are restricted or disabled if not required for a valid business purpose.
b. Correct: CM.L2-3.4.7 requires systems to restrict, disable, or prevent the use of nonessential ports. If the ports are not required for a valid business purpose they must be disabled. If additional ports are required to support authorized business functions in the future, the ports can be enabled to meet the new business requirements.
Your organization has just received a request to establish a new system in support of a DoD contract. The system will process CUI on behalf of the DoD. Therefore, you understand the system must be deployed and configured within your organization’s protected data enclave. You’ll need to install a web server, a database server, and networking appliances (e.g., routers, firewalls) to support the new system. Additionally, you know the systems will need to send log files to your SIEM for monitoring. The SIEM resides on the corporate network separate from the protected enclave where you are setting up the new system. How should hostnames be created on the new systems?
a. Hostnames are set to identify the primary functionality of the component (e.g., Webserver). Because the new system is on a separate enclave within your organization, you are not concerned with the hostnames of previously configured components.
b. Hostnames follow your organizationally approved procedures for establishing a unique name for each component within your organization.
c. The default hostname provided by the component is sufficient and does not require modification.
d. You name the new system components after your family (e.g., Aunt Jane as the webserver, Uncle Bob as the database server).
Answer: b
a. IA.L2-3.5.1 requires all devices to be identified. To ensure devices can be uniquely identified, duplicate hostnames should not be permitted. Duplicate hostnames within a company can cause confusion and lead to other conflicts.
b. Correct: Organizationally approved procedures are established to ensure the continual and secure operation of the environment. Following the approved procedures will ensure all devices within the company are uniquely identified.
c. Using default configurations could lead to confusion and duplicate devices within the environment.
d. While the new devices would have unique names, they do not meet the approved internal procedures and could lead to confusion when others are required to identify the devices.
In accordance with your organizational policy and CMMC requirements, you understand multifactor authentication (MFA) is required for privileged access to systems within the CUI environment. You have been asked by the IT Director to select the most appropriate MFA capability for the new system being deployed. Which option below represents the best approach to ensure privileged users of the new system implement MFA when performing privileged actions on the system?
a. Your organization requires usernames and passwords to authenticate to corporate networks, and the new system requires all users to sign in using their username and password to authenticate to the system using a different username and password from their organizationally assigned username. Therefore, no further authentication requirements are necessary.
b. You recently learned of a new retinal scanner that can be installed on privileged users’ workstations. The retinal scanner, in addition to the current simple authentication (e.g., username and password), would be sufficient to meet the requirement.
c. Your organization currently uses an industry recommended standard for MFA. Users are required to install an application on their smartphone that provides a unique passkey to be used in conjunction with their username and password to authenticate to organizational systems. Therefore, you recommend the IT Director extend the organization’s MFA process into the new environment.
d. Privileged users will only access the new system locally. Therefore, MFA is not required.
Answer: c
a. Requiring users to authenticate using two separate username and password combinations is two-step verification, as both authentication approaches use a single factor.
b. Implementing a retinal scanner would be appropriate for addressing the requirement established by the practice; however, this is not the best answer available. Installing new retinal scanners would incur additional costs for procuring and maintaining the scanner. Because the organization has the option (see option c) to leverage existing capabilities, the implementation, maintenance, and management of the capability is already in place.
c. Correct: IA.L2-3.5.3 requires MFA be implemented. CMMC does not specify which MFA solution is required, and companies are encouraged to seek the most appropriate solution for them. Therefore, leveraging an existing capability is the preferred approach for addressing practices.
d. IA.L2-3.5.3 requires privileged users to use MFA whether connecting locally or remotely; therefore MFA would still be required.
As a member of a security team for a company that has a CMMC L2 certification, you are responsible for maintaining your company’s cybersecurity incident response (IR) handling procedures, or IR plan, for the L2 environment. You are performing your annual review of the IR plan and realize that over the course of the past year several employees have transferred positions and that IT reporting processes have migrated to a new third party managed service provider (MSP). The MSP is responsible for correlating audit events from your company systems. Which are the most appropriate courses of action when updating the IR Plan? (select all that apply)
a. You retire the IR Plan because the MSP is responsible for correlating audit information and all incident response activities fall to them.
b. You update the role assignments within the IR Plan to align with current staff and their responsibilities. Additionally, you update call tree information to align to the new staff identified as members of the incident response team.
c. You work with the IT team to ensure the MSP is aware of the type of cybersecurity events that need to be forwarded to the security team for review and analysis to determine if an incident has occurred.
d. You update annual tabletop exercise requirements to include the MSP.
Answer: b, c, d
a. The scenario states the MSP was hired to correlate audit events. The scenario did not specifically mention the role of the MSP in incident response; therefore, we cannot assume the MSP has responsibility for IR.
b. Correct: The IR plan should be routinely updated to ensure it is available and accurate when an incident occurs. Updating the staff and their responsibilities ensures the correct POCs are notified during an incident.
c. Correct: The MSP is responsible for correlating audit events. Therefore, it is important that the MSP understands your company’s risk threshold levels and is able to alert once an event is identified that exceeds that threshold.
d. Correct: Because the MSP is responsible for correlating and alerting on events, it is important to ensure they are included in tabletop exercises to confirm they are able to notify the correct POCs in a timely manner if they detect an event that could represent an incident.
Lamar at JetPack Corporation is on the incident response team. It has been almost a year since the Incident Response capability was updated and tested. What is the best answer for how Lamar can conduct an Incident Response test to meet IR.L2-3.6.3?
a. Lamar plans and carries out a tabletop exercise on a ransomware scenario including all IT members and senior leadership. Lessons learned are incorporated into the review and update of the IR plan.
b. Lamar hires a Penetration Test firm to perform red team exercises against the external boundaries.
c. An actual incident was detected and recovered from last month and Lamar documented the summary notes using the current version of the IR plan.
d. Lamar reviewed and updated the Incident Response plan with senior leadership.
Answer: a
a. Correct: In this scenario, a specific tabletop exercise was determined and conducted with the appropriate personnel involved. Summary notes allowed lessons learned to be captured and incorporated into the next version of the IR plan.
b. Although performing a penetration test on a routine basis is important to harden security, this does not test the organization’s full incident response capabilities.
c. This practice requires the incident response capability to be tested on a routine basis and cannot be substituted because an actual incident occurred.
d. In this scenario the Incident Response Plan was merely updated and an actual test of the incident response capabilities did not occur.
HopTech Consulting has recently hired FixIT MSP to handle all of their IT operations for the organization. HopTech Consulting expects the Incident Handling capabilities to be 100% the responsibility of FixIT MSP. True or False: this is an acceptable responsibility scenario.
a. True
b. False
Answer: b
a. True: Even though the majority of the Incident Response capabilities are the responsibility of the MSP, HopTech Consulting still needs senior leadership to be involved in the process for reporting and communication flow to stakeholders and customers if necessary.
b. False: HopTech Consulting needs to be involved in the process in case other entities need to get involved such as legal, insurance, financial and other senior leadership. Companies cannot outsource the entire Incident Response process to their MSP.
Your company has a certified CMMC L2 CUI environment where your company performs DoD research. The CUI environment contains several servers, a dozen workstations, a multifunction printer, and supporting infrastructure equipment (e.g., router, firewall). One of the researchers reported that the multifunction printer has stopped working and requires maintenance. You have been asked by the IT Director to oversee maintenance of the printer. As the repair company is working on the printer, they determine it cannot be repaired at your location and needs to be taken back to their facility where they have more advanced tools to perform the repairs. As the person responsible for overseeing maintenance on the printer, what are your next steps?
a. Inform the maintenance team that the printer is used to process sensitive DoD information and therefore cannot be removed from your facility. You instruct them to bring the advanced tools to the printer and complete the repair.
b. You record the asset tag from the printer, the name of the maintenance staff requesting to take the printer, an estimate for when the printer will be returned to the company, and allow them to take the printer for repairs.
c. In accordance with your company policy, you follow the approved procedures for sanitizing the memory within the printer prior to authorizing the maintenance company to take the printer for repairs.
d. You inform the IT Director the printer cannot be repaired and begin the process for purchasing a new multifunction printer.
Answer: c
a. In many cases it may not be appropriate or possible to bring advanced tools into a company to perform maintenance.
b. This response does not include the sanitization of the memory and other components of the multifunction printer prior to authorizing its release from the controlled environment.
c. Correct: Ensuring your company’s approved policy and procedures are followed prior to allowing the release of the multifunction printer ensures all residual CUI is cleared and sanitized from the machine and that the removal of the equipment is properly captured.
d. While this may be an appropriate response if the equipment cannot be properly sanitized without destroying it, this isn’t the most appropriate option and can lead to undue expense and burden on your company.
As a CCA, supporting an assessment for an organization seeking L2 certification, you review the OSC’s information security maintenance policy, standard and associated procedures. During your review, you note that all nonlocal maintenance sessions via external network connections must be monitored. Upon reviewing the procedures for monitoring maintenance, you notice that the company uses screensharing technologies (e.g., WebEx) to watch maintenance personnel actions. The procedures state that an authorized user from the company first establishes an online meeting with the maintenance staff. Next, the authorized user connects to the system component being maintained through the company’s authorized process for remotely managing system components. Then, the authorized user from the company gives control through the screensharing technology to the maintenance personnel. The maintenance personnel complete the maintenance activities through the screensharing technology with the company’s authorized user monitoring all activities performed by the maintenance personnel. When assessing MA.L2-3.7.6, what would be the most appropriate observation to record?
a. You observe the screensharing technology in the software inventory.
b. You demand the company perform maintenance while you are on site for the assessment.
c. You captured the relevant information from the maintenance policy, standard and associated procedures as well as interview notes with maintenance staff confirming the accuracy of the documentation.
d. You captured the relevant information from the maintenance policy, standard and associated procedures.
Answer: c
a. While observing that the screensharing technology exists for the company is an appropriate observation, this is not the best possible answer to ensure MA.L2-3.7.6 is met.
b. An assessor cannot force an OSC to perform out-of-cycle maintenance for the purpose of an assessment.
c. Correct: This answer is the most appropriate because it includes a documentation review as well as interviews with personnel to confirm that the procedures are being followed as defined.
d. While capturing the relevant maintenance documentation, this defines what the company expects but does not confirm it in action.
As a CCP supporting a self-assessment for a company attesting to CMMC L1, you attempt to review the company’s media protection policy and learn that the company does not have a media protection policy or a policy that would cover information typically addressed in a media protection policy. You also notice that the company has a recycling program and staff are encouraged to recycle when possible rather than simply using trash receptacles. You interview a general user within the company that has access to FCI information to understand how FCI media is protected. During the interview you learn that the user follows the company’s recycling policy and that paper, including pages with FCI, is placed in the recycle bin when it is no longer required. When assessing MP.L1-3.8.3, what are your next activities in response to the information learned in the interview?
a. You continue the interview to learn how recycling bins are cleared to confirm that the FCI information is shredded or otherwise sanitized before being sent to the recycling center.
b. You note that the organization does not have a media protection policy and report the fact to the assessment lead.
c. You commend the company on their recycling initiatives.
d. You record a finding stating the organization does not have a media protection policy and report the fact to the assessment lead. Then, you continue the interview to learn how recycling bins are cleared to confirm that the FCI information is shredded or otherwise sanitized before being sent to the recycling center.
Answer: a
a. Correct: If paper collected in the recycle bin is properly sanitized (e.g., shredded) prior to being sent for recycling, the company has met the objectives for MP.L1-3.8.3. As an L1 OSC, formal policies for media protection are not required to meet the objectives as defined within the Media Protection Domain.
b. As an L1 OSC, formal policies for media protection are not required to meet the objectives as defined within the Media Protection Domain.
c. While recycling is considered a good practice, the recycled material must be sanitized of all FCI data by the OSC prior to being sent to a recycling center for processing.
d. As an L1 OSC, formal policies for media protection are not required to meet the objectives as defined within the Media Protection Domain.
As a CCA, supporting an assessment for a company seeking L2 certification, you review the company’s media protection policy, standard, and associated procedures. You notice that the company has a policy to ensure all CUI is labeled in accordance with the National Archives and Records Administration (NARA), CUI notice 2019-01: Controlled Unclassified Information Coversheets and Labels. You interview staff within the company that are authorized access to CUI and learn that the company has other data classification policies that identify four categories of data processed by the company that are not aligned to CUI: Restricted, Sensitive, Internal, and Public. When discussing how media containing CUI is labeled, you learn that the staff member marks all CUI using the company’s “Restricted” category because they believe CUI aligns to the “Restricted” category. When assessing MP.L2-3.8.4, how would you record your observations?
a. You would ask the staff member being interviewed to show you several types of media (e.g., CD, paper, USB drive) to confirm how the company labels media containing CUI.
b. You would record the information found in the organization’s media protection policy as well as the information provided in the company’s data classification policy. You would then report the discrepancy between the two policies to the assessment lead.
c. You would capture the information from the media protection policy and discard the information regarding the company’s data classification policy because the scope of the assessment is limited to those systems and processes handling and processing CUI and not the full company.
d. You would collect various types of media (e.g., CD, paper, USB drive) containing CUI and show the media to the assessment lead to demonstrate how the company is labeling media containing CUI.
Answer: b
a. As an assessor for an OSC, you are not required to review CUI. You are responsible for ensuring the organization has the appropriate policies, standards, and procedures in place to ensure the company properly handles CUI. Therefore, reviewing CUI is not appropriate for assessing MP.L2-3.8.4.
b. Correct: Companies may have separate policies for handling business sensitive information and CUI. However, the CUI policies must be followed within CUI environments. If the CUI policy had aligned the company’s ‘Restricted’ category to CUI protections and confirmed the ‘Restricted’ media protection requirements were equal to or greater than the requirements imposed on CUI, the company would have met the objectives of MP.L2-3.8.4.
c. While the scope of the assessment is limited to the CUI environment and the company’s policy is out of scope, the individual referenced the company policy when handling CUI. Because the individual being interviewed stated that they use the company policy instead of the CUI policy, a finding must be noted in the assessment report.
d. As an assessor you are not authorized or required to review CUI.
As a CCP supporting a self-assessment for a company attesting to CMMC L1, the assessment lead asks you to speak to the company’s hiring manager to learn how the company screens staff. You learn that the company uses a third-party background screening provider that performs a criminal records search, employment history verification, and a credit report verification to determine the trustworthiness, loyalty, reliability, and stability of staff that will be granted access to CUI. During the interview, you note that the hiring manager does not determine who the candidate associates with by performing a social media check. When assessing PS.L2-3.9.1, how would you record your observations?
a. You note the information collected from interviewing the hiring manager on how the company screens personnel. Then, you report to the assessment lead that the company does not perform social media checks.
b. You note the information collected from interviewing the hiring manager on how the company screens personnel. While you believe social media checks are important, social media checks are not specifically required by CMMC; therefore, you do not need to report that information.
c. When assigned the task of interviewing the hiring manager, you ask for clarification from the assessment lead regarding the intended goals from conducting the interview as you are only performing an L1 assessment for the company.
d. You advise the hiring manager of a third-party screening company that will perform the same screening activities they require today as well as include social media checks and verification of degrees for the same price the company is paying today.
Answer: c
a. There is no requirement within PS.L2-3.9.1 that companies perform social media screening of new employees. Additionally, the organization is seeking L1 certification. PS.L2-3.9.1 is an L2 Practice and therefore out of scope for the assessment.
b. This is an appropriate response for assessing PS.L2-3.9.1; however, because the organization is seeking L1 certification, PS.L2-3.9.1 is out of scope for the assessment.
c. Correct: The organization is seeking L1 certification. PS.L2-3.9.1 is an L2 Practice and therefore out of scope for the assessment.
d. The organization is seeking L1 certification. PS.L2-3.9.1 is an L2 Practice and therefore out of scope for the assessment. Additionally, assessors are not permitted to instruct OSCs on how to meet CMMC practices.
As a member of the security team for an OSC at L2, you understand CUI must be protected from unauthorized access. You notice the IT team is not informed or aware of personnel actions (e.g., transfers, terminations) until after the action is complete. Understanding the requirements for CMMC practice PS.L2-3.9.2, what is the most appropriate action for you to take?
a. You convene a meeting with the human resources (HR) team and IT to determine the best approach for notifying IT of personnel actions. You update the company personnel security policy, standard, and associated procedures to enable HR and IT to communicate proactively on personnel actions.
b. You update the company personnel security policy to require HR and IT to communicate on personnel actions of staff that have access to CUI.
c. You implement a process for meeting daily with the HR team to learn of pending personnel actions and take action to remove access to CUI from staff that will no longer require the access.
d. You routinely review access control lists and remove staff that no longer require access to CUI.
Answer: a
a. Correct: PS.L2-3.9.2 requires, in part, that companies protect CUI during personnel actions. Implementing policies, standards, and procedures requires that users’ access to CUI be reviewed and appropriate action be taken prior to, and during, personnel actions.
b. The scenario states you are a member of a security team. As a member of a security team, you are likely not authorized to unilaterally make changes to the organization’s personnel security policy. Additionally, once the policy is updated, corresponding updates to procedures, responsibilities, and training must coincide with the updated policy.
c. While this approach meets the objective of PS.L2-3.9.2, meeting daily with HR is not practical. Option “a” presents the best option for meeting the objectives of PS.L2-3.9.2 from the options presented.
d. Removing access from users after a personnel action addresses a portion of PS.L2-3.9.2; however, it does not address how CUI is protected during personnel actions.
(True/False) Companies processing CUI in the cloud do not have any physical protection requirements because the cloud service provider (CSP) is responsible for the proper implementation of all physical protections.
a. True
b. False
Answer: b
a. In this scenario, the OSC will still have responsibility for a subset of physical protection requirements.
b. Correct: Workstations, at a minimum, will access and process CUI from CSPs. Therefore, the physical protections of the workstations should be included within the scope of the assessment.
As a member of an assessment team, you are assessing an OSC seeking L2 certification and have been supporting an assessment of the company’s CUI environment for the past two days. During your assessment, you have reviewed the company’s physical environment protection policy, standard, and associated procedures. You learned through your review, and personal experience while being onsite for the assessment, that all visitors to restricted areas housing CUI are required to sign in and out, wear a visitor badge that is clearly visible, and be escorted. After completing the assessment for the Physical Environment domain and recording any findings, you notice visitors in the cafeteria located within the facility that are not being escorted or wearing visitor badges. What is the most appropriate action for you to take when finding the unescorted visitors?
a. Report to the assessment team lead that you need to update your notes and recommendations regarding the Physical Environment domain.
b. Notify your POC within the company so that they may sign in the visitors and ensure they are escorted within the cafeteria.
c. You have already completed the assessment on the Physical Environment domain, therefore there is nothing you can do about the current situation.
d. You take no action because the visitors are only in the cafeteria and not within the designated and protected CUI areas of the facility.
Answer: d
a. The scenario states the company’s policy is to identify and monitor visitors within restricted areas. The cafeteria is not a restricted area within the company and therefore the company’s physical environment policy for CUI does not apply to the cafeteria.
b. The scenario states the company’s policy is to identify and monitor visitors within restricted areas. The cafeteria is not a restricted area within the company and therefore the company’s physical environment policy for CUI does not apply to the cafeteria. Additionally, as an assessor you are not permitted to offer implementation advice to OSCs.
c. Findings noted during the assessment are relevant and must be reported regardless of whether or not you have completed your assessment of a specific domain.
d. Correct: The scenario states the company’s policy is to identify and monitor visitors within restricted areas. The cafeteria is not a restricted area within the company and therefore the company’s physical environment policy for CUI does not apply to the cafeteria.
You are a facilities manager at AFF Solutions, which is currently undergoing a CMMC L2 assessment. Employees at AFF Solutions are on a hybrid work schedule and work 3 days per week at home. What is the most appropriate solution to meet PE.L2-3.10.6 for alternate work sites when employees are working from home?
a. Install badge readers in home offices to secure company systems.
b. Document a Telework Policy for employees working at home and ensure they sign the policy that includes CUI safeguarding measures.
c. Tell employees to ensure their home offices meet the same physical security safeguards as the company offices.
d. Ensure all company devices are encrypted and provide a locked drawer for employees to take home to store company assets in.
Answer: b
a. Although physical audit logs are required to be maintained per PE.L2-3.10.4, they are not required to extend to employee residences.
b. Correct: Documenting a Telework Policy and requiring employees to sign off on agreeing to the policy is the best way to implement PE.L2-3.10.6 when employees are allowed to work from home. Requiring employees to sign off on the policy provides security best practice expectations when working at home to secure CUI.
c. Simply telling employees is not a measurable solution as the safeguards cannot be enforced for privacy and liability purposes.
d. Although encrypting CUI at rest and securing CUI in physical forms is a requirement, this does not fully cover PE.L2-3.10.6 by enforcing safeguards for employees working at home.
(True/False) Risk assessments must be conducted quarterly by companies processing CUI.
a. True
b. False
Answer: b
a. RA.L2-3.11.1 requires periodic risk assessments but does not define that “periodic” assessments must occur quarterly.
b. Correct: RA.L2-3.11.1 requires periodic risk assessments. The Practice allows flexibility for organizations to determine the appropriate frequency based on their business requirements.
Jack works for a small OSC that has only a handful of laptops and all of their data is in a CSP environment. Jack is tasked with implementing RA.L2-3.11.2. What is the best approach to satisfy this practice given the OSC environment?
a. This control is N/A as it is the responsibility of the CSP.
b. Jack must hire a firm to perform a pen test against the CSP infrastructure.
c. Jack downloads a FedRAMP certification from the CSP as its objective evidence.
d. Jack ensures there is a cloud responsibility matrix for the CSP, and the CSP provided proof of vulnerability testing for their environment. Jack also runs monthly scans against the laptops and ensures they are up to date.
Answer: d
a. Despite the data residing within a CSP infrastructure, proof must be obtained that there is some form of vulnerability scanning being performed on the cloud environment. The company is also responsible for scanning the devices in scope for the L2 assessment.
b. It is very unlikely companies will be authorized to conduct independent penetration tests against CSPs. This would be an expensive and inefficient endeavor.
c. Although FedRAMP certification evidence helps prove the CSP is performing regular vulnerability scans, Jack did not take into account the company’s devices that are required to connect into the environment.
d. Correct: Jack has found evidence that the CSP performs routine vulnerability scans of their environment and a responsibility matrix with the CSP confirming that they take responsibility for this practice. Jack has also ensured that the devices accessing the data are scanned for vulnerabilities, which is solely the responsibility of his company.
(True/False) Risk assessments and vulnerability scans can be conducted every 18 months since it is up to the organization to define the frequency of them.
a. True
b. False
Answer: b
a. Although the organization has correctly defined an interval, per the CMMC Glossary, assessment objectives that require “periodic” intervals must be performed at least annually.
b. Correct: An organization can define the frequency to conduct risk and vulnerability scans that is appropriate for their organization. However, security best practice must be taken into account for at least annual evaluation. (Example: An OSC cannot perform these once every 3 years right before the C3PAO comes in for formal assessment.)
As a member of the security team for an OSC at L2, you review the company’s security assessment policy and standard. You notice the organization’s system security plan (SSP) defines the boundaries, system environments of operation, how security requirements are implemented, the relationships with interconnected systems, and an asset inventory. You also notice that the SSP was drafted three years ago, reviewed annually in accordance with the company’s policy, and last updated two months ago to describe the new approach implemented by the company for incident response that leverages a third-party; however, there have not been any other updates to the SSP since the last review. When assessing CA.L2-3.12.4, what is your next course of action based on your observations regarding the SSP?
a. You record that the SSP defines the system boundaries, operating environment, implementation approach for the CMMC Practices, interconnected systems, and an asset inventory. You also record that the SSP is reviewed annually for inclusion in the assessment report.
b. You inform the assessment lead that the SSP has only been updated once in the past year and record the deficiency for inclusion in the assessment report.
c. You interview the company’s POC for the SSP to gain an understanding for how changes to the system are conveyed throughout the organization. During your discussion you learn that the POC is a member of the system change control board and is part of the decision-making process for approving changes to the system and its operational environment. You record this new information and that the SSP defines the system boundaries, operating environment, implementation approach for the CMMC Practices, interconnected systems, and an asset inventory. You also record that the SSP is reviewed annually for inclusion in the assessment report.
d. You inform the assessment lead that the SSP does not include the approach for implementing each of the required CMMC Practices and that instead the SSP simply references the company’s approved policy. You then record the deficiency for inclusion in the assessment report.
Answer: c
a. While the SSP is reviewed annually per the company’s policy and the updated information is included in the SSP, this is only one form of objective evidence for CA.L2-3.12.4. In order to collect a minimum of two forms of objective evidence to ensure the SSP is updated as security relevant or significant changes are made to the system, you would need to interview the lead responsible for the SSP to determine if the SSP is updated to record system changes.
b. If only one security relevant or significant change was made to the system since the last review, only including one update would be appropriate.
c. Correct: The assessor correctly recorded that required information was presented in the SSP, the SSP review process, and confirmed that changes were made to the system. Additionally, the assessor confirmed through interview that all changes are reviewed to determine if a change to the SSP is required.
d. There is no requirement that the SSP fully define the policy, standard, and procedures for meeting practices. Referencing policies, standards, and procedures in most cases is appropriate for maintaining the SSP.
(True/False) As a member of an OSC preparing your company’s CUI environment for an L2 assessment, you are assigned the responsibility for addressing Practice CA.2.158, Periodically assess the security controls in the organizational systems to determine if the controls are effective in their application. You review the operations logs for the system for the past year and learn that the system has been operating as expected and no security incidents have occurred within that time. Therefore, you determine the security controls must be working as expected and that you are not required to perform a separate assessment of the system’s security controls. Is this the appropriate action to address practice CA.L2-3.12.3?
a. True
b. False
Answer: b
a. The objective of practice CA.L2-3.12.3 is to confirm security capabilities are working as expected. Therefore, security capabilities must be exercised to confirm they are performing as expected.
b. Correct: Companies are required to periodically assess the effectiveness of security controls regardless of whether an incident occurs.
(True / False): You assisted your department in configuring MFA for users to be able to access the CUI environment remotely and worked with other members of your team to ensure all interconnections as well as the boundary for the CUI environment were correctly documented in your company’s SSP. Six months after implementation you realize that a different MFA tool is being used across the rest of the organization and you decide to update the tool your department is using to be the same tool as the organization. Due to the change in the tool you are using, you need to update your SSP even though it is before your annual update requirement.
a. True
b. False
Answer: a
a. Correct: The SSP is a living document. SSPs must be reviewed and updated regularly to address security relevant or significant changes made to the system.
b. The SSP is a living document that must be maintained throughout the lifecycle of the system.
(True / False) As a member of a security team for an OSC that has achieved L2 certification, you understand the importance of protecting the network boundaries of the CUI environment. After several months of daily service calls to troubleshoot your intrusion prevention system (IPS) and MFA configurations, the interruptions are beginning to harm your ability to perform your other responsibilities. Most of the calls are easily addressed; however, they require you to return to your CUI workstation, authenticate to the CUI environment, and pull records from the SIEM to understand why the user is having problems. Therefore, you determine that installing a small wireless access point on the SIEM that will allow you to bypass the other boundary protection devices and quickly access the SIEM will be more efficient to resolve user issues within the CUI environment. Is installing the wireless access point an appropriate way to address the concern of not being able to complete your other assigned tasks due to all the service calls?
a. True
b. False
Answer: b
a. All changes to the system must be reviewed and approved. Because the access point will bypass security capabilities of the system, it should not be connected.
b. Correct: Installing any capability to circumvent or bypass approved security features is never appropriate.
As a member of the security team for an OSC preparing for L2, you understand the importance of monitoring, controlling, and protecting organizational communications. Your manager has asked that you help with updates to the company’s SSP to adequately describe and illustrate the system boundaries for the CUI environment. As you begin to make the updates you refresh yourself with the CMMC Security and Communications Protection Domain, specifically SC.L1-3.13.1. You then begin reviewing the appropriate sections of the SSP to identify all external connections and their purpose. After completing your review, you confirm your understanding of the CUI environment’s external boundaries by speaking to the network team and reviewing logs within the SIEM. You confirm the SSP correctly reflects all external boundaries and external system interconnections including the business purpose supporting the connection. You then begin reviewing the section of the SSP that describes the internal connections. You realize that two key internal network boundaries are properly defined; however, you also discover that in the past three months another internal network connection was added to the CUI environment. This environment is currently not listed in the SSP nor does it include the same boundary protections as the other two internal connections. This new internal network is much smaller than the two previously defined interconnected systems. When updating the SSP in accordance with SC.L1-3.13.1, what is the most appropriate action?
a. The new network is smaller than the previous two internal networks; therefore, you are not required to take any additional actions.
b. Meet with the management team of the new internal network that was added three months ago as well as the management team of the CUI environment to determine why the interconnection was not added to the SSP.
c. Meet with the management team of the new internal network that was added three months ago as well as the management team of the CUI environment and explain to them the connection is not documented in the SSP and therefore must be taken down.
d. Meet with the management team of the new internal network that was added three months ago as well as the management team of the CUI environment to understand why the interconnection was added. You then ensure the boundary protections for the new internal network are properly implemented and update the SSP to properly document the new internal network.
Answer: d
a. Changes to system interconnections must be reflected in the SSP regardless of the size of the interconnected network or system. Additionally, the boundary protection devices must be sufficient to protect the CUI environment.
b. Understanding why the new interconnection was added may assist in collecting information to facilitate updating the SSP; however, simply understanding why the connection was added doesn’t sufficiently address SC.L1-3.13.1.
c. In some cases, removing the interconnected system may be appropriate; however, if there is a valid business purpose for the new interconnected network, the SSP should be updated and the appropriate boundary protections applied.
d. Correct: As the system evolves, the SSP must be updated to reflect changes to the system including new interconnected systems. This option ensured proper network boundary protections were in place and the SSP was updated to meet the objectives of SC.L1-3.13.1.
As a system administrator for an OSC that has received an L2 certification, you understand that identifying, reporting, and correcting information system flaws in a timely manner is important to the secure operations of your FCI environment. As such, you follow your company’s policy for reviewing vendors’ patches as they are made available. During your review you determine whether any of the patches address security flaws identified in systems under your responsibility. In reviewing the last release notes, you see that a critical patch was released for a component you administer. You understand that your company policy requires critical patches to be tested within the test environment within two days with the goal to push the patch to production no later than three days after passing test. However, you have vacation plans with your family for the remainder of the week and had previously received approval from your manager to be out of the office for two weeks starting in an hour. What is the most appropriate course of action for you to take?
a. You update the SSP for the CUI environment to reflect that critical patches must be tested and moved to production within 30 days of notification of the patch. This ensures you have time to spend with your family on your preapproved vacation without concern of violating your company policy.
b. Because your vacation was already approved and ready to start in an hour, you add a calendar reminder to your schedule so you can begin testing the patch as soon as you return from vacation.
c. You notify your manager and your team of the critical patch and inform them of the affected systems. Before leaving for vacation, you confirm your team will ensure the patch is properly tested and deployed to the production environment in accordance with your company’s policy.
d. You believe your company is not that critical to the protection of CUI data and set the patch aside to address next month when the vendor is expected to release the next round of security patches.
Answer: c
a. While the SSP is a living document and should be updated as changes to the system or operating environment are implemented, making changes to the SSP to meet personal commitments is likely not appropriate. All changes to the SSP should be reviewed and approved.
b. Critical patches typically address serious flaws. Additionally, the company has an approved policy and procedures for ensuring security flaws are addressed in a timely manner. Ignoring the policy is not appropriate.
c. Correct: Your company policy for addressing security flaws must be followed regardless of whether or not vacation plans were previously approved. Therefore, working with your management team to ensure the company’s policy is followed is the most appropriate course of action.
d. Regardless of whether or not you believe the security flaw will be exploited, the company policy must be followed to maintain the secure operation of the system.
As a member of the Security Operations Center (SOC) for an OSC that has received an L2 certification, you understand the importance of monitoring the CUI environment for unauthorized users. You have worked in the SOC for nearly three years and are very familiar with the SOC as well as the typical activities within the CUI environment. One evening while on the midnight shift you receive an alert from the Intrusion Detection System (IDS). Upon reviewing the alert, you notice that a user has accessed a popular file sharing site in a high-risk domain. As you continue your analysis you see that the user that accessed the file sharing site is Bob. Bob is the night shift lead responsible for the oversight of the CUI environment’s operations. You have known Bob for several years and also know that he is into rare types of music and is always looking for more unusual, in your mind, types of music to add to his collection. Upon learning that Bob is downloading music from the file sharing site, what is the most appropriate course of action?
a. Meet with Bob and ask him to play the new song for you so you can gain a better appreciation for the type of music Bob collects.
b. Contact your local FBI office to report the improper use from within the CUI environment.
c. Report the incident to your manager and create an incident ticket in your company’s incident reporting system. Then, with the approval of your manager, add the high-risk domain to the blocked domain list to stop future connections to the file sharing site and update the ticket. Your manager then ensures the ticket is resolved, to include confirming Bob receives additional security awareness training on the dangers of connecting to unauthorized sites as well as a reminder of your company’s acceptable use policy.
d. Inform Bob that he violated the company’s policy by accessing unauthorized sites from within the CUI environment. Let him know that if it occurs again you will have no choice but to report his actions to senior leadership.
Answer: c
a. Unauthorized use of the CUI environment is not appropriate and should not be encouraged.
b. While violation of the company’s policy is a serious offense, it is unlikely that the FBI would need to be the first contact for this scenario.
c. Correct: Violations of the company’s policy should be reported to management. The management team appropriately addressed the situation to prevent future issues.
d. As your friend, you may be tempted to simply warn Bob of his violation; however, not taking appropriate action to block the unauthorized site may lead others to believe it is appropriate to use.
