Cyber AB Updated CMMC-CCA Exam Questions and Answers by sabrina

To verify compliance with AC.L2-3.1.5 (Least Privilege), the assessor must confirm that privileged accounts are not used for routine or non-privileged tasks. Asking if a user uses their privileged account for tasks like researching vulnerabilities on the Internet directly tests whether the principle of least privilege is being followed.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

CMMC Assessment Guide: “Interviews should confirm that privileged accounts are used exclusively for privileged functions, and that standard accounts are used for general tasks.”

NIST SP 800-171A Objective: “Determine through interviews whether users employ privileged accounts for non-privileged tasks.”

Why other options are not correct:

A: Awareness of other privileged users is not the issue being assessed.

B: Knowledge of RBAC is useful but does not confirm account usage practices.

D: Provisioning procedures are an IT staff responsibility, not a user behavior check.

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.

Exact Extracts (official CMMC Assessor/Study documents):

AU.L2-3.3.7: “Review and update logged events, as well as the audit log, at least weekly.”

AU.L2-3.3.6: “Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings.”

CMMC Level 2 Assessment Guide emphasizes: “Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function.”

NIST SP 800-171A states: “The frequency of review must be sufficient to detect anomalies in a timely manner… at least weekly is required.”

Why other options are not correct:

A: Report generation capability is not the compliance issue; frequency of review is.

B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.

D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56–60).

NIST SP 800-171A, Audit and Accountability objectives.

The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”

NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”

Why other options are not correct:

A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.

B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.

D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.