CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP). The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

Access Control (AC): Wi-Fi access must be restricted to authorized users and devices. CMMC Level 2 incorporates NIST SP 800-171 AC requirements to limit and control access to systems and resources.

Identification and Authentication (IA): Wireless access requires authentication to ensure only authorized individuals/devices can connect (e.g., WPA2-Enterprise, certificates, or strong passwords).

System and Communications Protection (SC): Wi-Fi encryption and secure configuration protect data-in-transit from interception or unauthorized disclosure.

Why Other Options Are Incorrect:

A (MP, AC, PE): Media protection and physical protection are not primary domains for Wi-Fi configuration.

B (IA, MP, SI): Media protection and system/information integrity do not directly address Wi-Fi security.

D (SC, SI, PE): Physical and integrity controls are not central to wireless access security.

References (CCA Official Sources):

CMMC Model v2.0 — Domains AC, IA, SC

NIST SP 800-171 Rev. 2 — AC.L2-3.1.1, IA.L2-3.5.3, SC.L2-3.13.8 (wireless access, identification/authentication, protection of communications)

NIST SP 800-171A — Associated assessment objectives verifying Wi-Fi control and encryption

===========

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)

The CMMC Assessment Process (CAP) defines four methods: Examine, Interview, Test, and Observe.

Interview Method: Involves discussions with personnel to gather evidence about the implementation of practices.

In this case, the CCA is discussing with the system administrator to understand processes, which clearly aligns with the Interview method.

Extract:

“Interview: The assessor uses discussions with personnel to obtain evidence about how practices are implemented within the OSC’s environment.”

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

According to CMMC Scoping Guidance, assets controlled by a parent organization are out-of-scope when they are physically and logically isolated from the OSC’s environment and do not process, store, or transmit CUI within the OSC’s boundary.

Extract from Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Since the badge activation machine is completely isolated and managed by the parent organization, and it has no network connectivity to the OSC, it is out-of-scope.

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.

Exact Extracts:

NIST SP 800-171A: “Test assessment method involves exercising assessment objects under specified conditions… mirrored or replicated systems may be used if validated as equivalent.”

CMMC Assessment Guide: “If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system.”

Why the other options are not correct:

A/B: Testing must focus on systems and controls, not limited groups or customer matrices.

C: Incorrect — mirrored systems are acceptable if validated as equivalent.

D: Correct, as validation of equivalency is required.

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

Applicable Requirement (CMMC Assessment Process): The CMMC Assessment Process (CAP) requires assessors to collect, analyze, and reconcile evidence using triangulation (examine, interview, test) to confirm whether requirements are MET or NOT MET. When inconsistencies arise, the assessor must go back to objective evidence such as diagrams, contracts, and notes.

Why Reviewing Network Diagrams Helps (supports A): Network diagrams provide authoritative evidence of scope, data flows, and system boundaries, which helps clarify whether the MSSP’s services were accurately described.

Why Reviewing MSSP Agreements Helps (supports B): Agreements (such as interconnection security agreements or service-level agreements) define shared responsibilities and confirm how the MSSP supports security controls. This evidence is critical to resolving inconsistent testimony.

Why Reviewing Notes Helps (supports C): Notes from previous interviews allow the team to pinpoint where answers diverged. This is a valid method of evidence review and aligns with CAP guidance on documenting interviews.

Why Interview Questionnaire Consistency is NOT the Correct Step (refutes D): The CAP emphasizes resolving inconsistencies through additional evidence, not by adjusting or re-checking the questionnaire itself. The consistency of the questionnaire is irrelevant — what matters is reconciling the evidence provided by both the OSC and MSSP. Thus, this is the action the Lead Assessor would NOT take.

Assessment Guidance Extract (CAP):

“When conflicting evidence is observed, the assessment team must review technical documentation, agreements, and notes to identify the root cause and determine whether additional clarification is required.”

“The interview instrument itself is not a tool for reconciling inconsistencies; rather, objective evidence must be used.”

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Section 3: Conducting the Assessment (Interview, Evidence, Triangulation, and Conflict Resolution)

CMMC Assessment Guide – Level 2, Version 2.13 — Guidance on the role of External Service Providers (MSSPs) and use of documented agreements as evidence

NIST SP 800-171A — General assessment methodology: reconcile evidence using examine, interview, and test methods

Applicable Requirement (CAP & Scoping): Assessors must use objective artifacts to validate system boundaries and scoping decisions. Network or topology diagrams are the most direct method to confirm logical and physical separation between environments handling CUI and those that do not.

Why A is Correct: Network/topology diagrams provide a visual and technical representation of how isolation is achieved (e.g., VLANs, firewalls, segmentation). This is the primary evidence source for confirming separation.

Why Other Options Are Insufficient:

B: Change tickets/inventory show updates but not logical isolation.

C: The SSP describes but does not demonstrate separation.

D: Baseline configs show standard builds, not network isolation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) — Scope Validation

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, topology)

===========

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.

Public-facing systems (such as web servers) must be separated from internal enterprise networks to limit exposure. CMMC (aligned with NIST SP 800-171 SC.L2-3.13.5 “Boundary Protection”) specifies that placing public servers into a demilitarized zone (DMZ) provides a security buffer and prevents direct access from the internet into the internal LAN.

Exact extracts:

“Publicly accessible systems should be placed on separate subnets or in DMZs.”

“Boundary protection devices should separate public servers from the enterprise network.”

“DMZs provide layered protection for internet-facing assets.”

Why the other options are incorrect:

A: Relocating the server physically does not provide network-layer security.

C: Firewall rules allowing only internal traffic would prevent public access, defeating the purpose of a public website.

D: Object reuse protections are unrelated to network boundary security.

Applicable Requirement: AC.L2-3.1.17 — “Authorize wireless access prior to allowing such connections.”

Correct Interpretation: Strong authentication and encryption methods (e.g., WPA2-Enterprise, WPA3-Enterprise) are required to protect wireless communications and enforce authorization.

Why C is Correct: WPA2-Enterprise uses 802.1X authentication (often with RADIUS), ensuring that only authorized users/devices can connect. This directly supports AC.L2-3.1.17.

Why Other Options Are Insufficient:

A (Layer 3 switch): Network hardware but not specifically a wireless access control mechanism.

B (IDS): Detects intrusions but does not prevent or authorize wireless access.

D (Frequency-hopping): Obsolete method, not aligned with modern encryption/authentication requirements.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.17

NIST SP 800-171A — AC.L2-3.1.17 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.17

===========

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of “reasonableness” is not an approved assessment method.

C: Identifying authors does not validate implementation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Triangulation

CMMC Assessment Guide – Level 2, Section on Evidence Requirements

NIST SP 800-171A — Assessment Methods: examine, interview, observe

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

Applicable Requirement: AC.L2-3.1.7 — “Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.”

Correct Interpretation:

A non-privileged (standard) user should be prevented from performing privileged functions (e.g., uninstalling security software).

The attempt must be logged to provide traceability and support accountability.

Why C is Correct: It demonstrates both prevention (software not uninstalled) and auditing (attempt captured in a log), exactly matching the practice.

Why Other Options Are Insufficient:

A: Prevention is shown, but there is no evidence of logging.

B: Function was not prevented, so requirement not met.

D: Logging exists, but privileged action was not prevented.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.7

NIST SP 800-171A — AC.L2-3.1.7 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.7

===========

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

AC.L2-3.1.7 (Privileged Functions) requires that execution of privileged functions be restricted to authorized privileged accounts. The best evidence is an access list demonstrating who is allowed privileged access.

Extract:

“Limit the use of privileged functions to authorized users. Assessors should review access control lists or equivalent evidence to verify only privileged accounts have privileged permissions.”

Thus, the best next step is to examine a user access list for authorized privileged users.

External connections are defined as connections crossing the OSC’s assessment boundary. Here:

The dedicated VPN from office to cloud = one external connection.

The user-initiated VPNs from remote laptops to cloud = a second external connection.

Extract:

“External connections include all system interfaces that cross the assessment boundary, including VPNs initiated by users or established between sites.”

Thus, there are two external connections.

The Examine assessment method requires the assessor to review policies, processes, and procedures that are finalized and approved, not drafts or informal materials. This ensures the OSC has formally documented, management-approved artifacts supporting each practice. Drafts, in-process training materials, or incomplete diagrams do not satisfy the “Examine” method requirements.

Exact extracts:

“Examine: Review, inspect, and analyze assessment objects, such as policies, procedures, and system documentation.”

“Examine requires finalized artifacts; draft or incomplete materials do not constitute valid evidence.”

Why the other options are incorrect:

A: “Mailed form” is irrelevant — only completeness and approval matter.

C: Training materials are not substitutes for policy/process evidence.

D: Draft diagrams do not satisfy final documentation requirements.

Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

CMMC Level 2 requires that network access to CUI systems be restricted to authorized users and devices. A guest network without password protection that connects directly into the LAN violates AC.L2-3.1.3 (Access Enforcement) and SC.L2-3.13.16 (Cryptographic protection) because unauthorized users may access OSC systems and CUI indirectly.

Exact Extracts:

AC.L2-3.1.3: “Control the flow of CUI by enforcing access restrictions.”

SC.L2-3.13.16: “Employ cryptographic mechanisms to protect confidentiality of CUI during transmission.”

Assessment Guide: “Guest wireless networks must be segmented and controlled to prevent unauthorized access to internal networks containing CUI.”

Why other options are not correct:

A: Additional assessment is irrelevant — issue is failure to meet requirements.

C/D: False — requirements clearly exist, and the OSC’s current setup fails them.

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

Applicable Requirement: CAP – Assessment Execution Phase.

Why D is Correct: After scoring and validating preliminary results, the next step is to finalize and record recommended final findings for submission. This closes the assessment process and supports certification decisions.

Why Other Options Are Insufficient:

A: Scope determination occurs in planning, not after validation.

B: Results are delivered after finalization, not immediately after validation.

C: Considering additional evidence occurs during data collection, before validation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Reporting Phase

CMMC Assessment Guide – Level 2 — Assessment Closure

===========

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

The CMMC Assessment Guide (Level 2) requires organizations to have a documented procedure for the identification and handling of unmarked potential CUI. The DoD guidance specifies that contractors cannot assume unmarked data is not CUI; instead, they must have a process to ensure unmarked potential CUI is handled properly until its classification is clarified.

Extract from Assessment Guide:

“Organizations must establish procedures for the handling of unmarked data that is suspected of being CUI. These procedures should define how unmarked information is protected until such time its status can be determined.”

Therefore, the correct answer is to have a procedure for proper handling of unlabeled data.

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.