CMMC-CCA Certified CMMC Assessor (CCA) Exam Question and Answers

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope.

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.

The Examine method is used when the assessor reviews documents, policies, procedures, or system artifacts to validate practices.

Extract:

“Examine: Review, inspect, or analyze assessment objects such as documents, records, and policies to determine compliance with practice requirements.”

Reviewing the incident response plan falls directly under Examine.

CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.

Exact Extracts (official CMMC Assessor/Study documents):

AU.L2-3.3.7: “Review and update logged events, as well as the audit log, at least weekly.”

AU.L2-3.3.6: “Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings.”

CMMC Level 2 Assessment Guide emphasizes: “Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function.”

NIST SP 800-171A states: “The frequency of review must be sufficient to detect anomalies in a timely manner… at least weekly is required.”

Why other options are not correct:

A: Report generation capability is not the compliance issue; frequency of review is.

B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.

D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56–60).

NIST SP 800-171A, Audit and Accountability objectives.

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets. Evidence from interviews showing exceptions means the practice is NOT MET.

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B.

When protecting backup data containing CUI, the requirement is to ensure confidentiality through logical or physical security controls appropriate to the sensitivity of CUI. Acceptable implementations include controlling access to CUI (AC family controls), physically securing media (MP family controls), and encrypting files or media (SC family controls). Merely implementing alternative physical controls for site access is insufficient because site access protections do not directly ensure the confidentiality of the backup media itself.

Exact Extracts (from official CMMC Assessor/Study documents and NIST SP 800-171A references):

SC.L2-3.13.16 (Encrypt CUI): “Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during storage and transmission unless otherwise protected by alternative physical safeguards.”

MP.L2-3.8.9 (Protect backup CUI): “Protect the confidentiality of backup CUI at storage locations.”

AC.L2-3.1.3 (Access enforcement): “Limit access to CUI on the basis of need-to-know to protect confidentiality.”

Physical security references (PE family): “Physical access controls provide general site protection but are not substitutes for encryption or media protection controls when CUI confidentiality is at risk.”

Why the other options are correct (acceptable methods):

B (Managing who has access to the information): Satisfies Access Control (AC) requirements that limit exposure of CUI only to authorized individuals.

C (Physically securing devices and media): Satisfies Media Protection (MP) requirements, ensuring CUI is stored securely and protected against unauthorized access.

D (Encrypting files or media): Directly satisfies System and Communications Protection (SC) requirements for confidentiality, a highly reliable method.

Why option A is least acceptable:

Alternative physical controls for site access protect buildings or rooms, but they do not directly safeguard backup media confidentiality. If backups are removed, lost, or accessed internally, site access controls alone cannot ensure confidentiality.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.16, MP.L2-3.8.9, AC.L2-3.1.3, and PE family discussion (pp. 93–96, 108–110, 125–127).

NIST SP 800-171A, Assessing Security Requirements for CUI: Related assessment objectives for protecting CUI backup confidentiality.

Applicable Requirement: AC.L2-3.1.7 — “Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.”

Correct Interpretation:

A non-privileged (standard) user should be prevented from performing privileged functions (e.g., uninstalling security software).

The attempt must be logged to provide traceability and support accountability.

Why C is Correct: It demonstrates both prevention (software not uninstalled) and auditing (attempt captured in a log), exactly matching the practice.

Why Other Options Are Insufficient:

A: Prevention is shown, but there is no evidence of logging.

B: Function was not prevented, so requirement not met.

D: Logging exists, but privileged action was not prevented.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.7

NIST SP 800-171A — AC.L2-3.1.7 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.7

===========

To validate least functionality, the assessor must evaluate implementation (via security staff, admins, developers). Interviewing the policy author provides limited value since it does not confirm whether the policy is implemented in practice.

Extract:

“Assessors should confirm least functionality through interviews with individuals responsible for system configuration, security, and implementation. Policy documentation authors alone are not sufficient evidence.”

Thus, interviewing the policy writer is least useful.

The Access Control (AC) domain governs remote access, privileged access, and VPN controls. Documents describing how VPNs are controlled, monitored, and restricted fall under the Access Control Policy.

Extract:

“Access Control practices include the management of remote connections, monitoring of sessions, and enforcement of VPN controls.”

Thus, the correct document is the Access Control Policy.

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access, in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

Applicable CMMC/NIST Requirement: AC.L2-3.1.20 — “Verify and control/limit connections to and use of external systems.”

Isolation Not Required (refutes B): The requirement acknowledges that individuals using external systems (e.g., contractors, partners) may need to access organizational systems. In such cases, organizations must ensure those connections do not compromise or harm organizational systems. Therefore, complete isolation from all external systems is not mandated.

Policy Alone is Insufficient (refutes A): Assessment guidance requires mechanisms that technically enforce terms and conditions for use of external systems. A written employee policy by itself does not satisfy the requirement unless paired with technical enforcement (e.g., firewalls, connection rules).

Allow-lists & Firewalls are Best Practice (supports C): Assessment considerations specify that organizations should restrict external systems to an approved list, such as by using firewalls, VPNs, IP restrictions, or certificates. The company’s use of firewalls and a connection allow-list directly addresses this requirement.

Full Control of External Systems Not Required (refutes D): The definition of “external systems” clarifies that organizations typically do not have direct supervision or authority over those systems. The requirement is to limit and control connections to such systems, not to own or fully manage them.

Assessment Objectives for AC.L2-3.1.20 (from NIST SP 800-171A):

Connections to external systems are identified.

Use of external systems is identified.

Connections to external systems are verified.

Use of external systems is verified.

Connections to external systems are controlled/limited.

Use of external systems is controlled/limited.

Firewalls and allow-lists satisfy these verification and limitation requirements, enabling a CCA to mark the practice MET if evidence is present.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — §3.1.20 (Discussion)

NIST SP 800-171A — §3.1.20 (Assessment Objectives & Methods)

CMMC Assessment Guide – Level 2, Version 2.13 — AC.L2-3.1.20 (External Connections [CUI Data], including “Potential Assessment Considerations”)

The Assessment Plan (planning agreement) must be signed by both the Lead Assessor and the OSC Assessment Official. This formalizes agreement on scope, resources, and methodology. The C3PAO is responsible for overall oversight but does not co-sign the plan.

Exact extracts:

“The Lead Assessor is responsible for developing the Assessment Plan in collaboration with the OSC Assessment Official.”

“Both the Lead Assessor and the OSC Assessment Official must sign the Assessment Plan to proceed.”

“The C3PAO maintains responsibility for quality assurance and submission, but not signing.”

Why other options are incorrect:

A/B: Both signatures are required, not one alone.

D: The C3PAO does not sign the planning agreement.

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

Applicable Requirement: CM.L2-3.4.3 — “Track, review, approve/disapprove, and audit changes to organizational systems.”

Why CCB Minutes Are Correct (supports B):

Change Control Board (CCB) documentation includes impact analyses, approvals, disapprovals, and justification for system changes.

The CMMC Assessment Guide explicitly identifies CCB minutes and supporting records as primary evidence of compliance with change management practices.

Why Other Options Are Insufficient:

A (Vendor description): Provides information on the update, but does not show organizational review or approval.

C (Audit logs): Show when a change occurred, but not whether it was analyzed and approved beforehand.

D (Incident logs): Reflects results after implementation, but not the review/approval process.

Assessment Guidance Extract (NIST SP 800-171A, CM.L2-3.4.3):

Objectives include verifying that system changes are:

Documented,

Reviewed,

Approved/disapproved, and

Audited.

Evidence such as CCB minutes and approval records directly satisfies these objectives.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.3 (Change Management)

NIST SP 800-171A — Assessment Objectives for CM.L2-3.4.3

CMMC Assessment Guide – Level 2, Version 2.13 — Change Management evidence expectations

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets, even if outsourced to third parties.

Extract:

“Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope.”

Therefore, SOC and AV must be categorized as Security Protection Assets.

According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.

Extract from CMMC Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

The Scoping Guidance for Specialized Assets allows exclusion of assets when they are physically and logically isolated from the CMMC assessment boundary and do not process, store, or transmit CUI.

Extract from CMMC Scoping Guidance:

“Specialized Assets may be designated as out-of-scope if they are physically or logically separated from CUI assets, or if they are inherently unable to process, store, or transmit CUI.”

The camera system in this case does not interact with CUI and is fully isolated, making exclusion appropriate.

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).

Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never “authenticated as a prerequisite to access.” Authentication applies to users, devices, and processes, not cryptographic modules themselves.

Why A, B, C are Correct Considerations:

Devices must be authorized before connecting.

Processes acting on behalf of a user must be authenticated.

Users must be authorized prior to access. These are all directly mapped to AC and IA domains.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IA and SC requirements

NIST SP 800-171A — Assessment Objectives for AC/IA wireless and cloud access

CMMC Assessment Guide – Level 2, Cloud/ESP Considerations

===========

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented.

When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance do not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.

Exact extracts:

“Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent.”

“Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable.”

Why the other options are incorrect:

A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.

C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.

D: CSP B does meet the criteria.

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

Contractor Risk Managed Assets (CRMA) are required to be identified in the System Security Plan (SSP) because the SSP must describe how each in-scope asset category is managed, including risk-based policies, procedures, and practices. Network diagrams and inventories alone are insufficient without documentation in the SSP.

Exact Extracts:

CMMC Scoping Guide: “Contractor Risk Managed Assets are part of the CMMC Assessment Scope and must be identified in the OSC’s SSP and supporting documentation.”

“The SSP must describe how the contractor manages risk for Contractor Risk Managed Assets.”

“The asset categories (CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) must be included in the SSP with supporting evidence.”

Why the other options are not correct:

A: Identification/authentication policy does not specifically require mention of CRMAs.

B: Physical protection policies address facility controls, not risk-managed assets.

C: Awareness training covers employees, not technical classification of assets.

D: Correct, because the SSP must explicitly document how CRMAs are managed using risk-based approaches.

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.