CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.

Extract:

“Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management.”

Thus, the missing element is recorded management authorization.

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

When protecting backup data containing CUI, the requirement is to ensure confidentiality through logical or physical security controls appropriate to the sensitivity of CUI. Acceptable implementations include controlling access to CUI (AC family controls), physically securing media (MP family controls), and encrypting files or media (SC family controls). Merely implementing alternative physical controls for site access is insufficient because site access protections do not directly ensure the confidentiality of the backup media itself.

Exact Extracts (from official CMMC Assessor/Study documents and NIST SP 800-171A references):

SC.L2-3.13.16 (Encrypt CUI): “Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during storage and transmission unless otherwise protected by alternative physical safeguards.”

MP.L2-3.8.9 (Protect backup CUI): “Protect the confidentiality of backup CUI at storage locations.”

AC.L2-3.1.3 (Access enforcement): “Limit access to CUI on the basis of need-to-know to protect confidentiality.”

Physical security references (PE family): “Physical access controls provide general site protection but are not substitutes for encryption or media protection controls when CUI confidentiality is at risk.”

Why the other options are correct (acceptable methods):

B (Managing who has access to the information): Satisfies Access Control (AC) requirements that limit exposure of CUI only to authorized individuals.

C (Physically securing devices and media): Satisfies Media Protection (MP) requirements, ensuring CUI is stored securely and protected against unauthorized access.

D (Encrypting files or media): Directly satisfies System and Communications Protection (SC) requirements for confidentiality, a highly reliable method.

Why option A is least acceptable:

Alternative physical controls for site access protect buildings or rooms, but they do not directly safeguard backup media confidentiality. If backups are removed, lost, or accessed internally, site access controls alone cannot ensure confidentiality.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.16, MP.L2-3.8.9, AC.L2-3.1.3, and PE family discussion (pp. 93–96, 108–110, 125–127).

NIST SP 800-171A, Assessing Security Requirements for CUI: Related assessment objectives for protecting CUI backup confidentiality.

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)

Applicable Requirement: AC.L2-3.1.17 — “Authorize wireless access prior to allowing such connections.”

Correct Interpretation: Strong authentication and encryption methods (e.g., WPA2-Enterprise, WPA3-Enterprise) are required to protect wireless communications and enforce authorization.

Why C is Correct: WPA2-Enterprise uses 802.1X authentication (often with RADIUS), ensuring that only authorized users/devices can connect. This directly supports AC.L2-3.1.17.

Why Other Options Are Insufficient:

A (Layer 3 switch): Network hardware but not specifically a wireless access control mechanism.

B (IDS): Detects intrusions but does not prevent or authorize wireless access.

D (Frequency-hopping): Obsolete method, not aligned with modern encryption/authentication requirements.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.17

NIST SP 800-171A — AC.L2-3.1.17 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.17

===========

Applicable Requirement: CAP – Interview Guidance.

Why C is Correct: Interviews must be directed to personnel responsible for implementing, performing, or supporting practices to ensure accurate and objective evidence is collected.

Why Other Options Are Insufficient:

A: Yes/no questions do not provide sufficient evidence detail.

B: OSC personnel cannot ask themselves assessment questions; only assessors may conduct interviews.

D: Group interviews may be used in some cases, but CAP stresses targeted interviews for evidence reliability.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Interview Requirements

NIST SP 800-171A — Use of Interview as an Assessment Method

The Physical Protection (PE) Domain requires implementation of physical access controls to prevent unauthorized access to CUI systems. Simply trusting employees or sending communications is not sufficient. However, if the server is located inside a secondary restricted room that only the IT team can access, then adequate physical protection controls are still in place.

Extract from PE.L2-3.10.x (Physical Protection Practices):

“Organizations must limit physical access to systems, equipment, and environments that process, store, or transmit CUI to authorized individuals only.”

Thus, placing the server within an additional restricted access-controlled room ensures compliance, even if the outer door is propped open for cooling.

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Contractor Risk Managed Assets (CRMA) are required to be identified in the System Security Plan (SSP) because the SSP must describe how each in-scope asset category is managed, including risk-based policies, procedures, and practices. Network diagrams and inventories alone are insufficient without documentation in the SSP.

Exact Extracts:

CMMC Scoping Guide: “Contractor Risk Managed Assets are part of the CMMC Assessment Scope and must be identified in the OSC’s SSP and supporting documentation.”

“The SSP must describe how the contractor manages risk for Contractor Risk Managed Assets.”

“The asset categories (CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) must be included in the SSP with supporting evidence.”

Why the other options are not correct:

A: Identification/authentication policy does not specifically require mention of CRMAs.

B: Physical protection policies address facility controls, not risk-managed assets.

C: Awareness training covers employees, not technical classification of assets.

D: Correct, because the SSP must explicitly document how CRMAs are managed using risk-based approaches.

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

“Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.”

“Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets… If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.”

“Separation… is required only for Out-of-Scope Assets. Isolation can be achieved… by implementing subnetworks with firewalls or other boundary protection devices.”

“The CMMC Assessment Scope includes all assets in the OSA’s environment that will be assessed… OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.”

“An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined…”

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

References (official CCA/CMMC documents):

CMMC Assessment Scope – Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3–13).

CMMC Assessment Guide – Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1–4, 8–10).

The Shared Responsibility Matrix (Customer Responsibility Matrix) is a key artifact in CMMC assessments involving MSPs or cloud service providers. It defines what security responsibilities belong to the OSC and which belong to the service provider. To evaluate the MSP’s impact, the assessor must review this matrix to understand boundaries of responsibility for CUI protection.

Exact extracts:

“When external service providers are included in the assessment boundary, organizations must provide documentation that specifies security responsibilities.”

“A Shared Responsibility Matrix (or Customer Responsibility Matrix) defines which controls are implemented by the OSC versus the external provider.”

“Assessors should request and review this matrix to understand division of responsibilities.”

Why the other options are incorrect:

A: Onsite MSP staff presence does not clarify responsibility for security controls.

C: Reviewing classification helps, but it does not explain responsibility allocation.

D: Policies/org charts do not establish shared control responsibilities.

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

Applicable Requirement (CAP – Pre-Assessment Activities): Before the assessment, the team must confirm the assessment scope (systems, assets, CUI boundaries, and relevant environments). Without scoping, evidence identification and collection cannot be validated.

Why A is Correct: Identifying scope is the foundational requirement in the pre-assessment stage, as defined in the CMMC Assessment Process. Scope determines what systems, people, and assets are included in evidence collection.

Why Other Options Are Insufficient:

B: Verification of evidence occurs during assessment, not pre-assessment readiness.

C: Observations are recorded during on-site assessment, not beforehand.

D: Interview selection happens during evidence collection, after scope confirmation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Pre-Assessment Phase

CMMC Assessment Guide – Level 2, Pre-Assessment Readiness Activities

Applicable Requirement (CAP – Evidence Validity): Evidence must be relevant, reliable, and timely. Artifacts from separate entities or outdated sources require extra scrutiny.

Why D is Correct: The least reliable evidence is old (18 months) and produced by individuals not part of the OSC entity being assessed. Such artifacts require the most verification to determine applicability.

Why Other Options Are Insufficient:

A: Strongest evidence (current and from OSC staff).

B: Outdated, but still from OSC staff (more reliable than outside entity).

C: Current, but external (still stronger than outdated + external).

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Reliability Criteria

CMMC Assessment Guide – Level 2 — Acceptable Evidence

===========

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

The determining factor for whether an ESP is in scope is the services provided. If the ESP provides services that process, store, or transmit CUI or provide security protection functions, then the ESP is within scope. Other SLA components (intervals, penalties, measurements) are irrelevant to scope determination.

Exact Extracts:

CMMC Scoping Guide: “External Service Providers that provide services involving the storage, processing, or transmission of CUI or provide Security Protection Assets are considered in scope.”

“The OSC must identify in the SSP which services are provided by ESPs and how compliance is achieved.”

Why other options are not correct:

B (Intervals): Refers to timing of services, not scope relevance.

C (Penalties): Contract penalties are unrelated to CMMC scope.

D (Measurements): SLAs metrics do not determine scope.

Applicable CMMC/NIST Requirement: AC.L2-3.1.20 — “Verify and control/limit connections to and use of external systems.”

Isolation Not Required (refutes B): The requirement acknowledges that individuals using external systems (e.g., contractors, partners) may need to access organizational systems. In such cases, organizations must ensure those connections do not compromise or harm organizational systems. Therefore, complete isolation from all external systems is not mandated.

Policy Alone is Insufficient (refutes A): Assessment guidance requires mechanisms that technically enforce terms and conditions for use of external systems. A written employee policy by itself does not satisfy the requirement unless paired with technical enforcement (e.g., firewalls, connection rules).

Allow-lists & Firewalls are Best Practice (supports C): Assessment considerations specify that organizations should restrict external systems to an approved list, such as by using firewalls, VPNs, IP restrictions, or certificates. The company’s use of firewalls and a connection allow-list directly addresses this requirement.

Full Control of External Systems Not Required (refutes D): The definition of “external systems” clarifies that organizations typically do not have direct supervision or authority over those systems. The requirement is to limit and control connections to such systems, not to own or fully manage them.

Assessment Objectives for AC.L2-3.1.20 (from NIST SP 800-171A):

Connections to external systems are identified.

Use of external systems is identified.

Connections to external systems are verified.

Use of external systems is verified.

Connections to external systems are controlled/limited.

Use of external systems is controlled/limited.

Firewalls and allow-lists satisfy these verification and limitation requirements, enabling a CCA to mark the practice MET if evidence is present.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — §3.1.20 (Discussion)

NIST SP 800-171A — §3.1.20 (Assessment Objectives & Methods)

CMMC Assessment Guide – Level 2, Version 2.13 — AC.L2-3.1.20 (External Connections [CUI Data], including “Potential Assessment Considerations”)

In CMMC scoping, only assets that process, store, or transmit CUI (CUI Assets) or that can access them (Security Protection, Contractor Risk Managed, Specialized Assets) are in-scope. Since the SCADA system is firewalled off and does not handle CUI, it does not fall under CUI Asset classification and is considered Out-of-Scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Assets that do not process, store, or transmit CUI and have no connectivity to CUI Assets are considered Out-of-Scope.”

“Specialized Assets… are only in-scope if they process, store, or transmit CUI.”

Why the other options are incorrect:

A: Inclusion requires processing/storing/transmitting CUI.

C: OSC cannot arbitrarily bring unrelated systems into scope; CUI relevance governs scope.

D: Not all Specialized Assets are in-scope; only those with CUI interaction are.

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access, in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

The CMMC practices for cryptographic protection (SC.L2-3.13.11, SC.L2-3.13.8, etc.) require that cryptography protecting CUI must be FIPS-validated. The authoritative source for validation is the NIST Cryptographic Module Validation Program (CMVP).

Extract:

“To use cryptography in compliance with CMMC requirements, organizations must use modules validated under the NIST Cryptographic Module Validation Program (CMVP). The CMVP is the authoritative source to verify whether a cryptographic implementation is FIPS-validated.”

Vendor documentation or SSP claims alone cannot serve as authoritative proof. The CCA must consult the NIST CMVP validation list.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========

The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets, even if outsourced to third parties.

Extract:

“Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope.”

Therefore, SOC and AV must be categorized as Security Protection Assets.

The OSC (Organization Seeking Certification) is always responsible for meeting CMMC requirements, regardless of what responsibilities are shared or outsourced to an ESP. ESPs can provide inherited practices (e.g., FedRAMP Moderate for cloud CUI), but the OSC remains accountable for compliance under government mandates.

Exact Extracts:

CMMC Assessment Guide: “The OSC is the entity being assessed. While an ESP may provide inherited practices, the OSC retains ultimate responsibility for compliance.”

Scoping Guide: “External Service Providers may meet requirements on behalf of the OSC; however, it is the OSC that is assessed and must demonstrate sufficiency of evidence.”

Why other options are not correct:

A: Incorrect — ESPs that process CUI must meet FedRAMP Moderate equivalency, even if not directly assessed for CMMC.

B: While true, factoring documentation does not override that OSC remains accountable.

C: ESPs are not assessed at the same time as the OSC; only the OSC receives certification.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

AC.L2-3.1.7 (Privileged Functions) requires that execution of privileged functions be restricted to authorized privileged accounts. The best evidence is an access list demonstrating who is allowed privileged access.

Extract:

“Limit the use of privileged functions to authorized users. Assessors should review access control lists or equivalent evidence to verify only privileged accounts have privileged permissions.”

Thus, the best next step is to examine a user access list for authorized privileged users.

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.

To validate least functionality, the assessor must evaluate implementation (via security staff, admins, developers). Interviewing the policy author provides limited value since it does not confirm whether the policy is implemented in practice.

Extract:

“Assessors should confirm least functionality through interviews with individuals responsible for system configuration, security, and implementation. Policy documentation authors alone are not sufficient evidence.”

Thus, interviewing the policy writer is least useful.

CMMC scoping focuses on assets that process, store, transmit, or protect CUI. A smoke detector connected to the OSC network is an IoT device with no impact on CUI, so it is considered Out-of-Scope. The other items (data centers used by the OSC, MSP SIEM tools, and MSP offices handling OSC management) all directly affect the OSC’s CUI environment and therefore fall within scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Security Protection Assets are those that provide security functions for CUI Assets.”

“External Service Providers (e.g., MSPs, data centers, SIEMs) that support CUI Assets are in-scope.”

“Assets that cannot affect the confidentiality of CUI (e.g., unrelated IoT devices) are considered Out-of-Scope.”

Expanded explanation:

Data centers (A): If OSC CUI is stored or processed there, they are in-scope.

SIEM tools (C): Provide security monitoring of OSC networks — a clear Security Protection Asset.

MSP office (D): MSPs providing services that affect CUI are in-scope, including their management locations.

Smoke detector (B): Despite being network-connected, it does not interact with CUI or provide protective functions; it is explicitly out-of-scope.

Why the other options are in scope:

They either process, protect, or manage CUI directly.

Excluding them would improperly narrow the assessment boundary.

Verification of physical access controls under PE.L2-3.10.3: Physical Access Control requires evidence from records, logs, and audit trails. Reviewing access logs provides direct confirmation of which badge types grant entry into controlled areas. SOPs or interviews may support the claim but are indirect; testing physical entry is not an approved method for CCAs.

Exact extracts:

“Assessment Methods – Examine: access control policy; physical access control system records; physical access audit logs.”

“Assessment Methods – Interview: staff may be interviewed, but interviews must be supported by documentary evidence.”

“Testing physical entry by assessors is not an authorized assessment method.”

Why the other options are incorrect:

A/B: Interviews or SOP reviews may provide supporting context, but they do not prove operational badge restrictions.

D: Assessors are prohibited from attempting physical bypass or entry tests.

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope.

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.

The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence. Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.

Exact Extracts:

CMMC Assessment Guide: “The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities.”

“The assessment team members carry out activities as directed by the Lead Assessor.”

“The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions.”

Why other options are not correct:

B: Team members execute tasks but do not define methods and responsibilities.

C: Quality Oversight Managers review assessments after completion, not during planning.

D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.