CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.

Exact extracts:

“The assessment team must ensure confidentiality and non-attribution during interviews.”

“Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor.”

“Non-attribution is critical to elicit detailed and honest responses.”

Why the other options are incorrect:

A: Training matrices identify who is trained, not who should be interviewed.

C: NDAs are not a CCA responsibility — they are contractual, not assessment requirements.

D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP) . The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.

The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets , even if outsourced to third parties.

Extract:

“Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope.”

Therefore, SOC and AV must be categorized as Security Protection Assets .

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

Malicious code protection is typically implemented and managed by system or network administrators , who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3) , which requires organizations to escort visitors and monitor visitor activity . To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link , which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

The control PS.L2-3.9.1: Screen Individuals requires that individuals be screened before authorizing access to organizational systems and CUI . Since employees are assigned to work immediately upon hire, before screenings are complete, this practice is NOT MET . Completing screenings within the first week does not satisfy the requirement.

Exact extracts:

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

“Assessment Objectives … Determine if: [a] individuals requiring access to CUI are screened before access is granted.”

“It is not sufficient for screening to occur after access has been authorized.”

Why the other options are incorrect:

A: Remediation may be possible, but scoring must be NOT MET .

B: A single practice being NOT MET does not automatically cause assessment failure (depends on aggregate score).

C: HR responsibility does not excuse failure to complete screening before granting access.

For AC.L2-3.1.7 (Restrict Use of Privileged Accounts) , it is not enough to rely on interviews or documented procedures. The assessor must also Examine technical evidence to ensure that privileged accounts exist as described and are properly controlled. Reviewing system architecture, account listings, and role assignments validates that privileged access aligns with policy and that inappropriate assignments do not exist.

Exact extracts:

“Assessment Objectives … Determine if: privileged accounts are identified; privileged functions are restricted to privileged accounts; and use of privileged accounts is monitored.”

“Assessment Methods – Examine: account management policy; system architecture documentation; system security plan; privileged account listings.”

“Assessment Methods – Test: attempt to use non-privileged accounts to execute privileged functions.”

Expanded explanation:

Assessors typically proceed in layers:

Interview : Confirm staff knowledge of policy and practice.

Examine : Verify account structures in system architecture or AD group membership lists. This ensures the number and type of privileged accounts match staff descriptions.

Test (if required): Confirm that non-privileged users cannot perform privileged actions.

Why other options are incorrect:

B: Testing non-privileged accounts is useful but is not the next immediate validation step after confirming policy/procedures. Examination comes first.

C: This phrasing implies giving privileged roles to non-privileged functions, which would itself be a finding.

D: Testing with privileged users verifies activity monitoring, but not whether privileged accounts are properly scoped.

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope .

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access , in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

When External Service Providers are used, the OSC can inherit practices from the ESP if sufficient evidence is provided (such as FedRAMP authorization or equivalent). The Lead Assessor must verify which controls are noted as inherited , as these are assessed differently from controls implemented directly by the OSC.

Exact Extracts:

CMMC Assessment Guide: “An OSC may inherit practices from External Service Providers when those providers demonstrate equivalent compliance (e.g., FedRAMP Moderate for CUI).”

“Assessors must review documentation that identifies which practices are inherited, partially implemented, or implemented internally.”

CMMC Scoping Guide: “Inherited controls must be clearly documented by the OSC in the SSP.”

Why the other options are not correct:

B: Waivers are not part of CMMC assessments.

C: “Not Applicable” does not apply to ESP involvement; they either provide inherited practices or not.

D: “Partially implemented” indicates deficiencies, not proper inheritance.

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of “reasonableness” is not an approved assessment method.

C: Identifying authors does not validate implementation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Triangulation

CMMC Assessment Guide – Level 2, Section on Evidence Requirements

NIST SP 800-171A — Assessment Methods: examine, interview, observe

Applicable Requirement: CAP – Assessment Execution Phase.

Why D is Correct: After scoring and validating preliminary results, the next step is to finalize and record recommended final findings for submission. This closes the assessment process and supports certification decisions.

Why Other Options Are Insufficient:

A: Scope determination occurs in planning, not after validation.

B: Results are delivered after finalization, not immediately after validation.

C: Considering additional evidence occurs during data collection, before validation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Reporting Phase

CMMC Assessment Guide – Level 2 — Assessment Closure

===========

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets .

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B .

Applicable Requirement: SC.L2-3.13.16 — “Protect the confidentiality of CUI at rest.”

Why D is Correct: Cryptographic mechanisms (e.g., full-disk encryption, database encryption, file encryption) provide the strongest protection for information at rest by preventing unauthorized disclosure if systems or media are accessed.

Why Other Options Are Insufficient:

A (Patching): Protects against vulnerabilities, but not specific to data-at-rest confidentiality.

B (File share): Provides a storage method, not protection.

C (Secure offline storage): Helps physically, but not sufficient for digital confidentiality without encryption.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.16

NIST SP 800-171A — SC.L2-3.13.16 Assessment Objectives

CMMC Assessment Guide – Level 2, Data at Rest Protection

===========

The CMMC Assessment Process (CAP) states that deficiency correction is not permitted during the assessment . Practices must be evaluated based on their implementation at the time of assessment . If the OSC corrects deficiencies after assessment activities have begun, the changes cannot be considered in the scoring.

Extract:

“Deficiency correction during the assessment is not permitted. Practices are scored based on evidence available at the time of assessment activities.”

Thus, the correct next step is to score the practice as NOT MET .

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution :

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA & Ms. Practices on the DoD’s Authorized POA & M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA & Ms.”

“POA & Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA & M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets . Evidence from interviews showing exceptions means the practice is NOT MET .

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B .

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment . The presence of CUI drives the assessment requirement to CMMC Level 2 , regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.

The Physical Protection (PE) practices require both direct assessor observation of security controls and verification of how the OSC manages access to its cages/cabinets.

Extract:

“Assessors should observe and verify the effectiveness of physical access controls and confirm the OSC’s processes for maintaining control over restricted areas and assets.”

Thus, the best option is to physically visit the facility and review OSC’s key access management process.

The CMMC Scoping Guidance defines Specialized Assets (e.g., OT, IoT, test equipment, manufacturing machines) that may process CUI but do not always meet traditional IT security requirements. These assets are still within scope and must be documented and assessed as Specialized Assets.

Extract:

“Specialized Assets are defined as operational technology, IoT, test equipment, and similar devices that may process CUI but cannot be secured in the same manner as standard assets. They remain in-scope for the assessment.”

Thus, waterjet machines are Specialized Assets in scope .

Applicable Requirement (CAP – Evidence Validity): Evidence must be relevant, reliable, and timely. Artifacts from separate entities or outdated sources require extra scrutiny.

Why D is Correct: The least reliable evidence is old (18 months) and produced by individuals not part of the OSC entity being assessed. Such artifacts require the most verification to determine applicability.

Why Other Options Are Insufficient:

A: Strongest evidence (current and from OSC staff).

B: Outdated, but still from OSC staff (more reliable than outside entity).

C: Current, but external (still stronger than outdated + external).

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Reliability Criteria

CMMC Assessment Guide – Level 2 — Acceptable Evidence

===========

When protecting backup data containing CUI, the requirement is to ensure confidentiality through logical or physical security controls appropriate to the sensitivity of CUI . Acceptable implementations include controlling access to CUI (AC family controls), physically securing media (MP family controls), and encrypting files or media (SC family controls) . Merely implementing alternative physical controls for site access is insufficient because site access protections do not directly ensure the confidentiality of the backup media itself.

Exact Extracts (from official CMMC Assessor/Study documents and NIST SP 800-171A references):

SC.L2-3.13.16 (Encrypt CUI): “Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during storage and transmission unless otherwise protected by alternative physical safeguards.”

MP.L2-3.8.9 (Protect backup CUI): “Protect the confidentiality of backup CUI at storage locations.”

AC.L2-3.1.3 (Access enforcement): “Limit access to CUI on the basis of need-to-know to protect confidentiality.”

Physical security references (PE family): “Physical access controls provide general site protection but are not substitutes for encryption or media protection controls when CUI confidentiality is at risk.”

Why the other options are correct (acceptable methods):

B (Managing who has access to the information): Satisfies Access Control (AC) requirements that limit exposure of CUI only to authorized individuals.

C (Physically securing devices and media): Satisfies Media Protection (MP) requirements , ensuring CUI is stored securely and protected against unauthorized access.

D (Encrypting files or media): Directly satisfies System and Communications Protection (SC) requirements for confidentiality, a highly reliable method.

Why option A is least acceptable:

Alternative physical controls for site access protect buildings or rooms, but they do not directly safeguard backup media confidentiality . If backups are removed, lost, or accessed internally, site access controls alone cannot ensure confidentiality.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.16, MP.L2-3.8.9, AC.L2-3.1.3, and PE family discussion (pp. 93–96, 108–110, 125–127).

NIST SP 800-171A, Assessing Security Requirements for CUI: Related assessment objectives for protecting CUI backup confidentiality.

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted . According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets . Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope .

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope. ”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

The CMMC practices for cryptographic protection (SC.L2-3.13.11, SC.L2-3.13.8, etc.) require that cryptography protecting CUI must be FIPS-validated . The authoritative source for validation is the NIST Cryptographic Module Validation Program (CMVP) .

Extract:

“To use cryptography in compliance with CMMC requirements, organizations must use modules validated under the NIST Cryptographic Module Validation Program (CMVP). The CMVP is the authoritative source to verify whether a cryptographic implementation is FIPS-validated.”

Vendor documentation or SSP claims alone cannot serve as authoritative proof. The CCA must consult the NIST CMVP validation list .

During the planning phase , the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation , not general planning.

CMMC assessments are evidence-based . An offering cannot be accepted solely on reputation or assumptions of security. The OSC must provide adequate and sufficient evidence that the CSP offering meets CMMC requirements. Without evidence, the assessor cannot mark the practice as MET.

Exact Extracts:

CMMC Assessment Guide: “Assessment determinations must be based on objective evidence ; absence of evidence results in a finding of NOT MET.”

“Evidence may include documentation, interviews, and tests but must be sufficient to confirm implementation.”

“Reciprocity is not granted for external offerings unless evidence is provided.”

Why other options are not correct:

A (reciprocity): CMMC does not allow blanket reciprocity for cloud offerings without validation.

B (training issue): Training is separate; the core issue is lack of evidence .

D (well-known CSP): Reputation alone is not evidence; objective evidence is required.

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network . This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

Access Control (AC): Wi-Fi access must be restricted to authorized users and devices. CMMC Level 2 incorporates NIST SP 800-171 AC requirements to limit and control access to systems and resources.

Identification and Authentication (IA): Wireless access requires authentication to ensure only authorized individuals/devices can connect (e.g., WPA2-Enterprise, certificates, or strong passwords).

System and Communications Protection (SC): Wi-Fi encryption and secure configuration protect data-in-transit from interception or unauthorized disclosure.

Why Other Options Are Incorrect:

A (MP, AC, PE): Media protection and physical protection are not primary domains for Wi-Fi configuration.

B (IA, MP, SI): Media protection and system/information integrity do not directly address Wi-Fi security.

D (SC, SI, PE): Physical and integrity controls are not central to wireless access security.

References (CCA Official Sources):

CMMC Model v2.0 — Domains AC, IA, SC

NIST SP 800-171 Rev. 2 — AC.L2-3.1.1, IA.L2-3.5.3, SC.L2-3.13.8 (wireless access, identification/authentication, protection of communications)

NIST SP 800-171A — Associated assessment objectives verifying Wi-Fi control and encryption

===========

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term " ongoing basis " implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria . The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO , which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled . There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if: • remote access methods are identified; • remote access is authorized prior to allowing such connections; • remote access sessions are controlled; and • cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans” ). However, when an OSC uses an External Service Provider (ESP) , the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces