CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

Practice AC.L2-3.1.3 requires that users are presented with privacy and security notices (system use notifications) at the point of system log-in to ensure that they are aware of authorized usage and monitoring.

Extract:

“Display privacy and security notices (system use notifications) before granting system access.”

Posters, alerts, or general awareness messages do not satisfy this practice because they are not tied directly to system access.

Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140-validated cryptography and access must be limited to authenticated users. This ensures confidentiality and integrity of CUI while preventing unauthorized wireless access.

Exact Extracts (official CMMC Assessor/Study documents):

SC.L2-3.13.13: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”

AC.L2-3.1.1 / 3.1.2: “Limit system access to authorized users… and authenticate the identities of those users.”

SC.L2-3.13.17: “Protect wireless access to the system using authentication and encryption.”

Assessment Guide clarifies: “Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users.”

Why other options are not correct:

A: Only requires encryption; does not address authenticated access, which is mandatory.

B: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.

D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp. 134–136).

NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.

To validate least functionality, the assessor must evaluate implementation (via security staff, admins, developers). Interviewing the policy author provides limited value since it does not confirm whether the policy is implemented in practice.

Extract:

“Assessors should confirm least functionality through interviews with individuals responsible for system configuration, security, and implementation. Policy documentation authors alone are not sufficient evidence.”

Thus, interviewing the policy writer is least useful.

When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance do not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.

Exact extracts:

“Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent.”

“Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable.”

Why the other options are incorrect:

A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.

C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.

D: CSP B does meet the criteria.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

To verify scanning (such as anti-virus and file integrity functions), the strongest evidence includes system configurations, AV alerts/logs, and interviews with technical staff. A policy document (System Information and Integrity Policy) provides intent but not actual implementation proof, making it the least helpful.

Extract:

“Policies provide documented intent, but assessors must validate actual implementation through configuration reviews, alerts/logs, and personnel interviews.”

Thus, the policy alone is the least useful evidence for confirming scans are actually performed.

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why A is Correct: Security guards are a recognized preventive and detective physical control to limit access to only authorized individuals. Guards can verify credentials, monitor behavior, and provide real-time deterrence.

Why Other Options Are Insufficient:

B (Cameras): Provide monitoring and evidence, but not direct access control.

C (Firewalls): A network control, not a physical access measure.

D (Partition walls): Barriers may help physically separate areas but do not control who enters.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Security Controls

===========

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP). The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.

The Physical Protection (PE) practices require both direct assessor observation of security controls and verification of how the OSC manages access to its cages/cabinets.

Extract:

“Assessors should observe and verify the effectiveness of physical access controls and confirm the OSC’s processes for maintaining control over restricted areas and assets.”

Thus, the best option is to physically visit the facility and review OSC’s key access management process.

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

To validate that remote access is routed through managed access control points, the assessor requires technical evidence, not just policy. The network diagram shows the design and routing of remote access through controlled points (e.g., VPN gateways), and VPN logs provide operational evidence that remote sessions are enforced through those points.

Exact Extracts:

AC.L2-3.1.14: “Route remote access through managed access control points.”

Assessment Objective (AC.L2-3.1.14[a]): “Remote access is routed through managed access control points.”

Assessment Method (Examine/Interview/Test): Requires network diagrams and remote access logs as evidence.

CMMC Assessment Guide specifies: “Network diagrams and supporting logs are required to demonstrate implementation of remote access routing.”

Why the other options are not correct:

B (policy/procedures): Policies describe intent, not proof of implementation.

C (SSP/vendor mgmt): SSPs provide system description but not direct evidence of enforcement.

D (cloud logs/hardware inventory): These do not specifically demonstrate remote access routing through managed points.

The CMMC Assessment Process (CAP) requires that when sensitive or proprietary materials are exchanged during an assessment, the OSC and the C3PAO should establish confidentiality protections through a Non-Disclosure Agreement (NDA).

Extract:

“OSC and C3PAOs are expected to execute a Non-Disclosure Agreement (NDA) to protect sensitive information such as proprietary, attorney-client privileged, or pre-patent materials shared during the assessment process.”

Thus, the NDA is the correct document.

The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets, even if outsourced to third parties.

Extract:

“Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope.”

Therefore, SOC and AV must be categorized as Security Protection Assets.

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

Contractor Risk Managed Assets (CRMA) are required to be identified in the System Security Plan (SSP) because the SSP must describe how each in-scope asset category is managed, including risk-based policies, procedures, and practices. Network diagrams and inventories alone are insufficient without documentation in the SSP.

Exact Extracts:

CMMC Scoping Guide: “Contractor Risk Managed Assets are part of the CMMC Assessment Scope and must be identified in the OSC’s SSP and supporting documentation.”

“The SSP must describe how the contractor manages risk for Contractor Risk Managed Assets.”

“The asset categories (CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) must be included in the SSP with supporting evidence.”

Why the other options are not correct:

A: Identification/authentication policy does not specifically require mention of CRMAs.

B: Physical protection policies address facility controls, not risk-managed assets.

C: Awareness training covers employees, not technical classification of assets.

D: Correct, because the SSP must explicitly document how CRMAs are managed using risk-based approaches.

CMMC Level 2 requires that network access to CUI systems be restricted to authorized users and devices. A guest network without password protection that connects directly into the LAN violates AC.L2-3.1.3 (Access Enforcement) and SC.L2-3.13.16 (Cryptographic protection) because unauthorized users may access OSC systems and CUI indirectly.

Exact Extracts:

AC.L2-3.1.3: “Control the flow of CUI by enforcing access restrictions.”

SC.L2-3.13.16: “Employ cryptographic mechanisms to protect confidentiality of CUI during transmission.”

Assessment Guide: “Guest wireless networks must be segmented and controlled to prevent unauthorized access to internal networks containing CUI.”

Why other options are not correct:

A: Additional assessment is irrelevant — issue is failure to meet requirements.

C/D: False — requirements clearly exist, and the OSC’s current setup fails them.

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is a key artifact in CMMC assessments involving MSPs or cloud service providers. It defines what security responsibilities belong to the OSC and which belong to the service provider. To evaluate the MSP’s impact, the assessor must review this matrix to understand boundaries of responsibility for CUI protection.

Exact extracts:

“When external service providers are included in the assessment boundary, organizations must provide documentation that specifies security responsibilities.”

“A Shared Responsibility Matrix (or Customer Responsibility Matrix) defines which controls are implemented by the OSC versus the external provider.”

“Assessors should request and review this matrix to understand division of responsibilities.”

Why the other options are incorrect:

A: Onsite MSP staff presence does not clarify responsibility for security controls.

C: Reviewing classification helps, but it does not explain responsibility allocation.

D: Policies/org charts do not establish shared control responsibilities.

The CAP and Scoping Guidance specify that the assessor must review both:

The contract — to confirm that the OSC’s CMMC requirements are flowed down to the ESP, and

The Shared Responsibility Matrix — to confirm responsibilities are clearly assigned between OSC and ESP.

Extract:

“Assessors must review contracts and shared responsibility matrices to ensure that OSC responsibilities and provider responsibilities are clearly defined, and that requirements are flowed down appropriately.”

Thus, option A is the most complete.

CMMC scoping focuses on assets that process, store, transmit, or protect CUI. A smoke detector connected to the OSC network is an IoT device with no impact on CUI, so it is considered Out-of-Scope. The other items (data centers used by the OSC, MSP SIEM tools, and MSP offices handling OSC management) all directly affect the OSC’s CUI environment and therefore fall within scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Security Protection Assets are those that provide security functions for CUI Assets.”

“External Service Providers (e.g., MSPs, data centers, SIEMs) that support CUI Assets are in-scope.”

“Assets that cannot affect the confidentiality of CUI (e.g., unrelated IoT devices) are considered Out-of-Scope.”

Expanded explanation:

Data centers (A): If OSC CUI is stored or processed there, they are in-scope.

SIEM tools (C): Provide security monitoring of OSC networks — a clear Security Protection Asset.

MSP office (D): MSPs providing services that affect CUI are in-scope, including their management locations.

Smoke detector (B): Despite being network-connected, it does not interact with CUI or provide protective functions; it is explicitly out-of-scope.

Why the other options are in scope:

They either process, protect, or manage CUI directly.

Excluding them would improperly narrow the assessment boundary.

The Examine method is used when the assessor reviews documents, policies, procedures, or system artifacts to validate practices.

Extract:

“Examine: Review, inspect, or analyze assessment objects such as documents, records, and policies to determine compliance with practice requirements.”

Reviewing the incident response plan falls directly under Examine.

Applicable Requirement: CM.L2-3.4.3 — “Track, review, approve/disapprove, and audit changes to organizational systems.”

Why CCB Minutes Are Correct (supports B):

Change Control Board (CCB) documentation includes impact analyses, approvals, disapprovals, and justification for system changes.

The CMMC Assessment Guide explicitly identifies CCB minutes and supporting records as primary evidence of compliance with change management practices.

Why Other Options Are Insufficient:

A (Vendor description): Provides information on the update, but does not show organizational review or approval.

C (Audit logs): Show when a change occurred, but not whether it was analyzed and approved beforehand.

D (Incident logs): Reflects results after implementation, but not the review/approval process.

Assessment Guidance Extract (NIST SP 800-171A, CM.L2-3.4.3):

Objectives include verifying that system changes are:

Documented,

Reviewed,

Approved/disapproved, and

Audited.

Evidence such as CCB minutes and approval records directly satisfies these objectives.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.3 (Change Management)

NIST SP 800-171A — Assessment Objectives for CM.L2-3.4.3

CMMC Assessment Guide – Level 2, Version 2.13 — Change Management evidence expectations

CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.

Exact Extracts (official CMMC Assessor/Study documents):

AU.L2-3.3.7: “Review and update logged events, as well as the audit log, at least weekly.”

AU.L2-3.3.6: “Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings.”

CMMC Level 2 Assessment Guide emphasizes: “Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function.”

NIST SP 800-171A states: “The frequency of review must be sufficient to detect anomalies in a timely manner… at least weekly is required.”

Why other options are not correct:

A: Report generation capability is not the compliance issue; frequency of review is.

B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.

D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56–60).

NIST SP 800-171A, Audit and Accountability objectives.

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.

The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.

Exact extracts:

“The assessment team must ensure confidentiality and non-attribution during interviews.”

“Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor.”

“Non-attribution is critical to elicit detailed and honest responses.”

Why the other options are incorrect:

A: Training matrices identify who is trained, not who should be interviewed.

C: NDAs are not a CCA responsibility — they are contractual, not assessment requirements.

D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.

Public-facing systems (such as web servers) must be separated from internal enterprise networks to limit exposure. CMMC (aligned with NIST SP 800-171 SC.L2-3.13.5 “Boundary Protection”) specifies that placing public servers into a demilitarized zone (DMZ) provides a security buffer and prevents direct access from the internet into the internal LAN.

Exact extracts:

“Publicly accessible systems should be placed on separate subnets or in DMZs.”

“Boundary protection devices should separate public servers from the enterprise network.”

“DMZs provide layered protection for internet-facing assets.”

Why the other options are incorrect:

A: Relocating the server physically does not provide network-layer security.

C: Firewall rules allowing only internal traffic would prevent public access, defeating the purpose of a public website.

D: Object reuse protections are unrelated to network boundary security.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The OSC remains responsible for ensuring that any External Service Provider (ESP) such as a CSP supports compliance with CMMC. FedRAMP authorization is evidence, but the OSC must still demonstrate that the CSP’s services are being used in a manner that complies with CMMC Level 2 requirements.

Extract:

“The OSC is responsible for demonstrating that services provided by external providers are implemented and operated in a manner that complies with CMMC requirements for the OSC’s environment.”

Therefore, the OSC must provide proof of compliance in their environment, not simply rely on FedRAMP documentation.

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

CMMC assessments are evidence-based. An offering cannot be accepted solely on reputation or assumptions of security. The OSC must provide adequate and sufficient evidence that the CSP offering meets CMMC requirements. Without evidence, the assessor cannot mark the practice as MET.

Exact Extracts:

CMMC Assessment Guide: “Assessment determinations must be based on objective evidence; absence of evidence results in a finding of NOT MET.”

“Evidence may include documentation, interviews, and tests but must be sufficient to confirm implementation.”

“Reciprocity is not granted for external offerings unless evidence is provided.”

Why other options are not correct:

A (reciprocity): CMMC does not allow blanket reciprocity for cloud offerings without validation.

B (training issue): Training is separate; the core issue is lack of evidence.

D (well-known CSP): Reputation alone is not evidence; objective evidence is required.

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

Applicable Requirement: CM.L2-3.4.1 — “Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

Why C is Correct: Baseline management requires documenting and tracking authorized deviations to ensure systems remain consistent with approved baselines. Evidence must show the OSC manages exceptions as part of its configuration management process.

Why Other Options Are Insufficient:

A: Physical safeguards protect images but do not demonstrate baseline management.

B: Reviews may be helpful, but deviations are explicitly required documentation.

D: Chain of custody applies to asset tracking, not baseline management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.1

NIST SP 800-171A — CM.L2-3.4.1 Assessment Objectives

CMMC Assessment Guide – Level 2, Baseline Configurations

===========

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets. Evidence from interviews showing exceptions means the practice is NOT MET.

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B.