CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment. The presence of CUI drives the assessment requirement to CMMC Level 2, regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

If an OSC wishes to separate environments that process FCI from those that process CUI, they may pursue two separate CMMC certifications (Level 1 for FCI and Level 2 for CUI). A single certification cannot cover both environments unless all requirements for the higher level are met across the entire enterprise.

Exact Extracts:

CMMC Assessment Guide: “An OSC may choose to undergo multiple CMMC certification activities if they wish to limit scope between FCI and CUI environments.”

“Level 1 applies to safeguarding FCI, while Level 2 applies to CUI; separate certifications may be pursued if the OSC chooses to segregate these environments.”

Why the other options are not correct:

A: A single certification would require all assets to meet Level 2 controls, which may not be the OSC’s intent.

C: Defining scope for FCI only aligns with Level 1, but this does not meet Level 2 certification requirements for CUI.

D: A self-assessment scope only applies to Level 1 assessments, not Level 2 third-party certification.

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access, in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.

The Physical Protection (PE) Domain requires implementation of physical access controls to prevent unauthorized access to CUI systems. Simply trusting employees or sending communications is not sufficient. However, if the server is located inside a secondary restricted room that only the IT team can access, then adequate physical protection controls are still in place.

Extract from PE.L2-3.10.x (Physical Protection Practices):

“Organizations must limit physical access to systems, equipment, and environments that process, store, or transmit CUI to authorized individuals only.”

Thus, placing the server within an additional restricted access-controlled room ensures compliance, even if the outer door is propped open for cooling.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The CMMC Assessment Process (CAP) defines four methods: Examine, Interview, Test, and Observe.

Interview Method: Involves discussions with personnel to gather evidence about the implementation of practices.

In this case, the CCA is discussing with the system administrator to understand processes, which clearly aligns with the Interview method.

Extract:

“Interview: The assessor uses discussions with personnel to obtain evidence about how practices are implemented within the OSC’s environment.”

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

The CAP requires that prior to the assessment, the Lead Assessor submit documentation confirming that Assessment Team members have no conflicts of interest and meet qualification requirements. This is recorded through the Absence of Conflict of Interest and Confirmation Statement.

Extract:

“Before assessment initiation, the C3PAO must provide confirmation to the Cyber-AB that all Assessment Team members have declared absence of conflict of interest and are confirmed to participate.”

Thus, the required submission is the Absence of Conflict of Interest and Confirmation Statement.

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP). The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.

The CMMC Assessment Guide (Level 2) requires organizations to have a documented procedure for the identification and handling of unmarked potential CUI. The DoD guidance specifies that contractors cannot assume unmarked data is not CUI; instead, they must have a process to ensure unmarked potential CUI is handled properly until its classification is clarified.

Extract from Assessment Guide:

“Organizations must establish procedures for the handling of unmarked data that is suspected of being CUI. These procedures should define how unmarked information is protected until such time its status can be determined.”

Therefore, the correct answer is to have a procedure for proper handling of unlabeled data.

Applicable Requirement (CAP – Evidence Validity): Evidence must be relevant, reliable, and timely. Artifacts from separate entities or outdated sources require extra scrutiny.

Why D is Correct: The least reliable evidence is old (18 months) and produced by individuals not part of the OSC entity being assessed. Such artifacts require the most verification to determine applicability.

Why Other Options Are Insufficient:

A: Strongest evidence (current and from OSC staff).

B: Outdated, but still from OSC staff (more reliable than outside entity).

C: Current, but external (still stronger than outdated + external).

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Reliability Criteria

CMMC Assessment Guide – Level 2 — Acceptable Evidence

===========

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

CMMC assessments are evidence-based. An offering cannot be accepted solely on reputation or assumptions of security. The OSC must provide adequate and sufficient evidence that the CSP offering meets CMMC requirements. Without evidence, the assessor cannot mark the practice as MET.

Exact Extracts:

CMMC Assessment Guide: “Assessment determinations must be based on objective evidence; absence of evidence results in a finding of NOT MET.”

“Evidence may include documentation, interviews, and tests but must be sufficient to confirm implementation.”

“Reciprocity is not granted for external offerings unless evidence is provided.”

Why other options are not correct:

A (reciprocity): CMMC does not allow blanket reciprocity for cloud offerings without validation.

B (training issue): Training is separate; the core issue is lack of evidence.

D (well-known CSP): Reputation alone is not evidence; objective evidence is required.

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.

Extract from CMMC Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.

The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”

NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”

Why other options are not correct:

A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.

B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.

D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

When External Service Providers are used, the OSC can inherit practices from the ESP if sufficient evidence is provided (such as FedRAMP authorization or equivalent). The Lead Assessor must verify which controls are noted as inherited, as these are assessed differently from controls implemented directly by the OSC.

Exact Extracts:

CMMC Assessment Guide: “An OSC may inherit practices from External Service Providers when those providers demonstrate equivalent compliance (e.g., FedRAMP Moderate for CUI).”

“Assessors must review documentation that identifies which practices are inherited, partially implemented, or implemented internally.”

CMMC Scoping Guide: “Inherited controls must be clearly documented by the OSC in the SSP.”

Why the other options are not correct:

B: Waivers are not part of CMMC assessments.

C: “Not Applicable” does not apply to ESP involvement; they either provide inherited practices or not.

D: “Partially implemented” indicates deficiencies, not proper inheritance.

The CMMC Assessment Process (CAP) states that deficiency correction is not permitted during the assessment. Practices must be evaluated based on their implementation at the time of assessment. If the OSC corrects deficiencies after assessment activities have begun, the changes cannot be considered in the scoring.

Extract:

“Deficiency correction during the assessment is not permitted. Practices are scored based on evidence available at the time of assessment activities.”

Thus, the correct next step is to score the practice as NOT MET.

The Examine assessment method requires the assessor to review policies, processes, and procedures that are finalized and approved, not drafts or informal materials. This ensures the OSC has formally documented, management-approved artifacts supporting each practice. Drafts, in-process training materials, or incomplete diagrams do not satisfy the “Examine” method requirements.

Exact extracts:

“Examine: Review, inspect, and analyze assessment objects, such as policies, procedures, and system documentation.”

“Examine requires finalized artifacts; draft or incomplete materials do not constitute valid evidence.”

Why the other options are incorrect:

A: “Mailed form” is irrelevant — only completeness and approval matter.

C: Training materials are not substitutes for policy/process evidence.

D: Draft diagrams do not satisfy final documentation requirements.

The determining factor for whether an ESP is in scope is the services provided. If the ESP provides services that process, store, or transmit CUI or provide security protection functions, then the ESP is within scope. Other SLA components (intervals, penalties, measurements) are irrelevant to scope determination.

Exact Extracts:

CMMC Scoping Guide: “External Service Providers that provide services involving the storage, processing, or transmission of CUI or provide Security Protection Assets are considered in scope.”

“The OSC must identify in the SSP which services are provided by ESPs and how compliance is achieved.”

Why other options are not correct:

B (Intervals): Refers to timing of services, not scope relevance.

C (Penalties): Contract penalties are unrelated to CMMC scope.

D (Measurements): SLAs metrics do not determine scope.

The CMMC Assessment Process (CAP) defines the logical order:

After collecting and examining evidence, the next step is to determine and record initial practice scores (MET, NOT MET, or NA).

Only after practice scoring is completed are findings validated and aggregated into final recommended results.

Extract:

“Following evidence collection and review, assessors determine and record the practice status (MET/NOT MET/NA) before compiling results into final recommendations.”

Applicable Requirement: CAP – Interview Guidance.

Why C is Correct: Interviews must be directed to personnel responsible for implementing, performing, or supporting practices to ensure accurate and objective evidence is collected.

Why Other Options Are Insufficient:

A: Yes/no questions do not provide sufficient evidence detail.

B: OSC personnel cannot ask themselves assessment questions; only assessors may conduct interviews.

D: Group interviews may be used in some cases, but CAP stresses targeted interviews for evidence reliability.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Interview Requirements

NIST SP 800-171A — Use of Interview as an Assessment Method

Applicable Requirement: SC.L2-3.13.16 — “Protect the confidentiality of CUI at rest.”

Why D is Correct: Cryptographic mechanisms (e.g., full-disk encryption, database encryption, file encryption) provide the strongest protection for information at rest by preventing unauthorized disclosure if systems or media are accessed.

Why Other Options Are Insufficient:

A (Patching): Protects against vulnerabilities, but not specific to data-at-rest confidentiality.

B (File share): Provides a storage method, not protection.

C (Secure offline storage): Helps physically, but not sufficient for digital confidentiality without encryption.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.16

NIST SP 800-171A — SC.L2-3.13.16 Assessment Objectives

CMMC Assessment Guide – Level 2, Data at Rest Protection

===========

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

“Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.”

“Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets… If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.”

“Separation… is required only for Out-of-Scope Assets. Isolation can be achieved… by implementing subnetworks with firewalls or other boundary protection devices.”

“The CMMC Assessment Scope includes all assets in the OSA’s environment that will be assessed… OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.”

“An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined…”

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

References (official CCA/CMMC documents):

CMMC Assessment Scope – Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3–13).

CMMC Assessment Guide – Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1–4, 8–10).

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

For AC.L2-3.1.7 (Restrict Use of Privileged Accounts), it is not enough to rely on interviews or documented procedures. The assessor must also Examine technical evidence to ensure that privileged accounts exist as described and are properly controlled. Reviewing system architecture, account listings, and role assignments validates that privileged access aligns with policy and that inappropriate assignments do not exist.

Exact extracts:

“Assessment Objectives … Determine if: privileged accounts are identified; privileged functions are restricted to privileged accounts; and use of privileged accounts is monitored.”

“Assessment Methods – Examine: account management policy; system architecture documentation; system security plan; privileged account listings.”

“Assessment Methods – Test: attempt to use non-privileged accounts to execute privileged functions.”

Expanded explanation:

Assessors typically proceed in layers:

Interview: Confirm staff knowledge of policy and practice.

Examine: Verify account structures in system architecture or AD group membership lists. This ensures the number and type of privileged accounts match staff descriptions.

Test (if required): Confirm that non-privileged users cannot perform privileged actions.

Why other options are incorrect:

B: Testing non-privileged accounts is useful but is not the next immediate validation step after confirming policy/procedures. Examination comes first.

C: This phrasing implies giving privileged roles to non-privileged functions, which would itself be a finding.

D: Testing with privileged users verifies activity monitoring, but not whether privileged accounts are properly scoped.

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========

CMMC scoping focuses on assets that process, store, transmit, or protect CUI. A smoke detector connected to the OSC network is an IoT device with no impact on CUI, so it is considered Out-of-Scope. The other items (data centers used by the OSC, MSP SIEM tools, and MSP offices handling OSC management) all directly affect the OSC’s CUI environment and therefore fall within scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Security Protection Assets are those that provide security functions for CUI Assets.”

“External Service Providers (e.g., MSPs, data centers, SIEMs) that support CUI Assets are in-scope.”

“Assets that cannot affect the confidentiality of CUI (e.g., unrelated IoT devices) are considered Out-of-Scope.”

Expanded explanation:

Data centers (A): If OSC CUI is stored or processed there, they are in-scope.

SIEM tools (C): Provide security monitoring of OSC networks — a clear Security Protection Asset.

MSP office (D): MSPs providing services that affect CUI are in-scope, including their management locations.

Smoke detector (B): Despite being network-connected, it does not interact with CUI or provide protective functions; it is explicitly out-of-scope.

Why the other options are in scope:

They either process, protect, or manage CUI directly.

Excluding them would improperly narrow the assessment boundary.

For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.

Extract:

“Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated.”

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of “reasonableness” is not an approved assessment method.

C: Identifying authors does not validate implementation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Triangulation

CMMC Assessment Guide – Level 2, Section on Evidence Requirements

NIST SP 800-171A — Assessment Methods: examine, interview, observe

The Access Control (AC) domain governs remote access, privileged access, and VPN controls. Documents describing how VPNs are controlled, monitored, and restricted fall under the Access Control Policy.

Extract:

“Access Control practices include the management of remote connections, monitoring of sessions, and enforcement of VPN controls.”

Thus, the correct document is the Access Control Policy.

Applicable Requirement (CAP & Scoping): Assessors must use objective artifacts to validate system boundaries and scoping decisions. Network or topology diagrams are the most direct method to confirm logical and physical separation between environments handling CUI and those that do not.

Why A is Correct: Network/topology diagrams provide a visual and technical representation of how isolation is achieved (e.g., VLANs, firewalls, segmentation). This is the primary evidence source for confirming separation.

Why Other Options Are Insufficient:

B: Change tickets/inventory show updates but not logical isolation.

C: The SSP describes but does not demonstrate separation.

D: Baseline configs show standard builds, not network isolation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) — Scope Validation

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, topology)

===========

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.