Cyber AB CMMC-CCA Certified CMMC Assessor (CCA) Exam Exam Practice Test

To verify compliance with AC.L2-3.1.5 (Least Privilege), the assessor must confirm that privileged accounts are not used for routine or non-privileged tasks. Asking if a user uses their privileged account for tasks like researching vulnerabilities on the Internet directly tests whether the principle of least privilege is being followed.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

CMMC Assessment Guide: “Interviews should confirm that privileged accounts are used exclusively for privileged functions, and that standard accounts are used for general tasks.”

NIST SP 800-171A Objective: “Determine through interviews whether users employ privileged accounts for non-privileged tasks.”

Why other options are not correct:

A: Awareness of other privileged users is not the issue being assessed.

B: Knowledge of RBAC is useful but does not confirm account usage practices.

D: Provisioning procedures are an IT staff responsibility, not a user behavior check.

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.

Exact Extracts (official CMMC Assessor/Study documents):

AU.L2-3.3.7: “Review and update logged events, as well as the audit log, at least weekly.”

AU.L2-3.3.6: “Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings.”

CMMC Level 2 Assessment Guide emphasizes: “Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function.”

NIST SP 800-171A states: “The frequency of review must be sufficient to detect anomalies in a timely manner… at least weekly is required.”

Why other options are not correct:

A: Report generation capability is not the compliance issue; frequency of review is.

B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.

D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56–60).

NIST SP 800-171A, Audit and Accountability objectives.

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.

The CMMC Assessment Process (CAP) requires that when sensitive or proprietary materials are exchanged during an assessment, the OSC and the C3PAO should establish confidentiality protections through a Non-Disclosure Agreement (NDA).

Extract:

“OSC and C3PAOs are expected to execute a Non-Disclosure Agreement (NDA) to protect sensitive information such as proprietary, attorney-client privileged, or pre-patent materials shared during the assessment process.”

Thus, the NDA is the correct document.

Applicable Requirement: CAP – Assessment Execution Phase.

Why D is Correct: After scoring and validating preliminary results, the next step is to finalize and record recommended final findings for submission. This closes the assessment process and supports certification decisions.

Why Other Options Are Insufficient:

A: Scope determination occurs in planning, not after validation.

B: Results are delivered after finalization, not immediately after validation.

C: Considering additional evidence occurs during data collection, before validation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Reporting Phase

CMMC Assessment Guide – Level 2 — Assessment Closure

===========

The CMMC Assessment Process (CAP) requires that results be reported at the OSC level. While findings may be gathered from enclaves or units, the final reporting must be aggregated and scored across the entire OSC assessment boundary.

Extract:

“Final recommended assessment results must be consolidated and reported at the OSC level, regardless of assessment locations or enclaves.”

Thus, the Lead Assessor must ensure aggregation to the OSC level.

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.

Extract:

“Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated.”

If an asset processes or generates CUI, it is a CUI Asset by definition, regardless of whether it is also part of a test lab or claimed as a Specialized Asset. Specialized Asset handling applies only when the asset does not process, store, or transmit CUI. Since the workstation outputs CUI, it must be assessed fully against CMMC practices.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Specialized Assets… do not process, store, or transmit CUI.”

“If a Specialized Asset processes CUI, it must be categorized as a CUI Asset and is assessed against all applicable practices.”

Why the other options are incorrect:

B: The issue is not with the SSP practice; it is with misclassification of an asset.

C/D: Risk-based treatment applies only to Specialized Assets without CUI, which is not the case here.

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

Applicable Requirement: AC.L2-3.1.7 — “Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.”

Correct Interpretation:

A non-privileged (standard) user should be prevented from performing privileged functions (e.g., uninstalling security software).

The attempt must be logged to provide traceability and support accountability.

Why C is Correct: It demonstrates both prevention (software not uninstalled) and auditing (attempt captured in a log), exactly matching the practice.

Why Other Options Are Insufficient:

A: Prevention is shown, but there is no evidence of logging.

B: Function was not prevented, so requirement not met.

D: Logging exists, but privileged action was not prevented.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.7

NIST SP 800-171A — AC.L2-3.1.7 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.7

===========

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

The Physical Protection (PE) practices require both direct assessor observation of security controls and verification of how the OSC manages access to its cages/cabinets.

Extract:

“Assessors should observe and verify the effectiveness of physical access controls and confirm the OSC’s processes for maintaining control over restricted areas and assets.”

Thus, the best option is to physically visit the facility and review OSC’s key access management process.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport. “Tamper protection technologies” are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

“Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.”

Thus, D is NOT an acceptable safeguard.

The CMMC Assessment Process (CAP) defines the logical order:

After collecting and examining evidence, the next step is to determine and record initial practice scores (MET, NOT MET, or NA).

Only after practice scoring is completed are findings validated and aggregated into final recommended results.

Extract:

“Following evidence collection and review, assessors determine and record the practice status (MET/NOT MET/NA) before compiling results into final recommendations.”

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.

CMMC Level 2 requires that network access to CUI systems be restricted to authorized users and devices. A guest network without password protection that connects directly into the LAN violates AC.L2-3.1.3 (Access Enforcement) and SC.L2-3.13.16 (Cryptographic protection) because unauthorized users may access OSC systems and CUI indirectly.

Exact Extracts:

AC.L2-3.1.3: “Control the flow of CUI by enforcing access restrictions.”

SC.L2-3.13.16: “Employ cryptographic mechanisms to protect confidentiality of CUI during transmission.”

Assessment Guide: “Guest wireless networks must be segmented and controlled to prevent unauthorized access to internal networks containing CUI.”

Why other options are not correct:

A: Additional assessment is irrelevant — issue is failure to meet requirements.

C/D: False — requirements clearly exist, and the OSC’s current setup fails them.

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.

To validate separation of CUI systems from non-CUI systems on a local network, the assessor must evaluate the VLAN configuration. VLANs are a recognized logical segmentation method for separating enclaves, as defined in the CMMC Scoping Guide.

Exact Extracts:

CMMC Scoping Guide: “Isolation can be achieved by implementing subnetworks with firewalls, routers, and VLANs to ensure separation of CUI assets from out-of-scope assets.”

“CUI Assets must be isolated from non-CUI assets unless those non-CUI assets are designated as Security Protection Assets or Contractor Risk Managed Assets.”

Why other options are not correct:

A (WAN): Wide Area Networks describe external connectivity, not local separation.

B (VPN): VPN provides encrypted remote access but does not enforce local network segmentation.

D (NAT): NAT provides IP translation, not logical separation of traffic.

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP). The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

The Interview assessment method is used to validate whether procedures and policies are actually being implemented and followed by the personnel who use them. Even if the documents are dated correctly, assessors must confirm their operational use.

Extract:

“Interviews with personnel are used to verify that documented policies, plans, and procedures are actually implemented in daily practice.”

Thus, interviewing OSC team members who use the procedures provides the strongest validation.

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:

Replan the assessment (adjust scope, timeline, or requirements), or

Reschedule the assessment (move the engagement to a later date).

Extract:

“Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled.”

Thus, the correct answer is B.

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

Access Control (AC): Wi-Fi access must be restricted to authorized users and devices. CMMC Level 2 incorporates NIST SP 800-171 AC requirements to limit and control access to systems and resources.

Identification and Authentication (IA): Wireless access requires authentication to ensure only authorized individuals/devices can connect (e.g., WPA2-Enterprise, certificates, or strong passwords).

System and Communications Protection (SC): Wi-Fi encryption and secure configuration protect data-in-transit from interception or unauthorized disclosure.

Why Other Options Are Incorrect:

A (MP, AC, PE): Media protection and physical protection are not primary domains for Wi-Fi configuration.

B (IA, MP, SI): Media protection and system/information integrity do not directly address Wi-Fi security.

D (SC, SI, PE): Physical and integrity controls are not central to wireless access security.

References (CCA Official Sources):

CMMC Model v2.0 — Domains AC, IA, SC

NIST SP 800-171 Rev. 2 — AC.L2-3.1.1, IA.L2-3.5.3, SC.L2-3.13.8 (wireless access, identification/authentication, protection of communications)

NIST SP 800-171A — Associated assessment objectives verifying Wi-Fi control and encryption

===========

The CMMC Scoping Guidance defines Specialized Assets (e.g., OT, IoT, test equipment, manufacturing machines) that may process CUI but do not always meet traditional IT security requirements. These assets are still within scope and must be documented and assessed as Specialized Assets.

Extract:

“Specialized Assets are defined as operational technology, IoT, test equipment, and similar devices that may process CUI but cannot be secured in the same manner as standard assets. They remain in-scope for the assessment.”

Thus, waterjet machines are Specialized Assets in scope.

External connections are defined as connections crossing the OSC’s assessment boundary. Here:

The dedicated VPN from office to cloud = one external connection.

The user-initiated VPNs from remote laptops to cloud = a second external connection.

Extract:

“External connections include all system interfaces that cross the assessment boundary, including VPNs initiated by users or established between sites.”

Thus, there are two external connections.

To verify scanning (such as anti-virus and file integrity functions), the strongest evidence includes system configurations, AV alerts/logs, and interviews with technical staff. A policy document (System Information and Integrity Policy) provides intent but not actual implementation proof, making it the least helpful.

Extract:

“Policies provide documented intent, but assessors must validate actual implementation through configuration reviews, alerts/logs, and personnel interviews.”

Thus, the policy alone is the least useful evidence for confirming scans are actually performed.

Applicable CMMC/NIST Requirement: AC.L2-3.1.20 — “Verify and control/limit connections to and use of external systems.”

Isolation Not Required (refutes B): The requirement acknowledges that individuals using external systems (e.g., contractors, partners) may need to access organizational systems. In such cases, organizations must ensure those connections do not compromise or harm organizational systems. Therefore, complete isolation from all external systems is not mandated.

Policy Alone is Insufficient (refutes A): Assessment guidance requires mechanisms that technically enforce terms and conditions for use of external systems. A written employee policy by itself does not satisfy the requirement unless paired with technical enforcement (e.g., firewalls, connection rules).

Allow-lists & Firewalls are Best Practice (supports C): Assessment considerations specify that organizations should restrict external systems to an approved list, such as by using firewalls, VPNs, IP restrictions, or certificates. The company’s use of firewalls and a connection allow-list directly addresses this requirement.

Full Control of External Systems Not Required (refutes D): The definition of “external systems” clarifies that organizations typically do not have direct supervision or authority over those systems. The requirement is to limit and control connections to such systems, not to own or fully manage them.

Assessment Objectives for AC.L2-3.1.20 (from NIST SP 800-171A):

Connections to external systems are identified.

Use of external systems is identified.

Connections to external systems are verified.

Use of external systems is verified.

Connections to external systems are controlled/limited.

Use of external systems is controlled/limited.

Firewalls and allow-lists satisfy these verification and limitation requirements, enabling a CCA to mark the practice MET if evidence is present.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — §3.1.20 (Discussion)

NIST SP 800-171A — §3.1.20 (Assessment Objectives & Methods)

CMMC Assessment Guide – Level 2, Version 2.13 — AC.L2-3.1.20 (External Connections [CUI Data], including “Potential Assessment Considerations”)

Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).

Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never “authenticated as a prerequisite to access.” Authentication applies to users, devices, and processes, not cryptographic modules themselves.

Why A, B, C are Correct Considerations:

Devices must be authorized before connecting.

Processes acting on behalf of a user must be authenticated.

Users must be authorized prior to access. These are all directly mapped to AC and IA domains.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IA and SC requirements

NIST SP 800-171A — Assessment Objectives for AC/IA wireless and cloud access

CMMC Assessment Guide – Level 2, Cloud/ESP Considerations

===========

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

“Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.”

“Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets… If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.”

“Separation… is required only for Out-of-Scope Assets. Isolation can be achieved… by implementing subnetworks with firewalls or other boundary protection devices.”

“The CMMC Assessment Scope includes all assets in the OSA’s environment that will be assessed… OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.”

“An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined…”

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

References (official CCA/CMMC documents):

CMMC Assessment Scope – Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3–13).

CMMC Assessment Guide – Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1–4, 8–10).

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.