Free Practice Questions for Cyber AB CMMC-CCA Exam

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.

The OSC remains responsible for ensuring that any External Service Provider (ESP) such as a CSP supports compliance with CMMC. FedRAMP authorization is evidence, but the OSC must still demonstrate that the CSP’s services are being used in a manner that complies with CMMC Level 2 requirements.

Extract:

“The OSC is responsible for demonstrating that services provided by external providers are implemented and operated in a manner that complies with CMMC requirements for the OSC’s environment.”

Therefore, the OSC must provide proof of compliance in their environment, not simply rely on FedRAMP documentation.

Visitor access control (PE.L2-3.10.3 and PE.L2-3.10.4) typically involves procedures at entry points. The front-desk receptionist is the staff member most directly involved in logging, controlling, and monitoring visitor access. While system admins and partners handle IT and business operations, they do not control physical visitor access day-to-day.

Exact extracts:

“Assessment Method – Interview: personnel responsible for visitor access control (e.g., reception staff, security desk staff).”

“Assessment Objectives … Determine if visitor access is identified, logged, escorted, and monitored.”

Why the other options are incorrect:

A: System admins focus on IT, not visitor management.

C: Administrative assistants generally perform clerical tasks, not visitor logging.

D: Senior partners may approve contracts but are not directly responsible for visitor control.

The CMMC Assessment Process (CAP) states that deficiency correction is not permitted during the assessment. Practices must be evaluated based on their implementation at the time of assessment. If the OSC corrects deficiencies after assessment activities have begun, the changes cannot be considered in the scoring.

Extract:

“Deficiency correction during the assessment is not permitted. Practices are scored based on evidence available at the time of assessment activities.”

Thus, the correct next step is to score the practice as NOT MET.

In CMMC scoping, only assets that process, store, or transmit CUI (CUI Assets) or that can access them (Security Protection, Contractor Risk Managed, Specialized Assets) are in-scope. Since the SCADA system is firewalled off and does not handle CUI, it does not fall under CUI Asset classification and is considered Out-of-Scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Assets that do not process, store, or transmit CUI and have no connectivity to CUI Assets are considered Out-of-Scope.”

“Specialized Assets… are only in-scope if they process, store, or transmit CUI.”

Why the other options are incorrect:

A: Inclusion requires processing/storing/transmitting CUI.

C: OSC cannot arbitrarily bring unrelated systems into scope; CUI relevance governs scope.

D: Not all Specialized Assets are in-scope; only those with CUI interaction are.

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.

To validate least functionality, the assessor must evaluate implementation (via security staff, admins, developers). Interviewing the policy author provides limited value since it does not confirm whether the policy is implemented in practice.

Extract:

“Assessors should confirm least functionality through interviews with individuals responsible for system configuration, security, and implementation. Policy documentation authors alone are not sufficient evidence.”

Thus, interviewing the policy writer is least useful.

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========