Free Practice Questions for Cyber AB CMMC-CCA Exam

If an asset processes or generates CUI, it is a CUI Asset by definition, regardless of whether it is also part of a test lab or claimed as a Specialized Asset. Specialized Asset handling applies only when the asset does not process, store, or transmit CUI. Since the workstation outputs CUI, it must be assessed fully against CMMC practices.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Specialized Assets… do not process, store, or transmit CUI.”

“If a Specialized Asset processes CUI, it must be categorized as a CUI Asset and is assessed against all applicable practices.”

Why the other options are incorrect:

B: The issue is not with the SSP practice; it is with misclassification of an asset.

C/D: Risk-based treatment applies only to Specialized Assets without CUI, which is not the case here.

Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

MP.L2-3.8.4 requires that CUI markings follow the media, meaning when electronic documents are printed, the original markings must carry over to the hard copy. Distribution lists or colored stamps are not specifically required.

Extract:

“Mark media containing CUI with the CUI designation indicators as required. When converting CUI from one medium to another, the original markings must be retained.”

Thus, the assessor should expect to see the original markings carried onto the printouts.

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence. Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.

Exact Extracts:

CMMC Assessment Guide: “The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities.”

“The assessment team members carry out activities as directed by the Lead Assessor.”

“The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions.”

Why other options are not correct:

B: Team members execute tasks but do not define methods and responsibilities.

C: Quality Oversight Managers review assessments after completion, not during planning.

D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

When protecting backup data containing CUI, the requirement is to ensure confidentiality through logical or physical security controls appropriate to the sensitivity of CUI. Acceptable implementations include controlling access to CUI (AC family controls), physically securing media (MP family controls), and encrypting files or media (SC family controls). Merely implementing alternative physical controls for site access is insufficient because site access protections do not directly ensure the confidentiality of the backup media itself.

Exact Extracts (from official CMMC Assessor/Study documents and NIST SP 800-171A references):

SC.L2-3.13.16 (Encrypt CUI): “Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during storage and transmission unless otherwise protected by alternative physical safeguards.”

MP.L2-3.8.9 (Protect backup CUI): “Protect the confidentiality of backup CUI at storage locations.”

AC.L2-3.1.3 (Access enforcement): “Limit access to CUI on the basis of need-to-know to protect confidentiality.”

Physical security references (PE family): “Physical access controls provide general site protection but are not substitutes for encryption or media protection controls when CUI confidentiality is at risk.”

Why the other options are correct (acceptable methods):

B (Managing who has access to the information): Satisfies Access Control (AC) requirements that limit exposure of CUI only to authorized individuals.

C (Physically securing devices and media): Satisfies Media Protection (MP) requirements, ensuring CUI is stored securely and protected against unauthorized access.

D (Encrypting files or media): Directly satisfies System and Communications Protection (SC) requirements for confidentiality, a highly reliable method.

Why option A is least acceptable:

Alternative physical controls for site access protect buildings or rooms, but they do not directly safeguard backup media confidentiality. If backups are removed, lost, or accessed internally, site access controls alone cannot ensure confidentiality.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.16, MP.L2-3.8.9, AC.L2-3.1.3, and PE family discussion (pp. 93–96, 108–110, 125–127).

NIST SP 800-171A, Assessing Security Requirements for CUI: Related assessment objectives for protecting CUI backup confidentiality.

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.