Free Practice Questions for Cyber AB CMMC-CCA Exam

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

When External Service Providers are used, the OSC can inherit practices from the ESP if sufficient evidence is provided (such as FedRAMP authorization or equivalent). The Lead Assessor must verify which controls are noted as inherited, as these are assessed differently from controls implemented directly by the OSC.

Exact Extracts:

CMMC Assessment Guide: “An OSC may inherit practices from External Service Providers when those providers demonstrate equivalent compliance (e.g., FedRAMP Moderate for CUI).”

“Assessors must review documentation that identifies which practices are inherited, partially implemented, or implemented internally.”

CMMC Scoping Guide: “Inherited controls must be clearly documented by the OSC in the SSP.”

Why the other options are not correct:

B: Waivers are not part of CMMC assessments.

C: “Not Applicable” does not apply to ESP involvement; they either provide inherited practices or not.

D: “Partially implemented” indicates deficiencies, not proper inheritance.

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

“Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.”

“Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets… If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.”

“Separation… is required only for Out-of-Scope Assets. Isolation can be achieved… by implementing subnetworks with firewalls or other boundary protection devices.”

“The CMMC Assessment Scope includes all assets in the OSA’s environment that will be assessed… OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.”

“An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined…”

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

References (official CCA/CMMC documents):

CMMC Assessment Scope – Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3–13).

CMMC Assessment Guide – Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1–4, 8–10).

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.

Extract from CMMC Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.

CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.

Exact Extracts (official CMMC Assessor/Study documents):

AU.L2-3.3.7: “Review and update logged events, as well as the audit log, at least weekly.”

AU.L2-3.3.6: “Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings.”

CMMC Level 2 Assessment Guide emphasizes: “Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function.”

NIST SP 800-171A states: “The frequency of review must be sufficient to detect anomalies in a timely manner… at least weekly is required.”

Why other options are not correct:

A: Report generation capability is not the compliance issue; frequency of review is.

B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is frequency of log review, not time source.

D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56–60).

NIST SP 800-171A, Audit and Accountability objectives.

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.

Extract:

“Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters.”

Thus, the missing requirement is the use of a special character.