Free Practice Questions for Cyber AB CMMC-CCA Exam

The determining factor for whether an ESP is in scope is the services provided. If the ESP provides services that process, store, or transmit CUI or provide security protection functions, then the ESP is within scope. Other SLA components (intervals, penalties, measurements) are irrelevant to scope determination.

Exact Extracts:

CMMC Scoping Guide: “External Service Providers that provide services involving the storage, processing, or transmission of CUI or provide Security Protection Assets are considered in scope.”

“The OSC must identify in the SSP which services are provided by ESPs and how compliance is achieved.”

Why other options are not correct:

B (Intervals): Refers to timing of services, not scope relevance.

C (Penalties): Contract penalties are unrelated to CMMC scope.

D (Measurements): SLAs metrics do not determine scope.

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.

Exact Extracts:

NIST SP 800-171A: “Test assessment method involves exercising assessment objects under specified conditions… mirrored or replicated systems may be used if validated as equivalent.”

CMMC Assessment Guide: “If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system.”

Why the other options are not correct:

A/B: Testing must focus on systems and controls, not limited groups or customer matrices.

C: Incorrect — mirrored systems are acceptable if validated as equivalent.

D: Correct, as validation of equivalency is required.

The control PS.L2-3.9.1: Screen Individuals requires that individuals be screened before authorizing access to organizational systems and CUI. Since employees are assigned to work immediately upon hire, before screenings are complete, this practice is NOT MET. Completing screenings within the first week does not satisfy the requirement.

Exact extracts:

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

“Assessment Objectives … Determine if: [a] individuals requiring access to CUI are screened before access is granted.”

“It is not sufficient for screening to occur after access has been authorized.”

Why the other options are incorrect:

A: Remediation may be possible, but scoring must be NOT MET.

B: A single practice being NOT MET does not automatically cause assessment failure (depends on aggregate score).

C: HR responsibility does not excuse failure to complete screening before granting access.

To verify compliance with AC.L2-3.1.5 (Least Privilege), the assessor must confirm that privileged accounts are not used for routine or non-privileged tasks. Asking if a user uses their privileged account for tasks like researching vulnerabilities on the Internet directly tests whether the principle of least privilege is being followed.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

CMMC Assessment Guide: “Interviews should confirm that privileged accounts are used exclusively for privileged functions, and that standard accounts are used for general tasks.”

NIST SP 800-171A Objective: “Determine through interviews whether users employ privileged accounts for non-privileged tasks.”

Why other options are not correct:

A: Awareness of other privileged users is not the issue being assessed.

B: Knowledge of RBAC is useful but does not confirm account usage practices.

D: Provisioning procedures are an IT staff responsibility, not a user behavior check.