Free Practice Questions for Cyber AB CMMC-CCA Exam

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

Applicable Requirement (CMMC Assessment Process): The CMMC Assessment Process (CAP) requires assessors to collect, analyze, and reconcile evidence using triangulation (examine, interview, test) to confirm whether requirements are MET or NOT MET. When inconsistencies arise, the assessor must go back to objective evidence such as diagrams, contracts, and notes.

Why Reviewing Network Diagrams Helps (supports A): Network diagrams provide authoritative evidence of scope, data flows, and system boundaries, which helps clarify whether the MSSP’s services were accurately described.

Why Reviewing MSSP Agreements Helps (supports B): Agreements (such as interconnection security agreements or service-level agreements) define shared responsibilities and confirm how the MSSP supports security controls. This evidence is critical to resolving inconsistent testimony.

Why Reviewing Notes Helps (supports C): Notes from previous interviews allow the team to pinpoint where answers diverged. This is a valid method of evidence review and aligns with CAP guidance on documenting interviews.

Why Interview Questionnaire Consistency is NOT the Correct Step (refutes D): The CAP emphasizes resolving inconsistencies through additional evidence, not by adjusting or re-checking the questionnaire itself. The consistency of the questionnaire is irrelevant — what matters is reconciling the evidence provided by both the OSC and MSSP. Thus, this is the action the Lead Assessor would NOT take.

Assessment Guidance Extract (CAP):

“When conflicting evidence is observed, the assessment team must review technical documentation, agreements, and notes to identify the root cause and determine whether additional clarification is required.”

“The interview instrument itself is not a tool for reconciling inconsistencies; rather, objective evidence must be used.”

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Section 3: Conducting the Assessment (Interview, Evidence, Triangulation, and Conflict Resolution)

CMMC Assessment Guide – Level 2, Version 2.13 — Guidance on the role of External Service Providers (MSSPs) and use of documented agreements as evidence

NIST SP 800-171A — General assessment methodology: reconcile evidence using examine, interview, and test methods

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.

Extract:

“Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management.”

Thus, the missing element is recorded management authorization.

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

Under CMMC 2.0 Level 2, POA&Ms are permitted only for a limited subset of practices and only if the organization achieves at least 80% compliance, with no high-weight practices failed. With 23 practices NOT MET, the OSC falls below this threshold. Therefore, the Lead Assessor must recommend a Fail, requiring remediation and reassessment.

Exact extracts:

“For Level 2, OSCs must achieve a score of at least 80% and cannot fail any high-weighted practices.”

“POA&Ms may be allowed for a small number of selected practices but must be closed within 180 days.”

“If the OSC does not meet minimum requirements, the assessment result is Fail and the OSC must remediate before reapplying.”

Why the other options are incorrect:

A: POA&Ms cannot cover such a large number of deficiencies.

C/D: Interim certification does not exist in CMMC 2.0.

The Assessment Plan (planning agreement) must be signed by both the Lead Assessor and the OSC Assessment Official. This formalizes agreement on scope, resources, and methodology. The C3PAO is responsible for overall oversight but does not co-sign the plan.

Exact extracts:

“The Lead Assessor is responsible for developing the Assessment Plan in collaboration with the OSC Assessment Official.”

“Both the Lead Assessor and the OSC Assessment Official must sign the Assessment Plan to proceed.”

“The C3PAO maintains responsibility for quality assurance and submission, but not signing.”

Why other options are incorrect:

A/B: Both signatures are required, not one alone.

D: The C3PAO does not sign the planning agreement.