Pass the Cyber AB CMMC CMMC-CCA Questions and answers with CertsForce

MP.L2-3.8.4 requires that CUI markings follow the media, meaning when electronic documents are printed, the original markings must carry over to the hard copy. Distribution lists or colored stamps are not specifically required.

Extract:

“Mark media containing CUI with the CUI designation indicators as required. When converting CUI from one medium to another, the original markings must be retained.”

Thus, the assessor should expect to see the original markings carried onto the printouts.

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access, in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.

Exact Extracts:

NIST SP 800-171A: “Test assessment method involves exercising assessment objects under specified conditions… mirrored or replicated systems may be used if validated as equivalent.”

CMMC Assessment Guide: “If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system.”

Why the other options are not correct:

A/B: Testing must focus on systems and controls, not limited groups or customer matrices.

C: Incorrect — mirrored systems are acceptable if validated as equivalent.

D: Correct, as validation of equivalency is required.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

Applicable Requirement (CAP – Pre-Assessment Activities): Before the assessment, the team must confirm the assessment scope (systems, assets, CUI boundaries, and relevant environments). Without scoping, evidence identification and collection cannot be validated.

Why A is Correct: Identifying scope is the foundational requirement in the pre-assessment stage, as defined in the CMMC Assessment Process. Scope determines what systems, people, and assets are included in evidence collection.

Why Other Options Are Insufficient:

B: Verification of evidence occurs during assessment, not pre-assessment readiness.

C: Observations are recorded during on-site assessment, not beforehand.

D: Interview selection happens during evidence collection, after scope confirmation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Pre-Assessment Phase

CMMC Assessment Guide – Level 2, Pre-Assessment Readiness Activities

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

The Examine assessment method requires the assessor to review policies, processes, and procedures that are finalized and approved, not drafts or informal materials. This ensures the OSC has formally documented, management-approved artifacts supporting each practice. Drafts, in-process training materials, or incomplete diagrams do not satisfy the “Examine” method requirements.

Exact extracts:

“Examine: Review, inspect, and analyze assessment objects, such as policies, procedures, and system documentation.”

“Examine requires finalized artifacts; draft or incomplete materials do not constitute valid evidence.”

Why the other options are incorrect:

A: “Mailed form” is irrelevant — only completeness and approval matter.

C: Training materials are not substitutes for policy/process evidence.

D: Draft diagrams do not satisfy final documentation requirements.

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.