Pass the Cyber AB CMMC CMMC-CCA Questions and answers with CertsForce

The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”

NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”

Why other options are not correct:

A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.

B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.

D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

Applicable Requirement: CM.L2-3.4.3 — “Track, review, approve/disapprove, and audit changes to organizational systems.”

Why CCB Minutes Are Correct (supports B):

Change Control Board (CCB) documentation includes impact analyses, approvals, disapprovals, and justification for system changes.

The CMMC Assessment Guide explicitly identifies CCB minutes and supporting records as primary evidence of compliance with change management practices.

Why Other Options Are Insufficient:

A (Vendor description): Provides information on the update, but does not show organizational review or approval.

C (Audit logs): Show when a change occurred, but not whether it was analyzed and approved beforehand.

D (Incident logs): Reflects results after implementation, but not the review/approval process.

Assessment Guidance Extract (NIST SP 800-171A, CM.L2-3.4.3):

Objectives include verifying that system changes are:

Documented,

Reviewed,

Approved/disapproved, and

Audited.

Evidence such as CCB minutes and approval records directly satisfies these objectives.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.3 (Change Management)

NIST SP 800-171A — Assessment Objectives for CM.L2-3.4.3

CMMC Assessment Guide – Level 2, Version 2.13 — Change Management evidence expectations

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment. The presence of CUI drives the assessment requirement to CMMC Level 2, regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.

The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:

Replan the assessment (adjust scope, timeline, or requirements), or

Reschedule the assessment (move the engagement to a later date).

Extract:

“Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled.”

Thus, the correct answer is B.

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.

Least privilege requires users to perform privileged functions only with privileged accounts and to use their basic (non-privileged) accounts for general activity. This prevents unnecessary exposure of elevated rights and limits attack surfaces. Database Administrators must use their DBA accounts only for DBA tasks, and all users must use their basic accounts for non-privileged tasks.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Objectives: Require separate accounts for privileged and non-privileged activities.

Assessment Guide Clarification: “Privileged accounts should be used only for privileged functions; standard accounts must be used for all other activities.”

Why the other options are not correct:

B: States “non-privileged users use their basic account” but does not explicitly require all users (including admins) to use their basic account for non-privileged tasks.

C/D: Incorrectly assign System Administrator accounts to Database Administrators, which violates least privilege (admins must only have the access needed for their role).

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.