Comprehensive and Detailed in Depth Explanation:

In a multi-cloud environment, assessing AC.L1-3.1.20 (external connection authorization) and AC.L2-3.1.13 (remote access confidentiality) is complex due to distributed resources and reliance on CSP controls. The CCA faces challenges in verifying how external connections are authorized (e.g., inconsistent methods across CSPs) and in obtaining sufficient evidence of cryptographic mechanisms (e.g., limited documentation of TLS or VPN use), as noted in the scenario. The volume of data further complicates tracking specific remote access activities, aligning with CAP guidance on evidence collection in hybrid environments.

Option A (outdated infrastructure) is unrelated to the described cloud context. Option B (physical security focus) is irrelevant to remote access controls. Option C (policy verification and personnel) is less specific than the scenario’s focus on authorization and cryptography evidence. Option D precisely captures the challenges, making it the correct answer.

Reference Extract:

CMMC Assessment Process (CAP) v1.0, Section 4.3:“Cloud environments may present challenges in verifying external controls and cryptographic evidence due to distributed architectures.”

NIST SP 800-171A, AC-3.1.20 & AC-3.1.13:“Assessors must verify authorization and cryptography across all external connections.”Resources:https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf ;https://csrc.nist.gov/pubs/sp/800/171/a/final