Comprehensive and Detailed Explanation:
SPAs, per the CMMC Assessment Scope - Level 2, are assets providing security functions or capabilities to the CMMC Assessment Scope, regardless of CUI handling. Hosted VPN Services (Option A), Cloud-based security solutions (Option C), and SIEM Solutions (Option D) all provide security (e.g., encryption, monitoring), qualifying as SPAs. Virtualized desktops (Option B) are endpoints for user access, not security tools, unless configured as such (not indicated here). B is the correct answer.
[Reference:, CMMC Assessment Scope - Level 2, Section 2.3.3 (SPAs), p. 6: "SPAs provide security functions, e.g., VPNs, SIEMs, not general-purpose endpoints.", ]
Submit