Free Cyber AB CMMC-CCA Practice Exam with Questions & Answers

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

The CMMC Assessment Process (CAP) defines four methods: Examine, Interview, Test, and Observe.

Interview Method: Involves discussions with personnel to gather evidence about the implementation of practices.

In this case, the CCA is discussing with the system administrator to understand processes, which clearly aligns with the Interview method.

Extract:

“Interview: The assessor uses discussions with personnel to obtain evidence about how practices are implemented within the OSC’s environment.”

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B.

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.

The OSC (Organization Seeking Certification) is always responsible for meeting CMMC requirements, regardless of what responsibilities are shared or outsourced to an ESP. ESPs can provide inherited practices (e.g., FedRAMP Moderate for cloud CUI), but the OSC remains accountable for compliance under government mandates.

Exact Extracts:

CMMC Assessment Guide: “The OSC is the entity being assessed. While an ESP may provide inherited practices, the OSC retains ultimate responsibility for compliance.”

Scoping Guide: “External Service Providers may meet requirements on behalf of the OSC; however, it is the OSC that is assessed and must demonstrate sufficiency of evidence.”

Why other options are not correct:

A: Incorrect — ESPs that process CUI must meet FedRAMP Moderate equivalency, even if not directly assessed for CMMC.

B: While true, factoring documentation does not override that OSC remains accountable.

C: ESPs are not assessed at the same time as the OSC; only the OSC receives certification.

Visitor access control (PE.L2-3.10.3 and PE.L2-3.10.4) typically involves procedures at entry points. The front-desk receptionist is the staff member most directly involved in logging, controlling, and monitoring visitor access. While system admins and partners handle IT and business operations, they do not control physical visitor access day-to-day.

Exact extracts:

“Assessment Method – Interview: personnel responsible for visitor access control (e.g., reception staff, security desk staff).”

“Assessment Objectives … Determine if visitor access is identified, logged, escorted, and monitored.”

Why the other options are incorrect:

A: System admins focus on IT, not visitor management.

C: Administrative assistants generally perform clerical tasks, not visitor logging.

D: Senior partners may approve contracts but are not directly responsible for visitor control.

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.