Free Cyber AB CMMC-CCA Practice Exam with Questions & Answers | Set: 2

According to CMMC Scoping Guidance, assets controlled by a parent organization are out-of-scope when they are physically and logically isolated from the OSC’s environment and do not process, store, or transmit CUI within the OSC’s boundary.

Extract from Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Since the badge activation machine is completely isolated and managed by the parent organization, and it has no network connectivity to the OSC, it is out-of-scope.

SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider’s SIEM to monitor their entire cloud environment where CUI is processed.

Extract:

“Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented.”

Thus, the practice is MET because the SIEM covers the cloud environment.

Applicable Requirement: CAP – Interview Guidance.

Why C is Correct: Interviews must be directed to personnel responsible for implementing, performing, or supporting practices to ensure accurate and objective evidence is collected.

Why Other Options Are Insufficient:

A: Yes/no questions do not provide sufficient evidence detail.

B: OSC personnel cannot ask themselves assessment questions; only assessors may conduct interviews.

D: Group interviews may be used in some cases, but CAP stresses targeted interviews for evidence reliability.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Interview Requirements

NIST SP 800-171A — Use of Interview as an Assessment Method

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.

Extract:

“Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management.”

Thus, the missing element is recorded management authorization.