Free Cyber AB CMMC-CCA Practice Exam with Questions & Answers | Set: 5

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets. Evidence from interviews showing exceptions means the practice is NOT MET.

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B.

Applicable Requirement: CM.L2-3.4.1 — “Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

Why C is Correct: Baseline management requires documenting and tracking authorized deviations to ensure systems remain consistent with approved baselines. Evidence must show the OSC manages exceptions as part of its configuration management process.

Why Other Options Are Insufficient:

A: Physical safeguards protect images but do not demonstrate baseline management.

B: Reviews may be helpful, but deviations are explicitly required documentation.

D: Chain of custody applies to asset tracking, not baseline management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.1

NIST SP 800-171A — CM.L2-3.4.1 Assessment Objectives

CMMC Assessment Guide – Level 2, Baseline Configurations

===========

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

The Examine assessment method requires the assessor to review policies, processes, and procedures that are finalized and approved, not drafts or informal materials. This ensures the OSC has formally documented, management-approved artifacts supporting each practice. Drafts, in-process training materials, or incomplete diagrams do not satisfy the “Examine” method requirements.

Exact extracts:

“Examine: Review, inspect, and analyze assessment objects, such as policies, procedures, and system documentation.”

“Examine requires finalized artifacts; draft or incomplete materials do not constitute valid evidence.”

Why the other options are incorrect:

A: “Mailed form” is irrelevant — only completeness and approval matter.

C: Training materials are not substitutes for policy/process evidence.

D: Draft diagrams do not satisfy final documentation requirements.