Cyber AB CMMC-CCA Exam Questions Instant Access

Question 1

The assessment team has divided responsibilities to review portions of the OSC's scope, including the Host Unit, the specific enclave, and supporting teams such as a Managed Security Service Provider (MSSP). During evidence review, the team notices that MSSP personnel answered interview questions somewhat differently than OSC personnel. To clarify this inconsistency, the Lead Assessor decides to take all the following steps EXCEPT:

AReview the network diagrams.

BReview the agreement with the MSSP.

CReview the notes to determine what was different.

DReview interview questionnaire consistency.

Answer : D

Applicable Requirement (CMMC Assessment Process): The CMMC Assessment Process (CAP) requires assessors to collect, analyze, and reconcile evidence using triangulation (examine, interview, test) to confirm whether requirements are MET or NOT MET. When inconsistencies arise, the assessor must go back to objective evidence such as diagrams, contracts, and notes.

Why Reviewing Network Diagrams Helps (supports A): Network diagrams provide authoritative evidence of scope, data flows, and system boundaries, which helps clarify whether the MSSP's services were accurately described.

Why Reviewing MSSP Agreements Helps (supports B): Agreements (such as interconnection security agreements or service-level agreements) define shared responsibilities and confirm how the MSSP supports security controls. This evidence is critical to resolving inconsistent testimony.

Why Reviewing Notes Helps (supports C): Notes from previous interviews allow the team to pinpoint where answers diverged. This is a valid method of evidence review and aligns with CAP guidance on documenting interviews.

Why Interview Questionnaire Consistency is NOT the Correct Step (refutes D): The CAP emphasizes resolving inconsistencies through additional evidence, not by adjusting or re-checking the questionnaire itself. The consistency of the questionnaire is irrelevant --- what matters is reconciling the evidence provided by both the OSC and MSSP. Thus, this is the action the Lead Assessor would NOT take.

Assessment Guidance Extract (CAP):

''When conflicting evidence is observed, the assessment team must review technical documentation, agreements, and notes to identify the root cause and determine whether additional clarification is required.''

''The interview instrument itself is not a tool for reconciling inconsistencies; rather, objective evidence must be used.''

Reference (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 --- Section 3: Conducting the Assessment (Interview, Evidence, Triangulation, and Conflict Resolution)

CMMC Assessment Guide -- Level 2, Version 2.13 --- Guidance on the role of External Service Providers (MSSPs) and use of documented agreements as evidence

NIST SP 800-171A --- General assessment methodology: reconcile evidence using examine, interview, and test methods

Question 2

An organization's password policy includes these requirements:

Passwords must be at least 8 characters in length.

Passwords must contain at least one uppercase character, one lowercase character, and one numeric digit.

Passwords must be changed at least every 90 days.

When a password is changed, none of the previous 3 passwords can be reused.

Per IA.L2-3.5.7: Password Complexity, what requirement is missing from this password policy?

AIt does not require MFA.

BIt does not include a list of prohibited passwords.

CIt does not specify a minimum change of character requirement.

DIt does not require the password to contain at least one special character.

Answer : D

IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.

Extract:

''Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters.''

Thus, the missing requirement is the use of a special character.

Question 3

The OSC prints out documents it receives via email that are marked as CUI. According to MP.L2-3.8.4: Media Markings,

what should the Assessor expect to see on the printouts?

AA red stamp that states the document contains CUI

BWritten limitations to the distribution of the CUI within the OSC

CThe original markings that were on the document emailed to the OSC

DThe original markings from the document and a distribution list with limitations

Answer : C

MP.L2-3.8.4 requires that CUI markings follow the media, meaning when electronic documents are printed, the original markings must carry over to the hard copy. Distribution lists or colored stamps are not specifically required.

Extract:

''Mark media containing CUI with the CUI designation indicators as required. When converting CUI from one medium to another, the original markings must be retained.''

Thus, the assessor should expect to see the original markings carried onto the printouts.

Question 4

The OSC has changed its manner of operations in the past year to isolate its manufacturing division (which handles CUI) from its managerial team (which does not). Upon review of the provided information, the Lead Assessor was unable to identify this isolation in the environment. Which step should the Assessor take NEXT to understand how the current documentation isolates the operational components?

AReview the network or topology diagrams

BReview the change tickets and inventory updates

CReview the SSP

DReview to confirm the baseline configurations exist

Answer : A

Applicable Requirement (CAP & Scoping): Assessors must use objective artifacts to validate system boundaries and scoping decisions. Network or topology diagrams are the most direct method to confirm logical and physical separation between environments handling CUI and those that do not.

Why A is Correct: Network/topology diagrams provide a visual and technical representation of how isolation is achieved (e.g., VLANs, firewalls, segmentation). This is the primary evidence source for confirming separation.

Why Other Options Are Insufficient:

B: Change tickets/inventory show updates but not logical isolation.

C: The SSP describes but does not demonstrate separation.

D: Baseline configs show standard builds, not network isolation.

Reference (CCA Official Sources):

CMMC Assessment Process (CAP) --- Scope Validation

CMMC Assessment Guide -- Level 2 --- Evidence Types (network diagrams, topology)

===========

Question 5

An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC's cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.

In order to assess physical controls, the CCA should:

APhysically visit the colocation facility to determine the effectiveness of controls.

BEvaluate the colocation facility security process as listed in the service agreement.

CPhysically visit the colocation facility to determine the effectiveness of controls and review the OSC's process for maintaining access to the keys.

DEvaluate the colocation facility security process as listed in the service agreement and review the OSC's process for maintaining access to the keys.

Answer : C

The Physical Protection (PE) practices require both direct assessor observation of security controls and verification of how the OSC manages access to its cages/cabinets.

Extract:

''Assessors should observe and verify the effectiveness of physical access controls and confirm the OSC's processes for maintaining control over restricted areas and assets.''

Thus, the best option is to physically visit the facility and review OSC's key access management process.

Question 6

During an assessment interview, the interviewee states that anyone can connect to the company Wi-Fi without prior approval. Within which domains is the Wi-Fi configuration covered?

AMedia Protection (MP), Access Control (AC), and Physical Protection (PE)

BIdentification and Authentication (IA), Media Protection (MP), and System and Information Integrity (SI)

CAccess Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC)

DSystem and Communications Protection (SC), System and Information Integrity (SI), and Physical Protection (PE)

Answer : C

Access Control (AC): Wi-Fi access must be restricted to authorized users and devices. CMMC Level 2 incorporates NIST SP 800-171 AC requirements to limit and control access to systems and resources.

Identification and Authentication (IA): Wireless access requires authentication to ensure only authorized individuals/devices can connect (e.g., WPA2-Enterprise, certificates, or strong passwords).

System and Communications Protection (SC): Wi-Fi encryption and secure configuration protect data-in-transit from interception or unauthorized disclosure.

Why Other Options Are Incorrect:

A (MP, AC, PE): Media protection and physical protection are not primary domains for Wi-Fi configuration.

B (IA, MP, SI): Media protection and system/information integrity do not directly address Wi-Fi security.

D (SC, SI, PE): Physical and integrity controls are not central to wireless access security.

Reference (CCA Official Sources):

CMMC Model v2.0 --- Domains AC, IA, SC

NIST SP 800-171 Rev. 2 --- AC.L2-3.1.1, IA.L2-3.5.3, SC.L2-3.13.8 (wireless access, identification/authentication, protection of communications)

NIST SP 800-171A --- Associated assessment objectives verifying Wi-Fi control and encryption

===========

Question 7

A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor's documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in-scope in the documentation?

AIf the assessor sees personnel carrying locked cases into the other building or area

BIf the OSC has an underground passageway connecting the CUI building to a non-CUI building

CIf network diagrams indicate the commercial and federal sectors share a single Internet connection

DIf Human Resources that supports both commercial and federal sectors sits in the other building or area

Answer : C

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

''Security Protection Assets provide security functions or capabilities within the OSA's CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.''

''Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets... If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.''

''Separation... is required only for Out-of-Scope Assets. Isolation can be achieved... by implementing subnetworks with firewalls or other boundary protection devices.''

''The CMMC Assessment Scope includes all assets in the OSA's environment that will be assessed... OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.''

''An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined...''

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

Reference (official CCA/CMMC documents):

CMMC Assessment Scope -- Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3--13).

CMMC Assessment Guide -- Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1--4, 8--10).

Cyber AB Certified CMMC Assessor (CCA) CMMC-CCA Exam Questions