Pass the Cyber AB CMMC CMMC-CCA Questions and answers with ExamsMirror

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.

The Scoping Guidance defines Security Protection Assets as systems, tools, or services that provide security functions protecting CUI assets, even if outsourced to third parties.

Extract:

“Security Protection Assets are tools, systems, or services that provide security functionality (e.g., SOC, antivirus, logging) to protect CUI assets. These must be included in scope.”

Therefore, SOC and AV must be categorized as Security Protection Assets.

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

Under CMMC 2.0 Level 2, POA&Ms are permitted only for a limited subset of practices and only if the organization achieves at least 80% compliance, with no high-weight practices failed. With 23 practices NOT MET, the OSC falls below this threshold. Therefore, the Lead Assessor must recommend a Fail, requiring remediation and reassessment.

Exact extracts:

“For Level 2, OSCs must achieve a score of at least 80% and cannot fail any high-weighted practices.”

“POA&Ms may be allowed for a small number of selected practices but must be closed within 180 days.”

“If the OSC does not meet minimum requirements, the assessment result is Fail and the OSC must remediate before reapplying.”

Why the other options are incorrect:

A: POA&Ms cannot cover such a large number of deficiencies.

C/D: Interim certification does not exist in CMMC 2.0.

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

Applicable Requirement: SC.L2-3.13.16 — “Protect the confidentiality of CUI at rest.”

Why D is Correct: Cryptographic mechanisms (e.g., full-disk encryption, database encryption, file encryption) provide the strongest protection for information at rest by preventing unauthorized disclosure if systems or media are accessed.

Why Other Options Are Insufficient:

A (Patching): Protects against vulnerabilities, but not specific to data-at-rest confidentiality.

B (File share): Provides a storage method, not protection.

C (Secure offline storage): Helps physically, but not sufficient for digital confidentiality without encryption.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.16

NIST SP 800-171A — SC.L2-3.13.16 Assessment Objectives

CMMC Assessment Guide – Level 2, Data at Rest Protection

===========

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

The CAP requires that prior to the assessment, the Lead Assessor submit documentation confirming that Assessment Team members have no conflicts of interest and meet qualification requirements. This is recorded through the Absence of Conflict of Interest and Confirmation Statement.

Extract:

“Before assessment initiation, the C3PAO must provide confirmation to the Cyber-AB that all Assessment Team members have declared absence of conflict of interest and are confirmed to participate.”

Thus, the required submission is the Absence of Conflict of Interest and Confirmation Statement.