CMMC-CCA Exam Dumps - Cyber AB CMMC Questions and Answers

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.

If an OSC wishes to separate environments that process FCI from those that process CUI, they may pursue two separate CMMC certifications (Level 1 for FCI and Level 2 for CUI). A single certification cannot cover both environments unless all requirements for the higher level are met across the entire enterprise.

Exact Extracts:

CMMC Assessment Guide: “An OSC may choose to undergo multiple CMMC certification activities if they wish to limit scope between FCI and CUI environments.”

“Level 1 applies to safeguarding FCI, while Level 2 applies to CUI; separate certifications may be pursued if the OSC chooses to segregate these environments.”

Why the other options are not correct:

A: A single certification would require all assets to meet Level 2 controls, which may not be the OSC’s intent.

C: Defining scope for FCI only aligns with Level 1, but this does not meet Level 2 certification requirements for CUI.

D: A self-assessment scope only applies to Level 1 assessments, not Level 2 third-party certification.

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope.

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.

AC.L2-3.1.7 (Privileged Functions) requires that execution of privileged functions be restricted to authorized privileged accounts. The best evidence is an access list demonstrating who is allowed privileged access.

Extract:

“Limit the use of privileged functions to authorized users. Assessors should review access control lists or equivalent evidence to verify only privileged accounts have privileged permissions.”

Thus, the best next step is to examine a user access list for authorized privileged users.

The CMMC Assessment Process (CAP) defines the logical order:

After collecting and examining evidence, the next step is to determine and record initial practice scores (MET, NOT MET, or NA).

Only after practice scoring is completed are findings validated and aggregated into final recommended results.

Extract:

“Following evidence collection and review, assessors determine and record the practice status (MET/NOT MET/NA) before compiling results into final recommendations.”

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

The determining factor for whether an ESP is in scope is the services provided. If the ESP provides services that process, store, or transmit CUI or provide security protection functions, then the ESP is within scope. Other SLA components (intervals, penalties, measurements) are irrelevant to scope determination.

Exact Extracts:

CMMC Scoping Guide: “External Service Providers that provide services involving the storage, processing, or transmission of CUI or provide Security Protection Assets are considered in scope.”

“The OSC must identify in the SSP which services are provided by ESPs and how compliance is achieved.”

Why other options are not correct:

B (Intervals): Refers to timing of services, not scope relevance.

C (Penalties): Contract penalties are unrelated to CMMC scope.

D (Measurements): SLAs metrics do not determine scope.