CMMC-CCA Exam Dumps - Cyber AB CMMC Questions and Answers

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

Applicable Requirement (CAP – Scoping and Evidence Validation): When inconsistencies arise about the environment, assessors are required to examine objective artifacts that define boundaries, such as network diagrams and system architecture documentation.

Why A is Correct: Network diagrams objectively show whether systems are hosted on-premises or involve ESPs (cloud, MSSPs, hosting providers). Reviewing them avoids ambiguity from inconsistent verbal descriptions.

Why Other Options Are Insufficient:

B: Interviewing another OSC representative may add to confusion rather than resolve it.

C: Interconnection agreements confirm ESP relationships but do not resolve whether the OSC has on-prem or hybrid environments.

D: Contacting ESPs directly is not part of the assessment process; OSC must provide evidence.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Clarifying System Boundaries

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, architecture documentation)

===========

The CMMC Assessment Process (CAP) defines four methods: Examine, Interview, Test, and Observe.

Interview Method: Involves discussions with personnel to gather evidence about the implementation of practices.

In this case, the CCA is discussing with the system administrator to understand processes, which clearly aligns with the Interview method.

Extract:

“Interview: The assessor uses discussions with personnel to obtain evidence about how practices are implemented within the OSC’s environment.”

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment. The presence of CUI drives the assessment requirement to CMMC Level 2, regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.

CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.

Exact Extracts:

MA.L2-3.7.5: “Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity.”

Assessment Guide clarifies: “Assessors should confirm remote maintenance sessions are automatically terminated using technical means.”

NIST SP 800-171A Objective: “Test maintenance session termination after a set time of inactivity or completion of task.”

Why other options are not correct:

A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.

B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.

C: Limiting the number of personnel is not mandated by CMMC.