CMMC-CCA Exam Dumps - Cyber AB CMMC Questions and Answers

MP.L2-3.8.4 requires that CUI markings follow the media, meaning when electronic documents are printed, the original markings must carry over to the hard copy. Distribution lists or colored stamps are not specifically required.

Extract:

“Mark media containing CUI with the CUI designation indicators as required. When converting CUI from one medium to another, the original markings must be retained.”

Thus, the assessor should expect to see the original markings carried onto the printouts.

The CMMC Assessment Process (CAP) requires that when sensitive or proprietary materials are exchanged during an assessment, the OSC and the C3PAO should establish confidentiality protections through a Non-Disclosure Agreement (NDA).

Extract:

“OSC and C3PAOs are expected to execute a Non-Disclosure Agreement (NDA) to protect sensitive information such as proprietary, attorney-client privileged, or pre-patent materials shared during the assessment process.”

Thus, the NDA is the correct document.

In CMMC scoping, only assets that process, store, or transmit CUI (CUI Assets) or that can access them (Security Protection, Contractor Risk Managed, Specialized Assets) are in-scope. Since the SCADA system is firewalled off and does not handle CUI, it does not fall under CUI Asset classification and is considered Out-of-Scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Assets that do not process, store, or transmit CUI and have no connectivity to CUI Assets are considered Out-of-Scope.”

“Specialized Assets… are only in-scope if they process, store, or transmit CUI.”

Why the other options are incorrect:

A: Inclusion requires processing/storing/transmitting CUI.

C: OSC cannot arbitrarily bring unrelated systems into scope; CUI relevance governs scope.

D: Not all Specialized Assets are in-scope; only those with CUI interaction are.

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is a key artifact in CMMC assessments involving MSPs or cloud service providers. It defines what security responsibilities belong to the OSC and which belong to the service provider. To evaluate the MSP’s impact, the assessor must review this matrix to understand boundaries of responsibility for CUI protection.

Exact extracts:

“When external service providers are included in the assessment boundary, organizations must provide documentation that specifies security responsibilities.”

“A Shared Responsibility Matrix (or Customer Responsibility Matrix) defines which controls are implemented by the OSC versus the external provider.”

“Assessors should request and review this matrix to understand division of responsibilities.”

Why the other options are incorrect:

A: Onsite MSP staff presence does not clarify responsibility for security controls.

C: Reviewing classification helps, but it does not explain responsibility allocation.

D: Policies/org charts do not establish shared control responsibilities.

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.