[Jan-2026] Pass CMMC-CCA Exam in First Attempt Updated CMMC-CCA Exam Questions [Q85-Q107]


Cyber AB CMMC Dumps CMMC-CCA Exam for Full Questions - Exam Study Guide

NEW QUESTION # 85
During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team. Can the Lead Assessor proceed with the assessment using a reduced assessment team size?

  • A. The decision is solely up to the OSC.
  • B. Yes, but only with the express written consent of the Cyber AB.
  • C. No, the assessment must be postponed until the full team is available.
  • D. Yes, as long as the remaining team members possess the necessary qualifications to cover all CMMC practices.

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CAP allows flexibility in team size if the remaining members are qualified to cover all practices (Option D). Options A, B, and C impose conditions that the CAP does not support.
Extract from Official Document (CAP v1.0):
* Section 1.5 - Assessment Team Roles (pg. 16): "The Lead Assessor may proceed with a reduced team if remaining members are qualified to cover all required CMMC practices."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.5.


NEW QUESTION # 86
In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?

  • A. 32 CFR Part 2002 and ISOO CUI Registry
  • B. 22 CFR Part 120-130
  • C. DFARS 252.204-7012 and ISOO CUI Registry
  • D. 48 CFR 52.204-21 and NIST SP 800-171

Answer: A

Explanation:
Comprehensive and Detailed In-Depth Explanation:
32 CFR Part 2002 defines CUI and establishes the national policy, while the ISOO CUI Registry categorizes CUI types; together they provide the authoritative resource for understanding CUI. The other options (C, D) are contract-specific or implementation-focused, and 22 CFR (B) relates to ITAR, not CUI policy. The CMMC guide references these sources.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0): "Refer to 32 CFR Part 2002 and ISOO Registry for CUI definition."
* 32 CFR 2002.4(h): "CUI defined."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 87
Your C3PAO has selected you as the Lead Assessor for the Assessment Team assessing an OSC's implementation of CMMC practices. Part of this assessment includes validating the OSC's CMMC assessment scope. Which of the following is NOT a factor to consider when determining which assets are in scope?

  • A. Assets that secure the CUI or FCI storage location.
  • B. Organizational assets that process CUI or FCI.
  • C. Third-party assets that store CUI or FCI.
  • D. Government assets transmitting CUI into the OSC's systems.

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CMMC Assessment Scope - Level 2 includes assets under the OSC's control that process, store, or transmit CUI/FCI (Option B), secure these assets (Option A), or are managed by third parties (e.g., ESPs) handling CUI/FCI (Option C). Government assets transmitting CUI into the OSC's systems (Option D) are out of scope, as they fall under a separate government authorization boundary and are not managed by the OSC. The scoping guide explicitly excludes such assets, making D the correct answer.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.5 (Out-of-Scope Assets), p. 7: "Government assets transmitting CUI into OSC systems are out of scope."


NEW QUESTION # 88
Ron is the Lead Assessor for an OSC's CMMC assessment. His team has scheduled interviews and demonstrations with the OSC's system administrator, Olivia. However, on the first day, the CEO informs Ron that Olivia is very ill and is unavailable. The CEO offers to be interviewed about Olivia's responsibilities instead, even though he does not actually perform those tasks. What should Ron do in this scenario?

  • A. Have the CEO accompanied by another IT rep during the interview.
  • B. It depends on the specific details discussed during the interview with the CEO.
  • C. Interview the CEO.
  • D. Reschedule the interviews with Olivia or continue with another person who understands and performs Olivia's duties while she is away.

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CAP requires interviews with individuals who perform the tasks, not proxies like the CEO (Options A, B, C). Option D ensures compliance by seeking the appropriate personnel.
Extract from Official Document (CAP v1.0):
* Section 2.2 - Conduct Assessment (pg. 25): "Interviews and demonstrations must be conducted with the person responsible for carrying out the work."
References:
CMMC Assessment Process (CAP) v1.0, Section 2.2; CoPC Paragraph 2.4.


NEW QUESTION # 89
A DoD contractor developing guidance and targeting systems has subcontracted a data analytics company to analyze their data accuracy. How should the DoD contractor handle the analytics company when preparing a CMMC assessment scope?

  • A. Do not include the analytics company in the CMMC assessment scope.
  • B. Include the entire analytics company in the assessment scope.
  • C. Include only assets of the analytics company that deal with their equipment data analytics.
  • D. Terminate their engagement with the analytics company during the assessment process.

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The analytics company, as an ESP, must be included in the scope for assets processing, storing, or transmitting CUI (e.g., guidance system data), per the CMMC Assessment Scope - Level 2. Only relevant assets are scoped, not the entire company (Option B). Termination (Option D) is unnecessary, and exclusion (Option A) violates the guidance. C is correct.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: "Include ESP assets handling CUI/FCI."


NEW QUESTION # 90
Does CMMC Level 2 require that a Cloud Service Provider (CSP) hold a FedRAMP HIGH authorization hosted in a government community cloud (GCC)?

  • A. Yes. FedRAMP HIGH is required for CUI data controls due to the sensitive nature of the Defense Industrial Base systems.
  • B. No. The CSP must hold a FedRAMP MODERATE authorization.
  • C. Yes. FedRAMP HIGH authorization demonstrates the CSP's compliance with NIST SP 800-53 and SP 800-171 control requirements.
  • D. No. The CSP can obtain a FedRAMP MODERATE equivalency.

Answer: B

Explanation:
CMMC Level 2 requires CSPs that process, store, or transmit CUI to meet FedRAMP Moderate (or equivalent) authorization, not FedRAMP High. FedRAMP High is not a CMMC requirement but may be required by contract or specific agencies.
Exact Extracts:
* DoD CMMC Scoping Guide: "External Cloud Service Providers must meet FedRAMP Moderate equivalency when storing, processing, or transmitting CUI."
* CMMC Assessment Guide: "The baseline requirement for CUI in cloud environments is FedRAMP Moderate; higher levels may be contractually required."
Why other options are not correct:
* D: Equivalency is allowed, but only to the FedRAMP Moderate level.
* A/C: Incorrect, because CMMC Level 2 does not mandate FedRAMP High.
References:
CMMC Assessment Guide - Level 2, Version 2.13: External Service Providers and FedRAMP Moderate equivalency requirements.
DoD Cloud Computing SRG (referenced in CMMC documentation): CUI requires FedRAMP Moderate baseline.


NEW QUESTION # 91
You are assessing an organization's implementation of the System and Information Integrity (SI) practices.
During your assessment, you find that the organization has subscribed to security alert and advisory services from reputable sources, such as US-CERT and relevant industry-specific organizations. In interviews with their network and system administrators, you learn that they have deployed an intrusion detection system (IDS) to monitor network traffic for known threats and suspicious activities. They also have a Security Information and Event Management (SIEM) system in place to aggregate and analyze logs from various sources for potential security incidents. Additionally, the network administrator informs you that they have established a Security Operations Center (SOC) to monitor and analyze activity on networks, servers, databases, applications, and other systems. However, you notice that while the organization receives these alerts and advisories, there is no documented process or assigned personnel responsible for reviewing and acting upon them. After reviewing the organization's implementation, which of the following would be the most appropriate next step for the assessor to validate compliance with CMMC practice SI.L2-3.14.3 - Security Alerts & Advisories?

  • A. Interview the personnel responsible for the Security Operations Center (SOC) to determine whether they take actions in response to security alerts and advisories
  • B. Test the organization's processes for defining, receiving, and disseminating security alerts and advisories
  • C. Review system audit logs and records for evidence of actions taken in response to security alerts and advisories
  • D. Examine the organization's system and information integrity policies and procedures

Answer: A

Explanation:
Comprehensive and Detailed In-Depth Explanation:
SI.L2-3.14.3 requires organizations to "monitor security alerts and advisories and take appropriate actions in response." While the organization has tools (IDS, SIEM, SOC) and subscriptions to alerts, the lack of a documented process or assigned personnel to act on them raises a compliance gap. Interviewing SOC personnel is the most direct next step to determine if actions are taken, as they are operationally positioned to respond to alerts. Testing processes (B) assumes a process exists, which isn't evident. Examining policies (D) won't reveal operational actions, and reviewing logs (C) requires prior knowledge of which actions to look for. The CMMC guide prioritizes interviews to validate operational implementation.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), SI.L2-3.14.3: "Interview: Personnel with security responsibilities; SOC personnel to determine actions taken in response to alerts."
* NIST SP 800-171A, 3.14.3: "Interview personnel to verify that alerts and advisories are reviewed and acted upon."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 92
While assessing the scope provided by an OSC, you realize they have two environments with distinct characteristics: the headquarters space located at 24 Industrial Pkwy and an off-site location at 25 Industrial Pkwy. The headquarters houses several offices where document processing occurs on a cloud-hosted Microsoft Dynamics 365 GCC environment. At the off-site location, users access designs from servers hosted at the headquarters through a Virtual Private Network (VPN). These designs are used first in a 3D printer to develop prototypes and subsequently in a Computer Numerical Control (CNC) machine for production. All these operations are supported by a high-quality Industrial Control System (ICS). What type of environment is the off-site facility located at 25 Industrial Pkwy?

  • A. Professional environment
  • B. Industrial environment
  • C. Backup environment
  • D. Off-site environment

Answer: B

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The off-site facility at 25 Industrial Pkwy is characterized by production activities involving 3D printers, CNC machines, and an ICS, which are hallmarks of an industrial environment per CMMC scoping guidance. These systems support manufacturing and prototyping, distinguishing it from a backup (Option C) or generic office (Option A) environment. While "off-site" (Option D) describes its location, "industrial" defines its function, aligning with CMMC's focus on environment types handling CUI. Option B is the correct answer.
Reference Extract:
* CMMC AG Level 2, Section 1.3: "Industrial environments include production facilities with ICS, 3D printers, or CNC machines processing CUI."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 93
An OSC submits to the C3PAO Assessment Team for validation a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMware. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the enclave and a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its enclave?

  • A. Decentralization
  • B. Segmentation
  • C. Virtualization
  • D. Physical separation

Answer: B

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The OSC uses VLANs and a firewall to restrict communication, which constitutes segmentation, a method of creating logical barriers within a network to isolate the enclave. Physical separation (Option D) requires distinct hardware, which does not apply here with a single server. Decentralization (Option A) involves distributed systems and is not relevant. Virtualization (Option C) enables access via VMware but is not the security method.
Segmentation aligns with the CMMC and NIST SP 800-171 guidance for enclave protection.
Reference:
CMMC Assessment Scope - Level 2, Section 2.2 (Enclave Scoping), p. 4: "Segmentation uses VLANs and firewalls to isolate enclaves."


NEW QUESTION # 94
A midsized professional services organization that frequently contracts with government entities is undergoing a CMMC Level 2 assessment. The CCA interviews IT leadership about their audit logging capabilities and determines that a third-party vendor is responsible for correlating and reviewing audit logs.
During the interview, they discuss the process that has been implemented by the vendor to provide a monthly summary of their audit log review to the organization. What issue should the CCA resolve during the interview?

  • A. Audit logs must be reviewed on at least a weekly basis for CMMC requirements.
  • B. The vendor may not use the same authoritative time source.
  • C. The vendor has the ability to provide report generation.
  • D. Audit logs should not be correlated and reviewed by a third party as they may contain CUI.

Answer: A

Explanation:
CMMC Level 2 requires that audit logs be reviewed and updated at least weekly to detect anomalies and potential security incidents. A vendor providing only monthly summaries does not meet the requirement. The assessor must resolve this issue to confirm compliance.
Exact Extracts (official CMMC Assessor/Study documents):
* AU.L2-3.3.7: "Review and update logged events, as well as the audit log, at least weekly."
* AU.L2-3.3.6: "Review and analyze information system audit records for indications of inappropriate or unusual activity and report findings."
* CMMC Level 2 Assessment Guide emphasizes: "Organizations must demonstrate procedures to review audit logs at least weekly, even when external vendors perform this function."
* NIST SP 800-171A states: "The frequency of review must be sufficient to detect anomalies in a timely manner... at least weekly is required."
Why other options are not correct:
* C: Report generation capability is not the compliance issue; frequency of review is.
* B: Using a common authoritative time source (AU.L2-3.3.7) is important, but the deficiency here is the frequency of log review, not the time source.
* D: Third-party involvement is permitted if the OSC maintains control and ensures requirements (frequency, integrity, protection of CUI) are met.
References (official CCA/CMMC documents):
* CMMC Assessment Guide - Level 2, Version 2.13: Practices AU.L2-3.3.6 and AU.L2-3.3.7 (pp. 56-60).
* NIST SP 800-171A, Audit and Accountability objectives.


NEW QUESTION # 95
A contractor is preparing to bid on an upcoming DoD contract to provide next-generation upper limb prosthetics for injured servicemen. Part of the preparation is undergoing a CMMC assessment, and they have hired you to assess their implementation of CMMC practices. The contractor has multiple design, manufacturing, and supply chain management systems. Each system generates its audit logs, which are stored in separate repositories. Different teams analyze and review them independently, with each team reporting the findings to the respective departmental heads. For instance, the engineering team reviews and analyzes logs related to the design systems and reports to the lead engineer, while the operations team focuses on the manufacturing system logs. When interviewing personnel responsible for audit record review, analysis, and reporting, they inform you that this is deliberately set up to ensure departmental independence and granular risk identification. Based on the CMMC practice AU.L2-3.3.5 - Audit Correlation, what is the likely issue you would identify with the contractor's current approach?

  • A. Lack of defined processes for audit record review, analysis, and reporting
  • B. Failure to retain audit logs for an adequate duration
  • C. The audit review, analysis, and reporting processes are not correlated across systems
  • D. Absence of automated mechanisms for analyzing and correlating audit records

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
AU.L2-3.3.5 requires organizations to "correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, or suspicious activity." The contractor's siloed approach, with separate teams and repositories, lacks correlation across systems, undermining the ability to detect organization-wide patterns or incidents. While departmental independence may aid granular risk identification, it doesn't meet the practice's requirement for integrated correlation. The other options (A, B, D) aren't directly supported by the scenario: processes exist, automation isn't mandated, and retention isn't addressed.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AU.L2-3.3.5: "Correlate audit record review across systems to support investigation of suspicious activity."
* NIST SP 800-171A, 3.3.5: "Examine processes to ensure correlation across different systems and repositories."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 96
While examining evidence, a CCA is trying to confirm the claim that the OSC has identified all information system users, processes acting on behalf of users, and all devices.
Which of the following provides the STRONGEST evidence of this practice?

  • A. Lists of system accounts and devices and system audit logs and records
  • B. System design documentation and other relevant documents or records
  • C. Procedures addressing user and system identification and authentication and SSP
  • D. Identification and authentication policy and system configuration settings and associated documentation

Answer: A

Explanation:
For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.
Extract:
"Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated."
Reference: CMMC Assessment Guide - Level 2, IA.L2-3.5.1.


NEW QUESTION # 97
An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC's cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:

  • A. Evaluate the colocation facility security process as listed in the service agreement.
  • B. Physically visit the colocation facility to determine the effectiveness of controls and review the OSC's process for maintaining access to the keys.
  • C. Evaluate the colocation facility security process as listed in the service agreement and review the OSC's process for maintaining access to the keys.
  • D. Physically visit the colocation facility to determine the effectiveness of controls.

Answer: B

Explanation:
The Physical Protection (PE) practices require both direct assessor observation of security controls and verification of how the OSC manages access to its cages/cabinets.
Extract:
"Assessors should observe and verify the effectiveness of physical access controls and confirm the OSC's processes for maintaining control over restricted areas and assets."
Thus, the best option is to physically visit the facility and review the OSC's key access management process.
Reference: CMMC Assessment Guide - Level 2, PE Practices.


NEW QUESTION # 98
When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing to assess the posture of its security controls every ten months. The policy also states that after every four months, the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy implementation, you decide to chat with various personnel involved in security functionalities. You realize that although it is documented in the policy, the contractor has not audited their security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 - Security Control Assessment?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
CA.L2-3.12.1 requires "periodically assessing security controls to determine effectiveness." The policy defines a 10-month cycle, but no audits have occurred in over two years, failing the implementation objective.
Per the DoD Scoring Methodology, this 5-point practice scores -5 (Not Met) when not fully implemented, as partial compliance isn't recognized. The CMMC guide stresses actual execution over documented intent.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CA.L2-3.12.1: "Assess controls at defined frequency."
* DoD Scoring Methodology: "5-point practice: Met = +5, Not Met = -5."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 99
An OSC has recently obtained an ISO 27001 certification and a FedRAMP Authorization to Operate (ATO) for its information systems. During the initial stages of the CMMC Assessment Process, the OSC claims that these certifications should grant them automatic credit or exemption from certain CMMC requirements. As the Lead Assessor, what should be your response?

  • A. Accept the OSC's claim and grant them appropriate credit or exemption based on their ISO 27001 and FedRAMP certifications.
  • B. Proceed with the CMMC Assessment as planned, disregarding the OSC's claim about their ISO 27001 and FedRAMP certifications.
  • C. Inform the OSC that their ISO 27001 and FedRAMP certifications do not bestow any status or credit towards their CMMC assessment or certification.
  • D. Request the OSC to provide evidence of their ISO 27001 and FedRAMP certifications and then consult with the CMMC Accreditation Body to determine if any credit or exemption can be granted.

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CAP explicitly states that other certifications like ISO 27001 or FedRAMP do not automatically grant CMMC credit unless DoD publishes non-duplication policies, making Option C correct. Option B (disregarding) is incomplete without explanation. Option D (consulting the Cyber AB) is unnecessary without policy support. Option A (accepting) violates the CAP.
Extract from Official Document (CAP v1.0):
* Section 1.1 - Purpose (pg. 7): "Other cybersecurity conformance regimes do not grant automatic status or credit towards CMMC Assessment unless the DoD publishes non-duplication policies."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.1.


NEW QUESTION # 100
A leading technology solutions provider that works with various government agencies and commercial clients has implemented a dedicated CUI enclave within its network infrastructure to ensure the secure handling of CUI. As a Certified CMMC Assessor, you are tasked with assessing the scope of the solutions provider's CMMC requirements. Which separation technique can the technology solutions provider use to isolate the network assets in its CUI enclave?

  • A. Logical isolation
  • B. Encryption
  • C. Physical separation
  • D. Segmentation

Answer: A

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CMMC Assessment Scope - Level 2 allows organizations to isolate CUI within an enclave using various techniques, with logical isolation being a recognized method. Logical isolation uses software and network configurations (e.g., firewalls, VLANs) to create separate segments within the same physical infrastructure, effectively isolating the CUI enclave without requiring physically distinct hardware (Option C) or broad network segmentation (Option D). Encryption (Option B) secures data but does not inherently isolate network assets. Logical isolation aligns with the scenario's use of a dedicated enclave within the existing infrastructure, as supported by NIST SP 800-171 and CMMC guidance.
Reference:
CMMC Assessment Scope - Level 2, Section 2.2 (Enclave Scoping), p. 4: "Logical isolation, such as VLANs or firewalls, can be used to isolate CUI enclaves."


NEW QUESTION # 101
During the Planning phase, the C3PAO and Lead Assessor will collect information from the OSC to provide a Rough Order of Magnitude (ROM). This enables the Assessor to approximate the duration, schedule, and cost of the Assessment. To determine the Rough Order of Magnitude (ROM), the Lead Assessor can use the following inputs, EXCEPT?

  • A. The OSC's readiness.
  • B. The size and complexity of the OSC.
  • C. Education levels of the Assessment Team.
  • D. The OSC's location and number of facilities.

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
The CAP lists OSC-related inputs for the ROM (Options A, B, D), but the education levels of the Assessment Team (Option C) are irrelevant to this estimate.
Extract from Official Document (CAP v1.0):
* Section 1.5 - Assessment Planning (pg. 16): "ROM inputs include OSC location, size, complexity, and readiness."
References:
CMMC Assessment Process (CAP) v1.0, Section 1.5.


NEW QUESTION # 102
When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each having its access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure the remote access to CUI is not compromised. In assessing the contractor's implementation of AC.L2-3.1.14 - Remote Access Routing, what must you determine?

  • A. The contractor manages access control points
  • B. All users are authenticated before being granted remote access
  • C. Managed access control points are identified, implemented, and remote access is routed through these managed network access control points
  • D. All remote access is monitored

Answer: C

Explanation:
Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.14 requires organizations to "route remote access through managed network access control points." The assessor must confirm that these points are identified, implemented, and used to channel all remote CUI access (C), ensuring centralized control and security. Managing points alone (A) isn't enough without routing, monitoring (D) is a separate practice (AC.L2-3.1.13), and authentication (B) is covered by AC.L2-3.1.12. The CMMC guide specifies both identification and routing as objectives.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.14: "[a] Identify managed access control points; [b] route remote access through them."
* NIST SP 800-171A, 3.1.14: "Examine routing configuration through managed points."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 103
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:

  • A. Install a badge system and require each individual to use their badge to gain entry to the building.
  • B. Install a keypad system and require the entry code to be changed when an individual leaves the company.
  • C. Maintain security cameras to continuously monitor access to the building.
  • D. Maintain a list of authorized personnel and assign them a building key.

Answer: A

Explanation:
CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.
Exact Extracts (official CMMC Assessor/Study documents):
* PE.L2-3.10.1: "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals."
* PE.L2-3.10.3: "Escort visitors and monitor visitor activity."
* PE.L2-3.10.5: "Access records must be maintained."
* CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.
Why the other options are not correct:
* D (keys): Keys do not provide audit logs or individual accountability.
* C (cameras): Monitoring alone is insufficient; prevention and control are required.
* B (keypads): Shared codes do not provide unique traceability or access history per user.
References:
CMMC Assessment Guide - Level 2, Version 2.13: PE.L2 practices (pp. 153-159).
NIST SP 800-171A, Physical and Environmental Protection (PE) assessment objectives.


NEW QUESTION # 104
John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC's security practices leave much to be desired. After speaking with the OSC's IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John's actions?

  • A. John's actions were deemed acceptable since he did not directly profit from connecting the OSC with the vendor.
  • B. John violated the principles of professionalism and objectivity by soliciting business for a third-party vendor while serving on the Assessment Team.
  • C. John did not show respect for intellectual property.
  • D. John acted appropriately by trying to help the OSC improve its security posture.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
The CoPC prohibits CCAs from soliciting business or offering vendor recommendations during assessments; doing so violates the principles of Professionalism and Objectivity. Option A (appropriate) ignores this. Option B (IP) is unrelated. Option C (no profit) doesn't excuse the violation. Option D is correct.
Extract from Official Document (CoPC):
* Paragraph 3.3(4) - Proper Use of Methods (pg. 7): "Do not solicit business for third-party vendors while serving on an Assessment Team."
References:
CMMC Code of Professional Conduct, Paragraph 3.3(4).


NEW QUESTION # 105
A contractor allows for the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on such devices as tablets and smartphones. After assessing AC.L2-3.1.18 - Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 - Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all the data on a mobile device is encrypted. Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 - Encrypt CUI on Mobile?

  • A. Staff in the Human Resources department
  • B. IT helpdesk staff who troubleshoot basic mobile device issues
  • C. Executives in the company
  • D. Personnel with access control responsibilities for mobile devices

Answer: D

Explanation:
Comprehensive and Detailed In-Depth Explanation:
CMMC practice AC.L2-3.1.19 requires that organizations "encrypt CUI on mobile devices and mobile computing platforms" to protect sensitive data from unauthorized access. To assess the implementation effectively, you need to interview personnel who have direct knowledge of and responsibility for the encryption measures on mobile devices. Personnel with access control responsibilities for mobile devices are best suited for this, as they are likely involved in configuring, managing, and enforcing encryption policies specific to mobile devices handling CUI. Executives may have a high-level overview but lack technical details. IT helpdesk staff typically handle basic troubleshooting and may not have insight into encryption implementation. HR staff focus on personnel management, not technical security controls. The CMMC Assessment Guide emphasizes interviewing individuals with operational responsibility for the specific control to verify implementation details.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.19: "Interview: Personnel with information security responsibilities; personnel with mobile device responsibilities; network and system administrators."
* NIST SP 800-171A, 3.1.19: "Interview personnel with responsibilities for encrypting CUI on mobile devices to determine the processes and mechanisms in place."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf


NEW QUESTION # 106
An OSC receives a POA&M during their CMMC L2 assessment. 170 days later, they submit an updated POA&M with evidence of all corrective actions. Can the C3PAO still conduct a close-out assessment?

  • A. Yes, but the OSC must re-perform the entire CMMC L2 assessment.
  • B. Yes, as long as all corrective actions are verified.
  • C. No, the 180-day window has closed.
  • D. No, the OSC must wait for the next assessment cycle.

Answer: B

Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP's 180-day window is a scheduling guideline, not a strict deadline that bars closeout when the submission is made within reason (170 days here). Options A and B misinterpret this flexibility. Option D (full reassessment) is unnecessary if the corrections are verified. Option C is correct.
Extract from Official Document (CAP v1.0):
* Section 3.4 - POA&M Closeout (pg. 35): "Within 180 days from the Final Findings Briefing, conduct a POA&M Closeout Assessment to verify corrective actions, focusing on successful implementation."
References:
CMMC Assessment Process (CAP) v1.0, Section 3.4.


NEW QUESTION # 107
......

Authentic Best resources for CMMC-CCA Online Practice Exam: https://www.freecram.com/Cyber-AB-certification/CMMC-CCA-exam-dumps.html
