Exam CMMC-CCA Topic 1 Question 151 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 151
Topic #: 1
You are a CCA working with an OSC that outsources some of its IT operations to a third-party service provider. The service provider has access to the OSC's networks and systems that handle FCI and CUI.
During the scoping process, you need to determine if the OSC should flow down CMMC requirements to this third-party service provider. In this scenario, when should the OSCflow down CMMC requirements to the third-party service provider?

Suggested Answer: B Vote an answer

Comprehensive and Detailed Explanation:
The CMMC Assessment Scope - Level 2 requires that third-party service providers (e.g., ESPs) with access to FCI/CUI environments be subject to applicable CMMC requirements if they can influence security, directly or indirectly. This ensures the entire CUI protection chain is compliant. Option A limits flow-down to contract terms, which is insufficient per CMMC guidance. Option C contradicts the framework's inclusion of ESPs.
Option D excludes FCI, which is incorrect as both FCI and CUI trigger requirements. B aligns with the scoping guide.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: "ESPs influencing the FCI/CUI environment must meet CMMC requirements."

by Hugo at May 07, 2026, 10:33 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10