Exam CMMC-CCA Topic 1 Question 151 Discussion
Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 151
Topic #: 1
Question #: 151
Topic #: 1
You are a CCA working with an OSC that outsources some of its IT operations to a third-party service provider. The service provider has access to the OSC's networks and systems that handle FCI and CUI.
During the scoping process, you need to determine if the OSC should flow down CMMC requirements to this third-party service provider. In this scenario, when should the OSCflow down CMMC requirements to the third-party service provider?
During the scoping process, you need to determine if the OSC should flow down CMMC requirements to this third-party service provider. In this scenario, when should the OSCflow down CMMC requirements to the third-party service provider?
Suggested Answer: B Vote an answer
Comprehensive and Detailed Explanation:
The CMMC Assessment Scope - Level 2 requires that third-party service providers (e.g., ESPs) with access to FCI/CUI environments be subject to applicable CMMC requirements if they can influence security, directly or indirectly. This ensures the entire CUI protection chain is compliant. Option A limits flow-down to contract terms, which is insufficient per CMMC guidance. Option C contradicts the framework's inclusion of ESPs.
Option D excludes FCI, which is incorrect as both FCI and CUI trigger requirements. B aligns with the scoping guide.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: "ESPs influencing the FCI/CUI environment must meet CMMC requirements."
The CMMC Assessment Scope - Level 2 requires that third-party service providers (e.g., ESPs) with access to FCI/CUI environments be subject to applicable CMMC requirements if they can influence security, directly or indirectly. This ensures the entire CUI protection chain is compliant. Option A limits flow-down to contract terms, which is insufficient per CMMC guidance. Option C contradicts the framework's inclusion of ESPs.
Option D excludes FCI, which is incorrect as both FCI and CUI trigger requirements. B aligns with the scoping guide.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (ESPs), p. 6: "ESPs influencing the FCI/CUI environment must meet CMMC requirements."
by Hugo at May 07, 2026, 10:33 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).