Exam CMMC-CCA Topic 2 Question 144 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 144
Topic #: 2
During a CMMC assessment, you review the OSC's documented procedures for access control.These procedures detail a user access request and approval process for the organization's Human Resources (HR) information system. You then interview IT personnel responsible for access control, who confirm the documented procedures accurately reflect how access is managed for the HR system. However, the OSC's network diagram reveals the presence of other in-scope systems critical to their operations, such as their Engineering Design Database and Manufacturing Control System. Neither the documented procedures nor the interview addressed access control practices for these additional systems. Based on the CMMC Assessment Process guidelines on evidence sufficiency, how would you characterize the evidence collected so far regarding access control?

Suggested Answer: C Vote an answer

Comprehensive and Detailed in Depth Explanation:
The CMMC Assessment Process (CAP) requires evidence to be sufficient and complete across all in-scope systems handling CUI to validate compliance with practices like AC.L2-3.1.1 (Authorized Access Control).
While the evidence for the HR system (documents and interviews) is valid, it does not cover the Engineering Design Database and Manufacturing Control System, which are critical and in-scope per the network diagram.
CAP guidelines state that partial evidence covering only some systems is insufficient for a full assessment, as all CUI-related systems must be evaluated.
Option A (valid but incomplete) is close but not a CAP-defined category-evidence is either sufficient or insufficient. Option B (sufficient) overstates the evidence's scope. Option D (inconclusive) implies uncertainty, whereas the gap is clear. Option C (insufficient) aligns with CAP's requirement for comprehensive coverage, making it the correct answer.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 4.2:"Evidence is insufficient if it does not address all in-scope systems and processes required by the CMMC practice."Resources:https://cyberab.org/Portals
/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf

by Bonnie at Jan 30, 2026, 06:05 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10