Exam CMMC-CCA Topic 3 Question 96 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 96
Topic #: 3
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?

Suggested Answer: A Vote an answer

Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.11 requires "FIPS-validated cryptography for CUI." AES-256 alone isn't sufficient without FIPS
140 validation. Interviewing personnel (A) clarifies if validated cryptography is used elsewhere, aiding compliance assessment. Testing decryption (B) is impractical, switching algorithms (C) misses the validation issue, and accepting (D) ignores FIPS requirements. The CMMC guide prioritizes interviews for evidence gathering.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Interview personnel to verify FIPS- validated cryptography usage."
* NIST SP 800-171A, 3.13.11: "Assess cryptographic practices via interviews." Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf

by Abraham at Oct 30, 2025, 02:28 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10