Cyber AB CMMC-CCA - Certified CMMC Assessor (CCA) Exam

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that “management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.” Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

“Authorize wireless access prior to allowing such connections.”

“Assessment Objectives … Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.”

“Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: • types of devices, such as corporate or privately owned equipment; • configuration requirements of the devices; and • authorization requirements before granting such connections.”

Assessment method – Examine: “Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations …”

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.16 “Wireless Access Authorization” (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

If an OSC wishes to separate environments that process FCI from those that process CUI, they may pursue two separate CMMC certifications (Level 1 for FCI and Level 2 for CUI). A single certification cannot cover both environments unless all requirements for the higher level are met across the entire enterprise.

Exact Extracts:

CMMC Assessment Guide: “An OSC may choose to undergo multiple CMMC certification activities if they wish to limit scope between FCI and CUI environments.”

“Level 1 applies to safeguarding FCI, while Level 2 applies to CUI; separate certifications may be pursued if the OSC chooses to segregate these environments.”

Why the other options are not correct:

A: A single certification would require all assets to meet Level 2 controls, which may not be the OSC’s intent.

C: Defining scope for FCI only aligns with Level 1, but this does not meet Level 2 certification requirements for CUI.

D: A self-assessment scope only applies to Level 1 assessments, not Level 2 third-party certification.

The test assessment method means the assessor actively exercises or stimulates the system (or object) under defined conditions to compare actual results with expected behavior. This goes beyond review or observation and involves hands-on validation.

Exact Extracts:

NIST SP 800-171A: “The test method is the process of exercising assessment objects under specified conditions to compare actual with expected behavior.”

CMMC Assessment Guide: “Testing requires assessors to observe the execution of functions, mechanisms, or activities to confirm effectiveness.”

Why the other options are not correct:

A: This defines Examine (not Test).

B: This aligns with Interview or compliance review, not Test.

D: This is a generic definition but does not capture the essence of Test (direct execution under conditions).

The Access Control (AC) domain governs remote access, privileged access, and VPN controls. Documents describing how VPNs are controlled, monitored, and restricted fall under the Access Control Policy.

Extract:

“Access Control practices include the management of remote connections, monitoring of sessions, and enforcement of VPN controls.”

Thus, the correct document is the Access Control Policy.

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented.

For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.

Extract:

“Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated.”

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.