Cyber AB CMMC-CCA - Certified CMMC Assessor (CCA) Exam

The Examine method is used when the assessor reviews documents, policies, procedures, or system artifacts to validate practices.

Extract:

“Examine: Review, inspect, or analyze assessment objects such as documents, records, and policies to determine compliance with practice requirements.”

Reviewing the incident response plan falls directly under Examine.

The control PS.L2-3.9.1: Screen Individuals requires that individuals be screened before authorizing access to organizational systems and CUI. Since employees are assigned to work immediately upon hire, before screenings are complete, this practice is NOT MET. Completing screenings within the first week does not satisfy the requirement.

Exact extracts:

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

“Assessment Objectives … Determine if: [a] individuals requiring access to CUI are screened before access is granted.”

“It is not sufficient for screening to occur after access has been authorized.”

Why the other options are incorrect:

A: Remediation may be possible, but scoring must be NOT MET.

B: A single practice being NOT MET does not automatically cause assessment failure (depends on aggregate score).

C: HR responsibility does not excuse failure to complete screening before granting access.

Applicable Requirement (CAP – Evidence Validity): Evidence must be relevant, reliable, and timely. Artifacts from separate entities or outdated sources require extra scrutiny.

Why D is Correct: The least reliable evidence is old (18 months) and produced by individuals not part of the OSC entity being assessed. Such artifacts require the most verification to determine applicability.

Why Other Options Are Insufficient:

A: Strongest evidence (current and from OSC staff).

B: Outdated, but still from OSC staff (more reliable than outside entity).

C: Current, but external (still stronger than outdated + external).

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Reliability Criteria

CMMC Assessment Guide – Level 2 — Acceptable Evidence

===========

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

The Scoping Guidance for Specialized Assets allows exclusion of assets when they are physically and logically isolated from the CMMC assessment boundary and do not process, store, or transmit CUI.

Extract from CMMC Scoping Guidance:

“Specialized Assets may be designated as out-of-scope if they are physically or logically separated from CUI assets, or if they are inherently unable to process, store, or transmit CUI.”

The camera system in this case does not interact with CUI and is fully isolated, making exclusion appropriate.

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:

Replan the assessment (adjust scope, timeline, or requirements), or

Reschedule the assessment (move the engagement to a later date).

Extract:

“Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled.”

Thus, the correct answer is B.