Cyber AB CMMC-CCA - Certified CMMC Assessor (CCA) Exam

External connections are defined as connections crossing the OSC’s assessment boundary. Here:

The dedicated VPN from office to cloud = one external connection.

The user-initiated VPNs from remote laptops to cloud = a second external connection.

Extract:

“External connections include all system interfaces that cross the assessment boundary, including VPNs initiated by users or established between sites.”

Thus, there are two external connections.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The Physical Protection (PE) Domain requires implementation of physical access controls to prevent unauthorized access to CUI systems. Simply trusting employees or sending communications is not sufficient. However, if the server is located inside a secondary restricted room that only the IT team can access, then adequate physical protection controls are still in place.

Extract from PE.L2-3.10.x (Physical Protection Practices):

“Organizations must limit physical access to systems, equipment, and environments that process, store, or transmit CUI to authorized individuals only.”

Thus, placing the server within an additional restricted access-controlled room ensures compliance, even if the outer door is propped open for cooling.

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========

If an asset processes or generates CUI, it is a CUI Asset by definition, regardless of whether it is also part of a test lab or claimed as a Specialized Asset. Specialized Asset handling applies only when the asset does not process, store, or transmit CUI. Since the workstation outputs CUI, it must be assessed fully against CMMC practices.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Specialized Assets… do not process, store, or transmit CUI.”

“If a Specialized Asset processes CUI, it must be categorized as a CUI Asset and is assessed against all applicable practices.”

Why the other options are incorrect:

B: The issue is not with the SSP practice; it is with misclassification of an asset.

C/D: Risk-based treatment applies only to Specialized Assets without CUI, which is not the case here.

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

Applicable Requirement (CAP – Scoping and Evidence Validation): When inconsistencies arise about the environment, assessors are required to examine objective artifacts that define boundaries, such as network diagrams and system architecture documentation.

Why A is Correct: Network diagrams objectively show whether systems are hosted on-premises or involve ESPs (cloud, MSSPs, hosting providers). Reviewing them avoids ambiguity from inconsistent verbal descriptions.

Why Other Options Are Insufficient:

B: Interviewing another OSC representative may add to confusion rather than resolve it.

C: Interconnection agreements confirm ESP relationships but do not resolve whether the OSC has on-prem or hybrid environments.

D: Contacting ESPs directly is not part of the assessment process; OSC must provide evidence.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Clarifying System Boundaries

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, architecture documentation)

===========

The CMMC Assessment Guide (Level 2) requires organizations to have a documented procedure for the identification and handling of unmarked potential CUI. The DoD guidance specifies that contractors cannot assume unmarked data is not CUI; instead, they must have a process to ensure unmarked potential CUI is handled properly until its classification is clarified.

Extract from Assessment Guide:

“Organizations must establish procedures for the handling of unmarked data that is suspected of being CUI. These procedures should define how unmarked information is protected until such time its status can be determined.”

Therefore, the correct answer is to have a procedure for proper handling of unlabeled data.

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.