Cyber AB CMMC-CCA - Certified CMMC Assessor (CCA) Exam

Applicable Requirement: SC.L2-3.13.7 — “Prevent split tunneling for remote devices connecting to organizational systems.”

Assessment Method: “Examine” requires direct review of system hardware, software, and architecture to verify split tunneling is disabled.

Why C is Correct: This aligns with the NIST SP 800-171A assessment objective, which specifies verifying that mechanisms enforcing the prevention of split tunneling are implemented at the system level.

Why Other Options Are Insufficient:

A: Describes “test” method, not “examine.”

B: Describes “interview” method, not “examine.”

D: Too general and vague; does not align to evidence required under “examine.”

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.7

NIST SP 800-171A — SC.L2-3.13.7 (Assessment Objectives & Examine Method)

CMMC Assessment Guide – Level 2, SC.L2-3.13.7

===========

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why A is Correct: Security guards are a recognized preventive and detective physical control to limit access to only authorized individuals. Guards can verify credentials, monitor behavior, and provide real-time deterrence.

Why Other Options Are Insufficient:

B (Cameras): Provide monitoring and evidence, but not direct access control.

C (Firewalls): A network control, not a physical access measure.

D (Partition walls): Barriers may help physically separate areas but do not control who enters.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Security Controls

===========

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.