Cyber AB CMMC-CCA - Certified CMMC Assessor (CCA) Exam

The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence. Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.

Exact Extracts:

CMMC Assessment Guide: “The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities.”

“The assessment team members carry out activities as directed by the Lead Assessor.”

“The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions.”

Why other options are not correct:

B: Team members execute tasks but do not define methods and responsibilities.

C: Quality Oversight Managers review assessments after completion, not during planning.

D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

Practice AC.L2-3.1.3 requires that users are presented with privacy and security notices (system use notifications) at the point of system log-in to ensure that they are aware of authorized usage and monitoring.

Extract:

“Display privacy and security notices (system use notifications) before granting system access.”

Posters, alerts, or general awareness messages do not satisfy this practice because they are not tied directly to system access.

Applicable Requirement (CMMC Assessment Process): The CMMC Assessment Process (CAP) requires assessors to collect, analyze, and reconcile evidence using triangulation (examine, interview, test) to confirm whether requirements are MET or NOT MET. When inconsistencies arise, the assessor must go back to objective evidence such as diagrams, contracts, and notes.

Why Reviewing Network Diagrams Helps (supports A): Network diagrams provide authoritative evidence of scope, data flows, and system boundaries, which helps clarify whether the MSSP’s services were accurately described.

Why Reviewing MSSP Agreements Helps (supports B): Agreements (such as interconnection security agreements or service-level agreements) define shared responsibilities and confirm how the MSSP supports security controls. This evidence is critical to resolving inconsistent testimony.

Why Reviewing Notes Helps (supports C): Notes from previous interviews allow the team to pinpoint where answers diverged. This is a valid method of evidence review and aligns with CAP guidance on documenting interviews.

Why Interview Questionnaire Consistency is NOT the Correct Step (refutes D): The CAP emphasizes resolving inconsistencies through additional evidence, not by adjusting or re-checking the questionnaire itself. The consistency of the questionnaire is irrelevant — what matters is reconciling the evidence provided by both the OSC and MSSP. Thus, this is the action the Lead Assessor would NOT take.

Assessment Guidance Extract (CAP):

“When conflicting evidence is observed, the assessment team must review technical documentation, agreements, and notes to identify the root cause and determine whether additional clarification is required.”

“The interview instrument itself is not a tool for reconciling inconsistencies; rather, objective evidence must be used.”

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Section 3: Conducting the Assessment (Interview, Evidence, Triangulation, and Conflict Resolution)

CMMC Assessment Guide – Level 2, Version 2.13 — Guidance on the role of External Service Providers (MSSPs) and use of documented agreements as evidence

NIST SP 800-171A — General assessment methodology: reconcile evidence using examine, interview, and test methods

Applicable Requirement: AC.L2-3.1.17 — “Authorize wireless access prior to allowing such connections.”

Correct Interpretation: Strong authentication and encryption methods (e.g., WPA2-Enterprise, WPA3-Enterprise) are required to protect wireless communications and enforce authorization.

Why C is Correct: WPA2-Enterprise uses 802.1X authentication (often with RADIUS), ensuring that only authorized users/devices can connect. This directly supports AC.L2-3.1.17.

Why Other Options Are Insufficient:

A (Layer 3 switch): Network hardware but not specifically a wireless access control mechanism.

B (IDS): Detects intrusions but does not prevent or authorize wireless access.

D (Frequency-hopping): Obsolete method, not aligned with modern encryption/authentication requirements.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.17

NIST SP 800-171A — AC.L2-3.1.17 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.17

===========

Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.

Exact Extracts:

NIST SP 800-171A: “Test assessment method involves exercising assessment objects under specified conditions… mirrored or replicated systems may be used if validated as equivalent.”

CMMC Assessment Guide: “If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system.”

Why the other options are not correct:

A/B: Testing must focus on systems and controls, not limited groups or customer matrices.

C: Incorrect — mirrored systems are acceptable if validated as equivalent.

D: Correct, as validation of equivalency is required.

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

Applicable Requirement: SC.L2-3.13.16 — “Protect the confidentiality of CUI at rest.”

Why D is Correct: Cryptographic mechanisms (e.g., full-disk encryption, database encryption, file encryption) provide the strongest protection for information at rest by preventing unauthorized disclosure if systems or media are accessed.

Why Other Options Are Insufficient:

A (Patching): Protects against vulnerabilities, but not specific to data-at-rest confidentiality.

B (File share): Provides a storage method, not protection.

C (Secure offline storage): Helps physically, but not sufficient for digital confidentiality without encryption.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.16

NIST SP 800-171A — SC.L2-3.13.16 Assessment Objectives

CMMC Assessment Guide – Level 2, Data at Rest Protection

===========

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.