CMMC-CCA Certified CMMC Assessor (CCA) Exam Questions and Answers

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”

NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”

Why other options are not correct:

A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.

B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.

D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.

To validate separation of CUI systems from non-CUI systems on a local network, the assessor must evaluate the VLAN configuration. VLANs are a recognized logical segmentation method for separating enclaves, as defined in the CMMC Scoping Guide.

Exact Extracts:

CMMC Scoping Guide: “Isolation can be achieved by implementing subnetworks with firewalls, routers, and VLANs to ensure separation of CUI assets from out-of-scope assets.”

“CUI Assets must be isolated from non-CUI assets unless those non-CUI assets are designated as Security Protection Assets or Contractor Risk Managed Assets.”

Why other options are not correct:

A (WAN): Wide Area Networks describe external connectivity, not local separation.

B (VPN): VPN provides encrypted remote access but does not enforce local network segmentation.

D (NAT): NAT provides IP translation, not logical separation of traffic.

Applicable Requirement: SC.L2-3.13.7 — “Prevent split tunneling for remote devices connecting to organizational systems.”

Assessment Method: “Examine” requires direct review of system hardware, software, and architecture to verify split tunneling is disabled.

Why C is Correct: This aligns with the NIST SP 800-171A assessment objective, which specifies verifying that mechanisms enforcing the prevention of split tunneling are implemented at the system level.

Why Other Options Are Insufficient:

A: Describes “test” method, not “examine.”

B: Describes “interview” method, not “examine.”

D: Too general and vague; does not align to evidence required under “examine.”

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.7

NIST SP 800-171A — SC.L2-3.13.7 (Assessment Objectives & Examine Method)

CMMC Assessment Guide – Level 2, SC.L2-3.13.7

===========

According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.

Extract from CMMC Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider’s SIEM to monitor their entire cloud environment where CUI is processed.

Extract:

“Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented.”

Thus, the practice is MET because the SIEM covers the cloud environment.

The CMMC Assessment Process (CAP) defines four methods: Examine, Interview, Test, and Observe.

Interview Method: Involves discussions with personnel to gather evidence about the implementation of practices.

In this case, the CCA is discussing with the system administrator to understand processes, which clearly aligns with the Interview method.

Extract:

“Interview: The assessor uses discussions with personnel to obtain evidence about how practices are implemented within the OSC’s environment.”

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

When External Service Providers are used, the OSC can inherit practices from the ESP if sufficient evidence is provided (such as FedRAMP authorization or equivalent). The Lead Assessor must verify which controls are noted as inherited, as these are assessed differently from controls implemented directly by the OSC.

Exact Extracts:

CMMC Assessment Guide: “An OSC may inherit practices from External Service Providers when those providers demonstrate equivalent compliance (e.g., FedRAMP Moderate for CUI).”

“Assessors must review documentation that identifies which practices are inherited, partially implemented, or implemented internally.”

CMMC Scoping Guide: “Inherited controls must be clearly documented by the OSC in the SSP.”

Why the other options are not correct:

B: Waivers are not part of CMMC assessments.

C: “Not Applicable” does not apply to ESP involvement; they either provide inherited practices or not.

D: “Partially implemented” indicates deficiencies, not proper inheritance.

The CMMC Assessment Process (CAP) requires the Lead Assessor to develop an Assessment Plan that specifies anticipated evidence to be provided by the OSC. This preliminary evidence list ensures that OSC staff understand what policies, procedures, logs, and technical configurations must be available during the assessment. Without this, the assessment may stall due to missing documentation.

Exact extracts:

“The Lead Assessor coordinates with the OSC to develop an evidence list of artifacts anticipated for review.”

“The assessment plan must include a schedule of interviews, site visits, and anticipated evidence.”

“Preliminary evidence identification is critical to reduce assessment delays and ensure assessor readiness.”

Expanded explanation:

This step bridges planning and execution:

Scope has already been set.

Now, the evidence (SSPs, policies, audit logs, diagrams, etc.) must be identified.

Out-of-scope assets are part of scoping, not this planning stage.

System manuals are not required by CMMC, and “list of objectives” refers to assessor methodology, not OSC preparation.

Why other options are incorrect:

A: Objectives come from the practice requirements themselves, not something requested from the OSC.

B: System manuals are not required artifacts for CMMC.

D: Out-of-scope assets were already determined during scoping.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

MP.L2-3.8.4 requires that CUI markings follow the media, meaning when electronic documents are printed, the original markings must carry over to the hard copy. Distribution lists or colored stamps are not specifically required.

Extract:

“Mark media containing CUI with the CUI designation indicators as required. When converting CUI from one medium to another, the original markings must be retained.”

Thus, the assessor should expect to see the original markings carried onto the printouts.

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance do not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.

Exact extracts:

“Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent.”

“Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable.”

Why the other options are incorrect:

A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.

C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.

D: CSP B does meet the criteria.

The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.

Exact extracts:

“The assessment team must ensure confidentiality and non-attribution during interviews.”

“Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor.”

“Non-attribution is critical to elicit detailed and honest responses.”

Why the other options are incorrect:

A: Training matrices identify who is trained, not who should be interviewed.

C: NDAs are not a CCA responsibility — they are contractual, not assessment requirements.

D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport. “Tamper protection technologies” are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

“Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.”

Thus, D is NOT an acceptable safeguard.

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.

Both the OSC’s on-premise LAN room and the leased colocation data center are in-scope because they contain systems that process, store, or transmit CUI. Assessors must physically examine visitor and access controls at both locations to confirm compliance with PE practices.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

CMMC Assessment Guide: “Assessors must validate physical protections at all in-scope facilities where CUI assets reside.”

CMMC Scoping Guide: “Physical protection applies to all facilities within the CMMC Assessment Scope, including colocation facilities.”

Why the other options are not correct:

A/B: Reviewing only one facility is insufficient; both are in scope.

D: Customer relationship management reviews are not substitutes for physical examination by assessors.

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B.

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

To verify scanning (such as anti-virus and file integrity functions), the strongest evidence includes system configurations, AV alerts/logs, and interviews with technical staff. A policy document (System Information and Integrity Policy) provides intent but not actual implementation proof, making it the least helpful.

Extract:

“Policies provide documented intent, but assessors must validate actual implementation through configuration reviews, alerts/logs, and personnel interviews.”

Thus, the policy alone is the least useful evidence for confirming scans are actually performed.

Applicable Requirement (CAP & Scoping): Assessors must use objective artifacts to validate system boundaries and scoping decisions. Network or topology diagrams are the most direct method to confirm logical and physical separation between environments handling CUI and those that do not.

Why A is Correct: Network/topology diagrams provide a visual and technical representation of how isolation is achieved (e.g., VLANs, firewalls, segmentation). This is the primary evidence source for confirming separation.

Why Other Options Are Insufficient:

B: Change tickets/inventory show updates but not logical isolation.

C: The SSP describes but does not demonstrate separation.

D: Baseline configs show standard builds, not network isolation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) — Scope Validation

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, topology)

===========

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.

Exact Extracts:

MA.L2-3.7.5: “Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity.”

Assessment Guide clarifies: “Assessors should confirm remote maintenance sessions are automatically terminated using technical means.”

NIST SP 800-171A Objective: “Test maintenance session termination after a set time of inactivity or completion of task.”

Why other options are not correct:

A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.

B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.

C: Limiting the number of personnel is not mandated by CMMC.

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The CAP requires that prior to the assessment, the Lead Assessor submit documentation confirming that Assessment Team members have no conflicts of interest and meet qualification requirements. This is recorded through the Absence of Conflict of Interest and Confirmation Statement.

Extract:

“Before assessment initiation, the C3PAO must provide confirmation to the Cyber-AB that all Assessment Team members have declared absence of conflict of interest and are confirmed to participate.”

Thus, the required submission is the Absence of Conflict of Interest and Confirmation Statement.

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented.

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

CMMC Level 2 requires CSPs that process, store, or transmit CUI to meet FedRAMP Moderate (or equivalent) authorization, not FedRAMP High. FedRAMP High is not a CMMC requirement but may be required by contract or specific agencies.

Exact Extracts:

DoD CMMC Scoping Guide: “External Cloud Service Providers must meet FedRAMP Moderate equivalency when storing, processing, or transmitting CUI.”

CMMC Assessment Guide: “The baseline requirement for CUI in cloud environments is FedRAMP Moderate; higher levels may be contractually required.”

Why other options are not correct:

A: Equivalency is allowed, but only to FedRAMP Moderate level.

C/D: Incorrect, because CMMC Level 2 does not mandate FedRAMP High.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.

Applicable Requirement: AC.L2-3.1.5 — “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Why A is Correct: Audit logs document when privileged functions (such as account creation, privilege changes, or configuration changes) occur, who performed them, and whether access control restrictions are enforced. Reviewing logs is the only way to confirm the IT manager alone has the capability.

Why Other Options Are Insufficient:

B (Inventory records): Shows ownership, not privilege changes.

C (Acceptable use): Policy guidance, not enforcement evidence.

D (Remote access): Deals with remote connections, not privilege management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.5

NIST SP 800-171A — AC.L2-3.1.5 Assessment Methods

CMMC Assessment Guide – Level 2

===========

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

Applicable Requirement (CMMC Assessment Process): The CMMC Assessment Process (CAP) requires assessors to collect, analyze, and reconcile evidence using triangulation (examine, interview, test) to confirm whether requirements are MET or NOT MET. When inconsistencies arise, the assessor must go back to objective evidence such as diagrams, contracts, and notes.

Why Reviewing Network Diagrams Helps (supports A): Network diagrams provide authoritative evidence of scope, data flows, and system boundaries, which helps clarify whether the MSSP’s services were accurately described.

Why Reviewing MSSP Agreements Helps (supports B): Agreements (such as interconnection security agreements or service-level agreements) define shared responsibilities and confirm how the MSSP supports security controls. This evidence is critical to resolving inconsistent testimony.

Why Reviewing Notes Helps (supports C): Notes from previous interviews allow the team to pinpoint where answers diverged. This is a valid method of evidence review and aligns with CAP guidance on documenting interviews.

Why Interview Questionnaire Consistency is NOT the Correct Step (refutes D): The CAP emphasizes resolving inconsistencies through additional evidence, not by adjusting or re-checking the questionnaire itself. The consistency of the questionnaire is irrelevant — what matters is reconciling the evidence provided by both the OSC and MSSP. Thus, this is the action the Lead Assessor would NOT take.

Assessment Guidance Extract (CAP):

“When conflicting evidence is observed, the assessment team must review technical documentation, agreements, and notes to identify the root cause and determine whether additional clarification is required.”

“The interview instrument itself is not a tool for reconciling inconsistencies; rather, objective evidence must be used.”

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Section 3: Conducting the Assessment (Interview, Evidence, Triangulation, and Conflict Resolution)

CMMC Assessment Guide – Level 2, Version 2.13 — Guidance on the role of External Service Providers (MSSPs) and use of documented agreements as evidence

NIST SP 800-171A — General assessment methodology: reconcile evidence using examine, interview, and test methods

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.