Get Cyber AB CMMC-CCA Exam Practice Questions - Real and Updated

Answer : B

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: ''Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.''

PE.L2-3.10.5: ''Maintain audit logs of physical access.''

CMMC Assessment Guide: ''Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.''

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

CMMC Assessment Guide -- Level 2, Version 2.13: PE.L2-3.10.1 and PE.L2-3.10.5 (pp. 153--159).

NIST SP 800-171A: Physical access protection objectives.

Answer : B

CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that ''management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection.'' Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.

Exact extracts:

''Authorize wireless access prior to allowing such connections.''

''Assessment Objectives ... Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.''

''Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: * types of devices, such as corporate or privately owned equipment; * configuration requirements of the devices; and * authorization requirements before granting such connections.''

Assessment method -- Examine: ''Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations ...''

Why the other options are unacceptable:

A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.

D is an IT-authored instruction document, not a management-level authorization policy.

Reference (CCA documents / Study Guide):

CMMC Assessment Guide -- Level 2, Version 2.13, AC.L2-3.1.16 ''Wireless Access Authorization'' (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).

Answer : B

The CMMC Assessment Process (CAP) requires that results be reported at the OSC level. While findings may be gathered from enclaves or units, the final reporting must be aggregated and scored across the entire OSC assessment boundary.

Extract:

''Final recommended assessment results must be consolidated and reported at the OSC level, regardless of assessment locations or enclaves.''

Thus, the Lead Assessor must ensure aggregation to the OSC level.

Answer : B

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

''Assessment Objectives ... Determine if: * external boundary and key internal boundaries are defined; * communications are monitored and controlled at boundaries; * traffic is checked for unauthorized transfer of information; and * boundary protection devices are configured and managed.''

''Potential Assessment Methods: Examine ... boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.''

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

Reference (CCA documents / Study Guide):

CMMC Assessment Guide -- Level 2, SC.L2-3.13.5 ''Boundary Protection.''

NIST SP 800-171 Rev. 2, 3.13.5.

===========

Answer : B

CMMC scoping focuses on assets that process, store, transmit, or protect CUI. A smoke detector connected to the OSC network is an IoT device with no impact on CUI, so it is considered Out-of-Scope. The other items (data centers used by the OSC, MSP SIEM tools, and MSP offices handling OSC management) all directly affect the OSC's CUI environment and therefore fall within scope.

Exact extracts:

''CUI Assets are those that process, store, or transmit CUI.''

''Security Protection Assets are those that provide security functions for CUI Assets.''

''External Service Providers (e.g., MSPs, data centers, SIEMs) that support CUI Assets are in-scope.''

''Assets that cannot affect the confidentiality of CUI (e.g., unrelated IoT devices) are considered Out-of-Scope.''

Expanded explanation:

Data centers (A): If OSC CUI is stored or processed there, they are in-scope.

SIEM tools (C): Provide security monitoring of OSC networks --- a clear Security Protection Asset.

MSP office (D): MSPs providing services that affect CUI are in-scope, including their management locations.

Smoke detector (B): Despite being network-connected, it does not interact with CUI or provide protective functions; it is explicitly out-of-scope.

Why the other options are in scope:

They either process, protect, or manage CUI directly.

Excluding them would improperly narrow the assessment boundary.

CMMC Scoping Guide -- Level 2, definitions of CUI Assets, Security Protection Assets, and Out-of-Scope Assets.