CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

CMMC assessments are evidence-based. An offering cannot be accepted solely on reputation or assumptions of security. The OSC must provide adequate and sufficient evidence that the CSP offering meets CMMC requirements. Without evidence, the assessor cannot mark the practice as MET.

Exact Extracts:

CMMC Assessment Guide: “Assessment determinations must be based on objective evidence; absence of evidence results in a finding of NOT MET.”

“Evidence may include documentation, interviews, and tests but must be sufficient to confirm implementation.”

“Reciprocity is not granted for external offerings unless evidence is provided.”

Why other options are not correct:

A (reciprocity): CMMC does not allow blanket reciprocity for cloud offerings without validation.

B (training issue): Training is separate; the core issue is lack of evidence.

D (well-known CSP): Reputation alone is not evidence; objective evidence is required.

CMMC scoping focuses on assets that process, store, transmit, or protect CUI. A smoke detector connected to the OSC network is an IoT device with no impact on CUI, so it is considered Out-of-Scope. The other items (data centers used by the OSC, MSP SIEM tools, and MSP offices handling OSC management) all directly affect the OSC’s CUI environment and therefore fall within scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Security Protection Assets are those that provide security functions for CUI Assets.”

“External Service Providers (e.g., MSPs, data centers, SIEMs) that support CUI Assets are in-scope.”

“Assets that cannot affect the confidentiality of CUI (e.g., unrelated IoT devices) are considered Out-of-Scope.”

Expanded explanation:

Data centers (A): If OSC CUI is stored or processed there, they are in-scope.

SIEM tools (C): Provide security monitoring of OSC networks — a clear Security Protection Asset.

MSP office (D): MSPs providing services that affect CUI are in-scope, including their management locations.

Smoke detector (B): Despite being network-connected, it does not interact with CUI or provide protective functions; it is explicitly out-of-scope.

Why the other options are in scope:

They either process, protect, or manage CUI directly.

Excluding them would improperly narrow the assessment boundary.

Public-facing systems (such as web servers) must be separated from internal enterprise networks to limit exposure. CMMC (aligned with NIST SP 800-171 SC.L2-3.13.5 “Boundary Protection”) specifies that placing public servers into a demilitarized zone (DMZ) provides a security buffer and prevents direct access from the internet into the internal LAN.

Exact extracts:

“Publicly accessible systems should be placed on separate subnets or in DMZs.”

“Boundary protection devices should separate public servers from the enterprise network.”

“DMZs provide layered protection for internet-facing assets.”

Why the other options are incorrect:

A: Relocating the server physically does not provide network-layer security.

C: Firewall rules allowing only internal traffic would prevent public access, defeating the purpose of a public website.

D: Object reuse protections are unrelated to network boundary security.

When an IoT device processes, stores, or transmits CUI, it is categorized as a CUI Asset (not CRMA). All in-scope assets must be documented in the System Security Plan (SSP). The SSP must identify how the asset is managed, secured, and integrated into the OSC’s environment.

Exact Extracts:

CMMC Scoping Guide: “All CUI Assets must be identified and described in the SSP.”

“Specialized Assets (including IoT) must be documented in the SSP if they process, store, or transmit CUI.”

“Contractor Risk Managed Assets do not include assets that process, store, or transmit CUI.”

Why other options are not correct:

A: Incorrect, because an IoT device with CUI cannot be a CRMA.

C: Incorrect, IoT can process CUI if properly secured and documented.

D: While true in general (AC control applies), the mandatory requirement is accurate SSP documentation.