CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.

The Interview assessment method is used to validate whether procedures and policies are actually being implemented and followed by the personnel who use them. Even if the documents are dated correctly, assessors must confirm their operational use.

Extract:

“Interviews with personnel are used to verify that documented policies, plans, and procedures are actually implemented in daily practice.”

Thus, interviewing OSC team members who use the procedures provides the strongest validation.

The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”

NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”

Why other options are not correct:

A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.

B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.

D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.

Applicable Requirement: CAP – Assessment Execution Phase.

Why D is Correct: After scoring and validating preliminary results, the next step is to finalize and record recommended final findings for submission. This closes the assessment process and supports certification decisions.

Why Other Options Are Insufficient:

A: Scope determination occurs in planning, not after validation.

B: Results are delivered after finalization, not immediately after validation.

C: Considering additional evidence occurs during data collection, before validation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Reporting Phase

CMMC Assessment Guide – Level 2 — Assessment Closure

===========

The CMMC Assessment Process (CAP) requires that results be reported at the OSC level. While findings may be gathered from enclaves or units, the final reporting must be aggregated and scored across the entire OSC assessment boundary.

Extract:

“Final recommended assessment results must be consolidated and reported at the OSC level, regardless of assessment locations or enclaves.”

Thus, the Lead Assessor must ensure aggregation to the OSC level.

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope.

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.