CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented.

Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B.

Testing may be performed on a mirrored system if the OSC can demonstrate that it is configured identically to the production system. The assessor must confirm equivalency through objective evidence before accepting test results.

Exact Extracts:

NIST SP 800-171A: “Test assessment method involves exercising assessment objects under specified conditions… mirrored or replicated systems may be used if validated as equivalent.”

CMMC Assessment Guide: “If production systems cannot be tested, assessors may accept mirrored systems provided evidence demonstrates that the mirrored environment is representative of the production system.”

Why the other options are not correct:

A/B: Testing must focus on systems and controls, not limited groups or customer matrices.

C: Incorrect — mirrored systems are acceptable if validated as equivalent.

D: Correct, as validation of equivalency is required.

Applicable Requirement: AC.L2-3.1.7 — “Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.”

Correct Interpretation:

A non-privileged (standard) user should be prevented from performing privileged functions (e.g., uninstalling security software).

The attempt must be logged to provide traceability and support accountability.

Why C is Correct: It demonstrates both prevention (software not uninstalled) and auditing (attempt captured in a log), exactly matching the practice.

Why Other Options Are Insufficient:

A: Prevention is shown, but there is no evidence of logging.

B: Function was not prevented, so requirement not met.

D: Logging exists, but privileged action was not prevented.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.7

NIST SP 800-171A — AC.L2-3.1.7 Assessment Objectives

CMMC Assessment Guide – Level 2, AC.L2-3.1.7

===========

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.