CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

The CMMC Assessment Process (CAP) requires that when sensitive or proprietary materials are exchanged during an assessment, the OSC and the C3PAO should establish confidentiality protections through a Non-Disclosure Agreement (NDA).

Extract:

“OSC and C3PAOs are expected to execute a Non-Disclosure Agreement (NDA) to protect sensitive information such as proprietary, attorney-client privileged, or pre-patent materials shared during the assessment process.”

Thus, the NDA is the correct document.

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

CMMC allows for compensating controls when technical limitations prevent direct application of MFA on certain systems. In such cases, a valid second factor can be a strong physical access control mechanism.

Extract from IA.L2-3.5.3 (Use of multifactor authentication):

“Multifactor authentication can be implemented by combining something you know (e.g., password) with something you have (e.g., physical badge), or something you are (e.g., biometric). Physical access controls, such as badge-protected facilities, can serve as a compensating factor when direct MFA on the system is not technically possible.”

Therefore, badge access to the mission system room serves as a sufficient second factor.

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

The CAP requires that prior to the assessment, the Lead Assessor submit documentation confirming that Assessment Team members have no conflicts of interest and meet qualification requirements. This is recorded through the Absence of Conflict of Interest and Confirmation Statement.

Extract:

“Before assessment initiation, the C3PAO must provide confirmation to the Cyber-AB that all Assessment Team members have declared absence of conflict of interest and are confirmed to participate.”

Thus, the required submission is the Absence of Conflict of Interest and Confirmation Statement.

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

To validate that remote access is routed through managed access control points, the assessor requires technical evidence, not just policy. The network diagram shows the design and routing of remote access through controlled points (e.g., VPN gateways), and VPN logs provide operational evidence that remote sessions are enforced through those points.

Exact Extracts:

AC.L2-3.1.14: “Route remote access through managed access control points.”

Assessment Objective (AC.L2-3.1.14[a]): “Remote access is routed through managed access control points.”

Assessment Method (Examine/Interview/Test): Requires network diagrams and remote access logs as evidence.

CMMC Assessment Guide specifies: “Network diagrams and supporting logs are required to demonstrate implementation of remote access routing.”

Why the other options are not correct:

B (policy/procedures): Policies describe intent, not proof of implementation.

C (SSP/vendor mgmt): SSPs provide system description but not direct evidence of enforcement.

D (cloud logs/hardware inventory): These do not specifically demonstrate remote access routing through managed points.