CMMC-CCA Exam Dumps - Certified CMMC Assessor (CCA) Exam

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets. Evidence from interviews showing exceptions means the practice is NOT MET.

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B.

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

The Scoping Guidance for Specialized Assets allows exclusion of assets when they are physically and logically isolated from the CMMC assessment boundary and do not process, store, or transmit CUI.

Extract from CMMC Scoping Guidance:

“Specialized Assets may be designated as out-of-scope if they are physically or logically separated from CUI assets, or if they are inherently unable to process, store, or transmit CUI.”

The camera system in this case does not interact with CUI and is fully isolated, making exclusion appropriate.

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========