CMMC-CCA Practice Exam Questions with Answers Certified CMMC Assessor (CCA) Exam Certification

Applicable Requirement (CAP & Scoping): Assessors must use objective artifacts to validate system boundaries and scoping decisions. Network or topology diagrams are the most direct method to confirm logical and physical separation between environments handling CUI and those that do not.

Why A is Correct: Network/topology diagrams provide a visual and technical representation of how isolation is achieved (e.g., VLANs, firewalls, segmentation). This is the primary evidence source for confirming separation.

Why Other Options Are Insufficient:

B: Change tickets/inventory show updates but not logical isolation.

C: The SSP describes but does not demonstrate separation.

D: Baseline configs show standard builds, not network isolation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) — Scope Validation

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, topology)

===========

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.

Applicable Requirement: SC.L2-3.13.16 — “Protect the confidentiality of CUI at rest.”

Why D is Correct: Cryptographic mechanisms (e.g., full-disk encryption, database encryption, file encryption) provide the strongest protection for information at rest by preventing unauthorized disclosure if systems or media are accessed.

Why Other Options Are Insufficient:

A (Patching): Protects against vulnerabilities, but not specific to data-at-rest confidentiality.

B (File share): Provides a storage method, not protection.

C (Secure offline storage): Helps physically, but not sufficient for digital confidentiality without encryption.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.16

NIST SP 800-171A — SC.L2-3.13.16 Assessment Objectives

CMMC Assessment Guide – Level 2, Data at Rest Protection

===========

AC.L2-3.1.7 (Privileged Functions) requires that execution of privileged functions be restricted to authorized privileged accounts. The best evidence is an access list demonstrating who is allowed privileged access.

Extract:

“Limit the use of privileged functions to authorized users. Assessors should review access control lists or equivalent evidence to verify only privileged accounts have privileged permissions.”

Thus, the best next step is to examine a user access list for authorized privileged users.

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

The CMMC Scoping Guidance defines Specialized Assets (e.g., OT, IoT, test equipment, manufacturing machines) that may process CUI but do not always meet traditional IT security requirements. These assets are still within scope and must be documented and assessed as Specialized Assets.

Extract:

“Specialized Assets are defined as operational technology, IoT, test equipment, and similar devices that may process CUI but cannot be secured in the same manner as standard assets. They remain in-scope for the assessment.”

Thus, waterjet machines are Specialized Assets in scope.

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment. The presence of CUI drives the assessment requirement to CMMC Level 2, regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.

Applicable Requirement (CAP – Pre-Assessment Activities): Before the assessment, the team must confirm the assessment scope (systems, assets, CUI boundaries, and relevant environments). Without scoping, evidence identification and collection cannot be validated.

Why A is Correct: Identifying scope is the foundational requirement in the pre-assessment stage, as defined in the CMMC Assessment Process. Scope determines what systems, people, and assets are included in evidence collection.

Why Other Options Are Insufficient:

B: Verification of evidence occurs during assessment, not pre-assessment readiness.

C: Observations are recorded during on-site assessment, not beforehand.

D: Interview selection happens during evidence collection, after scope confirmation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Pre-Assessment Phase

CMMC Assessment Guide – Level 2, Pre-Assessment Readiness Activities

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).

Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never “authenticated as a prerequisite to access.” Authentication applies to users, devices, and processes, not cryptographic modules themselves.

Why A, B, C are Correct Considerations:

Devices must be authorized before connecting.

Processes acting on behalf of a user must be authenticated.

Users must be authorized prior to access. These are all directly mapped to AC and IA domains.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IA and SC requirements

NIST SP 800-171A — Assessment Objectives for AC/IA wireless and cloud access

CMMC Assessment Guide – Level 2, Cloud/ESP Considerations

===========

According to CMMC Scoping Guidance, assets controlled by a parent organization are out-of-scope when they are physically and logically isolated from the OSC’s environment and do not process, store, or transmit CUI within the OSC’s boundary.

Extract from Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Since the badge activation machine is completely isolated and managed by the parent organization, and it has no network connectivity to the OSC, it is out-of-scope.

The CMMC Assessment Guide (Level 2) requires organizations to have a documented procedure for the identification and handling of unmarked potential CUI. The DoD guidance specifies that contractors cannot assume unmarked data is not CUI; instead, they must have a process to ensure unmarked potential CUI is handled properly until its classification is clarified.

Extract from Assessment Guide:

“Organizations must establish procedures for the handling of unmarked data that is suspected of being CUI. These procedures should define how unmarked information is protected until such time its status can be determined.”

Therefore, the correct answer is to have a procedure for proper handling of unlabeled data.

The OSC is responsible for providing the scoping documentation before the assessment begins. The assessor validates the scoping documentation but does not create it on behalf of the OSC. If the OSC cannot provide scope documentation, the assessment cannot proceed.

Exact Extracts:

CMMC Scoping Guide: “The OSC must prepare and provide scoping documentation, including network diagrams, asset inventories, and SSP, prior to assessment.”

CMMC Assessment Guide: “The assessment team validates scoping documentation; it is not the responsibility of the C3PAO or assessor to create the OSC’s scope.”

Why other options are not correct:

A: Incorrect — assessment teams validate but do not generate scoping documents.

C: Joint creation is not allowed; OSC must own and prepare documentation.

D: Lead Assessor cannot create scope; must rely on OSC’s provided documentation.

The CMMC Assessment Process (CAP) states that deficiency correction is not permitted during the assessment. Practices must be evaluated based on their implementation at the time of assessment. If the OSC corrects deficiencies after assessment activities have begun, the changes cannot be considered in the scoring.

Extract:

“Deficiency correction during the assessment is not permitted. Practices are scored based on evidence available at the time of assessment activities.”

Thus, the correct next step is to score the practice as NOT MET.

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

Applicable Requirement: CAP – Assessment Execution Phase.

Why D is Correct: After scoring and validating preliminary results, the next step is to finalize and record recommended final findings for submission. This closes the assessment process and supports certification decisions.

Why Other Options Are Insufficient:

A: Scope determination occurs in planning, not after validation.

B: Results are delivered after finalization, not immediately after validation.

C: Considering additional evidence occurs during data collection, before validation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Reporting Phase

CMMC Assessment Guide – Level 2 — Assessment Closure

===========

CMMC Levels and Scope:

Level 1: Protects Federal Contract Information (FCI) under FAR 52.204-21 (17 basic safeguarding requirements).

Level 2: Protects Controlled Unclassified Information (CUI) under NIST SP 800-171 (110 practices).

Why C is Correct: The Level 1 self-assessment covers FCI-related practices. Since Level 2 focuses exclusively on CUI environments, FCI-only requirements from the Level 1 self-assessment fall outside the scope of the Level 2 assessment.

Why Other Options Are Insufficient:

A (CUI in paper): Still in scope at Level 2 (CUI applies to both digital and physical formats).

B (FCI within CUI enclave): If FCI is processed within the enclave, it is covered by Level 2.

D (SCI): Classified information is entirely out of scope of CMMC; however, it is not relevant to Level 1 self-assessment either, making C the more precise choice.

References (CCA Official Sources):

DoD CMMC Model v2.0 — Scope Differences between Level 1 (FCI) and Level 2 (CUI)

NIST SP 800-171 Rev. 2 — Focus on CUI

FAR 52.204-21 — FCI Safeguarding Requirements (Level 1 baseline)

The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence. Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.

Exact Extracts:

CMMC Assessment Guide: “The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities.”

“The assessment team members carry out activities as directed by the Lead Assessor.”

“The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions.”

Why other options are not correct:

B: Team members execute tasks but do not define methods and responsibilities.

C: Quality Oversight Managers review assessments after completion, not during planning.

D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.

External connections are defined as connections crossing the OSC’s assessment boundary. Here:

The dedicated VPN from office to cloud = one external connection.

The user-initiated VPNs from remote laptops to cloud = a second external connection.

Extract:

“External connections include all system interfaces that cross the assessment boundary, including VPNs initiated by users or established between sites.”

Thus, there are two external connections.

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

Applicable Requirement: CAP – Interview Guidance.

Why C is Correct: Interviews must be directed to personnel responsible for implementing, performing, or supporting practices to ensure accurate and objective evidence is collected.

Why Other Options Are Insufficient:

A: Yes/no questions do not provide sufficient evidence detail.

B: OSC personnel cannot ask themselves assessment questions; only assessors may conduct interviews.

D: Group interviews may be used in some cases, but CAP stresses targeted interviews for evidence reliability.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Interview Requirements

NIST SP 800-171A — Use of Interview as an Assessment Method

The requirement for CA.L2-3.12.3 – Security Control Monitoring mandates monitoring to be performed on an ongoing basis to ensure the continued effectiveness of the controls. This is not satisfied by a yearly review alone.

CA.L2-3.12.3 Security Control Monitoring – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

The OSC’s statement in their SSP that monitoring occurs on a one-year periodic basis fails to meet this requirement, because the term "ongoing basis" implies continual or recurring monitoring activities that occur throughout the system’s lifecycle—not a single annual review.

Therefore, the assessor must determine that the OSC’s implementation is not acceptable.

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.

According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.

Extract from CMMC Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.

Per the CMMC Scoping Guidance, CUI Assets are those that process, store, or transmit CUI. Since System CUI is the system handling CUI data, it must be categorized as CUI Assets.

Extract:

“CUI Assets are any assets that process, store, or transmit CUI. These assets are in-scope for assessment and must meet CMMC practice requirements.”

Thus, the best classification for System CUI is CUI Assets.

IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.

Extract:

“Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters.”

Thus, the missing requirement is the use of a special character.

The Identification and Authentication (IA) practices require that passwords be protected using strong methods. Storing passwords with salted one-way hashes ensures they cannot be reversed, providing strong protection.

Extract from IA.L2-3.5.10:

“Passwords must be stored and transmitted in a form that is resistant to compromise, typically using salted one-way cryptographic hashes.”

Options A and B do not align with modern password guidance, and option C (two-way cryptographic hashing) is insecure because it allows reversal.

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140-validated cryptography and access must be limited to authenticated users. This ensures confidentiality and integrity of CUI while preventing unauthorized wireless access.

Exact Extracts (official CMMC Assessor/Study documents):

SC.L2-3.13.13: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”

AC.L2-3.1.1 / 3.1.2: “Limit system access to authorized users… and authenticate the identities of those users.”

SC.L2-3.13.17: “Protect wireless access to the system using authentication and encryption.”

Assessment Guide clarifies: “Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users.”

Why other options are not correct:

A: Only requires encryption; does not address authenticated access, which is mandatory.

B: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.

D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp. 134–136).

NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.

When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance do not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.

Exact extracts:

“Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent.”

“Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable.”

Why the other options are incorrect:

A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.

C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.

D: CSP B does meet the criteria.

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

The Examine assessment method requires the assessor to review policies, processes, and procedures that are finalized and approved, not drafts or informal materials. This ensures the OSC has formally documented, management-approved artifacts supporting each practice. Drafts, in-process training materials, or incomplete diagrams do not satisfy the “Examine” method requirements.

Exact extracts:

“Examine: Review, inspect, and analyze assessment objects, such as policies, procedures, and system documentation.”

“Examine requires finalized artifacts; draft or incomplete materials do not constitute valid evidence.”

Why the other options are incorrect:

A: “Mailed form” is irrelevant — only completeness and approval matter.

C: Training materials are not substitutes for policy/process evidence.

D: Draft diagrams do not satisfy final documentation requirements.