Cyber AB Certified CMMC Assessor (CCA) Exam CMMC-CCA Exam Dumps: Updated Questions & Answers (September 2025)

Applicable Requirement: AC.L2-3.1.12 and AC.L2-3.1.14 — “Monitor and control remote access sessions” and “Route remote access through managed access control points.”

Why A is Correct: For a single centralized access point, the most critical control is that remote access sessions are properly secured and monitored to prevent unauthorized access to CUI systems. This ensures both confidentiality and integrity of remote connections.

Why Other Options Are Insufficient:

B: Physical access controls protect on-site systems but do not address remote connection security.

C: Documentation alone is not sufficient; actual monitoring and security enforcement are required.

D: Notification procedures relate to incident handling, not adequacy of access point security.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — AC.L2-3.1.12, AC.L2-3.1.14

NIST SP 800-171A — Remote Access Assessment Objectives

CMMC Assessment Guide – Level 2, Remote Access Guidance

The Assessment Plan (planning agreement) must be signed by both the Lead Assessor and the OSC Assessment Official. This formalizes agreement on scope, resources, and methodology. The C3PAO is responsible for overall oversight but does not co-sign the plan.

Exact extracts:

“The Lead Assessor is responsible for developing the Assessment Plan in collaboration with the OSC Assessment Official.”

“Both the Lead Assessor and the OSC Assessment Official must sign the Assessment Plan to proceed.”

“The C3PAO maintains responsibility for quality assurance and submission, but not signing.”

Why other options are incorrect:

A/B: Both signatures are required, not one alone.

D: The C3PAO does not sign the planning agreement.

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.

Exact extracts:

“The assessment team must ensure confidentiality and non-attribution during interviews.”

“Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor.”

“Non-attribution is critical to elicit detailed and honest responses.”

Why the other options are incorrect:

A: Training matrices identify who is trained, not who should be interviewed.

C: NDAs are not a CCA responsibility — they are contractual, not assessment requirements.

D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.

Verification of physical access controls under PE.L2-3.10.3: Physical Access Control requires evidence from records, logs, and audit trails. Reviewing access logs provides direct confirmation of which badge types grant entry into controlled areas. SOPs or interviews may support the claim but are indirect; testing physical entry is not an approved method for CCAs.

Exact extracts:

“Assessment Methods – Examine: access control policy; physical access control system records; physical access audit logs.”

“Assessment Methods – Interview: staff may be interviewed, but interviews must be supported by documentary evidence.”

“Testing physical entry by assessors is not an authorized assessment method.”

Why the other options are incorrect:

A/B: Interviews or SOP reviews may provide supporting context, but they do not prove operational badge restrictions.

D: Assessors are prohibited from attempting physical bypass or entry tests.

The CMMC Scoping Guidance defines Specialized Assets (e.g., OT, IoT, test equipment, manufacturing machines) that may process CUI but do not always meet traditional IT security requirements. These assets are still within scope and must be documented and assessed as Specialized Assets.

Extract:

“Specialized Assets are defined as operational technology, IoT, test equipment, and similar devices that may process CUI but cannot be secured in the same manner as standard assets. They remain in-scope for the assessment.”

Thus, waterjet machines are Specialized Assets in scope.

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why A is Correct: Security guards are a recognized preventive and detective physical control to limit access to only authorized individuals. Guards can verify credentials, monitor behavior, and provide real-time deterrence.

Why Other Options Are Insufficient:

B (Cameras): Provide monitoring and evidence, but not direct access control.

C (Firewalls): A network control, not a physical access measure.

D (Partition walls): Barriers may help physically separate areas but do not control who enters.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Security Controls

===========

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of “reasonableness” is not an approved assessment method.

C: Identifying authors does not validate implementation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Triangulation

CMMC Assessment Guide – Level 2, Section on Evidence Requirements

NIST SP 800-171A — Assessment Methods: examine, interview, observe

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B.