Cyber AB Updated CMMC-CCA Exam Questions and Answers by aliyah

When protecting backup data containing CUI, the requirement is to ensure confidentiality through logical or physical security controls appropriate to the sensitivity of CUI. Acceptable implementations include controlling access to CUI (AC family controls), physically securing media (MP family controls), and encrypting files or media (SC family controls). Merely implementing alternative physical controls for site access is insufficient because site access protections do not directly ensure the confidentiality of the backup media itself.

Exact Extracts (from official CMMC Assessor/Study documents and NIST SP 800-171A references):

SC.L2-3.13.16 (Encrypt CUI): “Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during storage and transmission unless otherwise protected by alternative physical safeguards.”

MP.L2-3.8.9 (Protect backup CUI): “Protect the confidentiality of backup CUI at storage locations.”

AC.L2-3.1.3 (Access enforcement): “Limit access to CUI on the basis of need-to-know to protect confidentiality.”

Physical security references (PE family): “Physical access controls provide general site protection but are not substitutes for encryption or media protection controls when CUI confidentiality is at risk.”

Why the other options are correct (acceptable methods):

B (Managing who has access to the information): Satisfies Access Control (AC) requirements that limit exposure of CUI only to authorized individuals.

C (Physically securing devices and media): Satisfies Media Protection (MP) requirements, ensuring CUI is stored securely and protected against unauthorized access.

D (Encrypting files or media): Directly satisfies System and Communications Protection (SC) requirements for confidentiality, a highly reliable method.

Why option A is least acceptable:

Alternative physical controls for site access protect buildings or rooms, but they do not directly safeguard backup media confidentiality. If backups are removed, lost, or accessed internally, site access controls alone cannot ensure confidentiality.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.16, MP.L2-3.8.9, AC.L2-3.1.3, and PE family discussion (pp. 93–96, 108–110, 125–127).

NIST SP 800-171A, Assessing Security Requirements for CUI: Related assessment objectives for protecting CUI backup confidentiality.

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

The CAP requires that the OSC provide an organized and traceable set of evidence for review. While missing an evidence map does not stop the assessment, it is a best practice and strongly recommended to improve efficiency.

Extract:

“The OSC should provide an organized list of evidence and mappings to support efficient review by the assessment team. While not strictly required, it is recommended as part of readiness for a Level 2 assessment.”

Thus, the Lead Assessor should advise the OSC to provide the evidence mapping list, but the absence does not invalidate proceeding.