Cyber AB Updated CMMC-CCP Exam Questions and Answers by rowan

ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.

Breaking Down the Scenario:

TheCMMC Assessment Teamarrives at the OSC.

Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.

Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.

Analysis of the Given Options:

A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct

This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.

The receptionistshould have checked credentials and escorted the assessment team.

B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect

This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.

C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect

This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.

D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect

This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.

Official References Supporting the Correct Answer:

CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)

Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.

NIST SP 800-171 Rev. 2, Control 3.10.3

States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.

Conclusion:

Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.

✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity

Under Title 44 U.S.C. Chapter 33 (Records Management) and NARA directives, agencies and organizations must establish policies and procedures for the disposal of all recorded information, regardless of form or characteristics. This includes paper records, electronic documents, digital media, audiovisual files, and any other information format. The requirement ensures consistent handling, retention, and lawful disposal of both federal records and CUI.

Reference Documents:

Title 44, U.S. Code, Chapter 33: Records Management

NARA Records Management Directive

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

The CMMC Assessment Process (CAP) requires that sufficient evidence must:

Cover the sampled organization,

Cover the defined model scope of the assessment (Target CMMC Level), and

Correspond to the evidence collection approach.

Evidence is always required, even if the organization holds other certifications such as ISO. External certifications cannot replace CMMC evidence requirements. Thus, the statement that “Evidence is not required if the practice is ISO certified” is not valid.

Reference Documents:

CMMC Assessment Process (CAP), v1.0