Cyber AB Updated CMMC-CCA Exam Questions and Answers by hettie

The CMMC practices for cryptographic protection (SC.L2-3.13.11, SC.L2-3.13.8, etc.) require that cryptography protecting CUI must be FIPS-validated. The authoritative source for validation is the NIST Cryptographic Module Validation Program (CMVP).

Extract:

“To use cryptography in compliance with CMMC requirements, organizations must use modules validated under the NIST Cryptographic Module Validation Program (CMVP). The CMVP is the authoritative source to verify whether a cryptographic implementation is FIPS-validated.”

Vendor documentation or SSP claims alone cannot serve as authoritative proof. The CCA must consult the NIST CMVP validation list.

Applicable Requirement (CMMC/NIST): Multiple practices may apply (e.g., AC.L2-3.1.14 “Control remote access sessions” and CA.L2-3.12.4 “Develop, document, and periodically update system security plans”). However, when an OSC uses an External Service Provider (ESP), the key control is the documented agreement defining the terms, conditions, and responsibilities between the OSC and the ESP.

Why Interconnection Agreement is Correct (supports B):

According to the CMMC Assessment Guide (Level 2), acceptable evidence for external connections with ESPs includes “interconnection security agreements, memoranda of understanding, or contracts that define the security requirements governing the connection.”

These agreements document controls at the interface boundary and ensure both parties understand their responsibilities for protecting CUI.

Why Other Options Are Insufficient:

A. OSC’s access control policy — An internal policy outlines organizational expectations, but it does not constitute binding evidence of controls at the boundary with an ESP.

C. Technical design of VPN security — Technical configurations demonstrate how connections are secured, but they do not formally document agreed security requirements between OSC and ESP.

D. Instructions from ESP — ESP-provided setup instructions are not evidence of the OSC’s validated control implementation or responsibility-sharing agreement.

Assessment Process Alignment:

The CMMC Assessment Process (CAP) requires assessors to confirm not only technical implementations but also documented agreements that establish accountability for safeguarding CUI.

Evidence such as interconnection agreements is specifically highlighted as objective evidence that the OSC has verified and controlled external system interfaces.

References (CCA Official Sources):

CMMC Assessment Guide – Level 2, Version 2.13 — External Service Providers and Evidence Requirements for External Connections

NIST SP 800-171 Rev. 2 — §3.1.20 and §3.13.6 (discussions on external system connections and interconnection agreements)

NIST SP 800-171A — Assessment Methods for verifying security of external system interfaces

Applicable Requirement: IR.L2-3.6.1 — “Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.”

Validation Expectation: For this practice, the CCA must confirm that the OSC:

Tracks incidents consistently,

Documents incident details (who, what, when, where, and how), and

Maintains incident records to support analysis and corrective action.

Why A is Correct: Tracking and documenting incidents demonstrates that the OSC has an operational incident-handling capability and provides objective evidence of detection, response, and lessons learned.

Why Other Options Are Insufficient:

B (Sources configured/tuned): Helpful for detection, but not sufficient by itself.

C (Law enforcement notified): This may occur in certain cases, but it is not required by CMMC Level 2.

D (Forensics): Deep forensic investigation may be useful, but CMMC requires incident response capability, not mandatory forensic-level activities.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IR.L2-3.6.1

NIST SP 800-171A — IR.L2-3.6.1 Assessment Objectives (tracking, documenting, handling incidents)

CMMC Assessment Guide – Level 2 — Incident Reporting

===========

The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence. Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.

Exact Extracts:

CMMC Assessment Guide: “The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities.”

“The assessment team members carry out activities as directed by the Lead Assessor.”

“The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions.”

Why other options are not correct:

B: Team members execute tasks but do not define methods and responsibilities.

C: Quality Oversight Managers review assessments after completion, not during planning.

D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.