Cyber AB Updated CMMC-CCA Exam Questions and Answers by emaan

The Escort Visitors practice falls under Physical and Environmental Protection (PE.L2-3.10.3), which requires organizations to escort visitors and monitor visitor activity. To validate this, the assessor should interview personnel responsible for physical access control (security guards, facility access managers) and information security (to confirm integration with CUI protection requirements).

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Interview personnel responsible for physical access control and security monitoring to confirm escort and visitor activity tracking.”

Assessment Objectives: Require evidence of visitor escorts, visitor logs, and monitoring practices.

Why the other options are not correct:

A (Repair/maintenance): Not responsible for escort procedures.

B (Local access control only): Missing the information security link, which ensures visitors cannot access CUI assets.

D (IT management): IT is not responsible for escorting visitors in physical spaces.

IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.

Extract:

“Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters.”

Thus, the missing requirement is the use of a special character.

The OSC (Organization Seeking Certification) is always responsible for meeting CMMC requirements, regardless of what responsibilities are shared or outsourced to an ESP. ESPs can provide inherited practices (e.g., FedRAMP Moderate for cloud CUI), but the OSC remains accountable for compliance under government mandates.

Exact Extracts:

CMMC Assessment Guide: “The OSC is the entity being assessed. While an ESP may provide inherited practices, the OSC retains ultimate responsibility for compliance.”

Scoping Guide: “External Service Providers may meet requirements on behalf of the OSC; however, it is the OSC that is assessed and must demonstrate sufficiency of evidence.”

Why other options are not correct:

A: Incorrect — ESPs that process CUI must meet FedRAMP Moderate equivalency, even if not directly assessed for CMMC.

B: While true, factoring documentation does not override that OSC remains accountable.

C: ESPs are not assessed at the same time as the OSC; only the OSC receives certification.

Applicable Requirement (CAP Evidence Standards): Evidence must be objective and demonstrate implementation. Newly created documentation may exist only for assessment purposes, so the assessor must validate whether the documented procedures are actually in practice.

Why D is Correct: Observation sessions confirm that personnel are knowledgeable about and actively following the documented procedures. This ensures the documents reflect actual implementation rather than being created solely for assessment.

Why Other Options Are Insufficient:

A: Approval shows authority but does not prove procedures are implemented.

B: Subjective determination of “reasonableness” is not an approved assessment method.

C: Identifying authors does not validate implementation.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Triangulation

CMMC Assessment Guide – Level 2, Section on Evidence Requirements

NIST SP 800-171A — Assessment Methods: examine, interview, observe