Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

Applicable Requirement: CM.L2-3.4.3 — “Track, review, approve/disapprove, and audit changes to organizational systems.”

Why CCB Minutes Are Correct (supports B):

Change Control Board (CCB) documentation includes impact analyses, approvals, disapprovals, and justification for system changes.

The CMMC Assessment Guide explicitly identifies CCB minutes and supporting records as primary evidence of compliance with change management practices.

Why Other Options Are Insufficient:

A (Vendor description): Provides information on the update, but does not show organizational review or approval.

C (Audit logs): Show when a change occurred, but not whether it was analyzed and approved beforehand.

D (Incident logs): Reflects results after implementation, but not the review/approval process.

Assessment Guidance Extract (NIST SP 800-171A, CM.L2-3.4.3):

Objectives include verifying that system changes are:

Documented,

Reviewed,

Approved/disapproved, and

Audited.

Evidence such as CCB minutes and approval records directly satisfies these objectives.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.3 (Change Management)

NIST SP 800-171A — Assessment Objectives for CM.L2-3.4.3

CMMC Assessment Guide – Level 2, Version 2.13 — Change Management evidence expectations

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

When CUI and FCI reside on the same network, the entire environment is considered a CUI environment. The presence of CUI drives the assessment requirement to CMMC Level 2, regardless of whether FCI also exists. Assets cannot be assessed separately under Level 1 vs. Level 2 within the same network boundary.

Exact extracts:

“If CUI is processed, stored, or transmitted within an environment, the environment is in scope for CMMC Level 2.”

“The presence of CUI dictates the assessment level, regardless of whether FCI is also present.”

“Segmentation may reduce scope, but if assets remain within the same environment, all assets fall under Level 2.”

Why other options are incorrect:

B: Level 1 cannot be applied to Server A while Server B undergoes Level 2 in the same network.

C: Presence of CUI means Level 2 is required, not Level 1.

D: Segmentation can reduce scope but is not required before assessment; it is an OSC design choice.