Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.

Exact extracts:

“The OSC is responsible for identifying CUI assets.”

“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”

“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”

Why the other options are allowed:

A: Assessors are required to verify internal system boundaries.

C: Assessors must confirm that external system boundaries are clearly defined.

D: Assessors must examine evidence of communication monitoring.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.

CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).

Access Control (AC): Wi-Fi access must be restricted to authorized users and devices. CMMC Level 2 incorporates NIST SP 800-171 AC requirements to limit and control access to systems and resources.

Identification and Authentication (IA): Wireless access requires authentication to ensure only authorized individuals/devices can connect (e.g., WPA2-Enterprise, certificates, or strong passwords).

System and Communications Protection (SC): Wi-Fi encryption and secure configuration protect data-in-transit from interception or unauthorized disclosure.

Why Other Options Are Incorrect:

A (MP, AC, PE): Media protection and physical protection are not primary domains for Wi-Fi configuration.

B (IA, MP, SI): Media protection and system/information integrity do not directly address Wi-Fi security.

D (SC, SI, PE): Physical and integrity controls are not central to wireless access security.

References (CCA Official Sources):

CMMC Model v2.0 — Domains AC, IA, SC

NIST SP 800-171 Rev. 2 — AC.L2-3.1.1, IA.L2-3.5.3, SC.L2-3.13.8 (wireless access, identification/authentication, protection of communications)

NIST SP 800-171A — Associated assessment objectives verifying Wi-Fi control and encryption

===========

The negative finding is that the OSC permits an uncertified external security provider to access the OSC’s internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.

Exact extracts:

“Monitor physical facility to detect and respond to physical security incidents.” (PE.L2-3.10.2)

“Assessment Objectives … Determine if: monitoring is performed; unauthorized physical access is detected and responded to.”

“External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP).”

Why other options are incorrect:

A: Requirement does not mandate monitoring of both public and private areas.

C: Video surveillance is an acceptable facility monitoring method when properly implemented.

D: External storage can be acceptable if contractual safeguards and compliance are in place.