Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why A is Correct: Security guards are a recognized preventive and detective physical control to limit access to only authorized individuals. Guards can verify credentials, monitor behavior, and provide real-time deterrence.

Why Other Options Are Insufficient:

B (Cameras): Provide monitoring and evidence, but not direct access control.

C (Firewalls): A network control, not a physical access measure.

D (Partition walls): Barriers may help physically separate areas but do not control who enters.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Security Controls

===========

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========