Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

The control SC.L2-3.13.5: Boundary Protection requires that organizations monitor and control communications at the external boundary and at key internal boundaries. The CMMC Assessment Guide states that assessors should examine boundary protection procedures to verify logging, monitoring, and alerting are defined and implemented. Physical access logs, account management documents, and configuration management policies do not provide details of how network boundaries are monitored and protected.

Exact extracts:

“Assessment Objectives … Determine if: • external boundary and key internal boundaries are defined; • communications are monitored and controlled at boundaries; • traffic is checked for unauthorized transfer of information; and • boundary protection devices are configured and managed.”

“Potential Assessment Methods: Examine … boundary protection policy; boundary protection procedures; system security plan; configuration settings for boundary protection devices; logs of boundary protection devices.”

Why the other options are incorrect:

A (Physical access logs): Relates to facility entry, not network boundary protection.

C (Account management document): Addresses user account lifecycle, not firewall and traffic control.

D (Configuration management policy): Governs system changes, not firewall logging/alerting controls.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.5 “Boundary Protection.”

NIST SP 800-171 Rev. 2, 3.13.5.

===========

The Physical and Environmental Protection (PE) Policy is the governing artifact that describes how physical access to facilities and environments is managed and controlled. While the SSP provides a system-wide overview, and access lists provide details of who is authorized, it is the PE Policy that explicitly documents the physical access control measures required under CMMC.

Extract from PE.L2-3.10.1:

“Organizations must develop, document, and disseminate physical and environmental protection policies that govern how access to buildings and systems containing CUI is limited to authorized individuals.”

CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.

Exact Extracts:

MA.L2-3.7.5: “Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity.”

Assessment Guide clarifies: “Assessors should confirm remote maintenance sessions are automatically terminated using technical means.”

NIST SP 800-171A Objective: “Test maintenance session termination after a set time of inactivity or completion of task.”

Why other options are not correct:

A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.

B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.

C: Limiting the number of personnel is not mandated by CMMC.