Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance

Applicable Requirement (CMMC Scoping Guidance – Specialized Assets): Specialized Assets (e.g., OT, IoT, GFE, test equipment) are not exempt from CMMC practices. OSCs must provide:

Documented identification in SSP/inventory,

Justification of specialized handling,

Evidence that risk-based security measures are implemented.

Why D is Correct: Assessors must see evidence that isolation is actually implemented (not just planned), plus supporting artifacts showing how remaining applicable practices are addressed (monitoring, inventory, access, etc.). Planned measures alone are insufficient.

Why Other Options Are Insufficient:

A: Installation/config builds do not show operational isolation.

B: Scoping statements alone do not demonstrate implementation.

C: SSP language is descriptive but must be supported by implementation evidence.

References (CCA Official Sources):

CMMC Scoping Guidance — Specialized Assets

CMMC Assessment Guide – Level 2 — Evidence Requirements for Specialized Assets

NIST SP 800-171 Rev. 2 — Asset Management and Risk-Based Controls

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.