Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.

Under AT.L2-3.2.3 (Security Awareness Training) and AT.L2-3.2.2 (Insider Threat Training), insider threat awareness training must equip personnel to recognize and report indicators of insider threat activity. Training must focus on organizational processes for reporting suspicious behavior, not just awareness of famous cases or punitive systems. The ability to act and report appropriately is the most critical element.

Exact extracts:

“Training includes recognition of potential indicators of insider threat activity and the organizational processes for reporting suspicious activity.”

“Assessment Objectives … Determine if: insider threat training includes reporting mechanisms.”

“Case studies may be used for context, but training must include clear reporting procedures.”

Expanded explanation:

Insider threat programs under DoD guidance (e.g., NISPOM, CMMC) emphasize:

Awareness of behaviors that may indicate insider threat activity.

Reporting mechanisms — employees must know exactly how to act if they identify an issue.

Procedures for escalation and protection of CUI.

Without reporting procedures, insider threat training is incomplete.

Why other options are incorrect:

A: Bounty systems are not sanctioned practices and could create a hostile work environment.

B: Risk-ranking individuals could be discriminatory and is not a CMMC requirement.

C: Case studies may supplement training but are not sufficient by themselves.

Applicable Requirement: CM.L2-3.4.3 — “Track, review, approve/disapprove, and audit changes to organizational systems.”

Why CCB Minutes Are Correct (supports B):

Change Control Board (CCB) documentation includes impact analyses, approvals, disapprovals, and justification for system changes.

The CMMC Assessment Guide explicitly identifies CCB minutes and supporting records as primary evidence of compliance with change management practices.

Why Other Options Are Insufficient:

A (Vendor description): Provides information on the update, but does not show organizational review or approval.

C (Audit logs): Show when a change occurred, but not whether it was analyzed and approved beforehand.

D (Incident logs): Reflects results after implementation, but not the review/approval process.

Assessment Guidance Extract (NIST SP 800-171A, CM.L2-3.4.3):

Objectives include verifying that system changes are:

Documented,

Reviewed,

Approved/disapproved, and

Audited.

Evidence such as CCB minutes and approval records directly satisfies these objectives.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.3 (Change Management)

NIST SP 800-171A — Assessment Objectives for CM.L2-3.4.3

CMMC Assessment Guide – Level 2, Version 2.13 — Change Management evidence expectations