Cyber AB CMMC-CCA Exam With Confidence Using Practice Dumps

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.

In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted. According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets. Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope.

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope.”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.

Exact Extracts:

MA.L2-3.7.5: “Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity.”

Assessment Guide clarifies: “Assessors should confirm remote maintenance sessions are automatically terminated using technical means.”

NIST SP 800-171A Objective: “Test maintenance session termination after a set time of inactivity or completion of task.”

Why other options are not correct:

A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.

B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.

C: Limiting the number of personnel is not mandated by CMMC.