CMMC-CCA Exam Dumps : Certified CMMC Assessor (CCA) Exam

Certification can only be granted to the legal entities that own the CAGE codes under assessment. If multiple CAGE codes are in play (HQ, host, and supporting units), and they are all included in scope, then all entities with corresponding CAGE codes that were assessed can be certified.

Exact Extracts:

CMMC Assessment Guide: “The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed.”

“When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed.”

“Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable.”

Why other options are not correct:

A/B/C: Limit scope to only HQ or subsets, but the requirement is that all entities with provided and in-scope CAGE codes are eligible.

If an asset processes or generates CUI, it is a CUI Asset by definition, regardless of whether it is also part of a test lab or claimed as a Specialized Asset. Specialized Asset handling applies only when the asset does not process, store, or transmit CUI. Since the workstation outputs CUI, it must be assessed fully against CMMC practices.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Specialized Assets… do not process, store, or transmit CUI.”

“If a Specialized Asset processes CUI, it must be categorized as a CUI Asset and is assessed against all applicable practices.”

Why the other options are incorrect:

B: The issue is not with the SSP practice; it is with misclassification of an asset.

C/D: Risk-based treatment applies only to Specialized Assets without CUI, which is not the case here.

Applicable Requirement: PE.L2-3.10.1 — “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Why D is Correct: Documented procedures describing physical access restrictions (badge policies, visitor management, locked server rooms, guard post orders) serve as primary evidence that access is managed and enforced. Assessors can then corroborate via interviews and observation.

Why Other Options Are Insufficient:

A (VPN configuration): Relates to remote logical access, not physical security.

B (Switch configs): Technical network controls, not physical access.

C (Architecture drawings): Show logical/system design, not physical entry restrictions.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.1

NIST SP 800-171A — PE.L2-3.10.1 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Protection Evidence Guidance