CMMC-CCA Exam Dumps : Certified CMMC Assessor (CCA) Exam

Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).

Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never “authenticated as a prerequisite to access.” Authentication applies to users, devices, and processes, not cryptographic modules themselves.

Why A, B, C are Correct Considerations:

Devices must be authorized before connecting.

Processes acting on behalf of a user must be authenticated.

Users must be authorized prior to access. These are all directly mapped to AC and IA domains.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IA and SC requirements

NIST SP 800-171A — Assessment Objectives for AC/IA wireless and cloud access

CMMC Assessment Guide – Level 2, Cloud/ESP Considerations

===========

MA.L2-3.7.1 (Perform Maintenance) requires that maintenance activities and risks associated with outdated or unsupported systems be managed. Unsupported systems create a security risk if not mitigated, particularly when they process CUI.

Extract:

“Maintenance must be performed and documented to ensure continued secure operation. When systems cannot be updated or patched due to technical limitations, the OSC must implement and document risk mitigation strategies.”

Because the OSC has not demonstrated risk management for the outdated OT system, the practice is NOT MET.

To validate that remote access is routed through managed access control points, the assessor requires technical evidence, not just policy. The network diagram shows the design and routing of remote access through controlled points (e.g., VPN gateways), and VPN logs provide operational evidence that remote sessions are enforced through those points.

Exact Extracts:

AC.L2-3.1.14: “Route remote access through managed access control points.”

Assessment Objective (AC.L2-3.1.14[a]): “Remote access is routed through managed access control points.”

Assessment Method (Examine/Interview/Test): Requires network diagrams and remote access logs as evidence.

CMMC Assessment Guide specifies: “Network diagrams and supporting logs are required to demonstrate implementation of remote access routing.”

Why the other options are not correct:

B (policy/procedures): Policies describe intent, not proof of implementation.

C (SSP/vendor mgmt): SSPs provide system description but not direct evidence of enforcement.

D (cloud logs/hardware inventory): These do not specifically demonstrate remote access routing through managed points.