Online CMMC-CCA Questions Video

Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).

Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never “authenticated as a prerequisite to access.” Authentication applies to users, devices, and processes, not cryptographic modules themselves.

Why A, B, C are Correct Considerations:

Devices must be authorized before connecting.

Processes acting on behalf of a user must be authenticated.

Users must be authorized prior to access. These are all directly mapped to AC and IA domains.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — IA and SC requirements

NIST SP 800-171A — Assessment Objectives for AC/IA wireless and cloud access

CMMC Assessment Guide – Level 2, Cloud/ESP Considerations

===========

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

The CMMC Assessment Process (CAP) requires that when sensitive or proprietary materials are exchanged during an assessment, the OSC and the C3PAO should establish confidentiality protections through a Non-Disclosure Agreement (NDA).

Extract:

“OSC and C3PAOs are expected to execute a Non-Disclosure Agreement (NDA) to protect sensitive information such as proprietary, attorney-client privileged, or pre-patent materials shared during the assessment process.”

Thus, the NDA is the correct document.