CMMC-CCA Sample Questions Answers

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and operating environments.”

Why D is Correct: Escort requirements are met as long as the visitor’s actions are continuously observed and controlled. The escort does not need to be physically inside the same room if direct observation is possible.

Why Other Options Are Insufficient:

A: Escort posture (sitting/standing) is irrelevant.

B: Same-room presence is not required by CMMC/NIST SP 800-171.

C: A single entry point helps, but observation is the requirement.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

CMMC Assessment Guide – Level 2 — Physical Escort Policy Guidance

===========

Visitor access control (PE.L2-3.10.3 and PE.L2-3.10.4) typically involves procedures at entry points. The front-desk receptionist is the staff member most directly involved in logging, controlling, and monitoring visitor access. While system admins and partners handle IT and business operations, they do not control physical visitor access day-to-day.

Exact extracts:

“Assessment Method – Interview: personnel responsible for visitor access control (e.g., reception staff, security desk staff).”

“Assessment Objectives … Determine if visitor access is identified, logged, escorted, and monitored.”

Why the other options are incorrect:

A: System admins focus on IT, not visitor management.

C: Administrative assistants generally perform clerical tasks, not visitor logging.

D: Senior partners may approve contracts but are not directly responsible for visitor control.

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA&Ms. Practices on the DoD’s Authorized POA&M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA&Ms.”

“POA&Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA&M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.

Least privilege requires users to perform privileged functions only with privileged accounts and to use their basic (non-privileged) accounts for general activity. This prevents unnecessary exposure of elevated rights and limits attack surfaces. Database Administrators must use their DBA accounts only for DBA tasks, and all users must use their basic accounts for non-privileged tasks.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Objectives: Require separate accounts for privileged and non-privileged activities.

Assessment Guide Clarification: “Privileged accounts should be used only for privileged functions; standard accounts must be used for all other activities.”

Why the other options are not correct:

B: States “non-privileged users use their basic account” but does not explicitly require all users (including admins) to use their basic account for non-privileged tasks.

C/D: Incorrectly assign System Administrator accounts to Database Administrators, which violates least privilege (admins must only have the access needed for their role).

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.

The CMMC Assessment Process (CAP), Phase 2 – Conduct the Assessment defines the subphases for generating final recommended results. The steps are:

Determine final practice MET/NOT MET/NA results

Create, finalize, and record recommended final findings

Resolve assessment findings disputes

Extract:

“The assessment team determines the final practice status, records recommended findings, and resolves disputes with the OSC prior to finalizing recommended results.”

Applicable Requirement: SC.L2-3.13.7 — “Prevent split tunneling for remote devices connecting to organizational systems.”

Assessment Method: “Examine” requires direct review of system hardware, software, and architecture to verify split tunneling is disabled.

Why C is Correct: This aligns with the NIST SP 800-171A assessment objective, which specifies verifying that mechanisms enforcing the prevention of split tunneling are implemented at the system level.

Why Other Options Are Insufficient:

A: Describes “test” method, not “examine.”

B: Describes “interview” method, not “examine.”

D: Too general and vague; does not align to evidence required under “examine.”

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — SC.L2-3.13.7

NIST SP 800-171A — SC.L2-3.13.7 (Assessment Objectives & Examine Method)

CMMC Assessment Guide – Level 2, SC.L2-3.13.7

===========

The Access Control (AC) domain governs remote access, privileged access, and VPN controls. Documents describing how VPNs are controlled, monitored, and restricted fall under the Access Control Policy.

Extract:

“Access Control practices include the management of remote connections, monitoring of sessions, and enforcement of VPN controls.”

Thus, the correct document is the Access Control Policy.

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

The OSC remains responsible for ensuring that any External Service Provider (ESP) such as a CSP supports compliance with CMMC. FedRAMP authorization is evidence, but the OSC must still demonstrate that the CSP’s services are being used in a manner that complies with CMMC Level 2 requirements.

Extract:

“The OSC is responsible for demonstrating that services provided by external providers are implemented and operated in a manner that complies with CMMC requirements for the OSC’s environment.”

Therefore, the OSC must provide proof of compliance in their environment, not simply rely on FedRAMP documentation.

The CMMC practices for cryptographic protection (SC.L2-3.13.11, SC.L2-3.13.8, etc.) require that cryptography protecting CUI must be FIPS-validated. The authoritative source for validation is the NIST Cryptographic Module Validation Program (CMVP).

Extract:

“To use cryptography in compliance with CMMC requirements, organizations must use modules validated under the NIST Cryptographic Module Validation Program (CMVP). The CMVP is the authoritative source to verify whether a cryptographic implementation is FIPS-validated.”

Vendor documentation or SSP claims alone cannot serve as authoritative proof. The CCA must consult the NIST CMVP validation list.

Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

External connections are defined as connections crossing the OSC’s assessment boundary. Here:

The dedicated VPN from office to cloud = one external connection.

The user-initiated VPNs from remote laptops to cloud = a second external connection.

Extract:

“External connections include all system interfaces that cross the assessment boundary, including VPNs initiated by users or established between sites.”

Thus, there are two external connections.

The Interview assessment method is used to validate whether procedures and policies are actually being implemented and followed by the personnel who use them. Even if the documents are dated correctly, assessors must confirm their operational use.

Extract:

“Interviews with personnel are used to verify that documented policies, plans, and procedures are actually implemented in daily practice.”

Thus, interviewing OSC team members who use the procedures provides the strongest validation.

To validate least functionality, the assessor must evaluate implementation (via security staff, admins, developers). Interviewing the policy author provides limited value since it does not confirm whether the policy is implemented in practice.

Extract:

“Assessors should confirm least functionality through interviews with individuals responsible for system configuration, security, and implementation. Policy documentation authors alone are not sufficient evidence.”

Thus, interviewing the policy writer is least useful.

AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.

Extract:

“Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management.”

Thus, the missing element is recorded management authorization.

If an OSC wishes to separate environments that process FCI from those that process CUI, they may pursue two separate CMMC certifications (Level 1 for FCI and Level 2 for CUI). A single certification cannot cover both environments unless all requirements for the higher level are met across the entire enterprise.

Exact Extracts:

CMMC Assessment Guide: “An OSC may choose to undergo multiple CMMC certification activities if they wish to limit scope between FCI and CUI environments.”

“Level 1 applies to safeguarding FCI, while Level 2 applies to CUI; separate certifications may be pursued if the OSC chooses to segregate these environments.”

Why the other options are not correct:

A: A single certification would require all assets to meet Level 2 controls, which may not be the OSC’s intent.

C: Defining scope for FCI only aligns with Level 1, but this does not meet Level 2 certification requirements for CUI.

D: A self-assessment scope only applies to Level 1 assessments, not Level 2 third-party certification.

The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B.

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.

Exact extracts:

“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”

“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”

“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”

Expanded explanation:

Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.

Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.

This ensures that unauthorized changes or unapproved software do not deviate from the security posture.

Why the other options are incorrect:

A (Media protection): Relates to storage devices and handling, not baselines.

B (Physical protection): Relates to facility and hardware security, not configuration.

D (Identification and authentication policy): Addresses user access, not baseline configuration.

The CMMC Assessment Process (CAP) defines the logical order:

After collecting and examining evidence, the next step is to determine and record initial practice scores (MET, NOT MET, or NA).

Only after practice scoring is completed are findings validated and aggregated into final recommended results.

Extract:

“Following evidence collection and review, assessors determine and record the practice status (MET/NOT MET/NA) before compiling results into final recommendations.”

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

The Physical Protection (PE) Domain requires implementation of physical access controls to prevent unauthorized access to CUI systems. Simply trusting employees or sending communications is not sufficient. However, if the server is located inside a secondary restricted room that only the IT team can access, then adequate physical protection controls are still in place.

Extract from PE.L2-3.10.x (Physical Protection Practices):

“Organizations must limit physical access to systems, equipment, and environments that process, store, or transmit CUI to authorized individuals only.”

Thus, placing the server within an additional restricted access-controlled room ensures compliance, even if the outer door is propped open for cooling.

CMMC Level 2 requires CSPs that process, store, or transmit CUI to meet FedRAMP Moderate (or equivalent) authorization, not FedRAMP High. FedRAMP High is not a CMMC requirement but may be required by contract or specific agencies.

Exact Extracts:

DoD CMMC Scoping Guide: “External Cloud Service Providers must meet FedRAMP Moderate equivalency when storing, processing, or transmitting CUI.”

CMMC Assessment Guide: “The baseline requirement for CUI in cloud environments is FedRAMP Moderate; higher levels may be contractually required.”

Why other options are not correct:

A: Equivalency is allowed, but only to FedRAMP Moderate level.

C/D: Incorrect, because CMMC Level 2 does not mandate FedRAMP High.

IA.L2-3.5.7 requires password complexity rules that include uppercase, lowercase, numeric, and special characters. The given policy addresses three requirements but does not mandate at least one special character.

Extract:

“Enforce password complexity by requiring combinations of upper-case letters, lower-case letters, numbers, and special characters.”

Thus, the missing requirement is the use of a special character.

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider’s SIEM to monitor their entire cloud environment where CUI is processed.

Extract:

“Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented.”

Thus, the practice is MET because the SIEM covers the cloud environment.

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

Applicable Requirement (CAP – Evidence Validity): Evidence must be relevant, reliable, and timely. Artifacts from separate entities or outdated sources require extra scrutiny.

Why D is Correct: The least reliable evidence is old (18 months) and produced by individuals not part of the OSC entity being assessed. Such artifacts require the most verification to determine applicability.

Why Other Options Are Insufficient:

A: Strongest evidence (current and from OSC staff).

B: Outdated, but still from OSC staff (more reliable than outside entity).

C: Current, but external (still stronger than outdated + external).

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Evidence Collection and Reliability Criteria

CMMC Assessment Guide – Level 2 — Acceptable Evidence

===========

According to CMMC Scoping Guidance, assets controlled by a parent organization are out-of-scope when they are physically and logically isolated from the OSC’s environment and do not process, store, or transmit CUI within the OSC’s boundary.

Extract from Scoping Guidance:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”

Since the badge activation machine is completely isolated and managed by the parent organization, and it has no network connectivity to the OSC, it is out-of-scope.

A shared Internet connection indicates that Security Protection Assets (SPAs) are present and serving both the CUI environment and other parts of the enterprise. SPAs are always in-scope regardless of where they are located, because they provide security protections for CUI. Therefore, if documentation or diagrams show that the commercial and federal environments share a single Internet connection, the assessor must request access to the other building to confirm proper implementation and isolation.

Exact Extracts (from CMMC Assessor/Study documents):

“Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2 security requirements that are relevant to the capabilities provided.”

“Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets… If documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.”

“Separation… is required only for Out-of-Scope Assets. Isolation can be achieved… by implementing subnetworks with firewalls or other boundary protection devices.”

“The CMMC Assessment Scope includes all assets in the OSA’s environment that will be assessed… OSAs will be required to provide a network diagram of the CMMC Assessment Scope to facilitate scoping discussions during pre-assessment.”

“An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined…”

Why the other options are not correct:

A (locked cases): Physical movement of materials does not establish scope. Scoping is determined by CUI flow and security protection assets, not incidental observation of personnel activities.

B (underground passageway): Physical tunnels or building connections do not affect scope unless they result in shared IT/security functions.

D (HR location): HR is not a SPA because it does not provide security functions to protect CUI. Unless HR systems process or store CUI directly, they remain out of scope.

References (official CCA/CMMC documents):

CMMC Assessment Scope – Level 2, Version 2.13 (Scoping Guide): Asset Categories, SPA definitions and examples; CRMA limited-check language; Separation requirements; network diagram requirements (pp. 3–13).

CMMC Assessment Guide – Level 2, Version 2.13: Assessment scope, enclave validation, and assessor methods (pp. 1–4, 8–10).

AC.L2-3.1.6 requires that non-privileged accounts are used for normal tasks and privileged accounts are only used when necessary for privileged functions.

Extract:

“Require that users employ the least privilege principle by using non-privileged accounts for general tasks. Privileged accounts must only be used when elevated privileges are required.”

Thus, the correct procedure is:

All employees have non-privileged accounts.

Admins also have separate privileged accounts.

Admins perform normal duties with their non-privileged accounts, using privileged accounts only when required.

To verify compliance with AC.L2-3.1.5 (Least Privilege), the assessor must confirm that privileged accounts are not used for routine or non-privileged tasks. Asking if a user uses their privileged account for tasks like researching vulnerabilities on the Internet directly tests whether the principle of least privilege is being followed.

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

CMMC Assessment Guide: “Interviews should confirm that privileged accounts are used exclusively for privileged functions, and that standard accounts are used for general tasks.”

NIST SP 800-171A Objective: “Determine through interviews whether users employ privileged accounts for non-privileged tasks.”

Why other options are not correct:

A: Awareness of other privileged users is not the issue being assessed.

B: Knowledge of RBAC is useful but does not confirm account usage practices.

D: Provisioning procedures are an IT staff responsibility, not a user behavior check.

The Assessment Guide emphasizes that a policy is insufficient unless it is implemented consistently across all applicable assets. Evidence from interviews showing exceptions means the practice is NOT MET.

Extract:

“Policies must not only exist but must also be enforced and implemented consistently. Exceptions indicate non-compliance.”

Thus, the correct answer is B.

For IA.L2-3.5.1 (Identify system users, processes, and devices), the strongest evidence is direct lists of accounts, devices, and supporting audit logs/records that show users and devices are actively identified and managed. Policies and procedures are supporting evidence but not as strong as system-generated, real evidence.

Extract:

“Strong evidence includes account listings, device inventories, and audit logs demonstrating that all users, processes, and devices are identified and uniquely associated.”

Under AC.L2-3.1.12: Remote Access, assessors must verify that all remote access sessions are identified, authorized, controlled, and monitored. Whether remote access is “necessary” is a business decision, not an assessment concern. The assessor is concerned with whether it is properly controlled and implemented, not with the business justification for its existence.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled;• remote access sessions are monitored.”

“The requirement does not assess business necessity of remote access, only its security and authorization.”

Why the other options are important:

B: Authorization (permitted) must be verified.

C: Monitoring of remote sessions is mandatory.

D: Permitted methods must be identified (e.g., VPN, VDI, etc.).

Applicable Requirement (CAP – Scoping and Evidence Validation): When inconsistencies arise about the environment, assessors are required to examine objective artifacts that define boundaries, such as network diagrams and system architecture documentation.

Why A is Correct: Network diagrams objectively show whether systems are hosted on-premises or involve ESPs (cloud, MSSPs, hosting providers). Reviewing them avoids ambiguity from inconsistent verbal descriptions.

Why Other Options Are Insufficient:

B: Interviewing another OSC representative may add to confusion rather than resolve it.

C: Interconnection agreements confirm ESP relationships but do not resolve whether the OSC has on-prem or hybrid environments.

D: Contacting ESPs directly is not part of the assessment process; OSC must provide evidence.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Clarifying System Boundaries

CMMC Assessment Guide – Level 2 — Evidence Types (network diagrams, architecture documentation)

===========

Applicable Requirement (CMMC Scoping Guidance – Specialized Assets): Specialized Assets (e.g., OT, IoT, GFE, test equipment) are not exempt from CMMC practices. OSCs must provide:

Documented identification in SSP/inventory,

Justification of specialized handling,

Evidence that risk-based security measures are implemented.

Why D is Correct: Assessors must see evidence that isolation is actually implemented (not just planned), plus supporting artifacts showing how remaining applicable practices are addressed (monitoring, inventory, access, etc.). Planned measures alone are insufficient.

Why Other Options Are Insufficient:

A: Installation/config builds do not show operational isolation.

B: Scoping statements alone do not demonstrate implementation.

C: SSP language is descriptive but must be supported by implementation evidence.

References (CCA Official Sources):

CMMC Scoping Guidance — Specialized Assets

CMMC Assessment Guide – Level 2 — Evidence Requirements for Specialized Assets

NIST SP 800-171 Rev. 2 — Asset Management and Risk-Based Controls

Applicable Requirement: CM.L2-3.4.1 — “Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

Why C is Correct: Baseline management requires documenting and tracking authorized deviations to ensure systems remain consistent with approved baselines. Evidence must show the OSC manages exceptions as part of its configuration management process.

Why Other Options Are Insufficient:

A: Physical safeguards protect images but do not demonstrate baseline management.

B: Reviews may be helpful, but deviations are explicitly required documentation.

D: Chain of custody applies to asset tracking, not baseline management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.1

NIST SP 800-171A — CM.L2-3.4.1 Assessment Objectives

CMMC Assessment Guide – Level 2, Baseline Configurations

===========