The CMMC Scoping Guidance specifies that Out-of-Scope Assets are those that neither process, store, nor transmit CUI, and do not provide security protections for CUI assets .

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI, and do not provide security protections for CUI assets.”

Thus, the correct answer is B .

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why D is Correct: A gate with a badge system represents preventive perimeter control that ensures only authorized personnel can access sensitive areas (e.g., loading docks). This directly aligns with Level 2 physical protection requirements.

Why Other Options Are Insufficient:

A (Turnstiles): More relevant for internal building entry, not loading docks.

B (Visitor log): Supports accountability, but does not prevent unauthorized entry.

C (Cameras): Provides monitoring but not control — surveillance alone does not restrict access.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2, Physical Protection

===========

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs , which are stronger than labels, cameras, or keypads.

Exact Extracts:

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.5: “Maintain audit logs of physical access.”

CMMC Assessment Guide: “Badge systems with access control lists and logs are considered a best method for meeting physical access requirements.”

Why the other options are not correct:

A: Labels and lists do not prevent unauthorized access.

C: Cameras monitor but do not restrict access; they are detective, not preventive.

D: Keypads do not provide individual accountability (codes can be shared).

Applicable Requirement: CA.L2-3.12.4 — “Develop, document, periodically review/update, and disseminate system security plans.” Policies require executive approval and evidence of regular review.

Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement , demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.

Why Other Options Are Insufficient:

A: Handwritten notes are informal and lack authenticity controls.

C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.

D: Employee interviews may demonstrate awareness but do not show executive approval.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CA.L2-3.12.4

NIST SP 800-171A — CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)

CMMC Assessment Guide – Level 2 — Policy and Approval Evidence Requirements

===========

The control PS.L2-3.9.1: Screen Individuals requires that individuals be screened before authorizing access to organizational systems and CUI . Since employees are assigned to work immediately upon hire, before screenings are complete, this practice is NOT MET . Completing screenings within the first week does not satisfy the requirement.

Exact extracts:

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

“Assessment Objectives … Determine if: [a] individuals requiring access to CUI are screened before access is granted.”

“It is not sufficient for screening to occur after access has been authorized.”

Why the other options are incorrect:

A: Remediation may be possible, but scoring must be NOT MET .

B: A single practice being NOT MET does not automatically cause assessment failure (depends on aggregate score).

C: HR responsibility does not excuse failure to complete screening before granting access.

For CMMC Level 2, an OSC must score at least 88 out of 110 practices (80%) to qualify for use of POA & Ms. Practices on the DoD’s Authorized POA & M List may then be deferred, but only if the OSC meets the 88-point threshold and no high-weight practices are failed.

Exact extracts:

“Organizations must score at least 88 out of 110 (80%) to be eligible for POA & Ms.”

“POA & Ms may only be applied to a limited subset of practices designated by DoD.”

“Failure to reach the 88-point threshold results in an assessment failure.”

Why other options are incorrect:

A: Below 88 is automatic fail.

B: 110/110 is full compliance (no POA & M needed).

C: 80 is a distractor; 88 is the actual DoD threshold.

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport . “Tamper protection technologies” are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

“Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.”

Thus, D is NOT an acceptable safeguard.

Assessor conduct is governed by the CMMC Code of Professional Conduct . Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO) . The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.

The Physical and Environmental Protection (PE) Policy is the governing artifact that describes how physical access to facilities and environments is managed and controlled. While the SSP provides a system-wide overview, and access lists provide details of who is authorized, it is the PE Policy that explicitly documents the physical access control measures required under CMMC.

Extract from PE.L2-3.10.1:

“Organizations must develop, document, and disseminate physical and environmental protection policies that govern how access to buildings and systems containing CUI is limited to authorized individuals.”

The OSC (Organization Seeking Certification) is always responsible for meeting CMMC requirements, regardless of what responsibilities are shared or outsourced to an ESP. ESPs can provide inherited practices (e.g., FedRAMP Moderate for cloud CUI), but the OSC remains accountable for compliance under government mandates.

Exact Extracts:

CMMC Assessment Guide: “The OSC is the entity being assessed. While an ESP may provide inherited practices, the OSC retains ultimate responsibility for compliance.”

Scoping Guide: “External Service Providers may meet requirements on behalf of the OSC; however, it is the OSC that is assessed and must demonstrate sufficiency of evidence.”

Why other options are not correct:

A: Incorrect — ESPs that process CUI must meet FedRAMP Moderate equivalency, even if not directly assessed for CMMC.

B: While true, factoring documentation does not override that OSC remains accountable .

C: ESPs are not assessed at the same time as the OSC; only the OSC receives certification.