In CMMC scoping, assets are categorized based on where CUI is processed, stored, or transmitted . According to the CMMC Scoping Guide for Level 2, if CUI is only stored and used in HQ and Site A, those locations contain CUI Assets . Since Site B neither stores, processes, nor transmits CUI, its assets are considered Out of Scope .

Exact extracts:

“CUI Assets are those that store, process, or transmit CUI.”

“Assets that do not process, store, or transmit CUI, and cannot provide access to CUI, are considered Out-of-Scope. ”

“Only those assets in the scope of CMMC assessment will be evaluated against practices.”

Why the other options are incorrect:

B: Site B has VPN connectivity, but if it does not use or process CUI, its assets remain out of scope. Connectivity alone does not bring it into scope.

C/D: The terms “Certification in Risk Management Assurance” are not valid CMMC asset categories.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (CUI Assets, Out-of-Scope Assets).

===========

Applicable Requirement: PE.L2-3.10.3 — “Control physical access to organizational systems, equipment, and the respective operating environments.”

Why A is Correct: Security guards are a recognized preventive and detective physical control to limit access to only authorized individuals. Guards can verify credentials, monitor behavior, and provide real-time deterrence.

Why Other Options Are Insufficient:

B (Cameras): Provide monitoring and evidence, but not direct access control.

C (Firewalls): A network control, not a physical access measure.

D (Partition walls): Barriers may help physically separate areas but do not control who enters.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — PE.L2-3.10.3

NIST SP 800-171A — PE.L2-3.10.3 Assessment Objectives

CMMC Assessment Guide – Level 2 — Physical Security Controls

===========

The Lead Assessor’s readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor’s role to advise or determine if the OSC could achieve a higher certification level — the OSC selects its target level.

Exact extracts:

“Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability.”

“Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope.”

Why the other options are required:

A: OSC risks must be identified and discussed as part of scoping.

B: Logistics (scheduling, facilities, communications) must be confirmed.

D: Evidence must be available and accessible to avoid delays.

The CMMC Assessment Process emphasizes the importance of confidentiality and non-attribution in interviews to ensure OSC personnel provide candid, accurate information. Interviewees may give shallow or evasive answers if they fear attribution. Assuring confidentiality and non-attribution improves the quality and reliability of responses.

Exact extracts:

“The assessment team must ensure confidentiality and non-attribution during interviews.”

“Responses should be validated against evidence, but the quality of input depends on establishing a safe environment for candor.”

“Non-attribution is critical to elicit detailed and honest responses.”

Why the other options are incorrect:

A: Training matrices identify who is trained, not who should be interviewed.

C: NDAs are not a CCA responsibility — they are contractual, not assessment requirements.

D: Mapping to artifacts is part of correlation after interviews, but does not solve the problem of poor interview responses.

For hybrid and cloud environments, the Customer Responsibility Matrix is the critical artifact. It identifies which security responsibilities are handled by the CSP and which remain with the OSC, directly impacting scope .

Extract:

“The OSC must provide responsibility matrices or equivalent documentation that clearly delineates which security controls are the responsibility of the provider and which are retained by the OSC.”

This is necessary for the Lead Assessor to define assessment scope boundaries.

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented .

The CMMC Assessment Process (CAP) defines the logical order:

After collecting and examining evidence , the next step is to determine and record initial practice scores (MET, NOT MET, or NA) .

Only after practice scoring is completed are findings validated and aggregated into final recommended results.

Extract:

“Following evidence collection and review, assessors determine and record the practice status (MET/NOT MET/NA) before compiling results into final recommendations.”

The CMMC Assessment Process (CAP) states that deficiency correction is not permitted during the assessment . Practices must be evaluated based on their implementation at the time of assessment . If the OSC corrects deficiencies after assessment activities have begun, the changes cannot be considered in the scoring.

Extract:

“Deficiency correction during the assessment is not permitted. Practices are scored based on evidence available at the time of assessment activities.”

Thus, the correct next step is to score the practice as NOT MET .

Least privilege requires users to perform privileged functions only with privileged accounts and to use their basic (non-privileged) accounts for general activity . This prevents unnecessary exposure of elevated rights and limits attack surfaces. Database Administrators must use their DBA accounts only for DBA tasks , and all users must use their basic accounts for non-privileged tasks .

Exact Extracts:

AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”

Assessment Objectives: Require separate accounts for privileged and non-privileged activities.

Assessment Guide Clarification: “Privileged accounts should be used only for privileged functions; standard accounts must be used for all other activities.”

Why the other options are not correct:

B: States “non-privileged users use their basic account” but does not explicitly require all users (including admins) to use their basic account for non-privileged tasks.

C/D: Incorrectly assign System Administrator accounts to Database Administrators, which violates least privilege (admins must only have the access needed for their role).

Public-facing systems (such as web servers) must be separated from internal enterprise networks to limit exposure. CMMC (aligned with NIST SP 800-171 SC.L2-3.13.5 “Boundary Protection”) specifies that placing public servers into a demilitarized zone (DMZ) provides a security buffer and prevents direct access from the internet into the internal LAN.

Exact extracts:

“Publicly accessible systems should be placed on separate subnets or in DMZs.”

“Boundary protection devices should separate public servers from the enterprise network.”

“DMZs provide layered protection for internet-facing assets.”

Why the other options are incorrect:

A: Relocating the server physically does not provide network-layer security.

C: Firewall rules allowing only internal traffic would prevent public access, defeating the purpose of a public website.

D: Object reuse protections are unrelated to network boundary security.