Question 16 - Cyber AB CMMC-CCA Real Exam Questions [March 2026 Update]

Q: 16

During a CMMC assessment, you review the OSC’s documented procedures for access control.These procedures detail a user access request and approval process for the organization’s Human Resources (HR) information system. You then interview IT personnel responsible for access control, who confirm the documented procedures accurately reflect how access is managed for the HR system. However, the OSC’s network diagram reveals the presence of other in-scope systems critical to their operations, such as their Engineering Design Database and Manufacturing Control System. Neither the documented procedures nor the interview addressed access control practices for these additional systems. Based on the CMMC Assessment Process guidelines on evidence sufficiency, how would you characterize the evidence collected so far regarding access control?

Options

Correct Answer:

Explanation

According to the CMMC Assessment Process (CAP), evidence is considered sufficient only when it is adequate in quantity and scope to support a definitive assessment finding (i.e., Met or Not Met). In this scenario, the collected evidence, while potentially valid for the HR system, does not cover other critical, in-scope systems like the Engineering Design Database and Manufacturing Control System. Because the evidence fails to address the full scope of the access control practice's implementation across the organization's CUI environment, it is quantitatively lacking. Therefore, the evidence collected so far is insufficient to make a final determination for the practice.

Why Incorrect

A. Valid but incomplete: While the evidence for the HR system may be valid, "insufficient" is the formal CMMC assessment term describing a lack of evidence quantity and scope coverage needed to make a finding.

B. Sufficient: This is incorrect because evidence is completely missing for multiple in-scope systems, failing to meet the requirement for comprehensive coverage across the CMMC Assessment Scope.

D. Inconclusive: This term is used when collected evidence is conflicting, ambiguous, or contradictory. The issue here is a clear lack of evidence for parts of the scope, not a conflict within the evidence.

---

References

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2, Version 1.0, October 2023.

Section 3.5, Conducting the Assessment, Page 12: States, "The Assessment Team must collect sufficient evidence to support their determination for each practice." This implies that evidence must cover the entire scope of the practice's implementation to be deemed sufficient.

Section 3.6, Determining Findings, Page 13: Explains that findings are based on the "sufficiency of the objective evidence." A finding of "Met" requires that the practice is "fully implemented." Without evidence from all in-scope systems, the assessor cannot confirm full implementation, rendering the current evidence insufficient.

2. CMMC Model Overview Version 2.0, December 2021.

Section: CMMC Assessment, Page 5: This document establishes that assessments are conducted to "verify the implementation of cybersecurity requirements." Verification requires evidence covering all areas where the requirements (practices) apply, which in the scenario includes all in-scope systems handling CUI.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE