Question 7 - Cyber AB CMMC-CCP Real Exam Questions [March 2026 Update]

Q: 7

In late September. CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application is assessed. Procedure specifies that a security control assessment shall be conducted quarterly. The Lead Assessor is only provided the first quarter assessment report because the person conducting the second quarter's assessment is currently out of the office and will return to the office in two hours. Based on this information, the Lead Assessor should determine that the evidence is;

Options

Correct Answer:

Explanation

The CMMC assessment is a point-in-time evaluation based on objective evidence presented. The assessment takes place in late September, by which time the first, second, and third quarters have passed. The organization's procedure mandates quarterly security control assessments. To satisfy the practice CA.L2-3.12.1, the organization must provide sufficient evidence that assessments are conducted periodically (quarterly). Presenting only the first quarter's report is insufficient to demonstrate adherence to this required frequency. The promise of providing the second quarter's report later is not considered valid evidence at the time of assessment. Therefore, the Lead Assessor must find the evidence insufficient and rate the practice as NOT MET.

Why Incorrect

A. sufficient, and rate the audit finding as MET

This is incorrect because one report does not provide sufficient evidence to verify a recurring quarterly process has been followed for the elapsed time.

C. sufficient, and re-rate the audit finding after a quarter two assessment report is examined.

This is incorrect because the evidence is insufficient, not sufficient. Findings are based on the evidence available, not on promises of future evidence.

D. insufficient, and re-rate the audit finding after a quarter two assessment report is examined.

This is incorrect because while the evidence is insufficient, the definitive finding at that moment must be NOT MET. An assessor cannot leave a finding open based on a promise.

References

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2

Version 2.0

The Cyber AB

December 2021.

Section 3.3.3

Analyze and Score Assessment Findings

Page 15: "The Assessment Team makes a MET or NOT MET determination for each practice based on the sufficiency of the objective evidence collected during the assessment." This establishes that a finding is based on the sufficiency of evidence collected

not promised.

Section 3.3.2

Collect Objective Evidence

Page 14: "The Assessment Team collects objective evidence for each practice in the assessment scope... If the OSC does not provide sufficient evidence to support a practice

the Assessment Team cannot award a MET for that practice." This directly supports the conclusion that insufficient evidence leads to a NOT MET finding.

2. CMMC Model v2.0

Level 2 Assessment Guide

Department of Defense

December 2021.

CA.L2-3.12.1 Assessment Objectives

Page 178: The objectives are to determine if "[a] the security controls in organizational systems are assessed periodically" and "[b] the effectiveness of the controls in their application is determined." Providing only one report when more were required by policy fails to demonstrate the "periodically" objective

making the evidence insufficient.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE