The Certified CMMC Professional (CCP) Exam (CMMC-CCP)

Understanding SC.L2-3.13.14 – Control and Monitor the Use of VoIP Technologies

TheCMMC 2.0 Level 2requirementSC.L2-3.13.14comes fromNIST SP 800-171, Security Requirement 3.13.14, which mandates that organizations mustcontrol and monitor the use of VoIP (Voice over Internet Protocol) technologiesif used within their system boundary.

If a systemdoes not use VoIP technology, then this control isNot Applicable (N/A)because there is nothing to assess.

Why Option D is Correct

When a requirement is marked as Not Applicable (N/A), it means the OSC does not use the technology or process covered by that controlwithin its assessment boundary.

No assessment procedures are neededsince there is no VoIP system to evaluate.

Option A (Existing telephone system in scope)is incorrect becausetraditional (non-VoIP) telephone systems are not covered by SC.L2-3.13.14—only VoIP is within scope.

Option B (Error, contact the Lead Assessor)is incorrect because markingSC.L2-3.13.14 as N/A is valid if VoIP is not used. This is not an error.

Option C (VoIP in scope but using FIPS-validated encryption, so it doesn’t need to be assessed)is incorrect becauseeven if VoIP uses FIPS-validated encryption, the control would still need to be assessed to ensure monitoring and usage control are in place.

Official CMMC Documentation References

CMMC 2.0 Level 2 Assessment Guide – SC.L2-3.13.14

NIST SP 800-171, Security Requirement 3.13.14

CMMC Scoping Guidance – Determining Not Applicable (N/A) Practices

Final Verification

IfVoIP is not used within the OSC’s system boundary, the control does not require assessment, making Option D the correct answer.

The Lead Assessor has the authority to make the final determination in situations where assessors cannot agree on a rating. CAP specifies that the Lead Assessor ensures consistency, resolves disputes, and provides the authoritative interpretation during the assessment process. Escalation to the CMMC-AB or Quality Assurance would only occur in rare post-assessment review cases, not during an active assessment.

Reference Documents:

CMMC Assessment Process (CAP), v1.0

Understanding "Adequate Evidence" in the CMMC Assessment Process

In aCMMC assessment,adequate evidencerefers to the proof required to demonstrate that a specific cybersecurity practice has been implemented correctly. Evidence can come from:

Artifacts(e.g., security policies, system configurations, logs).

Interview responses(e.g., verbal confirmation from personnel about their responsibilities).

Demonstrations(e.g., showing how a security control is implemented in real time).

Testing(e.g., verifying technical security mechanisms such as multi-factor authentication).

Thegoalof evidence collection is to determinewhether a CMMC practice is met—not just whether the organization operates within the assessment scope.

Why is the Correct Answer "Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice" (D)?

A. Verify, based on an assessment and organizational scope → Incorrect

Theassessment scopedefineswhat is evaluated, but adequacy of evidence is based oncompliance with specific CMMC practices.

B. Verify, based on an assessment and organizational practice → Incorrect

CMMC assessments focus on cybersecurity practices defined in the CMMC framework, not just general organizational practices.

C. Determine if a given artifact, interview response, demonstration, or test meets the CMMC scope → Incorrect

Thescopedefines the assessment boundaries, but theassessment team's job is to confirm whether CMMC practices are satisfied.

D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice → Correct

TheCMMC assessment process focuses on ensuring that required practices are implemented, making this the correct answer.

CMMC 2.0 References Supporting this Answer:

CMMC Assessment Process (CAP) Document

Defines "adequate evidence" asproof that a CMMC practice has been correctly implemented.

CMMC 2.0 Assessment Criteria

Specifies that evidence must beevaluated against specific cybersecurity practices.

NIST SP 800-171A (Assessment Procedures for NIST SP 800-171)

Provides guidance on evaluating artifacts, interviews, demonstrations, and testing to confirm compliance with required practices.

Final Answer:

✔D. Determine if a given artifact, interview response, demonstration, or test meets the CMMC practice.

The best resource for identifying the category of Controlled Unclassified Information (CUI) is NARA , because NARA is the CUI Executive Agent for the federal CUI Program and maintains the authoritative CUI Registry . The Registry is specifically where the government publishes the approved CUI categories (and related markings and handling guidance) used across the Executive Branch.

NARA’s own CUI FAQs explicitly point users to the CUI Registry as the place that “lists all authorized CUI Categories (basic and specified).” Likewise, NIST’s CUI-related FAQ page also points to the NARA CUI Registry for CUI categories, reinforcing that the Registry is the correct source for determining which category applies to a given type of information.

By contrast, DFARS Part 252 (including clauses like 252.204-7012) addresses contractual safeguarding and cyber reporting requirements, not the authoritative categorization list itself. The CMMC Assessment Guide is about how to assess controls for CMMC levels, not how to determine CUI categories. And the Cyber AB (formerly CMMC-AB) administers the ecosystem and assessment processes, not the federal CUI category taxonomy. Therefore, NARA is the best answer.

In CMMC v2.0, Level 1 is explicitly the level that “focuses on the protection of FCI ” and is composed of the basic safeguarding requirements aligned to FAR 52.204-21 . This directly establishes Level 1 as meeting the standard for protecting FCI.

However, the question asks which levels meet the standard of protecting FCI—not which level is primarily intended for FCI. The official CMMC Model Overview (Version 2.0) states that the CMMC levels and associated sets of practices are cumulative , meaning that to achieve a higher level, an organization must also demonstrate achievement of the preceding lower levels. Because Level 2 and Level 3 certifications require meeting lower-level requirements as part of achieving the higher certification, an organization certified at Level 2 or Level 3 necessarily satisfies the Level 1 requirements that protect FCI.

In addition, the later Model Overview v2.13 reiterates the structure of the model: Level 1 requirements correspond to FAR 52.204-21 safeguards (FCI), while Level 2 and Level 3 focus on CUI protection at increasing rigor. Taken together, the official documents support that Levels 1, 2, and 3 all meet the standard for protecting FCI, with Level 1 being the foundational baseline and Levels 2/3 building on it.

===========

Understanding RA.L2-3.11.2: Vulnerability Scanning

TheRA.L2-3.11.2practice requires organizations to:

✔Regularly scan for vulnerabilitiesin systems and applications.

✔Perform scans when new vulnerabilities are identified.

✔Use vulnerability scanning tools or servicesto proactively detect security weaknesses.

Why Is an Incident Monitoring Report Irrelevant?

Anincident monitoring reporttrackssecurity incidents, notvulnerability scanning activities.

Vulnerability scanning reportsshould include:

✔A list of vulnerabilities detected.

✔Remediation actions taken.

✔Scan frequency and schedule.

Theabsence of reported security incidentsdoesnotconfirm that vulnerability scans were performed.

Why is the Correct Answer "A. Inadequate because it is irrelevant to the practice"?

A. Inadequate because it is irrelevant to the practice → Correct

Alack of reported security incidents does not confirm that vulnerability scanning was performed.

B. Adequate because it fits well for expected artifacts → Incorrect

Incident monitoring reportsare not expected artifactsfor this control.Vulnerability scan reportsare required instead.

C. Adequate because no security incidents were reported → Incorrect

The absence of incidents does not mean the OSC is performing vulnerability scanning. This isnot valid evidence.

D. Inadequate because the OSC's service provider should be interviewed → Incorrect

While interviewing the provider may be useful, themain issue is that the provided evidence is irrelevant. Thecorrect evidence (vulnerability scan reports) is missing.

CMMC 2.0 References Supporting This Answer:

NIST SP 800-171 (Requirement 3.11.2 – Vulnerability Scanning)

Defines the requirement toscan for vulnerabilities periodically and when new threats emerge.

CMMC Assessment Guide for Level 2

Specifies that evidence for RA.L2-3.11.2 should includevulnerability scan reports, not incident monitoring reports.

CMMC 2.0 Model Overview

Confirms that organizationsmust proactively identify vulnerabilities through scanning, not just rely on incident detection.

Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:

Key Requirements for Nonlocal Maintenance:

Termination of Nonlocal Maintenance Sessions:

To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.

Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."

Multifactor Authentication (MFA):

OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).

While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.

Policy and Procedure Adherence:

The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.

C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.

D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion:

The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.

Understanding the CMMC Level 2 Final Report Requirements

For aCMMC Level 2 Assessment, theFinal CMMC Assessment Results Reportmust include:

Assessment findings for each practice

Final ratings (MET or NOT MET) for each practice

A detailed rationale for each practice rated as NOT MET

Why "B. Documented rationale for each failed practice" is Correct?

The CMMC Assessment Process (CAP) Guidestates that if a practice is markedNOT MET, theassessors must provide a rationale explaining why it failed.

This rationale helps theOSC understand what needs remediationand, if applicable, whether the deficiency can be addressed via aPlan of Action & Milestones (POA & M).

TheFinal Report serves as an official recordand must be submitted as part of theresults package.

Why Other Answers Are Incorrect?

A. Affirmation for each practice or control (Incorrect)

While the report includes aMET/NOT MET ratingfor each practice,affirmation is not a required component.

C. Suggested improvements for each failed practice (Incorrect)

Assessors do not provide recommendations for improvement—they only document findings and rationale.

Providing suggestions would create aconflict of interestperCMMC-AB Code of Professional Conduct.

D. Gaps or deltas due to any reciprocity model are recorded as met (Incorrect)

If an organization isleveraging reciprocity (e.g., FedRAMP, Joint Surveillance Voluntary Assessments), gapsmust still be documented—not automatically marked as "MET."

Conclusion

The correct answer isB. Documented rationale for each failed practice, as this is amandatory requirement in the Final CMMC Assessment Results Report.

The National Archives and Records Administration (NARA) serves as the authoritative body overseeing the Controlled Unclassified Information (CUI) program within the United States federal government. NARA maintains the CUI Registry, which is the definitive resource for all categories, subcategories, and associated markings of CUI. This registry provides comprehensive guidance on the identification and handling of CUI, ensuring standardized practices across federal agencies and their contractors.

The other options are delineated as follows:

CMMC-AB:The Cybersecurity Maturity Model Certification Accreditation Body is responsible for overseeing the CMMC program but does not manage CUI classifications.

DoD Contractors FAQ:While it may offer guidance to Department of Defense contractors, it is not an authoritative source for CUI data classifications.

OSC's privacy policies:An Organization Seeking Certification's internal policies pertain to its own data handling practices and are not authoritative for CUI classifications.

Therefore, for authoritative information on CUI data classifications, the NARA's CUI Registry is the appropriate resource.