The team is assessing an OSC that uses the cloud for hosting its online services. Which of the following is NOT important for the assessor to consider?
Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).
Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant but is never "authenticated as a prerequisite to access." Authentication applies to users, devices, and processes, not cryptographic modules themselves.
Why A, B, C are Correct Considerations:
Devices must be authorized before connecting.
Processes acting on behalf of a user must be authenticated.
Users must be authorized prior to access.
These are all directly mapped to AC and IA domains.
Reference (CCA Official Sources):
NIST SP 800-171 Rev. 2: IA and SC requirements
NIST SP 800-171A: Assessment Objectives for AC/IA wireless and cloud access
CMMC Assessment Guide - Level 2, Cloud/ESP Considerations