New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Cyber AB CMMC-CCA Exam - Topic 3 Question 3 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam
Question #: 3
Topic #: 3
[All CMMC-CCA Questions]

An OSC is preparing for a CMMC assessment. It has multiple information systems, some of which process CUI and others that do not. The OSC has identified a specific system that processes CUI and defined this as its system boundary. However, this system is connected to other systems within the OSC that are separately authorized and do not process CUI. As a Certified CMMC Assessor, which of the following best describes your approach to defining the CMMC Certification Boundary and Assessment Scope for the OSC?

Show Suggested Answer Hide Answer
Suggested Answer: D

Comprehensive and Detailed

The CMMC Assessment Process (CAP) distinguishes the Certification Boundary (the CUI-processing system) from the Assessment Scope (all components needing authorization, excluding separately authorized connected systems). The scoping guide and glossary confirm that separately authorized systems are out of scope, aligning with Option D. Option A is too broad, Option B too narrow, and Option C reverses the definitions. D is correct.


CMMC Assessment Process (CAP) v1.0, Section 2.1 (Certification Boundary), p. 8: 'The Assessment Scope excludes separately authorized systems.'

by Delsie at Oct 07, 2025, 10:57 PM

Limited Time Offer

25%

Off

Get Premium CMMC-CCA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Tracey
10 hours ago
B seems too narrow. We need to consider connections.
upvoted 0 times
...
Joanna
6 days ago
I feel like A is too inclusive. We shouldn’t assess everything.
upvoted 0 times
...
Dannie
11 days ago
Option C could work too, but it feels too broad.
upvoted 0 times
...
Quentin
16 days ago
I agree, D is the best choice. It focuses on what’s necessary.
upvoted 0 times
...
Iluminada
21 days ago
B seems too narrow; we need a broader view.
upvoted 0 times
...
Bernadine
26 days ago
Wait, why would we include non-CUI systems? Seems off.
upvoted 0 times
...
Flo
1 month ago
Totally agree with D! It covers all bases.
upvoted 0 times
...
Lynette
1 month ago
I think option D makes the most sense here.
upvoted 0 times
...
Terina
1 month ago
I recall that the certification boundary should be specific to CUI systems, but I’m not clear if the assessment scope should be broader. I might lean towards option D, but I need to think it through.
upvoted 0 times
...
Eleonora
2 months ago
I’m a bit confused about whether we should include all systems in the assessment scope or just the one that processes CUI. I feel like I’ve seen similar questions before.
upvoted 0 times
...
Valentine
2 months ago
I think option D makes sense because it mentions excluding the separately authorized systems, which aligns with what we practiced in class.
upvoted 0 times
...
Ettie
2 months ago
Option D is the way to go. Wouldn't want to miss any critical systems during the assessment. *wink wink*
upvoted 0 times
...
Gilberto
2 months ago
I think option D makes the most sense. It’s clear and precise.
upvoted 0 times
...
Laurene
2 months ago
I remember discussing how the certification boundary should focus on systems that handle CUI, but I'm not sure if we should include all connected systems in the assessment scope.
upvoted 0 times
...
Quentin
3 months ago
D balances everything well. It’s about risk management.
upvoted 0 times
...
Benton
3 months ago
I’m surprised this is even a question—D is clearly the best choice!
upvoted 0 times
...
Isabella
3 months ago
Option D is the way to go. Wouldn't want to miss any critical systems during the assessment.
upvoted 0 times
...
Jose
3 months ago
Option D is the correct answer. Anything less would be a half-baked assessment.
upvoted 0 times
...
Verdell
4 months ago
Option D is the way to go. Gotta make sure the assessment covers all the right components.
upvoted 0 times
...
Earlean
4 months ago
I agree, Option D is the best choice as it aligns with the CMMC guidance on system boundaries.
upvoted 0 times
...
Fatima
4 months ago
Option D seems the most comprehensive approach to defining the CMMC Certification Boundary and Assessment Scope.
upvoted 0 times
...
Luis
4 months ago
Okay, I've got this. The certification boundary is just for the CUI-processing system itself, but the assessment scope needs to look at all the parts of that system that are in scope, even if they connect to other systems that aren't part of the certification. Separating the boundary and scope is important to make sure you're assessing everything that's relevant.
upvoted 0 times
...
Bobbie
4 months ago
I think D is the best answer here. The key is that the certification boundary is just for the specific CUI-processing system, but the assessment scope needs to be broader to cover all the components of that system. Gotta make sure you're assessing everything that's part of the CUI-handling system, even if it's connected to other systems.
upvoted 0 times
...
Gerald
4 months ago
Hmm, I'm a bit confused on this one. I'm not sure if I fully understand the difference between the certification boundary and the assessment scope. I'll need to review the CMMC guidelines more carefully to make sure I'm clear on the right approach.
upvoted 0 times
...
Vivienne
5 months ago
I'm pretty sure the answer is D. The certification boundary should only include the specific system that processes CUI, while the assessment scope should cover all the components of that system that require authorization, excluding any separately authorized systems it's connected to.
upvoted 0 times
Sharen
2 months ago
I think D makes the most sense. Focus on the system that handles CUI.
upvoted 0 times
...
...

Save Cancel