Cyber AB CMMC-CCA Exam - Topic 4 Question 10 Discussion

Actual exam question for Cyber AB's CMMC-CCA exam

Question #: 10
Topic #: 4

During an assessment, the OSC was found to have implemented 68% of CMMC practice SC.L2-3.13.11 -- CUI Encryption. However, the OSC Assessment Official cited issues with the vendor for not fully implementing the practice. Nonetheless, it has been listed in their POA&M. Which of the following is true regarding the use of a POA&M during a CMMC assessment?

AA POA&M addressing unimplemented security requirements is not a substitute for a completed CMMC practice

BA POA&M can be used as evidence of full implementation for any unimplemented CMMC practices

CIf a practice is listed in the POA&M, it is considered fully implemented during the assessment

DAssessors are required to accept any POA&M as evidence of implementation for partially implemented practices

Show Suggested Answer

Suggested Answer: A

Comprehensive and Detailed In-Depth Explanatio n:

SC.L2-3.13.11 (5-point practice) requires full implementation for certification. Per CAP, a POA&M documents deficiencies but isn't a substitute for completion (A). Options B, C, and D contradict CMMC rules, as partial implementation or POA&M listing doesn't equate to Met status, especially for 5-point practices ineligible for POA&M deferral.

Extract from Official CMMC Documentation:

CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: 'Full implementation required.'

CAP v5.6.1: 'POA&M not a substitute for Met status.'

Resources:

https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf

by Ronna at Mar 06, 2026, 10:36 PM

Limited Time Offer

25%

27 days ago

I remember that a POA&M can't replace actual implementation, so I think A is the right choice.

upvoted 0 times

...