Cyber AB CMMC-CCP Exam - Topic 5 Question 17 Discussion

An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?
A) Take it with them to review in the evening.
B) Leave it on the desk for review the following day.
C) Put it in the unlocked desk drawer for review the following morning.
D) Take a picture with the personal phone before securely shredding it.

Actual exam question for Cyber AB's CMMC-CCP exam
Question #: 17
Topic #: 5

Suggested Answer: A

In this scenario, the primary concern is the protection of Controlled Unclassified Information (CUI) in an environment that lacks sufficient physical security controls (specifically, a lack of a locked cabinet or drawer). According to the CMMC Assessment Process (CAP) and NIST SP 800-171 (specifically the Physical Protection (PE) family), CUI must be protected from unauthorized access at all times.

Responsibility of the Assessor: CMMC Professionals (CCPs and CCAs) are bound by the CMMC Code of Professional Conduct and the C3PAO's internal security protocols to ensure that any CUI provided by the Organization Seeking Certification (OSC) is handled securely.

Physical Protection (PE.L2-3.10.1 and PE.L2-3.10.2): These practices require that an organization limit physical access to systems and equipment to authorized users and protect the physical facility. If the provided 'hoteling space' does not offer a locked container (like a cabinet) to secure the CUI overnight, leaving it in an unlocked drawer (Option C) or on the desk (Option B) would be a violation of CUI handling requirements and a security risk.

Why Option A is the best 'Next' step: In the absence of on-site secure storage, the assessor must maintain positive control of the CUI. Taking the document to a secure location (such as the assessor's hotel room) or keeping it on their person, where they can ensure it remains under their control, is the only viable way to prevent unauthorized access by janitorial staff or other unauthorized personnel at the client site overnight.

Why other options are incorrect:

Option B and C: Both fail to protect the CUI from unauthorized access in a non-secure, shared environment.

Option D: Taking a picture of CUI on a personal phone is a major security violation (spillage), as personal devices are generally not authorized to store or process CUI.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section regarding 'Assessor Responsibilities for CUI and Proprietary Information.'

NIST SP 800-171 Rev 2: Physical Protection (PE) family (3.10.1, 3.10.2).

DoD Instruction 5200.48: 'Controlled Unclassified Information (CUI),' which specifies that CUI must be protected by at least one physical barrier when not in the direct control of an authorized individual.

