Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140- validated cryptography and access must be limited to authenticated users. This ensures confidentiality and integrity of CUI while preventing unauthorized wireless access.
Exact Extracts (official CMMC Assessor/Study documents):
* SC.L2-3.13.13: "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI."
* AC.L2-3.1.1 / 3.1.2: "Limit system access to authorized users... and authenticate the identities of those users."
* SC.L2-3.13.17: "Protect wireless access to the system using authentication and encryption."
* Assessment Guide clarifies: "Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users." Why other options are not correct:
* A: Only requires encryption; does not address authenticated access, which is mandatory.
* B: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.
* D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.
References (official CCA/CMMC documents):
* CMMC Assessment Guide - Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp.
134-136).
* NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.

Comprehensive and Detailed in Depth Explanation:
The CAP does not permit waivers; all practices must be met (Option A). Options B, C, and D misrepresent CMMC rules.
Extract from Official Document (CAP v1.0):
* Section 2.5 - Scoring (pg. 30):"The CMMC process does not allow waivers; all practices must be implemented for certification." References:
CMMC Assessment Process (CAP) v1.0, Section 2.5.

Comprehensive and Detailed In-Depth Explanation:
CM.L2-3.4.2 involves "enforcing security configuration settings." Checklists typically include technical parameters like permissions (B), protocols (C), and network settings (D), per CMMC guidance. Assessment readiness status (A) is an administrative metric, not a config setting, and belongs in a CA-RR checklist, not security configs.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), CM.L2-3.4.2: "Checklists include permissions, protocols, network settings; readiness status separate."
* NIST SP 800-171A, 3.4.2: "Examine technical config parameters."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf

Comprehensive and Detailed in Depth Explanation:
The CoPC prohibits CCAs from assessing an OSC they consulted for, due to potential bias, not objectivity (Option B) or confidentiality (Option D). Option A is incorrect as this is unprofessional. Option C (assessor bias) is the precise issue.
Extract from Official Document (CoPC):
* Paragraph 3.1 - Professionalism (pg. 6):"Under no circumstances shall credentialed individuals conduct a certified assessment if they have served as a consultant to prepare the organization, due to assessor bias." References:
CMMC Code of Professional Conduct, Paragraph 3.1.

Comprehensive and Detailed in Depth Explanation:
The CAP mandates uploading the Pre-Assessment Data Form to CMMC eMASS as the final step before Phase 2 (Option C). Options A, B, and D are not the final step.
Extract from Official Document (CAP v1.0):
* Section 1.6 - Prepare for Assessment (pg. 18):"The final step before commencing the assessment is uploading the Pre-Assessment Data Form into CMMC eMASS." References:
CMMC Assessment Process (CAP) v1.0, Section 1.6.