During a CMMC assessment, you, as a CCA, are interviewing a key OSC employee with information security responsibilities about the access control procedures. As the interview progresses, you realize that the initial information provided in the System Security Plan (SSP) doesn’t fully align with the employee’s explanation. Based on the scenario and your role as a CCA, what is not one of your responsibilities as an assessment team member?
You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC’s compliance with the CMMC practices. During the assessment, you find that the OSC has failed to meet the requirements for CMMC practice AU.L2-3.3.4 – Audit Failure Alerting. According to the CMMC Assessment Process (CAP), which of the following should be your next step?
You are a CCA conducting a CMMC Level 2 assessment for an OSC. During the assessment, you discover that the OSC has implemented a practice using a temporary workaround due to a recent system failure. The workaround meets the practice’s objectives, but it is not documented in their System Security Plan (SSP). How should you evaluate this evidence?
As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titledAcing Your CMMC Assessment: A Complete Guide. You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?
Sarah, a Certified CMMC Assessor, is conducting an assessment for DataSecure, a cloud service provider that hosts various applications for the Defense Industrial Base (DIB). During the assessment, Sarah encounters a complex and highly specialized cloud architecture that leverages cutting-edge technologies such as containerization, serverless computing, and advanced security controls. As Sarah reviews the evidence provided by DataSecure for the relevant CMMC practices, she realizes that some of the evidence and implementations are unlike anything she has encountered in previous assessments. What is the most appropriate action for Sarah to take as a CCA in this scenario?
As a Certified CMMC Assessor, you are part of a team assessing a small defense contractor. During the assessment, an employee being interviewed appears unsure about some security practices and asks for your advice on how to answer certain questions to make their compliance appear better. As a Certified CMMC Assessor, what should you do in this situation?
You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?
An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1 – System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. The following conditions hold true for CMMC practices ineligible for deficiency corrections EXCEPT?
Sarah, a Certified CMMC Assessor, is conducting an assessment for DataSecure, a cloud service provider that hosts various applications for the Defense Industrial Base (DIB). During the assessment, Sarah encounters a complex and highly specialized cloud architecture that leverages cutting-edge technologies such as containerization, serverless computing, and advanced security controls. As Sarah reviews the evidence provided by DataSecure for the relevant CMMC practices, she realizes that some of the evidence and implementations are unlike anything she has encountered in previous assessments. What is the most appropriate action for Sarah to take as a CCA in this scenario?
During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D., who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.’s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home. Which of the following principles of the CMMC Code of Professional Conduct did Liz most likely violate?
