A CCA is offered a significant discount on cybersecurity software from a vendor whose product they will be evaluating during a CMMC assessment. How should the CCA handle this situation according to the CoPC's conflict of interest principle?
You are part of the Assessment Team assessing a small defense contractor. You learn that the contractor (ABC Manufacturing) outsources parts of its IT infrastructure and cybersecurity services to a reputable Managed Services Provider (MSP). During a CMMC assessment, the contractor’s Assessment Official claims that several CMMC practices related to system security and monitoring are inherited from the MSP. Which of the following actions should the Lead Assessor take?
Documentation is a key aspect of the CMMC assessment. When preparing for a prospective assessment and during the actual CMMC assessment, you will reference various documents and document various findings. Fortunately, you can download some of these documents from the DoD CIO’s CMMC website, and other templates can be found in the CAP Appendices. You are part of the team assessing an OSC’s preparedness and readiness for a CMMC assessment. Where would you document the OSC’s readiness to proceed to the second phase of the CMMC Assessment Process (CAP)?
A CCA who works for a C3PAO doubles as a penetration tester. When conducting a CMMC assessment for an OSC, he realizes their cybersecurity practices are lacking. Recognizing potential vulnerabilities in their systems, the CCA approaches the OSC’s cyber team and offers his penetration testing services. Which CoPC guiding principle or practice has the CCA failed to live up to?
As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titled Acing Your CMMC Assessment: A Complete Guide. You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?
You are part of the team conducting a CMMC assessment for an OSC. Because of the sensitive nature of the OSC’s technologies, your team signed an NDA. However, you observe one of the Assessment Team members copying something from the OSC’s computer systems. You know they don’t have permission because the NDA states that the OSC POC will provide any required material. What should you do in this case?
You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has implemented a practice using a manual process instead of an automated tool, as described in their SSP. The manual process meets the practice’s objectives. How should you evaluate this evidence?
When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to complete specific documents. The CAP also provides templates, some of which the Assessor must use and complete during specific phases. A CCA must complete all the following documents in Phase 1 of the CAP, EXCEPT?
During scoping discussions with a Lead Assessor, the OSC mentions that there are several connected systems within the organization’s network. How should the Lead Assessor consider connected systems in the scoping of the CMMC assessment?
As a Lead Assessor working with an OSC in preparation for an upcoming assessment, you request they appoint an Assessment Official. This is the individual you will collaborate with and who has the OSC’s decision-making authority regarding the CMMC assessment. The OSC Assessment Official will lead and manage the OSC’s engagement in the assessment. As the Lead Assessor, you expect the OSC Assessment Official to have the following responsibilities, EXCEPT?