Security Protection Assets (SPAs) include people, technologies, and facilities. Which of the following technologies is not an SPA?
An OSC submits to the C3PAO Assessment Team for validation a CMMC assessment scope that includes an enclave. During validation, you learn that while CUI is stored on a single physical server, authorized employees can access it through virtual instances, thanks to VMware. You also determine that the OSC has deployed a DFARS-compliant firewall to protect network connections to the enclave and a VLAN to restrict communication between different portions of the network. Which method can the OSC be said to have used to secure its enclave?
To verify the scope accuracy and integrity, a Lead Assessor asks for documents supporting some elements of the scope. However, the OSC states that the information is proprietary and requires that the Lead Assessor sign a Non-Disclosure Agreement (NDA) before granting access. What should the Lead Assessor do?
Your C3PAO has selected you as the Lead Assessor for the Assessment Team assessing an OSC's implementation of CMMC practices. Part of this assessment includes validating the OSC's CMMC assessment scope. Which of the following is NOT a factor to consider when determining which assets are in scope?
After the OSC and the Assessment Team scheduled the initial meeting, they agreed that the initial discussions would be held in the OSC’s facilities. Walking into the conference room, the Lead Assessor notices multiple laptops and printers tagged “U.S. Government Owned.” How should the OSC have categorized these assets in their proposed assessment scope?
An aerospace company bids on a DoD contract that requires CMMC Level 2 compliance. The company has multiple divisions, but only the Manufacturing Division will work on the project. The Manufacturing Division has its own IT infrastructure and security policies, but it relies on the company’s centralized IT department for some administrative tasks. Which unit will be assessed for CMMC Level 2 compliance?
An OSC is preparing for a CMMC assessment. It has multiple information systems, some of which process CUI and others that do not. The OSC has identified a specific system that processes CUI and defined this as its system boundary. However, this system is connected to other systems within the OSC that are separately authorized and do not process CUI. As a Certified CMMC Assessor, which of the following best describes your approach to defining the CMMC Certification Boundary and Assessment Scope for the OSC?
To showcase progress on the performance of their contract, a contractor provides semi-annual demonstrations to their federal client at the client’s conference room. The conference room is inside the client’s facility, meaning the contractor does not have control over security. All prototypes and documents subject to the contract are guarded by the contractor’s staff whenever they are in transit and at the conference room. How should you, the CCA, handle the conference room when validating the OSC’s assessment scope?
You are a Certified CMMC Assessor (CCA) working with a small defense contractor who needs a CMMC Level 2 assessment. This is their first CMMC assessment. During your initial meeting with the OSC, they express a desire for a quick assessment to minimize disruption to their daily operations. They also mention their limited budget for the assessment. How will you proceed with assessment framing in this scenario?
SecureNet is a mid-sized company that designs and manufactures access control systems for government buildings. These systems utilize Internet of Things (IoT) devices embedded within the access control panels for real-time remote monitoring. SecureNet is undergoing a CMMC Level 2 assessment to comply with new government contracting requirements. During the scope validation stage, the Certified CMMC Assessor (CCA) will review SecureNet’s proposed assessment scope with the IT team. The scope includes all servers, workstations, and laptops within SecureNet’s network. However, there is no mention of the IoT devices within the access control panels. Which of the following asset categories is most likely to encompass the in-scope IoT devices used in SecureNet’s access control systems?