You are a CCA evaluating an OSC's proposed CMMC assessment scope while planning and preparing a CMMC assessment. The assessment scope is defined in the CMMC Assessment Scope - Level 2 guide. Which statement best defines the assessment scope according to CMMC guidelines?
An aerospace company bids on a DoD contract that requires CMMC Level 2 compliance. The company has multiple divisions, but only the Manufacturing Division will work on the project. The Manufacturing Division has its own IT infrastructure and security policies, but it relies on the company’s centralized IT department for some administrative tasks. Which of the following is the Host Unit in this scenario?
An OSC plans to bid for a DoD contract to supply laser welding services to repair a fleet of unmanned aerial vehicles (UAVs). This requires them to be CMMC Level 2 certified, since the information they will receive from the DoD is Controlled Technical Information (CTI), a category of CUI. However, their repair and welding services require a Computer Numerical Control (CNC) machine to fabricate some crucial parts. Because the welding is mostly automated using robots, the OSC has integrated its SCADA system with Programmable Logic Controllers (PLCs) for increased accuracy, improved safety and efficiency, and enhanced flexibility. As the Lead Assessor for the C3PAO Assessment Team validating the OSC's CMMC assessment scope, you expect the OSC to handle the SCADA system, PLCs, and CNC machines in all of the following ways EXCEPT?
As a Lead Assessor, you are in contact with the OSC Assessment Official. The Assessment Official has submitted a document that outlines the scope of your assessment engagement. You expect to find all of the following elements in the Assessment Scope document, EXCEPT?
An OSC specializing in developing directed energy systems plans to bid on a DoD contract to produce a 250 kW High Energy Laser Weapon System (HELWS). This system is to be deployed on military bases across the globe to protect U.S. service members against aerial threats, including mortars, rockets, and unmanned aerial vehicles (UAVs), as well as swarms of mini-UAVs. Because of the sensitivity of the information, the OSC has prohibited the use of email to transmit any information regarding the project, encrypted or not. They have also instituted procedures to remove CUI from the email system. What CMMC assessment requirements must the Assessment Team follow regarding the OSC's email system?
A defense contractor has a complex network design with multiple VLANs. The network is divided into three VLANs: VLAN 10 for the administrative offices, VLAN 20 for the engineering department, and VLAN 30 for the manufacturing floor. The company's System Security Plan states that VLANs are used to create logical network segments and improve security. A Layer 3 switch routes traffic between the VLANs, and the switch is configured to allow any type of traffic between them. How should the VLANs be treated when defining the contractor's CMMC Assessment Scope?
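The detail that decides this question is the last sentence: a Layer 3 switch that routes freely between VLANs gives logical segmentation on paper but no enforced boundary, so an assessor cannot treat VLAN 20 (or any other VLAN) as separated from the rest. The following is an added example, not the contractor's configuration or anything from the scoping guide. It assumes Cisco IOS-style syntax and constructed addressing (10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, a hypothetical admin jump host 10.0.10.50), and shows the permissive setup the scenario describes beside a configuration that actually restricts access to the engineering segment where CUI would live.

```cisco
! Constructed example (not the contractor's running configuration).
! Assumed: Cisco IOS-style Layer 3 switch; all addresses are illustrative.
! VLAN 10 = administrative offices, VLAN 20 = engineering (assumed to hold CUI),
! VLAN 30 = manufacturing floor.

! ---- 1. What the SSP in the scenario amounts to: SVIs with no filtering ----
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
! No access-group on any SVI: every host in VLAN 10 and VLAN 30 can reach every
! host in VLAN 20 on any port. The VLAN tag is a broadcast-domain boundary only,
! so the three VLANs form one contiguous network for scoping purposes.

! ---- 2. Enforced logical separation of the engineering (CUI) segment ----
! Traffic destined INTO VLAN 20: only the admin jump host, only RDP; log the rest.
ip access-list extended INTO-VLAN20
 permit tcp host 10.0.10.50 10.0.20.0 0.0.0.255 eq 3389
 deny   ip any any log
!
! Traffic leaving VLAN 20: allow only the RDP return traffic to the jump host
! (stateless "established" match on TCP flags) and deny everything else, logged,
! so engineering hosts cannot initiate connections to the admin or shop-floor VLANs.
ip access-list extended OUT-OF-VLAN20
 permit tcp 10.0.20.0 0.0.0.255 eq 3389 host 10.0.10.50 established
 deny   ip any any log
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group INTO-VLAN20 out
 ip access-group OUT-OF-VLAN20 in
```

Usage note for the assessor: compare the running configuration (`show running-config interface Vlan20` and `show ip access-lists`) against the SSP statement rather than taking "VLANs improve security" at face value. With the first configuration, all three VLANs and the hosts on them are inside the assessment scope because nothing prevents the admin or manufacturing segments from reaching CUI. With the second, the switch enforces a boundary and the admin and manufacturing VLANs can be argued out of the CUI asset categories, subject to the rest of the scoping analysis (the jump host itself, for instance, still connects to CUI and stays in scope). Stateless switch ACLs are a minimum; a stateful firewall between segments is the more defensible boundary.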
An OSC employs guards to protect the manufacturing shop where a magnetic radar-absorbing coating is manufactured. The Army uses this specific coating on a particular fleet of unmanned aerial vehicles (UAVs). The facility is under constant surveillance by HD CCTV cameras. Within the OSC's facilities is a Vector Network Analyzer (VNA) that measures the reflection and transmission properties of the coating over a range of frequencies. Guards protect the OSC's anechoic chamber, and anyone entering must use an iris scanner and sign a physical form recording their name and reason for entry. At the door is a large sign reading "Authorized Personnel Only." All of the following are physical separation methods the OSC has implemented to secure its facilities, EXCEPT?
A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following is NOT an assessment method for MP.L2-3.8.5 – Media Accountability?
When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. The SSP has a dedicated section addressing the Audit and Accountability requirements. You then interview the contractor's information security personnel, who inform you that the contractor operates a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report on audit logs. What key features of the Splunk deployment would you be interested in assessing for AU.L2-3.3.6 – Reduction & Reporting?
During your assessment of the contractor Defcon's implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and the associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, giving users insufficient time to read and acknowledge the content. Once these inconsistencies are addressed, when should the contractor's privacy and security notice be displayed?