Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC’s Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.

Exact Extracts:

CMMC Assessor Code of Professional Conduct: “No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC’s designated Assessment Official.”

“Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization.”

Why the other options are not correct:

A: Too absolute — proprietary data can leave if AO provides written consent.

B: IT staff cannot authorize release of proprietary data.

C: POC is not the authority for data release — only the Assessment Official is.