The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out-of-scope for the assessment?
A.
All assets in an OSC’s inventory fall within the scope of the assessment and, as such, should be assessed against the CMMC practices.
B.
None of the assets in an OSC’s inventory fall within the scope of the assessment and, as such, should not be assessed against the CMMC practices.
C.
Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.
D.
Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.
According to the CMMC Scoping Guidance, assets are categorized based on whether they can process, store, or transmit Controlled Unclassified Information (CUI), or if they are physically/logically separated or inherently unable to interact with CUI systems. Assets that cannot process, store, or transmit CUI and are properly segregated are considered Out-of-Scope.
Extract from CMMC Scoping Guidance:
“Out-of-Scope assets are those that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.”
Thus, the Lead Assessor determines out-of-scope assets by confirming that they are either segregated from CUI systems or technically incapable of handling CUI.
[Reference: CMMC 2.0 Scoping Guidance for Level 2 Assessments (Official CCA documentation)., ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit