During scoping discussions with a Lead Assessor, the OSC mentions that there are several connected systems within the organization’s network. How should the Lead Assessor consider connected systems in the scoping of the CMMC assessment?
A. Connected systems are never in scope unless specifically requested by the OSC.
B. Connected systems are only in scope if they directly transmit FCI and/or CUI.
C. Only internally connected systems directly handling FCI and/or CUI are in scope.
D. Connected systems would be considered in scope for the assessment if the systems could impact the security of the CUI (or FCI) environment or if they store, process, or transmit CUI (or FCI) within the organization’s network.
The CMMC Assessment Scope - Level 2 requires that connected systems be included in the scope if they process, store, or transmit CUI/FCI or if they could impact the security of the CUI/FCI environment (e.g., as Security Protection Assets). This broader criterion ensures a comprehensive security evaluation, unlike the narrower focus of Options B and C, which limit scope to systems that directly transmit or handle CUI/FCI. Option A contradicts the guidance by deferring to the OSC alone. Option D aligns with the scoping requirements, capturing both direct handling of CUI/FCI and potential influence on its security.
Reference: CMMC Assessment Scope - Level 2, Section 2.2 (Scoping Considerations), p. 4: "Connected systems impacting CUI/FCI security or handling CUI/FCI are in scope."