An OSC is planning to have a C3PAO perform a CMMC Level 2 assessment. When validating the OSC’s proposed assessment scope, you realize they use an ESP for various cybersecurity services. What action must you, as a CCA, take regarding the ESP?
A. Confirm the ESP has a CMMC Level 2 or Level 3 certification.
B. Accept the OSC’s inclusion of the ESP in their assessment scope.
The CMMC Assessment Scope - Level 2 requires that ESPs providing cybersecurity services (e.g., as SPAs) to an OSC seeking Level 2 certification must themselves hold a CMMC certification at least equal to the OSC’s target level (Level 2 or higher). This ensures that the ESP’s security practices do not undermine the OSC’s compliance. As a CCA, you must confirm the ESP’s certification status to validate the scope, as outlined in the CMMC CAP.
Option B is insufficient without verification of the ESP’s certification. Option C is unnecessary unless the ESP lacks certification. Option D misapplies self-assessment, which is not a substitute for certification. A is the mandated action.
Reference: CMMC Assessment Scope - Level 2, Section 2.3.3 (ESP Requirements), p. 6: "ESPs must have a CMMC certification equal to or greater than the OSC’s target level."; CMMC Assessment Process (CAP) v1.0, Section 2.2 (Scope Validation).