When validating an OSC’s assessment scope, an Assessment Team learns that the proposed scope is too narrow and their asset categorization is mixed up. What should the Assessment Team do?
A. Review the OSC’s environment and asset categorization to determine the proper scoping for the organization.
B. Stop the assessment.
C. Advise the OSC to conduct another scoping exercise that covers all assets.
D. Require the OSC to refine its security boundaries to include all assets that come into contact with CUI.
The CMMC Assessment Process (CAP) tasks the Lead Assessor with validating and refining the OSC’s scope during Phase 1. If the scope is too narrow and assets are miscategorized, the Assessment Team should review the OSC’s environment and categorization to correct inaccuracies collaboratively, ensuring compliance with CMMC requirements. Option B halts prematurely, Option C shifts responsibility without guidance, and Option D is overly prescriptive. Option A follows the CAP’s iterative validation process.
Reference: CMMC Assessment Process (CAP) v1.0, Section 2.2 (Scope Validation), p. 9: "The Assessment Team reviews and adjusts the OSC’s scope as needed."