The Certified Third-Party Assessment Organization (C3PAO) enters into a contractual relationship with the OSC. As part of that contract, the C3PAO maintains a non-disclosure agreement (NDA) to protect sensitive and proprietary information reviewed during the assessment.
Supporting Extracts from Official Content:
CAP v2.0, Roles and Responsibilities (§2.8): “The C3PAO maintains a non-disclosure agreement with the OSC to protect all sensitive information disclosed during the assessment.”
Why Option B is Correct:
Only the C3PAO contracts directly with the OSC and is bound to protect assessment data.
NIST, The Cyber AB (formerly CMMC-AB), and OUSD A&S do not enter into NDAs directly with OSCs.
References (Official CMMC v2.0 Content):
CMMC Assessment Process (CAP) v2.0, Section on OSC–C3PAO agreements.