Cyber AB Certified CMMC Professional (CCP) Exam CMMC-CCP Question # 27 Topic 3 Discussion
CMMC-CCP Exam Topic 3 Question 27 Discussion:
Question #: 27
Topic #: 3
An OSC performing a CMMC Level 1 Self-Assessment uses a legacy Windows 95 computer, which is the only system that can run software that the government contract requires. Why can this asset be considered out of scope?
A Restricted Information System (IS) is defined as an asset that cannot meet modern security controls but is still needed for contract performance. These systems may be declared out of scope if they are properly isolated, mitigated, and documented. A legacy Windows 95 computer meets the definition of a restricted IS.
Supporting Extracts from Official Content:
CMMC Scoping Guide (Level 2): “Restricted IS assets are those that cannot reasonably apply security requirements due to legacy or operational constraints. They are not assessed but must be identified and protected by alternative methods.”
Why Option B is Correct:
The Windows 95 system is an example of a restricted IS, so it can be scoped out.
Option A is incorrect — the asset is not handling CUI in this case.
Option C is incorrect — government property designation does not define scope.
Option D is incorrect — while it is “legacy,” it is not classified as OT; the correct CMMC term is restricted IS.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1 and Level 2 – Restricted IS definition.
===========
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit