Assets that store, process, or transmit FCI or CUI are always in scope for CMMC. If a server with a cloud provider is used for long-term storage of FCI, that server is considered in scope because it directly holds covered data.
Supporting Extracts from Official Content:
CMMC Scoping Guide for Level 1: “Assets that store, process, or transmit FCI are in scope.”
CMMC Scoping Guide for Level 2: confirms the same rule applies for CUI.
Why Option A is Correct:
The server stores FCI, making it automatically in scope.
Option B is incorrect because long-term storage does not make an asset out of scope.
Option C is incorrect — Level 1 (FCI) does not require a Level 2 certified provider.
Option D is incorrect because encryption does not remove scope requirements.
References (Official CMMC v2.0 Content):
CMMC Scoping Guide, Level 1.
CMMC Model v2.0, Scoping and Implementation guidance.
===========
Submit