As the Lead Assessor for an OSC, John admires their advanced security solutions during the assessment. However, his admiration distracts him from the assessment’s focus. Instead, he engages in conversation about the OSC’s robust security, becoming swayed by their capabilities. Consequently, John becomes hesitant to identify deficiencies or noncompliances, displaying a positive bias toward the OSC. What is the impact of this positive bias on the CMMC assessment of the OSC?
An OSC uses a web application for document management. Employees can access this application from any internet-connected device through a web browser. The application resides on servers in a secure data center managed by a third-party vendor. The OSC maintains separate servers within its network to store the documents. When employees use the web application to upload documents, what type of locations are they interacting with?
The use of removable storage media remains a source of data breaches. The CMMC requires control of the use of removable media on system components. As a CCA, you can use different assessment methods to determine whether an OSC has met this requirement. What is the best assessment method to ascertain that MP.L2-3.8.7[a] has been met?
The DoD has awarded a defense contractor a contract to deliver next-gen jet engine parts. The order requires the contractor to submit the blueprints/CAD files within six months, and once they are validated, the contractor submits a production schedule. The contractor indicates that they should be able to deliver the components in three years. Which of the following is true about the dates and schedule of the engine components?
AC.L1-3.1.2 requires OSCs to “limit information system access to the types of transactions and functions that authorized users are permitted to execute.” Assessment Objective [a] of AC.L1-3.1.2 requires the Assessor to determine whether “the types of transactions and functions that authorized users are permitted to execute are defined.” What assessment method would you use to determine whether the OSC has met this assessment objective?
You are working as a CCA on a Level 2 Assessment for a DoD prime contractor. The Organization Seeking Certification (OSC) seeks to keep assessment costs down, and the C3PAO and OSC have decided to conduct all possible work remotely. You are assigned to work primarily on the Media Protection (MP), Personnel Security (PS), and Physical Protection (PE) domains. In addition, the Lead Assessor has designated you as the one person from the Assessment Team to conduct all the on-premises work. Which of the following factors do you and the Assessment Team not need to consider as part of your on-site work?
Prior to starting an assessment, an OSC must develop a data flow diagram. This diagram can then be used as a tool to help establish the context and boundaries of the CMMC assessment activities. What is critical to capture while developing the data flow diagram?
You are a CCA who is part of an Assessment Team conducting a CMMC assessment on an aerospace company. While analyzing their network architecture, you realize that it includes a Demilitarized Zone (DMZ) to host their public-facing web servers. What is the primary purpose of a DMZ in a network architecture?
You are the CCA working with a client to deliver certified consulting services, and the OSC has asked how to ensure their scope is accurate. You mention the use of a data flow diagram, which intrigues the OSC. What would be the first step in constructing the data flow diagram for the OSC?
During a CMMC Level 2 assessment, an OSC receives a Conditional Certification with several practices placed on a Plan of Action and Milestones (POA&M). After implementing corrective actions, the OSC requests the Assessment Team to conduct a POA&M Close-Out Assessment. Which of the following is the correct action for the Team’s Lead Assessor during the POA&M Close-Out Assessment?
