During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team. If the OSC Assessment Official asks the C3PAO for advice on how to proceed, the Lead Assessor, on behalf of the C3PAO, should do which of the following?
David, a Certified CMMC Assessor (CCA), is conducting a CMMC assessment for a defense contractor. During the assessment, he observes the organization’s CEO making several statements to the Assessment Team about the company’s security practices that turn out to be false. How should David respond to the CEO’s behavior according to the CMMC CoPC?
You are a Lead Assessor working with your C3PAO to conduct a CMMC Assessment for an OSC. During the preparation and planning phase, you meet with the OSC’s Assessment Official to identify the resources and schedule for the upcoming assessment. Together, you review the OSC’s pre-assessment information to estimate the level of effort required. You then collaborate to determine the specific resources needed, including the Assessment Team members, facilities, and any support personnel from the OSC. You also discuss scheduling factors like duration, key activities, and potential constraints. Based on these discussions, you develop a Rough Order of Magnitude (ROM) cost estimate and a proposed daily schedule for the assessment activities. What is your primary responsibility in identifying resources and schedule during Phase 1?
The Certification Assessment Readiness Review (CA-RR) aims to determine whether the OSC and the Assessment Team are ready to conduct the assessment as planned and within the allocated time. It addresses all of the following aspects of readiness to conduct the assessment except which one?
When conducting a CMMC assessment, the CCA must follow the steps outlined in the CMMC Assessment Process (CAP). This document is organized into several phases, each requiring the CCA to complete specific documents. The CAP also provides templates, some of which the Assessor must use and complete during specific phases. A CCA must complete all of the following documents in Phase 1 of the CAP EXCEPT which one?
You are the Lead Assessor for a CMMC assessment of an OSC that has previously obtained ISO 27001 certification for its information security management system. During the initial discussions, the OSC requests that you consider their ISO 27001 certification and grant them credit toward their CMMC certification. They believe there is a significant overlap between CMMC and ISO 27001. What should your response to the OSC be?
An OSC previously received a Conditional CMMC Level 2 Certification during Phase 3 of the assessment process. The OSC has been working on implementing a POA&M to address the practice deficiencies identified during the initial assessment. Now, within 180 days from the Final Recommended Findings Briefing, you are to conduct a POA&M Closeout Assessment. As the Lead Assessor, you and your assessment team review the OSC’s updated POA&M, accompanying evidence, and any scheduled observations, interviews, or tests with the aim of validating the implementation of the corrective actions. If the Organization Seeking Certification (OSC) disagrees with the C3PAO’s findings during the POA&M Closeout Assessment, what is the recourse?
You are a CCA on an Assessment Team conducting a CMMC Level 2 assessment. The OSC provides evidence for a practice that includes a log file, but the file is corrupted and cannot be opened. The OSC claims the log proves compliance but cannot provide a readable copy during the assessment. What should you do?
During a CMMC assessment, the OSC provides a service-level agreement (SLA) with an external provider as evidence for an inherited practice. The SLA outlines general security commitments but lacks specific details on how the practice’s objectives are met. How should the Lead Assessor proceed?
You are the Lead Assessor for a C3PAO Assessment Team that has recently completed a CMMC Level 2 assessment for an OSC. You and your Assessment Team have finalized the assessment process and are now in Phase 3 – Report Recommended Assessment Results. You are preparing to deliver the final recommended findings to the OSC Assessment Official and OSC participants during the Final Findings Briefing. After you present the final recommended findings and practice scores, what is the next step in the CMMC Assessment Process?