In aCMMC Level 2 assessment, theOrganization Seeking Certification (OSC)is responsible for identifying theassessment scopebased on theCMMC Scoping Guidanceprovided by theCyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handleControlled Unclassified Information (CUI)and categorize them accordingly.
[Reference:, CMMC Scoping Guidance for Level 2, which outlines asset categorization and scoping considerations., Step 2: Role of the C3PAO in Scope ValidationOnce the OSC has determined itsCMMC assessment scope, aCMMC Third-Party Assessment Organization (C3PAO)is responsible forvalidatingthe scope during theassessment planning phase., TheC3PAO reviewsthe OSC’s scope to ensure it aligns withDoD’s scoping guidance, ensuring that all relevant assets, networks, and policies required forCMMC Level 2 certificationare correctly identified., If there are discrepancies, the C3PAO works with the OSC to adjust the scope before proceeding with the assessment., Reference:, CMMC Assessment Process (CAP) Guide, which describes thescope validation responsibilities of a C3PAO., Step 3: Why Other Answer Choices Are IncorrectChoice A (Incorrect):A CCP (Certified CMMC Professional) doesnothave the authority to validate the scope. Their role is to guide and consult, but final validation is the C3PAO's responsibility., Choice C (Incorrect):TheCMMC Lead Assessor(part of the C3PAO team) does notdeterminethe scope; instead, the OSC does., Choice D (Incorrect):TheC3PAO validates the scopebut doesnot determine it—this is the OSC’s responsibility., Final Confirmation of Correct Answer:OSC determines the CMMC Assessment Scope., C3PAO validates the CMMC Assessment Scope., Thus, the correct answer isB. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."]
Submit