Question 56
During a CMMC assessment of an OSC, you discover that they rely heavily on a reputable CSP for their email services. As you delve deeper into the assessment, you suspect the OSC is incorrectly assuming that the CSP's security measures are sufficient to meet all the CMMC requirements related to email security. Given the critical nature of email communications and the potential exposure of sensitive information, you recognize the importance of clearly understanding the division of responsibilities between the OSC and the CSP for email security controls. To effectively assess how email security responsibilities are divided between the OSC and the CSP, which document should you prioritize reviewing?
Question 57
A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?
Question 58
CMMC MA.L2-3.7.6 - Maintenance Personnel requires that maintenance personnel without required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities. Which of the following elements should be excluded from the documented procedure?
Question 59
When assessing an OSC for CMMC compliance, you examine its risk assessment policy and procedures addressing organizational risk assessments. According to their policy, comprehensive risk assessments of all facilities and of all systems that process, store, or transmit CUI are performed annually. However, reviewing past risk assessment reports, you find that a risk assessment was conducted in January 2022 covering all CUI systems. The next risk assessment was not conducted until November 2023, over 21 months later. There are no records of any other risk assessments in the intervening period between January 2022 and November 2023.
Interviewing the OSC's personnel with risk assessment responsibilities, you learn they have slated the next risk assessment within the year. Based on the scenario, which of the following would you determine regarding OSC's adherence to CMMC practice RA.L2-3.11.1 - Risk Assessments?
Question 60
During a CMMC assessment, the CCAs, CCPs, and Lead Assessor validate the assessment scope provided by the OSC. They must review documents and records specific to the agreed-upon scope and boundaries of the assessment. There are several documents the Assessment Team may review or analyze; some are required, and others not. Which of the following documents is NOT required when scoping a CMMC Assessment for Level 2 maturity?
