Question 61
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?
Question 62
John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC's security practices leave much to be desired. After speaking with the OSC's IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John's actions?
Question 63
An OSC employs guards to protect the manufacturing shop where the magnetic radar-absorbing coating is manufactured. The Army uses this specific coating for a particular fleet of unmanned aerial vehicles (UAVs).
The facility is under constant surveillance with the help of HD CCTVs. Within the OSC's facilities is a Vector Network Analyzer (VNA) that measures the reflection and transmission properties of the coating over a range of frequencies. Guards protect the OSC's anechoic chamber, and anyone entering must use an iris scanner and sign a physical form detailing their name and reason for being there. At the door is a huge sign reading "Authorized Personnel Only." The OSC has implemented the following physical separation methods to secure its facilities, EXCEPT?
Question 64
After the OSC and the Assessment Team scheduled the initial meeting, they agreed that the initial discussions would be held in the OSC's facilities. Walking into the conference room, the Lead Assessor notices multiple laptops and printers tagged "U.S. Government Owned." How should the OSC have categorized these assets in their proposed assessment scope?
Question 65
An OSC previously received a Conditional CMMC Level 2 Certification during Phase 3 of the assessment process. The OSC has been working on implementing a POA&M to address the practice deficiencies identified during the initial assessment. Now, within 180 days from the Final Recommended Findings Briefing, you are to conduct a POA&M Closeout Assessment. As the Lead Assessor, you and your assessment team review the OSC's updated POA&M, accompanying evidence, and any scheduled observations, interviews, or tests with the aim of validating the implementation of the corrective actions. If the Organization Seeking Certification (OSC) disagrees with the C3PAO's findings during the POA&M Closeout Assessment, what is the recourse?
