Question 86
During the planning and preparation discussions, a key member of the C3PAO Assessment Team falls ill and is unavailable for the originally scheduled assessment dates. The OSC is eager to proceed as planned and has expressed willingness to accommodate a smaller assessment team. If the decision is made to replan or reschedule the assessment, what is the C3PAO's required action, according to the CAP?
Question 87
During a CMMC assessment, the Lead Assessor, Emily, notices that one of the CCAs on her team, Alex, seems overly critical and skeptical of the evidence presented by the OSC. Although the OSC demonstrates compliance with the required CMMC practices, Alex repeatedly questions the validity of the evidence and suggests the OSC is not meeting the criteria. Concerned that Alex's behavior may be influenced by bias, Emily decides to address the issue directly. She recalls a previous incident in which Alex took a similar approach, and shortly afterward, the OSC experienced a data breach. What steps should Emily and, most importantly, the C3PAO have taken to prevent this eventuality?
Question 88
An OSC seeking Level 2 certification is working with an ESP. The organization is trying to determine if the ESP is considered within the assessment and is reviewing the Service Level Agreement (SLA) between the organization and the ESP. Which SLA component should be taken into consideration to determine if the ESP is within the assessment scope?
Question 89
In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?
Question 90
You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC.
You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. During the assessment, you find that the OSC has failed to meet the requirements for CMMC practice AU.L2-3.3.4 - Audit Failure Alerting. According to the CMMC Assessment Process (CAP), which of the following should be your next step?
