Question 91
An engineering company works on DoD contracts that involve handling CUI. It uses hardcopy media such as printed paper and microfilm, and digital media including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover that the company has defined procedures, governed by an access control policy, that address media storage and access. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to control access to digital media containing CUI, whereas the access control procedures for non-digital media require authorized personnel to sign three separate forms. While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with relying on a paper-based form process?
Question 92
During an assessment, the OSC IT security team provided documentation on how they use replay-resistant authentication to protect CUI. What can be used as a replay-resistant mechanism?
Question 93
You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has implemented a practice using a custom-built tool developed by their IT team. The tool appears to meet the practice's objectives, but no formal documentation or testing records exist. How should you evaluate this evidence?
Question 94
Ron is the Lead Assessor for an OSC's CMMC assessment. His team has scheduled interviews and demonstrations with the OSC's system administrator, Olivia. However, on the first day, the CEO informs Ron that Olivia is very ill and is unavailable. The CEO offers to be interviewed about Olivia's responsibilities instead, even though he does not actually perform those tasks. What should Ron do in this scenario?
Question 95
John has just passed the CCA examination and is looking to gain real-world knowledge. You are a CCA working for a leading C3PAO and a friend of John's. He hears that you are conducting a CMMC assessment and wants to learn how some documents are completed, so he asks if you could provide a CA-RR document you completed during your current engagement to help him understand how the various fields are filled out. Which of the following is the most appropriate course of action?
