Comprehensive and Detailed in Depth Explanation:
'Adequacy' in the CAP assesses whether evidence is relevant and directly demonstrates a CMMC practice's performance, not broader policy (Option A), quantity (Option B), or measure quality (Option D). Option C ensures evidence aligns with specific practice objectives.
Extract from Official Document (CAP v1.0):
* Section 2.1 - Evidence Collection (pg. 24):"Adequacy assesses whether the gathered evidence is relevant and demonstrates the performance of a CMMC practice." References:
CMMC Assessment Process (CAP) v1.0, Section 2.1.

Comprehensive and Detailed in Depth Explanation:
The CoPC requires internal correction of confidentiality breaches first (Option C). Options A and D skip this, and Option B violates the NDA.
Extract from Official Document (CoPC):
* Paragraph 3.2(3) - Confidentiality (pg. 6):"Do not copy materials from external entities without explicit permission." References:
CMMC Code of Professional Conduct, Paragraph 3.2(3).

CMMC requires physical access to systems containing or transmitting CUI to be limited to authorized individuals and for access records to be maintained. Badge readers with unique identification provide individual accountability, access control enforcement, and auditable access logs, which are stronger than labels, cameras, or keypads.
Exact Extracts:
* PE.L2-3.10.1: "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals."
* PE.L2-3.10.5: "Maintain audit logs of physical access."
* CMMC Assessment Guide: "Badge systems with access control lists and logs are considered a best method for meeting physical access requirements." Why the other options are not correct:
* A: Labels and lists do not prevent unauthorized access.
* C: Cameras monitor but do not restrict access; they are detective, not preventive.
* D: Keypads do not provide individual accountability (codes can be shared).
References:
CMMC Assessment Guide - Level 2, Version 2.13: PE.L2-3.10.1 and PE.L2-3.10.5 (pp. 153-159).
NIST SP 800-171A: Physical access protection objectives.

Comprehensive and Detailed in Depth Explanation:
PE.L2-3.10.2 [c] and [d] require monitoring physical facilities and infrastructure (e.g., cameras, sensors), per NIST SP 800-171 and CMMC Level 2. The CAP lists these among 15 objectives needing on-site validation.
Testing or examining mechanisms like access controls or monitoring systems (Option D) directly assesses implementation effectiveness, as required by NIST SP 800-171A's test/examine methods for physical controls. Option A (interviews) provides insight but not direct evidence. Option B (Incident Response Plan) is unrelated. Option C (SSP) documents intent, not execution. Option D is the correct answer per CAP and NIST guidance.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 3.5.2:"PE.L2-3.10.2 [c] and [d] require on-site testing or examination of physical monitoring mechanisms."
* NIST SP 800-171A, PE-3.10.2[c,d]:"Test or examine physical access monitoring mechanisms." Resources:https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process- CAP-v1.0.pdf;https://csrc.nist.gov/pubs/sp/800/171/a/final

Comprehensive and Detailed In-Depth Explanation:
MA.L2-3.7.1 requires "performing and documenting maintenance on systems." The lack of documentation from the third party fails this objective. Requiring logs (C) ensures evidence ofmaintenance activities, aligning with CMMC. Frequency (A), in-house work (B), and MSP use (D) don't address documentation needs. The guide mandates records for compliance.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), MA.L2-3.7.1: "Document maintenance activities."
* NIST SP 800-171A, 3.7.1: "Examine maintenance logs."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf