When External Service Providers are used, the OSC can inherit practices from the ESP if sufficient evidence is provided (such as FedRAMP authorization or equivalent). The Lead Assessor must verify which controls are noted as inherited, as these are assessed differently from controls implemented directly by the OSC.
Exact Extracts:
* CMMC Assessment Guide: "An OSC may inherit practices from External Service Providers when those providers demonstrate equivalent compliance (e.g., FedRAMP Moderate for CUI)."
* "Assessors must review documentation that identifies which practices are inherited, partially implemented, or implemented internally."
* CMMC Scoping Guide: "Inherited controls must be clearly documented by the OSC in the SSP." Why the other options are not correct:
* B: Waivers are not part of CMMC assessments.
* C: "Not Applicable" does not apply to ESP involvement; they either provide inherited practices or not.
* D: "Partially implemented" indicates deficiencies, not proper inheritance.
References:
CMMC Assessment Guide - Level 2, Version 2.13: External Service Providers and inheritance (pp. 10-13).
CMMC Scoping Guide - Level 2: Inherited practices documentation requirements.

Comprehensive and Detailed in Depth Explanation:
The OSC PoC's role, per CAP, focuses on logistics and facilitation, not reviewing assessment results, which is the OSC Assessment Official's responsibility. Option A, C, and D are explicit PoC duties. Option B is incorrect as it exceeds the PoC's scope.
Extract from Official Document (CAP v1.0):
* Section 1.3 - Identify OSC PoC (pg. 12):"The OSC PoC facilitates logistics, site access, and coordination of SMEs, but reviewing assessment results is the responsibility of the OSC Assessment Official." References:
CMMC Assessment Process (CAP) v1.0, Section 1.3.

Comprehensive and Detailed In-Depth Explanation:
AC.L2-3.1.7 - Privileged Functions requires "preventing non-privileged users from executing privileged functions." The developer's access to kernel memory suggests inherited or misconfigured permissions.
Prohibiting inheritance (B) ensures Dev_Roles don't gain Admin_Roles privileges, enforcing least privilege.
Internet removal (A), dual authorization (C), and time restrictions (D) don't directly address role-based privilege creep, per the CMMC guide.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.7: "Prevent privilege inheritance in role-based controls."
* NIST SP 800-171A, 3.1.7: "Examine RBAC configs for privilege separation." Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.
0_FINAL_202112016_508.pdf

* Applicable Requirement: CA.L2-3.12.4 - "Develop, document, periodically review/update, and disseminate system security plans." Policies require executive approval and evidence of regular review.
* Why B is Correct: Multiple years of emails from executives approving policies provide a pattern of consistent executive involvement, demonstrating habitual compliance with review and approval requirements. This is stronger evidence than one-time or informal attestations.
* Why Other Options Are Insufficient:
* A: Handwritten notes are informal and lack authenticity controls.
* C: A notarized letter from a previous CEO is a one-time attestation, not evidence of recurring review.
* D: Employee interviews may demonstrate awareness but do not show executive approval.
References (CCA Official Sources):
* NIST SP 800-171 Rev. 2 - CA.L2-3.12.4
* NIST SP 800-171A - CA.L2-3.12.4 Assessment Objectives (evidence of policy review/approval)
* CMMC Assessment Guide - Level 2 - Policy and Approval Evidence Requirements

The Lead Assessor's readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor's role to advise or determine if the OSC could achieve a higher certification level - the OSC selects its target level.
Exact extracts:
* "Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability."
* "Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope." Why the other options are required:
* A: OSC risks must be identified and discussed as part of scoping.
* B: Logistics (scheduling, facilities, communications) must be confirmed.
* D: Evidence must be available and accessible to avoid delays.
References:
CMMC Assessment Process (CAP), Pre-Assessment Readiness Activities.
CCA Study Guide - Lead Assessor Responsibilities.