The OSC POC has supplied all of the procedures, policies, and plans at the start of the assessment. One of the assessors notes that some of the documents have very recent approval dates, while others have been in place for several years based on the document history. In order to ensure the review of this evidence is sufficient, what is the BEST step to validate the sufficiency of these documents?
Correct Answer: C
The Interview assessment method is used to validate whether procedures and policies are actually being implemented and followed by the personnel who use them. Even if the documents are dated correctly, assessors must confirm their operational use. Thus, interviewing OSC team members who use the procedures provides the strongest validation.
Extract: "Interviews with personnel are used to verify that documented policies, plans, and procedures are actually implemented in daily practice."
Reference: CMMC Assessment Process (CAP); Assessment Methods (Examine, Interview, Test, Observe).
Question 12
An OSC seeking Level 2 certification is migrating to a fully cloud-based environment. The organization wants to select a Cloud Service Provider (CSP) that can share responsibilities for CMMC Level 2 requirements. Assume both CSPs can equally provide the technical capabilities and business value required.
* CSP A has SOC 2 certification and is California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) compliant.
* CSP B has SOC 2 and FedRAMP Moderate certifications.
Based on this information, which CSP is MOST LIKELY to be acceptable?
Correct Answer: B
When an OSC leverages cloud providers in a CMMC Level 2 assessment, the provider should have FedRAMP Moderate or higher authorization to align with NIST SP 800-171 requirements. SOC 2, HIPAA, or CCPA compliance does not demonstrate federal-level assurance for protecting CUI. Thus, CSP B is the most appropriate choice.
Exact extracts:
* "Cloud service providers that process, store, or transmit CUI should be FedRAMP Moderate Authorized or equivalent."
* "Assessors must verify evidence of FedRAMP authorization or comparable assurance before determining that OSC reliance on the provider is acceptable."
Why the other options are incorrect:
* A: SOC 2, HIPAA, and CCPA compliance do not equate to CMMC-required federal assurance.
* C: Only FedRAMP-authorized providers meet the requirement, so both are not acceptable.
* D: CSP B does meet the criteria.
References: CMMC Level 2 Scoping Guide - External Service Providers; CMMC Assessment Guide - Treatment of Cloud Service Providers.
Question 13
During a readiness assessment for CoolPlanes Inc., Liz, a CCA, discovers a folder of technical drawings and illustrations of the aircraft that CoolPlanes produces. Liz has a younger brother, J.D., who loves airplanes. She thinks a large printed copy of one of the illustrations would make an excellent gift for J.D.'s birthday next month. She copies the drawing and sends it to be printed on a large canvas when she gets home. Which of the following principles of the CMMC Code of Professional Conduct did Liz most likely violate?
Correct Answer: D
Comprehensive and Detailed in Depth Explanation: Using OSC proprietary data for personal purposes breaches Confidentiality (Option D). Options A, B, and C are less directly applicable.
Extract from Official Document (CoPC):
* Paragraph 3.5 - Respect for Intellectual Property (pg. 8): "Do not use OSC confidential information for personal purposes."
References: CMMC Code of Professional Conduct, Paragraph 3.5.
Question 14
Dwayne is the Lead Assessor for a C3PAO Assessment Team conducting an assessment for an OSC. During the evaluation, he learns that the OSC recently won a lucrative contract with the Department of Defense, a significant milestone for the organization. Impressed by the OSC's accomplishment, Dwayne begins to view the organization more favorably and is inclined to interpret the evidence gathered during the assessment in a way that would enable the OSC to achieve the desired CMMC certification level. What is the primary reason Dwayne's assessment of the OSC may be influenced?
Correct Answer: D
Comprehensive and Detailed in Depth Explanation: Dwayne's favorable view of the OSC due to its recent DoD contract success exemplifies positive bias, a key concern in the CMMC Assessment Process (CAP). Bias influences how evidence is interpreted, potentially leading to overly favorable assessments that overlook noncompliances. The CAP requires assessors to evaluate practices objectively within the OSC's context, free from external factors like contract wins, to maintain assessment integrity. Option A (incomplete understanding) assumes a knowledge gap not indicated here. Option B (time constraints) and Option C (lack of experience) are unrelated to Dwayne's described behavior. Option D (bias) directly addresses the influence of his positive perception, making it the correct answer per CAP guidelines.
Reference Extract:
* CMMC Assessment Process (CAP) v1.0, Section 2.3: "Personal biases, whether positive or negative, can shape evidence interpretation, leading to potential inaccuracies."
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
Question 15
You are part of the Assessment Team evaluating an OSC's implementation of AC.L2-3.1.13 - Remote Access Confidentiality. This requirement mandates the organization to employ cryptographic mechanisms to protect the confidentiality of remote access sessions. During your assessment, you want to determine whether these cryptographic mechanisms have been properly identified as required by assessment objective [a]. What specification can you use to make this determination?
Correct Answer: D
Comprehensive and Detailed in Depth Explanation: AC.L2-3.1.13[a] requires the OSC to identify the cryptographic mechanisms that protect the confidentiality of remote access sessions, per NIST SP 800-171A and CMMC Level 2 guidelines. The organization's Access Control Policy and Procedures outline the standards and requirements for cryptography (e.g., FIPS-validated modules), while system design documentation details the specific mechanisms implemented (e.g., TLS, VPN configurations). These documents directly address the identification of cryptographic controls, making them the primary specifications for this objective. Options A and B (interviews) provide supplementary insights but lack the authoritative detail of written policies and designs. Option C (remote access authorizations) focuses on permissions, not cryptographic mechanisms. Option D is the correct answer, as it aligns with NIST SP 800-171A's emphasis on examining specifications for objective [a].
Reference Extract:
* NIST SP 800-171A, AC-3.1.13[a]: "Examine access control policy; procedures addressing remote access... system design documentation to determine if cryptographic mechanisms are identified."
* CMMC AG Level 2, AC.L2-3.1.13: "Verify cryptographic mechanisms via policy and design specs."
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final; https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf