A contractor has retained you to assess compliance with CMMC practices as part of their triennial review.
During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 - Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 - System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?

An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC's cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:

A CCA is conducting a CMMC assessment and discovers that the OSC's evidence includes a policy that contradicts a practice's objectives (e.g., allowing unrestricted access when restricted access is required). The OSC claims it's a typo and the practice is followed correctly. How should the CCA proceed?

In your assessment of an OSC's information systems, you realize that the OSC has been having issues determining what is and isn't CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?

As a CCA, John feels he can make some extra cash by aggregating and rewriting CMMC materials into a book titledAcing Your CMMC Assessment: A Complete Guide. You ask him about potential issues, such as the failure to get permission from the Cyber Accreditation Body. John tells you that since he is a CCA, this is not a requirement, and in any case, the information is already publicly available. Has John broken any CoPC guiding principles or practices? If so, which one?