CMMC-CCA Exam Question 56

An OSC is looking to bid for a contract to manufacture turboprop engines for an unmanned aerial vehicle (UAV) fleet used by the Army for long-range reconnaissance. To manage production, the OSC will use Industrial Control Systems (ICS) and has documented them in its Operational Technology (OT) inventory.
While validating the OSC's proposed assessment scope, the Assessment Team reviews their SSP. How should the C3PAO Assessment Team handle the OSC's OT during the assessment?
  • CMMC-CCA Exam Question 57

    The OSC uses an on-premises ERP system that processes and stores CUI data. A Third-Party Maintenance (TPM) provider has remote access to the ERP system for troubleshooting and maintenance purposes. The OSC allows the TPM to access the system through a secure remote access tool with Multi-Factor Authentication (MFA). As a Lead Assessor, what challenges might you encounter when assessing the OSC's compliance with CMMC's practice AC.L2-3.1.12 - Control Remote Access?
  • CMMC-CCA Exam Question 58

    You are a CCA working for a C3PAO that has entered into a contractual agreement to provide CMMC assessment services for an OSC. After validating the evidence, the C3PAO feels that the task is beyond its capabilities and informs the OSC that it cannot continue with the assessment. The C3PAO cites "insufficient workforce" as the reason. What principle of the CMMC CoPC has the C3PAO broken?
  • CMMC-CCA Exam Question 59

    An OSC plans to undergo a CMMC Level 2 assessment with your C3PAO firm. As the Lead Assessor, you are collaborating with the OSC to develop the evidence collection approach for Phase 1. The OSC proposes conducting most interviews virtually due to geographically dispersed employees. You are responsible for defining the evidence collection methods for artifacts, interviews, tests or demonstrations, and information requests. Additionally, you must determine how virtual data collection will be managed, including security protocols for CUI and FCI. Which of the following is the most appropriate approach for artifact collection in this scenario?
  • CMMC-CCA Exam Question 60

    An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. Basing your answer on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1 - Media Protection?