An OSC has produced two assessment scopes. When the Lead Assessor questioned the OSC PoC why, they detailed that they process, store, or transmit FCI within one assessment scope and CUI in another. Which scope will the OSC obtain a CMMC Level 2 certification for?
Correct Answer: B
Comprehensive and Detailed Explanation: The CMMC framework allows separate scopes for FCI (Level 1) and CUI (Level 2). Level 2 certification applies only to environments handling CUI, as it requires all 110 practices, whereas Level 1 (17 practices) suffices for FCI alone. The OSC's CUI scope qualifies for Level 2, while the FCI scope aligns with Level 1 (or a self-assessment). Option C is incorrect, as Level 2 doesn't apply to FCI-only scopes. Option D lacks evidence of Level 1 non-compliance. B is correct per the scoping guide. Reference: CMMC Assessment Scope - Level 2, Section 1.1 (Level Applicability), p. 2: "Level 2 certification applies to CUI-handling environments."
CMMC-CCA Exam Question 92
You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. What would you recommend the contractor do to avert the risk?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: AC.L2-3.1.4 - Separation of Duties aims to "reduce unauthorized activity risk by separating duties." A single engineer handling all tasks concentrates privileges, increasing error or malice risks. Assigning separate roles and adding peer reviews (B) mitigates this, aligning with CMMC intent. Overtime (A), hardware (C), and salary (D) don't address duty separation or risk reduction.
Extract from Official CMMC Documentation:
* CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.4: "Separate duties to reduce risk; implement peer reviews."
* NIST SP 800-171A, 3.1.4: "Recommend role distribution."
Resources:
* https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
CMMC-CCA Exam Question 93
When validating an OSC's proposed CMMC assessment scope, the Assessment Team finds that the OSC has properly categorized its assets. The OSC has contracted an External Service Provider (ESP) for various cybersecurity functions. The ESP has deployed FortiSIEM and Splunk for real-time security monitoring, threat intelligence, application monitoring, log management, and reporting. They also deployed Microsoft Intune and configured app protection policies blocking proscribed apps and those suspected of data exfiltration. How should you handle the ESP during the CMMC assessment?
Correct Answer: A
Comprehensive and Detailed Explanation: External Service Providers (ESPs) that provide security functions, such as the ESP deploying FortiSIEM, Splunk, and Microsoft Intune, are classified as Security Protection Assets (SPAs) under the CMMC framework. The CMMC Assessment Scope - Level 2 mandates that SPAs be assessed against the relevant CMMC practices (up to 110 for Level 2) to ensure they adequately protect the CUI environment. These tools monitor and secure the OSC's network, directly impacting CUI security, and thus must be fully evaluated, not just reviewed in the SSP. Option B limits the assessment to one practice, which is insufficient. Option C is incomplete, as reviewing the SSP is only part of the process. Option D is incorrect, as SPAs are explicitly in scope. Option A aligns with the scoping guidance. Reference: CMMC Assessment Scope - Level 2, Section 2.3.3 (Security Protection Assets), p. 6: "ESPs providing security functions are SPAs and must be assessed against applicable CMMC practices."
CMMC-CCA Exam Question 94
Angela, a CCA, is conducting a CMMC assessment for Obsidian Technologies, the OSC. During the assessment, Angela learns that her spouse owns a significant amount of stock in Obsidian Technologies, and she has not disclosed this information to Obsidian Technologies or the C3PAO. Which CMMC CoPC guiding principle has Angela violated in this scenario?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: Angela's undisclosed financial tie via her spouse's stock ownership creates a COI, violating the CoPC's Objectivity principle. Option B (Impartiality) is related but not a distinct CoPC principle. Option C (Methods) and D (Confidentiality) are unrelated. Option A is correct.
Extract from Official Document (CoPC):
* Paragraph 2.2 - Objectivity (pg. 5): "Disclose any financial or familial conflicts of interest to maintain objectivity."
References: CMMC Code of Professional Conduct, Paragraph 2.2.
CMMC-CCA Exam Question 95
You are the Lead Assessor for a CMMC assessment. During the Final Findings Briefing, the OSC Assessment Official disputes a "NOT MET" finding, claiming the evidence was misinterpreted. What is the OSC's recourse according to the CMMC Assessment Process?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: The CAP provides an Appeals Process for disputes (Option B). Options A, C, and D do not follow CAP procedures.
Extract from Official Document (CAP v1.0):
* Section 3.3 - Assessment Appeals Process (pg. 34): "If the OSC disagrees with findings, they may submit an appeal using the Assessment Appeals Process."
References: CMMC Assessment Process (CAP) v1.0, Section 3.3.