  • CMMC-CCA Exam Question 146

    During a CMMC assessment for an OSC, the Point of Contact (POC) mentioned they conducted a self-assessment beforehand. The self-assessment was part of the organization's preparations for the CMMC assessment by your C3PAO. Which publication offers the best guidance for the self-assessment procedures OSCs might use for CMMC compliance?
  • CMMC-CCA Exam Question 147

    You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC.
    You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC's compliance with the CMMC practices. During the evidence collection phase, you need to examine the OSC's policies and procedures related to the CMMC practice AC.L2-3.1.5 - Least Privilege.
    Which of the following would be an appropriate source of evidence for this practice?
  • CMMC-CCA Exam Question 148

    During your review of an OSC's system security control, you focus on CMMC practice SC.L2-3.13.9 - Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company's internal network. The server operating system utilizes default settings for connection timeouts.
    Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Given that network security is managed through a central firewall, how could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 - Connections Termination, for the remote access application?
  • CMMC-CCA Exam Question 149

    You are the Lead Assessor for a CMMC Assessment engagement with an OSC for CMMC Level 2. The OSC has provided you with their proposed CMMC Assessment Scope, which includes a network schematic diagram, their SSP, relevant policies, and organizational charts. During your review of the documentation, you notice they have excluded a subsidiary company's network and assets from the proposed CMMC Assessment Scope despite the subsidiary being involved in handling CUI related to federal contracts. If the OSC shares proprietary information with the Lead Assessor during the assessment engagement, what is the C3PAO's responsibility regarding this information after the completion of the assessment?
  • CMMC-CCA Exam Question 150

    While assessing an OSC, you find that they have assigned identifiers to systems, users, and processes. Examining their documentation, you see that accounts are assigned uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifiers that are left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has a technically enforced and documented policy under which identifiers can only be reused after 12 months. How is the OSC likely to consider CMMC practice IA.L2-3.5.5 - Identifier Reuse if you find issues with its implementation?