Q: 5
An OSC is planning to have a C3PAO perform a CMMC Level 2 assessment. When validating the OSC’s
proposed assessment scope, you realize they use an ESP for various cybersecurity services. What
action must you, as a CCA, take regarding the ESP?
Options
Discussion
A. CMMC Level 2 requires you to confirm any ESP in scope is actually certified at Level 2 or higher; a self-assessment isn't enough. That's straight out of the CAP guide if I remember right. Open to other thoughts if I'm missing something.
Nah, not D. You can't accept a self-assessment for CMMC Level 2; you need to confirm the ESP is actually certified (A). B is tempting if you don't know the CAP details.
C or D. If the ESP isn't already certified, wouldn't it make more sense to either tell OSC to switch providers or ask the ESP for their own self-assessment? Not totally sure A is required in every scenario, could be a trap.
I don’t think D works here. For CMMC Level 2, a self-assessment from the ESP isn’t accepted; they have to show actual certification. B looks tempting if you miss that detail, but only A meets the CAP requirement. Pretty sure about this, but open to correction if someone sees it differently.
A. D is a trap since self-assessments aren't accepted for Level 2 certification checks.
I’d ask, what if the ESP doesn’t actually have Level 2 or 3 certification? Does that halt the whole assessment, or can the OSC fix scope? Not seeing it spelled out in CAP, just want to be sure before moving forward.
Probably A. If an ESP is involved, as a CCA I need to verify they meet the same CMMC Level as the OSC, so confirming their Level 2 or 3 cert is required before moving forward. Pretty sure that's straight from the CAP.