During the scoping phase of a CMMC Level 2 assessment, the Assessment Team must validate the CMMC Assessment Scope (CAS) defined by the Organization Seeking Certification (OSC). According to the CMMC Assessment Process (CAP), the OSC is required to provide a System Security Plan (SSP) and network topology diagrams. These documents are fundamental for defining the assessment boundary and understanding the CUI environment. A preliminary list of evidence may also be reviewed to gauge the OSC's readiness. However, "System Design documentation" is a broad category. While it includes required items like network diagrams, the entire set of design documents is not a standard requirement for the initial scoping activity. Detailed design documents are more typically reviewed as objective evidence for specific practices during the assessment itself.

A. Network diagrams: Incorrect. Network diagrams are explicitly required to visualize the assessment boundary, asset locations, and CUI data flows, which is a core activity of scoping.

B. System Security Plan (SSP): Incorrect. The SSP is a foundational document required by NIST SP 800-171 (3.12.4) and the CMMC CAP. It formally describes the system environment and the assessment scope.

C. Preliminary List of Evidence: Incorrect. While not a primary scoping document, this may be requested as part of the initial planning and readiness review to ensure the OSC is prepared for the assessment.

1. U.S. Department of Defense, CMMC Assessment Process (CAP) for CMMC Level 2, Version 2.1, December 21, 2022.

Section 2.3.1, Phase 1 – Plan and Prepare the Assessment: This section lists the key inputs from the OSC for the initial phase, which includes the "Assessment Scope," "System Security Plan (SSP)," and "Network topology diagram of the assessment scope." It does not list "System Design documentation" as a required input for this phase.

2. U.S. Department of Defense, CMMC Scoping Guidance Level 2, Version 2.0, November 2021.

Section 2.2, Step 2: Categorize Assets: States, "The OSC should use network and data flow diagrams to help identify where CUI is processed, stored, or transmitted and to identify assets that are part of CUI security protection." (Supports the requirement for Network Diagrams).

Section 2.3, Step 3: Determine the CMMC Assessment Scope: Notes that "The CMMC Assessment Scope is documented in the SSP..." (Supports the requirement for the SSP).

3. NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, February 2020.

Section 3.12.4 (System Security Plan): Explicitly requires organizations to "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems." This makes the SSP a mandatory document.

The CMMC Assessment Process (CAP) explicitly requires the C3PAO and the Organization Seeking Certification (OSC) to agree on the assessment scope before the assessment formally begins. As the Lead Assessor, your responsibility is to ensure the scope is accurate and mutually understood. The most professional and procedurally correct first step is to engage in a dialogue with the OSC Assessment Official to resolve the discrepancy. This action upholds the principles of professional conduct by seeking clarification and agreement, which is a foundational requirement for a valid and reliable assessment, before considering any form of escalation or concession.

B. Demand the OSC nominates another Assessment Official. This is an unprofessional and overly aggressive response to a procedural disagreement and is not a constructive conflict-resolution step.

C. Give in to the OSC Assessment Official’s demands. This would compromise the Lead Assessor's objectivity and the integrity of the assessment, as it would be based on an inaccurate scope.

D. Report the OSC Assessment Official to the CMMC Accreditation Body. This is a premature escalation. The Cyber AB should only be contacted after direct attempts to resolve the issue between the C3PAO and OSC have failed.

---

1. Cyber AB, "CMMC Assessment Process (CAP) for CMMC Level 2," Version 2.1, December 21, 2023.

Section 2.1, Phase 1: Plan and Prepare the Assessment, Page 10: This section states, "The C3PAO and the OSC must agree on the CMMC Assessment Scope prior to the assessment." This directly supports the requirement to resolve scope disagreements before the assessment starts (Answer A).

2. Cyber AB, "Cyber AB Code of Professional Conduct (CoPC)," Version 2.0, October 21, 2022.

Canon 2: Act honorably, honestly, justly, responsibly, and legally, Page 3: This canon requires assessors to act responsibly. Attempting to resolve a disagreement directly (Answer A) is the most responsible first action. Giving in (Answer C) would be dishonest, while demanding a replacement (Answer B) or escalating prematurely (Answer D) would be unjust and irresponsible.

Canon 4: Advance and protect the profession, Page 3: This canon implies maintaining professional decorum and following established processes, which includes collaborative scope finalization rather than immediate confrontation or capitulation.

The External Service Provider (ESP) is delivering critical security functions (SIEM, log management, MDM) that are integral to the OSC's ability to meet CMMC practice requirements for protecting Controlled Unclassified Information (CUI). According to official CMMC scoping guidance, when an ESP provides security protection for CUI assets, the ESP's offering is considered in-scope for the OSC’s CMMC assessment. The Assessment Team is therefore required to assess the ESP's services against all applicable CMMC practices to verify their implementation and effectiveness. The OSC remains accountable for ensuring the ESP's services meet these CMMC requirements.

B. Assess them against CA.L2-3.12.4 - System Security Plan only.

This is incorrect because assessing only the documentation in the SSP is insufficient; the actual implementation and effectiveness of the security controls provided by the ESP must be validated.

C. Review the SSP per practice CA.L2-3.12.4 - System Security Plan.

This is incorrect as it implies only a documentation review. The assessment must go beyond the SSP to test and verify that the ESP's services effectively meet the required CMMC practices.

D. They are out of scope; there is no need to assess them against CMMC practices.

This is incorrect because the ESP provides security protection for CUI assets, which explicitly places their services within the CMMC assessment boundary according to official scoping guidance.

---

1. Department of Defense (DoD). (2021, December 3). CMMC Scoping Guide Level 2. Version 2.0.

Section 2.4, External Service Providers (ESPs), Page 7: "If an ESP is used to process, store, or transmit CUI, or provides security protection for CUI assets, the ESP offering is in-scope for the OSC’s CMMC assessment." The scenario describes the ESP providing security protection (SIEM, Intune), making it in-scope.

Section 2.4, Page 7: "If the ESP does not have a CMMC assessment or a FedRAMP authorization with a scope that is appropriate for the OSC’s assessment, the C3PAO will assess the ESP’s offering as part of the OSC’s assessment against the applicable CMMC practices." This directly supports assessing the ESP against the practices.

2. Department of Defense (DoD). (2023, July). CMMC Assessment Process (CAP) for CMMC Level 2. Version 2.0.

Section 3.3.3, Scoping, Page 14: "The Assessment Team Lead validates the OSC’s proposed CMMC Assessment Scope... The CMMC Assessment Scope must include all assets that process, store, or transmit CUI as well as assets that provide security protection for CUI assets." This reinforces that the ESP's security services are part of the scope to be assessed.

The main task of the Lead Assessor in validating the CMMC Assessment Scope is to independently verify that the boundary proposed by the Organization Seeking Certification (OSC) is correct and complete. This involves confirming that all assets—including people, processes, technology, and facilities—that process, store, or transmit Controlled Unclassified Information (CUI) are contained within the defined assessment boundary. This verification ensures the assessment will be comprehensive and accurately reflect the OSC's security posture regarding CUI, as required by the CMMC Scoping Guidance. The validation is a critical prerequisite for developing the final Assessment Plan.

A. Documenting discrepancies is an outcome or a sub-task of the validation process, not the primary validation task itself.

C. Determining if additional systems are needed is a part of the verification process, but the main task is the overall boundary verification.

D. The OSC proposes and approves its scope; the Lead Assessor's role is to perform an independent technical validation, not confirm the OSC's internal approval.

---

1. CMMC Assessment Process (CAP) for CMMC Level 2, Version 1.0 (December 2, 2022).

Section 2.2.2, Readiness Review, Page 10: States, "The Lead Assessor also reviews the OSC’s proposed CMMC Assessment Scope to determine if it is correct." This correctness check involves verifying the boundary contains all relevant assets.

2. CMMC Level 2 Scoping Guidance, Version 2.0 (December 2021).

Section 2, Scoping, Page 4: Specifies that "The CMMC Assessment Scope is determined by the OSC and validated by the C3PAO." The guidance details that the scope must include assets that process, store, or transmit CUI, which is what the assessor must validate.

3. CMMC Model 2.0, CMMC Assessment Guide – Level 2 (December 2021).

Introduction, Page 1: Discusses the assessment scope, stating, "The scope of the CMMC assessment is based on the location of CUI within the contractor’s environment." The assessor's validation task is to confirm this scope is accurately defined.

As a Certified CMMC Assessor (CCA), your duty is to validate the assessment scope against official CMMC requirements. The CMMC Assessment Process (CAP) explicitly states that if an External Service Provider (ESP) manages any part of the OSC’s CUI environment, the ESP must possess a CMMC certification at the same or higher level as the OSC. Therefore, the CCA's mandatory first action is to verify that the ESP holds a valid CMMC Level 2 or higher certification. This ensures that the protection of CUI is maintained consistently across all in-scope environments and that the assessment can proceed on a valid basis.

B. The CCA must actively validate the scope against CMMC requirements, not just passively accept the OSC's proposal. This includes verifying the ESP's compliance.

C. This is premature consultative advice. The CCA's primary duty is to first verify the current ESP's certification status, not recommend a business change.

D. A self-assessment is insufficient for a Level 2 assessment. The ESP must have a formal CMMC certification from a C3PAO, not just a self-attestation.

---

1. Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) for CMMC Level 2, Version 5.1.1, July 2023.

Section 3.4.3, External Service Providers (ESPs), Page 16: "If the OSC uses an External Service Provider (ESP) (e.g., Managed Service Provider (MSP) or Managed Security Service Provider (MSSP)) to manage its CUI environment, the ESP must have a CMMC certification at the same or higher level as the OSC."

2. CMMC Scoping Guide: Level 2, Version 2.1, December 2023.

Section 2.4.3, External Service Provider (ESP) Systems, Page 10: This section details how ESP systems that process, store, or transmit CUI are considered in-scope for the CMMC assessment, reinforcing the need for them to meet CMMC requirements. It clarifies that the responsibility for protection remains with the OSC, necessitating verification of the ESP's compliance.

The core requirement of practice AC.L2-3.1.14 is to ensure that all remote connections are channeled through specific, managed, and controlled entry points before accessing the internal network where CUI resides. This prevents unauthorized or unmanaged pathways into the secure environment. The assessment objective for this practice, as defined by the CMMC Level 2 Assessment Guide, is to determine if the organization has (a) identified, (b) implemented, and (c) routed remote access through these managed access control points. Option B is the only choice that comprehensively covers all three of these essential determination criteria for the practice.

A. The contractor manages access control points: This is only one part of the requirement. The practice also requires that these points are identified and that all remote traffic is actively routed through them.

C. All remote access is monitored: While monitoring is a good security practice often implemented at access control points, it is a separate requirement covered by the Audit and Accountability (AU) domain, not AC.L2-3.1.14.

D. All users are authenticated before being granted remote access: Authentication is a fundamental security principle but is addressed by other practices, such as those in the Identification and Authentication (IA) domain (e.g., IA.L1-3.5.2).

1. Cybersecurity Maturity Model Certification (CMMC) CMMC Level 2 Assessment Guide, Version 2.0 (December 2021).

Reference: Page 31, Practice AC.L2-3.1.14, Assessment Objectives.

Content: The guide explicitly lists the assessment objectives as: "[a] managed access control points are identified; [b] managed access control points are implemented; and [c] remote access is routed through the managed network access control points." This directly corresponds to the correct answer.

2. NIST Special Publication (SP) 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Reference: Page 17, Section 3.1, Control 3.1.14.

Content: The control states, "Route remote access through managed access control points." The discussion clarifies that these points (e.g., firewalls, VPN gateways) are used to direct traffic flow and protect internal networks, reinforcing the focus on routing and management.

3. NIST Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information.

Reference: Page 2-21, Control 3.1.14, Assessment Objectives.

Content: This document, which provides the methodology for assessing NIST SP 800-171 controls, lists the objectives for this control as determining if "managed access control points are identified" and "remote access is routed through the managed access control points," which aligns with the CMMC guide and the correct answer.

The CMMC assessment scope is not limited to an OSC’s on-premises assets; it extends to any system that processes, stores, or transmits Controlled Unclassified Information (CUI), including those managed by an External Service Provider (ESP) like an MSP. The OSC remains responsible for ensuring that CUI is protected in accordance with CMMC requirements. The primary challenge for the assessor in this scenario is the limited visibility into the MSP's environment, which directly impedes the ability to gather sufficient objective evidence that controls for external connections (e.g., AC.L1-3.1.20) are effectively implemented. A Service Level Agreement (SLA) is contractual and may not provide the granular detail or verifiable proof of implementation required for an assessment.

A. Using a web browser is a common method for external connection; it does not negate the need for security evaluation but rather necessitates it, focusing on aspects like encryption and authentication.

C. The CMMC assessment boundary is dictated by the flow and location of CUI, not physical network perimeters. External cloud services handling CUI are explicitly in scope.

D. Employee training is a separate CMMC practice area. The core challenge presented in the scenario is the technical verification of controls within an external, third-party environment.

1. Cybersecurity Maturity Model Certification (CMMC) Scoping Guide, Level 2, Version 2.0 (December 21, 2021): Section 2.4, "External Service Providers (ESPs)," states, "The OSC is responsible for the protection of CUI that is processed, stored, or transmitted by an ESP... The OSC must be able to provide evidence to the C3PAO that the ESP meets the CMMC requirements..." This highlights the OSC's responsibility and the need for assessors to get evidence from the ESP environment.

2. NIST Special Publication 800-171, Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (February 2020): Requirement 3.1.20, "Control connections to and use of external information systems," directly applies. The discussion notes emphasize managing the risks from such connections, which is precisely what the assessor must verify. Limited visibility hinders this verification.

3. CMMC Assessment Process (CAP) for CMMC Level 2, Version 2.1 (March 20, 2023): Section 3.4, "Evidence," details that assessors must collect "sufficient" and "appropriate" evidence. It specifies that evidence must be "factual (i.e., objective)." An SLA alone is typically insufficient objective evidence of a control's implementation and effectiveness.

The requirement for displaying privacy and security notices is defined by CMMC Level 2 practice AC.L2-3.1.9, which is derived from NIST SP 800-171. The discussion for the corresponding NIST control (3.1.9) clarifies that notices must be placed on "system entry points" and "on any system component that provides user access."

A "system entry point" refers to the initial system logon. A "system component that provides user access" includes specific applications, databases, or file shares that contain CUI. Therefore, displaying the notice at both initial logon and upon accessing specific CUI-related resources is the most comprehensive and correct implementation, ensuring users are consistently aware of their responsibilities at relevant access points.

A. This is insufficient because it omits the requirement to display notices on other system components that provide user access beyond the initial logon.

C. This is overly restrictive; the notice requirement applies to all systems processing any category of CUI, not just export-controlled technical data.

D. While a persistent banner is a valid implementation method, the core requirement is about displaying notices at points of access, not necessarily continuously.

1. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 3.1.9, Access Control, Discussion. The text states, "Notices are placed on system entry points and on any system component that provides user access."

2. U.S. Department of Defense (DoD). (2021). Cybersecurity Maturity Model Certification (CMMC) Model Version 2.0. Practice AC.L2-3.1.9, "Provide privacy and security notices consistent with applicable CUI rules."

3. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. Control AC-8, System Use Notification. This foundational control specifies displaying a notice "before granting access to the system."

The CMMC assessment scope is not limited to the organizational unit directly handling Controlled Unclassified Information (CUI). It must also include any assets or services that provide security protection for the CUI environment. In this scenario, the Manufacturing Division processes, stores, or transmits CUI, making it the primary focus. However, because the centralized IT department performs administrative tasks for this division, its systems and personnel are considered "Security Protection Assets" (SPAs). According to official CMMC scoping guidance, both CUI assets and SPAs are within the assessment boundary. Therefore, both the Manufacturing Division and the supporting centralized IT department must be assessed.

A. The Manufacturing Division: This is incorrect because it omits the centralized IT department, whose administrative functions are essential for securing the CUI environment and are therefore considered in-scope as Security Protection Assets.

B. The centralized IT department: This is incorrect because the IT department only provides supporting functions. The primary CUI assets, which are the main subject of the assessment, reside within the Manufacturing Division.

D. The entire aerospace company: This is incorrect because CMMC allows for the assessment scope to be tailored to a specific enclave or segment. Assessing the entire company is unnecessary if other divisions do not handle CUI for the contract.

1. U.S. Department of Defense (DoD), Office of the Under Secretary of Defense for Acquisition & Sustainment. (December 2021). CMMC Scoping Guide: CMMC Level 2. Version 2.0.

Page 4, Section 2.2, "Asset Categories": This section explicitly states, "The CMMC Assessment Scope includes CUI assets and Security Protection Assets."

Page 5, "Security Protection Assets (SPAs)": This page defines SPAs as "Assets that provide security functions or services to the CMMC Assessment Scope... Examples of SPAs can include... systems that provide security services (e.g., authentication, authorization, malware protection, security event monitoring/logging)." The centralized IT department's administrative tasks fall under this definition.

2. U.S. Department of Defense (DoD), Office of the Under Secretary of Defense for Acquisition & Sustainment. (November 2021). CMMC Model Overview. Version 2.0.

Page 5, "Scoping": This document notes that scoping is a critical activity and directs organizations to the official scoping guides to determine the "people, technology, and facilities" that are part of the assessment, reinforcing that the boundary extends beyond just the direct CUI environment.

The Freedom of Information Act (FOIA) applies exclusively to federal government agencies, not to private entities like a Certified Third-Party Assessment Organization (C3PAO). The CMMC assessment results are the confidential and proprietary information of the Organization Seeking Certification (OSC). The C3PAO and its assessors are bound by non-disclosure agreements (NDAs) with the OSC and the Cyber AB Code of Professional Conduct, which mandates the protection of client information. Releasing any assessment information would be a breach of these legal and ethical obligations. Therefore, the C3PAO has no legal standing to fulfill the FOIA request and must deny it to protect the OSC's sensitive data.

A. Releasing a redacted version is incorrect because the C3PAO is not subject to FOIA and has a primary duty to maintain the OSC's confidentiality.

B. The Cyber AB is also a private, non-profit organization, not a federal agency, and therefore is not the correct authority to adjudicate a FOIA request.

C. Releasing the full results would be a severe violation of the C3PAO's contractual and ethical obligations to the OSC, exposing sensitive security information.

1. U.S. Department of Justice, Guide to the Freedom of Information Act, "Agencies Subject to the FOIA" section (2022). This guide explicitly states that FOIA's disclosure requirements apply to federal executive branch agencies. It clarifies that private organizations, such as C3PAOs, are not subject to FOIA requests.

2. The Cyber AB, Code of Professional Conduct, Version 2.1 (December 2022), Section 2.1 "Confidentiality". This section states, "Cyber AB credentialed individuals shall not disclose any confidential or proprietary information entrusted to them in the course of their professional duties, unless disclosure is required by law or authorized by the information owner." Since FOIA does not apply, disclosure is not required by law, and the C3PAO must protect the information.

3. Department of Defense, 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program, § 170.16 "Information sharing and protection" (Proposed Rule, Dec 26, 2023). This rule specifies that "CMMC Assessment information is the proprietary information of the OSC" and outlines strict procedures for protecting and sharing this information, reinforcing that it is not public data. The C3PAO's role is to protect this information, not disclose it.