CMMC CMMC-CCA Book

The CMMC Assessment Process (CAP) requires that results be reported at the OSC level. While findings may be gathered from enclaves or units, the final reporting must be aggregated and scored across the entire OSC assessment boundary.

Extract:

“Final recommended assessment results must be consolidated and reported at the OSC level, regardless of assessment locations or enclaves.”

Thus, the Lead Assessor must ensure aggregation to the OSC level.

The Physical Protection (PE) requirements require that systems containing FCI or CUI be placed in controlled-access facilities with safeguards against unauthorized physical access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

Thus, ensuring that the VMs run on hardware located in a controlled-access facility is the correct method to meet physical security requirements.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is the authoritative document that specifies which security responsibilities are owned by the OSC versus the Cloud Service Provider (CSP). This enables assessors to determine which CMMC practices apply to the OSC and which are inherited from the provider.

Exact extracts:

“External Service Providers (ESPs), including CSPs, must provide a Shared Responsibility Matrix that delineates customer versus provider responsibilities.”

“Assessors should request and review this matrix to determine practice applicability.”

Why other options are incorrect:

A: Zero Trust Architecture is a design framework, not a responsibility breakdown.

C: White papers are marketing/technical resources, not binding assignments of responsibility.

D: IAM Plans address access management, not overall shared responsibilities.

If the OSC cannot remediate deficiencies during the POA&M Close-Out process, the Lead Assessor must issue a recommendation of NOT MET, and the OSC will not be certified. CMMC requires all Level 2 practices to be MET (with limited exceptions under defined POA&M close-out rules).

Exact Extracts:

CMMC Assessment Guide: “If practices cannot be met within the POA&M Close-Out process, the Lead Assessor must not recommend certification.”

DoD policy: “CMMC Level 2 requires that all 110 practices be met. A failed POA&M Close-Out results in a final determination of NOT MET.”

“There is no provisional certification status in CMMC.”

Why the other options are not correct:

A: Assessments are not paused indefinitely; unresolved deficiencies result in NOT MET.

B: Justification alone does not satisfy requirements.

C: Provisional status does not exist in CMMC.