The client has a Supervisory Control and Data Acquisition (SCADA) system, an Operational Technology (OT) asset, to be evaluated as part of its assessment. In reviewing network architecture and conducting interviews, the assessor determines that a firewall separates the SCADA system from the client’s enterprise network and that CUI is not processed by the SCADA system. Based on this information, what is an appropriate outcome?
An OSC has a testing laboratory. The lab has several pieces of equipment, including a workstation that is used to analyze test information collected from the test equipment. All equipment is on the same VLAN that is part of the certification assessment. The OSC claims that the workstation is part of the test equipment (Specialized Asset) and only needs to be addressed under risk-based security policies. However, the OSC states that the data analysis output is CUI. What is the assessor’s BEST response?
Video monitoring is used by an OSC to help meet PE.L2-3.10.2: Monitor Facility. The OSC’s building has three external doors, each with badge access and a network-connected video camera above the door. The video cameras are connected to the same network as employee computers. The OSC contracted a local security company to provide surveillance services. The security company stores the recordings at its premises and requires access to the OSC’s network to manage the video cameras. Which factor is a clear negative finding for the OSC’s assessment?
Does CMMC Level 2 require that a Cloud Service Provider (CSP) hold a FedRAMP HIGH authorization hosted in a government community cloud (GCC)?