CMMC Scoping & Process Flashcards

1
Q

FCI Asset

A

Any device that stores, processes, or has access to FCI.

2
Q

CUI Asset

A

Any device that stores, processes, or has access to CUI.

3
Q

Out-of-Scope Asset

A

Any device that does not have access to CUI or FCI.

4
Q

What are the 5 categories of Special Assets?

A
  1. Government Equipment
  2. IoT and Industrial IoT
  3. Operational Technology (OT)
  4. Restricted Information Systems
  5. Test Equipment
5
Q

What is a Special Asset - Restricted Information System?

A

An information system or component essential to servicing a contract, such as a dev network. The OSC must clearly articulate how and why the asset is a Special Asset (SA) and Out-of-Scope (OoS).

6
Q

How long does a C3PAO have to respond during Phase 1?

A

5 Business Days

7
Q

How long does the OSC have to correct items in the "Limited Practice Deficiency Correction" Program when =>% from the Final Findings Brief?

A

5 Business Days, or by a date determined by the Lead Assessor, not to exceed 5 calendar days.

8
Q

What score is required to allow an OSC to POA&M items?

A

80%, or 88/110 for practices Met.

9
Q

How long after the Final Findings Briefing does the Assessment Team have to submit the Final Reports to the CQAP?

A

10 Business Days

10
Q

How long after the Final Findings Brief must the final reports be uploaded to eMASS?

A

No later than 20 business days.

11
Q

What are details for a Level 1 Assessment?

A

Considered a Foundational Assessment, and addresses 17 practices.

12
Q

What are the details for a Level 2 Assessment?

A

Considered an Advanced assessment, and addresses 110 practices.

13
Q

What are the details for a Level 3 Assessment?

A

Considered an Expert assessment, and addresses the 110 practices in NIST SP 800-171 plus additional practices listed in NIST SP 800-172.

14
Q

What 6 Domains are covered in a Foundational Assessment?

A

A Foundational (Level 1) Assessment covers the following Cybersecurity Domains:

  1. Access Control (AC)
  2. Identification and Authentication (IA)
  3. Media Protection (MP)
  4. Physical Protection (PE)
  5. System and Communications Protection (SC)
  6. System and Information Integrity (SI)
15
Q

How many domains are covered in an Advanced Assessment, and what are they?

A

Fourteen (14) Domains in a Level 2, Advanced, Assessment:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Identification and Authentication
  5. Configuration Management
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)
16
Q

What are the four (4) phases of a CMMC assessment?

A

Phase 1 - Plan and Prepare
Phase 2 - Conducting Assessment
Phase 3 - Reporting
Phase 4 - Close-out POAM and Assessment

17
Q

What items are needed for Phase 1?

A
  1. A list of Evidence (Inventory)
    • Provided to the C3PAO for each objective.
    • Ensure evidence is sufficient and adequate.
  2. Scope Agreement between OSC and C3PAO
    • Ensure the scope is thoroughly communicated and understood.
18
Q

What are some key points for Phase 2?

A

3 methods - Examine, Test, Interview

Examine is the #1 way to review evidence (usually one piece per objective)

19
Q

What are some key points for Phase 3?

A

Fully Implemented = All items found correct

Any item with a deficiency is NOT MET

20
Q

What is the LDPC?

A

Limited Practice Deficiency Program, which may be available for deficient practices worth one point. The overall assessment score must be 80% (88/110) or higher to be allowed a 180-day POAM option.

21
Q

What is a CRMA?

A

Contractor Risk Managed Asset: a device that can, but does not, touch CUI. It is not assessed.

22
Q

What is Assessment Framing?

A

The process of identifying the size, scale, date, time, place, manner, resources, and level of effort for a prospective CMMC assessment.

23
Q

What needs to be discussed during Assessment Framing?

A
  • Locations
  • Identify OSC staff who will provide evidence
  • Scope
  • Relevant Documentation, roles and responsibilities of IT and infosec staff
  • Evidence
  • A Rough Order-of-Magnitude (ROM) estimate for approx. duration and timing for the assessment
  • Assessment outputs for the OSC Assessment Official
  • Lead Assessor and OSC POC validate OSC Self-Assessment Practice Deficiency Items