Certified CMMC Professional (CCP) — Question 13

An OSC lead has provided company information, identified that they are seeking CMMC Level 2, stated that they handle FCI, identified stakeholders, and provided assessment logistics. The OSC has provided the company’s cyber hygiene practices that are posted on every workstation, visitor logs, and screenshots of the configuration of their FedRAMP-approved applications. The OSC has not won any DoD government contracts yet but is working on two proposals. Based on this information, which statement BEST describes the CMMC Level 2 Assessment requirements?

Answer options

• A. Ready because there is no need to certify this company until after they win a DoD contract.
• B. Not ready because the OSC is not on contract because they do not know the scope of FCI protection required by the contract.
• C. Not ready because the OSC still lacks artifacts that prove they have implemented all the CMMC Level 2 Assessment requirements.
• D. Ready because all DoD contractors are required to achieve CMMC Level 2; therefore, they are being proactive in seeking certification.

Correct answer: B

Explanation

The correct answer is B because the OSC has not yet secured a contract, which means they are unclear about the specific requirements for FCI protection associated with a future contract. Options A and D are incorrect as they misinterpret the need for certification in relation to contract status, while option C is incorrect as the OSC has provided sufficient documentation to demonstrate their current practices, even if not all artifacts are complete.