Step 1: Understanding CMMC Assessment Scope Determination
In a CMMC Level 2 assessment, the Organization Seeking Certification (OSC) is responsible for identifying the assessment scope based on the CMMC Scoping Guidance provided by the Cyber AB (Cyber Accreditation Body) and DoD.
The OSC must determine which assets and systems handle Controlled Unclassified Information (CUI) and categorize them accordingly.
Reference: CMMC Scoping Guidance for Level 2, which outlines asset categorization and scoping considerations.

Step 2: Role of the C3PAO in Scope Validation
Once the OSC has determined its CMMC assessment scope, a CMMC Third-Party Assessment Organization (C3PAO) is responsible for validating the scope during the assessment planning phase.
The C3PAO reviews the OSC’s scope to ensure it aligns with DoD’s scoping guidance, ensuring that all relevant assets, networks, and policies required for CMMC Level 2 certification are correctly identified.
If there are discrepancies, the C3PAO works with the OSC to adjust the scope before proceeding with the assessment.
Reference: CMMC Assessment Process (CAP) Guide, which describes the scope validation responsibilities of a C3PAO.

Step 3: Why Other Answer Choices Are Incorrect
Choice A (Incorrect): A CCP (Certified CMMC Professional) does not have the authority to validate the scope. Their role is to guide and consult, but final validation is the C3PAO's responsibility.
Choice C (Incorrect): The CMMC Lead Assessor (part of the C3PAO team) does not determine the scope; instead, the OSC does.
Choice D (Incorrect): The C3PAO validates the scope but does not determine it—this is the OSC’s responsibility.

Final Confirmation of Correct Answer:
OSC determines the CMMC Assessment Scope.
C3PAO validates the CMMC Assessment Scope.
Thus, the correct answer is B. "The OSC determines the CMMC Assessment Scope, and the C3PAO validates the CMMC Assessment Scope."