A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of...

Cyber AB CMMC-CCP Question Answer

A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of the assessors approaches with a signed policy. There is one signatory, and that person has since left the company. Subsequently, another person was hired into that position but has not signed the document. Is this document valid?

The signatory is the authority to implement and enforce the policy, and since that person is no longer with the company, the policy is not valid.

More research on the company policy of creating, implementing, and enforcing policies is needed. If the company has a policy identifying the authority as with the position or person, then the policy is valid.

The signatory does not validate or invalidate the policy. For the purpose of this assessment, ensuring that the policy is current and is being implemented by the individuals who are performing the work is sufficient.

The authority to implement and enforce lies with the position, not the person. As long as that position's authority and responsibilities have not been removed from implementing that domain, it is still a valid policy.

Explanation:

In the context of a CMMC Level 2 Assessment, assessors must evaluate the "Institutionalization" of practices, which includes the review of Policies. The validity of a policy document depends on the Organization Seeking Certification (OSC)'s internal governance and administrative procedures.

Internal Governance (The "Why"): CMMC does not dictate exactlyhowa company must authorize its policies (e.g., whether a signature must be refreshed immediately upon a personnel change). Instead, the assessor must verify if the document is considered "active" and "authoritative" by the OSC’s own standards.

The Role of the Assessor: As per the CMMC Assessment Process (CAP) and CCP training materials, an assessor cannot unilaterally declare a policy invalid simply because a signatory has left. The assessor must perform "more research" (typically through Interviews or examining Supplemental Documents) to determine the OSC's internal rules for policy management.

If the OSC's "Policy on Policies" states that a signature is tied to the individual, the document may be expired.

If the OSC's rules state that the authority is tied to the role/position (which is common in most corporate governance), the policy remains in effect until it is formally rescinded or updated.

Distinction from other options:

Option A is too restrictive; it assumes a universal rule that doesn't exist in the CMMC framework.

Option C is incorrect because a signatory (or formal approval)isoften what gives a policy its "authoritative" status in an audit; ignoring it would be a failure of the Examine method.

Option D is a common business assumption, but an assessor must verify this via the OSC's own procedures rather than assuming it is true for every company.

Reference Documents:

CMMC Assessment Process (CAP) v1.0: Section on "Examine" methods and evaluating evidence integrity.

NIST SP 800-171A: Discussion on "Organizational Policies" as assessment objects and the requirement for policies to be "established and maintained."

CMMC Level 2 Assessment Guide: Clarifies that policies must be "formally documented" and "representative of organizational requirements."

Cyber AB CMMC-CCP View All Questions

Cyber AB CMMC-CCP Summary

Vendor: Cyber AB
Product: CMMC-CCP
Update on: Mar 30, 2026
Questions: 221

Price: $52.5 ~~$149.99~~

Buy Now CMMC-CCP PDF + Testing Engine Pack

Plan of Action defines the clear goal or objective for the plan.

During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor...

Spring Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmasmnth

A Lead Assessor has been assigned to a CMMC Assessment During the assessment, one of...

The Answer Is:

Explanation:

Cyber AB CMMC-CCP Summary

Payments We Accept

Contact Us