Tina is working on a team conducting a Level 2 assessment for Humvees-R-Us (HRU). While gathering evidence, Tina notices that HRU has not updated several critical policies in years. Knowing that HRU is investing a significant amount of money in the assessment, she tells Bob, the CEO of HRU, that she will date the policies to make them appear as if they have been regularly revised. She explains that this will help HRU pass their assessment and save them the cost of a reassessment. Tina believes changing the dates isn’t a big deal since HRU has policies written but has not revised them as frequently as required.Was it right for Tina to adjust the dates during the assessment? If not, which principle of the CMMC Code of Professional Conduct did she violate?

An OSC is undergoing a CMMC Level 2 assessment. The assessment team is reviewing the evidence for configuration management procedures per CMMC Practice CM.L2-3.4.1-System Baselining. The assessors discover that the OSC has a documented process for creating system baselines. However, upon reviewing a sample server, they find software installed that is not listed in the baseline documentation. The OSC acknowledges the discrepancy and explains that they recently deployed new security software but have not updated the baseline documentation yet. What is the Assessment Team's initial finding regarding the OSC's implementation of CM.L2-3.4.1-System Baselining, and how should it be scored?

You were the Lead Assessor on a team that conducted a CMMC assessment for an OSC that passed and earned a CMMC L2 Certification. Meeting this requirement, the OSC bid on and won a DoD contract. However, a rival company disputes the OSC's CMMC certification status in court. As part of the evidence, the court has directed you to release the assessment results and any evidence you might have relied on to arrive at the assessment results.Based on the CoPC, what action should you take in this situation?

Before an OSC categorizes its assets into different categories, it must determine the Scope of applicability. However, after discussing with the OSC� PoC, you learn that although they follow CUI and FCI in all forms and stages, they are mostly considered technical components. What is the issue with the OSC?s approach to determining scope of applicability?

A CCA receives a notification from the Cyber AB that they are being investigated for a potential violation of the CoPC. They are concerned about the potential consequences and want to understand the process better. Who has the final authority to determine the corrective action taken against a CCA, if any?