Certified Cybersecurity Maturity Model Certification (CMMC) Professional (CCP) Practice Exam

Enhance your understanding for the CMMC Professional Test. Engage with flashcards and multiple choice questions, complete with hints and explanations. Elevate your cybersecurity knowledge and prepare diligently for your certification exam.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What is an example of relevant documentation the OSC must provide for assessment?

  1. Historical data analysis reports

  2. Policy manuals and System Security Plan (SSP)

  3. External audit reports

  4. Training materials for employees

The correct answer is: Policy manuals and System Security Plan (SSP)

The requirement for documentation in a CMMC assessment is focused on demonstrating how an organization's cybersecurity practices and controls are implemented and managed. The combination of policy manuals and the System Security Plan (SSP) is vital because these documents form the foundation of an organization's cybersecurity framework.

Policy manuals outline the organization’s cybersecurity policies, procedures, and standards, thus establishing the rules and guidelines that direct employee behavior concerning cybersecurity. They are integral to ensuring all staff understands their responsibilities and the regulations that govern the management of sensitive information.

The System Security Plan (SSP) is a comprehensive document that details the system's security controls, how they are implemented, and how they align with the required CMMC practices. It provides a clear picture of how the organization protects its information systems and demonstrates compliance with the CMMC requirements.

While historical data analysis reports, external audit reports, and training materials for employees can provide valuable context and support for the assessment, they do not serve as fundamental documentation outlining the current cybersecurity posture and operational controls like policy manuals and the SSP do. Therefore, the combination of these two documents is the most relevant and essential for the OSC to provide during the assessment process.