The OSC is responsible for identifying and declaring where CUI is processed, stored, or transmitted. A Certified CMMC Assessor (CCA) may verify boundaries, examine evidence, and confirm monitoring or control practices, but cannot independently determine if a physically separated asset contains CUI. That determination is the responsibility of the OSC, not the assessor.
Exact extracts:
“The OSC is responsible for identifying CUI assets.”
“Assessors verify and validate the OSC’s identification, but do not independently declare or determine the presence of CUI.”
“Assessors are permitted to examine boundary protections, monitoring mechanisms, and internal boundary controls.”
Why the other options are allowed:
A: Assessors are required to verify internal system boundaries.
C: Assessors must confirm that external system boundaries are clearly defined.
D: Assessors must examine evidence of communication monitoring.
References (CCA documents / Study Guide):
CMMC Assessment Guide – Level 2, Assessor Roles and Responsibilities.
CMMC Code of Professional Conduct (OSC retains CUI ownership; assessors validate but cannot declare CUI).
