Assessment Scope
Also known as: CMMC Assessment Scope, Boundary
The assessment scope (also called the boundary) is the set of assets, people, technology, facilities, external service providers, that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
Related terms
- Covered Contractor Information System
A Covered Contractor Information System is an unclassified information system owned, or operated by or for, a contractor that processes, stores, or transmits Federal Contract Information. FAR 52.204-21's 15 safeguarding requirements apply to every Covered Contractor Information System.
- Self-Assessment
A CMMC self-assessment is an internally-conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others depending on the contract requirement.