Assessment Scope
Also known as: CMMC Assessment Scope, Boundary
The assessment scope (also called the boundary) is the set of assets — people, technology, facilities, external service providers — that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
Related terms
- Covered Contractor Information System
A Covered Contractor Information System is an unclassified information system owned, or operated by or for, a contractor that processes, stores, or transmits Federal Contract Information. FAR 52.204-21's 15 safeguarding requirements apply to every Covered Contractor Information System.
- Self-Assessment
A CMMC self-assessment is an internally-conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others depending on the contract requirement.