Compliance Glossary

Determining the scope of your CMMC assessment is a need for a successful certification process. It sets the groundwork by outlining what you need to evaluate. This approach reduces the assessment’s duration and minimizes the impact of security controls on your workforce.

This is why it is essential to account for every asset, whether within or outside the scope of the assessment, that processes Controlled Unclassified Information (CUI) or is not intended for nCUI processing. Disagreements about assessment scope can lead to certification delays. 

CMMC Self-Assessment

If you’re an Organization Seeking Compliance (OSC) aiming for CMMC Level 1 or a subset of Level 2 OSCs handling non-critical national security information, you can opt for a self-assessment. This means that your organization’s CMMC lead will conduct the assessment internally.

Level 1 Self-Assessment

Level 1 assessments evaluate how the OSC safeguards Federal Contract Information (FCI) using the 17 NIST 800-171 controls that apply to Level 1. To achieve Level 1 compliance, all objectives within these 17 controls must be met.

Level 2 Self-Assessment

Level 2 OSCs must assess against NIST 800-171 (A) and meet all 110 control assessment objectives. Success at this level requires a comprehensive System Security Plan (SSP) that details how policies, procedures, and technologies align with each assessment objective.

Both Level 1 and Level 2 OSCs need to perform self-assessments annually. They must also provide an annual affirmation from a senior company official confirming compliance with all requirements. These self-assessments and affirmations must be registered in the DoD’s Supplier Performance Risk System (SPRS).