Glossary of Compliance

Compliance Glossary

Our list of curated compliance glossary offers everything you to know about compliance in one place.

Glossary » Generic » CMMC Assessment Scope

CMMC Assessment Scope

Determining the scope of your CMMC assessment is a need for a successful certification process. It sets the groundwork by outlining what you need to evaluate. This approach reduces the assessment’s duration and minimizes the impact of security controls on your workforce.

This is why it is essential to account for every asset, whether within or outside the scope of the assessment, that processes Controlled Unclassified Information (CUI) or is not intended for nCUI processing. Disagreements about assessment scope can lead to certification delays. 

CMMC Self-Assessment

If you’re an Organization Seeking Compliance (OSC) aiming for CMMC Level 1 or a subset of Level 2 OSCs handling non-critical national security information, you can opt for a self-assessment. This means that your organization’s CMMC lead will conduct the assessment internally.

Level 1 Self-Assessment

Level 1 assessments evaluate how the OSC safeguards Federal Contract Information (FCI) using the 17 NIST 800-171 controls that apply to Level 1. To achieve Level 1 compliance, all objectives within these 17 controls must be met.

Level 2 Self-Assessment

Level 2 OSCs must assess against NIST 800-171 (A) and meet all 110 control assessment objectives. Success at this level requires a comprehensive System Security Plan (SSP) that details how policies, procedures, and technologies align with each assessment objective.

Both Level 1 and Level 2 OSCs need to perform self-assessments annually. They must also provide an annual affirmation from a senior company official confirming compliance with all requirements. These self-assessments and affirmations must be registered in the DoD’s Supplier Performance Risk System (SPRS).

Additional reading

GRC Metrics: KPIs, KRIs, & KCIs

GRC Metrics: KPIs, KRIs, & KCIs Explained + Sample Checklist

As you scale, the amount of people, processes, and technology you add to your infrastructure increases. This not only adds a number of risks into the mix but also creates an unprecedented level of compliance chaos. The emergence of GRC helps to close these gaps.  This module heavily depends on certain metrics – KPIs, KRIs,…
SOC 2 Automation

SOC 2 Automation: What Is It, and Why Do You Need It?

SOC 2 automation helps streamline the preparation for the audit process by assisting with scoping your report, outlining necessary actions, and running assessments to ensure you’re ready for the audit.  While not everything in a SOC 2 audit can be automated, automating what you can is a huge time-saver and cost-cutter for your business. Compliance…

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.