From Defcert.com: The Importance of Scoping and Applicability in CMMC

The original article can be found here: https://defcert.com/the-importance-of-scoping-and-applicability-in-cmmc/


Article highlights:

  • While establishing the scope is an effort to determine the maximum breadth and depth of an assessment, applicability is a concept embedded inside of an organization's agreed-upon scope.

  • In the context of an assessment, the scope can represent several things. Assessment scope can include the requirements to assess, the individuals who will be part of the assessment, the methods used to assess an organization, the facilities where sensitive data exists, and of course, the IT system components involved in handling and securing in-scope data.

  • The fundamental objective when determining applicability is to determine which requirements apply to individual systems or system components within the assessment scope. This step is where you'll reduce complexity and find most of your cost avoidance.

  • Once we understand that not all requirements are universally applicable, it becomes easier to compare requirements to individual system components in the assessment scope.