Scope: Any individual, group, department, etc. that works with/handles/processes/stores/etc. FCI and/or CUI. Additionally, any system that processes, transmits, and stores FCI and/or CUI.
Stakeholders: Information Security; Information Technology; Office of Compliance, Privacy, and Internal Audit; Office of Research & Innovation, Grants, Agreements, and Contracts; Office of the General Counsel.
Phase I - Internal Preparation
- Scope Identification
- Identify where FCI and/or CUI is located (e.g., where on the network, which systems process, transmit, and/or store it, etc.)
- Identify and determine how many enclaves will be needed.
- Certification Level Identification - identify the level of certification needed to achieve compliance with CMMC based on the amount of FCI and CUI we handle.
- Understand how much FCI and CUI we process.
- Identify the departments handling this data.
- Determine if we are primary or secondary contractor on the awards.
- Research and retain a company to assist with a pre-assessment and gap remediation of the selected enclaves.
Phase II - Pre-Assessment - Internal Information Gathering
- Have all departments handling FCI & CUI submit objective evidence (screen captures, audit logs, interviews with stakeholders, etc.) demonstrating how each CMMC requirement is met or not applicable to each in scope system.
- Review and ensure evidence contains necessary content, is complete, and satisfies the requirements.
- If necessary, research and retain either an RPO or C3PAO to assist with the pre-assessment.
Phase III - Gap Remediation
- Ensure a good change management plan is in place to account for any necessary policy and procedure changes resulting from new implementations, etc.
- Remediate any gaps and get assistance from the company that performed the pre-assessment.
- Once remediated, retain a C3PAO for the Assessment & Certification (possibly use the previously retained company).
Phase IV - Assessment & Certification
- Have a C3PAO perform the assessment and certification of the designated enclave(s).
- Continue to maintain and comply with all practices and processes at the level of certification.
- Perform continuous education/outreach programs to ensure that the research community and any new organizations that engage with us for these purposes are CMMC compliant.