For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.


Scope: Any individual, group, department, etc. that works with/handles/processes/stores/etc. FCI and/or CUI. Additionally, any system that processes, transmits, and stores FCI and/or CUI.

Stakeholders: Information Security; Information Technology; Office of Compliance, Privacy, and Internal Audit; Office of Research & Innovation, Grants, Agreements, and Contracts; Office of the General Counsel.


Phase I - Internal Preparation

  1. Scope Identification
    1. Identify where FCI and/or CUI is located (e.g., where on the network, which systems process, transmit, and/or store it, etc.)
    2. Identify and determine how many enclaves will be needed.
  2. Certification Level Identification - identify the level of certification needed to achieve compliance with CMMC based on the amount of FCI and CUI we handle.
    1. Understand how much FCI and CUI we process.
    2. Identify the departments handling this data.
    3. Determine if we are primary or secondary contractor on the awards.
  3. Research and retain a company to assist with a pre-assessment and gap remediation of the selected enclaves.

Phase II - Pre-Assessment - Internal Information Gathering

  1. Have all departments handling FCI & CUI submit objective evidence (screen captures, audit logs, interviews with stakeholders, etc.) demonstrating how each CMMC requirement is met or not applicable to each in scope system.
  2. Review and ensure evidence contains necessary content, is complete, and satisfies the requirements.
  3. If necessary, research and retain either an RPO or C3PAO to assist with the pre-assessment.

Phase III - Gap Remediation

  1. Ensure a good change management plan is in place to account for any necessary policy and procedure changes resulting from new implementations, etc.
  2. Remediate any gaps and get assistance from the company that performed the pre-assessment.
  3. Once remediated, retain a C3PAO for the Assessment & Certification (possibly use the previously retained company).

Phase IV - Assessment & Certification

  1. Have a C3PAO perform the assessment and certification of the designated enclave(s).
  2. Continue to maintain and comply with all practices and processes at the level of certification.
  3. Perform continuous education/outreach programs to ensure that the research community and any new organizations that engage with us for these purposes are CMMC compliant.