- The Overview collects the most basic data about the organization.
- The Assessment Scope is critical to defining what is "in" and what is "out" of the assessment. Here the type of assessment is defined, Enterprise vs. Organizational Unit vs. Enclave. Additionally, details defining system boundaries, CAGE codes and contracts are captured. The Assessment Scope section contains useful elements that may be revisited after the assessment by management as needed:
  - Company Settings - provides a place to reset review flags and organize assessment consultants/partners.
  - Contract Manager - contracts provide the regulatory justification for compliance and give the government rights to validate self-assessments (DFARS Interim Rule Change 30 Nov 2020), remotely or onsite. This element provides a place to track which contracts contain relevant DFARS clauses and relates contracts to CAGE codes (used to track suppliers in the government's SAM database).
  For more information about choosing amongst Enterprise-wide, Organizational Unit or Program Enclave, see the Scoping an Assessment article.
- Physical Data Locations provide a place to record the organization's physical locations. This section can also be used to record other physical locations where the organization's data may be stored. The inventory of locations creates a roadmap of what needs physical security controls.
- Electronic Data Locations are the counterpart to physical data locations and list the databases where CUI, FCI or other confidential data is stored. Electronic Data Locations is not an area for recording the tools the organization uses, but for recording the locations of the data those tools store. The goal of the assessment is to protect data, and the list of databases provides a roadmap for what needs to be protected.