The following is an illustrative composite drawn from current CMMC assessment market conditions. Contractor A had 340 workstations, four office locations, a shared IT environment spanning HR, finance, and engineering, and a standard enterprise network where everyone accessed everything. When their Certified Third-Party Assessment Organization (C3PAO) showed up, every one of those 340 workstations was in scope. Every user. Every location. The assessment bill came in at $112,000. Contractor B processed Controlled Unclassified Information (CUI) on a dedicated 22-workstation segment, isolated from the rest of the network, accessible only to the engineers who needed it. Their assessment scope covered 22 systems, 19 users, and one location. They paid $38,000.
Both contractors pursued the same Cybersecurity Maturity Model Certification (CMMC) Level 2 certification. (Our CMMC Level 2 assessment preparation guide covers the full certification process.) Both had the same security obligations under 32 CFR Part 170. The difference was not their security posture. It was their architecture. Contractor B had built a CUI enclave: a bounded environment where all controlled unclassified information processing happens and where the boundary is enforced, documented, and defensible. Contractor A had not. That single architectural decision drove a $74,000 difference in assessment cost before the first control was validated.
Assessment scope is not a function of how large your company is. Scope is a function of where CUI lives and flows in your environment. CMMC scoping guidance gives contractors five asset categories and a clear framework for deciding what stays inside the boundary and what stays out. Contractors who master that framework before their assessment arrives pay a fraction of what those who discover it during the assessment pay.
Reduce your CMMC assessment scope by building a CUI enclave using one of four patterns: a dedicated network segment ($15K-$40K), Virtual Desktop Infrastructure (VDI)/DaaS for remote access ($8K-$25K/year), a cloud enclave in AWS GovCloud or Azure Government ($1.5K-$6K/month), or a managed enclave service provider ($3K-$10K/month). These figures are operator estimates from current managed-enclave providers and vary by vendor and configuration. Start with the CUI data flow diagram. Categorize every asset into one of five CMMC asset types under 32 CFR §170.19(c)(1) Table 3. The category assignment determines what is in scope and what is not.
The Five CMMC Asset Categories That Determine Your Assessment Scope
CMMC scoping guidance, formalized in 32 CFR §170.19(c)(1) Table 3 and the DoD CIO CMMC Level 2 Scoping Guide (v2.13, Sept 2024), defines five asset categories. Every system, device, user, and application in your environment falls into one of them. The category assignment determines whether an asset is in scope for assessment and, critically, which controls apply to it. Getting the categorization right is the foundational step in enclave architecture.
CUI Assets: The Core of Your Scope
CUI Assets are systems that process, store, or transmit controlled unclassified information. These are always in scope. The C3PAO validates all 110 NIST SP 800-171 Rev 2 practices against these assets; the other asset categories receive different treatment as described below. (For how Rev 3 changes affect this landscape, see our NIST 800-171 Rev 2 vs Rev 3 comparison.) Every laptop that opens a CUI email, every server that hosts CUI files, and every application where engineers enter CUI data is a CUI Asset. The goal of enclave architecture is to make this list as short as operationally possible, not as short as theoretically possible.
The distinction matters because contractors sometimes pursue aggressive scoping that excludes systems their engineers actually use for CUI work. If a system touches CUI in practice, it belongs in this category regardless of the architecture diagram. C3PAOs verify scope through interviews, network traffic analysis, and log review.
Security Protection Assets: In Scope for Relevant Controls
Security Protection Assets (SPAs) are systems that provide security functions for the CUI environment: firewalls, intrusion detection systems, log aggregators, multi-factor authentication platforms, and identity providers. SPAs are in scope, but the assessment treatment is more precise than “all 110 controls.” Per 32 CFR §170.19(c)(2) and the DoD CIO CMMC Level 2 Scoping Guide, SPAs must be documented in the SSP and in the network diagram, and they are assessed against the Level 2 security requirements that are relevant to the capabilities they provide. A firewall protecting the CUI segment is assessed against the controls relevant to its security function, not the full 110-control set. The intent of the scoping rule is to capture the security risk the SPA presents, not to impose controls irrelevant to what the asset actually does.
Many contractors discover this category expands their scope materially when they try to isolate the CUI network but share security infrastructure across the enterprise. The identity provider that authenticates CUI access also authenticates corporate access. The log aggregator that monitors the CUI segment also monitors the finance network. Shared security infrastructure pulls both environments into scope. The enclave architecture decision that avoids this outcome: dedicated or logically isolated security infrastructure for the CUI environment, separate from corporate security tooling.
Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets
Contractor Risk Managed Assets (CRMAs) are systems that could affect the confidentiality of CUI but do not directly process it. A corporate email gateway that routes messages through the CUI network segment, or an IT management platform with network visibility into the CUI environment, falls here. These are in scope for assessment but evaluated differently: contractors document why these systems do not present unacceptable risk rather than demonstrating full NIST SP 800-171 compliance for each one.
Specialized Assets include government-furnished equipment (GFE), operational technology (OT), IoT devices, test equipment, and restricted information systems. Per the DoD CIO CMMC Level 2 Scoping Guide (v2.13, Sept 2024), Specialized Assets must be documented in the System Security Plan (SSP) and managed under the contractor’s risk-based information security policies. Specialized Assets are not assessed against the NIST SP 800-171 practice set. This is a documentation and risk-management obligation, not an assessor negotiation about which controls apply. A manufacturing contractor with CNC machines on the same network as CUI has a Specialized Asset documentation problem worth solving before the assessment, not during it.
Out-of-Scope Assets are systems that cannot process, store, transmit, or affect CUI. They require no assessment consideration. Every system you successfully migrate to this category represents assessment cost eliminated. The enclave architecture strategy is, at its core, a systematic effort to maximize this category by keeping CUI confined to the minimum viable set of systems that operations require.
The audit fix. Map every system in your environment to one of the five CMMC asset categories before your assessment. Start with a discovery exercise: pull device inventory from your MDM, network logs, and Active Directory. For each asset, answer one question: does this system process, store, transmit, or protect CUI? If yes, categorize it as CUI Asset or Security Protection Asset. If it indirectly affects CUI confidentiality, it is a Contractor Risk Managed Asset. Document your categorization rationale in writing. This document becomes your scoping justification during the C3PAO assessment.
CUI Data Flow Diagram: The Foundational Scoping Artifact
The CUI data flow diagram is the document your C3PAO examines before anything else. It traces every path CUI takes from entry to exit in your environment: where it arrives, which systems touch it, how it moves internally, where it rests, and how it leaves. The diagram defines your boundary. If a system is on the diagram, it is in scope. If it is not on the diagram but CUI flows through it in practice, your scope documentation is wrong and your assessment will surface the gap.
What a Defensible CUI Data Flow Diagram Contains
A defensible data flow diagram for CMMC scoping contains six elements: all CUI entry points (email, VPN, file sharing platforms, government network integrations); every system that touches CUI in transit or at rest, labeled with its asset category; network boundaries enforcing isolation between CUI and non-CUI systems; every user role with CUI access mapped to its authentication mechanism; CUI egress paths when delivering to the government customer or subcontractors; and any cloud services processing CUI with FedRAMP authorization status noted.
Keep the diagram current before the assessment. C3PAOs will cross-reference the diagram against network configurations, email logs, and user interviews. Discrepancies between the diagram and operational reality expand scope and generate additional assessment findings. Outdated diagrams are themselves a finding.
How the Diagram Drives SPRS Score Calculation
Your Supplier Performance Risk System (SPRS) score is calculated against in-scope systems. (See our SPRS score calculation guide for the full methodology.) Fewer in-scope systems means fewer controls to validate and fewer potential gaps in your SPRS submission under the Department of Defense (DoD) Assessment Methodology. The math is direct: every system you keep off the CUI network is a system where a missing control does not reduce your score.
This effect compounds at assessment time. C3PAOs sample evidence across in-scope assets. A 340-asset scope requires a larger evidence sample than a 22-asset scope. Larger samples surface more gaps. More gaps mean more findings, longer remediation cycles, and higher conditional certification costs. The enclave decision upstream of the assessment reduces downstream risk by reducing surface area.
The audit fix. Build your CUI data flow diagram before you architect the enclave, not after. Use Lucidchart, Visio, or draw.io. Start from entry points: what contract vehicles require CUI handling, and how does that CUI arrive? Email attachment, SFTP download, or government portal? Trace each CUI packet from entry through every system it touches to final delivery or disposal. Mark every system with its asset category. Where CUI crosses a network boundary, label the control enforcing that boundary (firewall rule, VLAN, jump server). Review the diagram with your network engineer and your program manager. When their mental models match the diagram, the diagram is accurate.
The CUI data flow diagram is both a compliance artifact and a business tool. Contractors who build it before designing their enclave architecture find and eliminate unnecessary CUI touch points during design, before those touch points are installed, configured, and later assessed.
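The diagram review described above, together with the asset categorization step from the earlier audit fix, can be checked mechanically once flows and categories are written down as data. The following is an added example, not part of the original article: every system name, zone, flow and firewall rule label in it is constructed sample data, and the record layout is an assumption of this example.

```python
"""Added example: reconcile a CUI data flow diagram with declared asset categories."""
from collections import deque

CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
OUT_OF_SCOPE = "Out-of-Scope Asset"
EXTERNAL = "EXTERNAL"  # stands for the prime or government customer

# Constructed inventory: system -> (network zone, declared asset category).
INVENTORY = {
    "sftp-gw":      ("cui-enclave", CUI_ASSET),
    "cui-files":    ("cui-enclave", CUI_ASSET),
    "eng-ws-01":    ("cui-enclave", CUI_ASSET),
    "cad-render":   ("cui-enclave", CUI_ASSET),   # declared, but drawn on no flow
    "enclave-fw":   ("cui-enclave", SPA),
    "corp-mail":    ("corporate", OUT_OF_SCOPE),
    "corp-laptop7": ("corporate", OUT_OF_SCOPE),
    "hr-app":       ("corporate", OUT_OF_SCOPE),
}

# Constructed CUI flows: (source, destination, boundary control label or None).
FLOWS = [
    (EXTERNAL, "sftp-gw", "enclave-fw rule 12"),
    ("sftp-gw", "cui-files", None),
    ("cui-files", "eng-ws-01", None),
    (EXTERNAL, "corp-mail", None),            # CUI-marked attachment sent by email
    ("corp-mail", "corp-laptop7", None),
    ("eng-ws-01", EXTERNAL, "enclave-fw rule 14"),
]


def zone_of(system, inventory):
    """Zone of a system; anything missing from the inventory is 'unknown'."""
    if system == EXTERNAL:
        return "external"
    return inventory[system][0] if system in inventory else "unknown"


def trace_cui(flows, entry=EXTERNAL):
    """Breadth-first trace: every system CUI can reach from the entry point."""
    adjacency = {}
    for src, dst, _control in flows:
        adjacency.setdefault(src, []).append(dst)
    reached, queue = set(), deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt != entry and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def review_diagram(inventory, flows):
    """Return the discrepancies an assessor would find between diagram and inventory."""
    reached = trace_cui(flows)
    declared_cui = {s for s, (_zone, cat) in inventory.items() if cat == CUI_ASSET}
    return {
        # CUI reaches the system in practice, yet it is declared Out-of-Scope.
        "declared_out_of_scope_but_reached": sorted(
            s for s in reached
            if s in inventory and inventory[s][1] == OUT_OF_SCOPE
        ),
        # CUI reaches a system that was never inventoried at all.
        "not_in_inventory": sorted(reached - set(inventory)),
        # Declared CUI Asset that no flow touches: the diagram is incomplete.
        "declared_cui_not_on_diagram": sorted(declared_cui - reached),
        # A flow crosses a zone boundary with no enforcing control labelled.
        "crossings_without_control": [
            (src, dst) for src, dst, control in flows
            if zone_of(src, inventory) != zone_of(dst, inventory) and not control
        ],
        # What is handled as a CUI Asset once operational flows are counted.
        "effective_cui_assets": sorted(reached | declared_cui),
    }


if __name__ == "__main__":
    for finding, items in review_diagram(INVENTORY, FLOWS).items():
        print(f"{finding}: {items}")
```

In the sample data the emailed attachment is what pulls `corp-mail` and `corp-laptop7` into scope, while `hr-app` stays out because no flow reaches it.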
CMMC Enclave Architecture Patterns: Four Implementation Options
Four enclave patterns are in production use across the defense industrial base. Each achieves the same goal: isolating CUI to a defined boundary that minimizes assessment scope. The right pattern depends on your operation size, CUI volume, technical capacity, and budget. The table below compares them across the dimensions that matter most for scoping decisions. Cost ranges are operator estimates from current managed-enclave and MSSP providers and will vary by vendor and configuration.
| Enclave Pattern | How It Works | In-Scope Asset Count (Typical) | Implementation Cost (Operator Estimates) | Best For |
|---|---|---|---|---|
| Dedicated CUI Network Segment | Separate VLAN or physical network for CUI systems; firewall enforces boundary | 10-40 workstations + servers | $15,000-$40,000 (hardware + configuration) | Mid-size contractors with on-premises infrastructure and dedicated CUI staff |
| VDI / DaaS for CUI Access | CUI processing occurs in virtual desktops; physical endpoints are out of scope | VDI servers + broker only (endpoints excluded) | $8,000-$25,000/year (cloud-hosted VDI licensing) | Contractors with distributed or remote CUI staff; reduces endpoint scope to zero |
| Cloud Enclave (GovCloud) | CUI resides entirely in FedRAMP-authorized cloud environment (AWS GovCloud, Azure Government) | Cloud environment only; on-premises systems excluded | $1,500-$6,000/month (IaaS + managed security tooling) | Small contractors with minimal on-premises infrastructure; fastest path to clean boundary |
| Managed Enclave Service Provider | Third-party MSSP provides a pre-built, pre-assessed CUI environment as a managed service | Customer-side: near zero (provider owns in-scope infrastructure) | $3,000-$10,000/month | Small contractors without internal IT capacity; provider inherits most assessment burden |
Dedicated CUI Network Segment
The dedicated network segment separates CUI systems from the corporate network using VLANs and firewall rules. CUI workstations, servers, and storage live on the CUI segment. Corporate workstations, HR systems, and finance applications live outside it. The firewall enforces the boundary. Remote access into the CUI segment requires a separate VPN profile or jump server, not the corporate VPN. This pattern works well for contractors with 10 to 50 CUI users and existing on-premises network infrastructure.
The implementation risk is shared infrastructure. Active Directory, DNS, DHCP, and security tooling often span both environments in initial deployments. Every shared infrastructure component pulls corporate systems into scope as a Security Protection Asset. The clean implementation requires either dedicated infrastructure for the CUI segment or documented isolation with compensating controls for each shared component.
VDI and DaaS for CUI Access
Virtual desktop infrastructure keeps CUI processing on servers in a controlled environment. Engineers access CUI through a virtual desktop session. Their physical laptops or desktops connect to the VDI broker but never process, store, or receive CUI directly. The physical endpoints become out-of-scope assets because no CUI touches them. Only the VDI servers, the broker, and the network they operate on are in scope.
This pattern reduces endpoint scope to near zero and solves the remote workforce CUI problem. A contractor with engineers in five locations does not need CUI-compliant workstations at each location. The VDI servers in one location handle compliance; the physical machines everywhere else are out of scope. The trade-off is latency sensitivity: engineers doing work that requires high-bandwidth local processing find VDI limiting. Document those exceptions and assess whether those workloads actually require CUI access.
Cloud Enclave and Managed Enclave Providers
A cloud enclave in AWS GovCloud or Azure Government places CUI infrastructure on FedRAMP-authorized platforms (see also FedRAMP 20x requirements). On-premises systems that do not connect to the cloud environment are out of scope. The C3PAO assessment focuses on the cloud environment configuration, access controls, and monitoring. Contractors without on-premises infrastructure find this the lowest-cost entry point because they inherit the physical security and many baseline controls from the cloud provider.
Managed enclave service providers go further: they operate the CUI environment on behalf of the contractor. The contractor’s users access CUI through the managed environment. The MSSP maintains the infrastructure, applies patches, monitors for threats, and produces evidence packages for assessments. Contractors pay a monthly fee and inherit an environment already structured for CMMC compliance. The scoping benefit is significant: when the MSSP owns the CUI infrastructure, the contractor’s assessment scope shrinks to the interface between their users and the managed environment.
The audit fix. Select your enclave pattern before engaging a C3PAO. Most assessors will advise on patterns, but they assess what exists, not what you plan to build. Choose a pattern, implement it, validate the boundary with a gap assessment, then schedule the C3PAO. If you are early in your CMMC journey with fewer than 25 CUI users and no existing on-premises CUI infrastructure, evaluate the cloud enclave or managed MSSP option first. The total cost of ownership including assessment fees often makes these options less expensive than building on-premises infrastructure even when the monthly fees appear high.
Common CMMC Scoping Mistakes That Expand Assessment Cost
Three scoping mistakes account for most of the scope expansion contractors discover during assessments. Each one pulls systems, users, or locations into the CUI boundary that the contractor believed were excluded. Each one is avoidable with a pre-assessment scoping review.
Shared Administrative Accounts Across Boundaries
A system administrator with a single account that authenticates to both CUI systems and corporate systems creates a security and scoping problem. The corporate systems become Security Protection Assets because the shared admin account means a compromise of corporate credentials could pivot to CUI systems. C3PAOs identify shared admin accounts through Active Directory review and interview. When they find them, the corporate systems those accounts touch move into scope.
The fix requires dedicated privileged accounts for CUI system administration, separate from any account used for corporate IT management. This is not optional. NIST SP 800-171 §3.1.5 requires employing the principle of least privilege, including for specific security functions and privileged accounts. §3.1.6 reinforces this by requiring the use of non-privileged accounts or roles when accessing nonsecurity functions. Shared admin accounts violate both practices and expand your scope simultaneously.
CUI on Personal Devices and Unmanaged Endpoints
CUI received via email and opened on a personal laptop makes that laptop a CUI Asset. CUI files downloaded from a contract portal to an unmanaged home computer pull that computer into scope. Engineers using personal phones to access CUI-containing SharePoint libraries create scope that includes personal devices the contractor neither manages nor controls. This pattern appears in nearly every small contractor’s initial scoping review.
The remediation requires either device enrollment in MDM before any CUI access is permitted, or VDI architecture that prevents CUI from touching the endpoint at all. Policy without technical enforcement is a finding waiting to happen. C3PAOs ask engineers directly in interviews whether they have accessed CUI from a personal device. Engineers answer honestly.
Email Systems Carrying CUI Across the Boundary
Corporate email is the most common unintentional CUI transport channel in the defense industrial base. A prime contractor sends a CUI-marked document to the engineering team. The email lands in the corporate Exchange or Microsoft 365 environment. That email server, the mail flow rules, and the archiving system are now processing CUI. If the corporate email environment was not in the CUI boundary, it just joined it.
Two architectural responses exist. The first moves email into the CUI boundary, routing all CUI-eligible communications through a compliant email system inside the enclave. The second blocks CUI from entering email entirely: CUI shares only through the secure collaboration platform inside the enclave, and primes and government customers are notified of the protocol. The second produces a cleaner boundary. Document whichever approach you choose in your System Security Plan (SSP) and train the engineers who handle CUI.
The audit fix. Run a pre-assessment scoping audit 90 days before your C3PAO engagement. Cover three areas. First, pull a complete privileged account inventory from Active Directory. Identify every admin account and confirm it has no access rights outside the CUI boundary. Second, review your email logs for CUI-marked messages. Identify every system that handled those messages and verify each one is either in scope or isolated from CUI flow. Third, survey your engineers directly: ask whether they have accessed CUI from any device not enrolled in your MDM. Document the answers. Any yes response requires immediate remediation before the assessment.
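The first step of this audit, the privileged account inventory, is sketched below as an added example that is not part of the original article. Account names, group names, systems and the export layout are constructed; the example also goes one step beyond the text by resolving nested group membership, since an account can reach across the boundary through a group of groups without holding any direct corporate membership.

```python
"""Added example: find privileged accounts whose admin rights span the CUI boundary."""

# Constructed data: system -> side of the documented boundary.
ZONE = {
    "cui-files": "cui", "eng-ws-01": "cui",
    "corp-dc01": "corporate", "fin-erp": "corporate", "hr-app": "corporate",
}

# Constructed data: group -> systems on which it holds administrative rights.
ADMIN_RIGHTS = {
    "CUI-Server-Admins": ["cui-files", "eng-ws-01"],
    "Corp-Server-Admins": ["corp-dc01", "fin-erp"],
    "Helpdesk-Tier2": ["hr-app"],
}

# Constructed data: principal (account or group) -> groups it directly belongs to.
MEMBER_OF = {
    "cui-adm-jsmith": ["CUI-Server-Admins"],                 # dedicated CUI admin
    "adm-jsmith": ["Corp-Server-Admins"],                    # corporate-only admin
    "adm-mlee": ["CUI-Server-Admins", "Helpdesk-Tier2"],     # direct span
    "adm-rpatel": ["Enclave-Ops"],                           # span through nesting
    "Enclave-Ops": ["CUI-Server-Admins", "IT-Ops"],
    "IT-Ops": ["Corp-Server-Admins", "Enclave-Ops"],         # membership cycle
}

PRIVILEGED_ACCOUNTS = ["cui-adm-jsmith", "adm-jsmith", "adm-mlee", "adm-rpatel"]


def effective_groups(principal, member_of):
    """All groups reached through direct and nested membership (cycle-safe)."""
    seen, stack = set(), list(member_of.get(principal, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, []))
    return seen


def admin_reach(account, member_of, admin_rights, zone):
    """Map each zone to the systems the account can administer there."""
    reach = {}
    for group in effective_groups(account, member_of):
        for system in admin_rights.get(group, []):
            reach.setdefault(zone[system], set()).add(system)
    return reach


def boundary_spanning(accounts, member_of, admin_rights, zone):
    """Accounts that administer CUI systems and also systems outside the boundary.

    Returns account -> sorted list of the non-CUI systems it can administer.
    """
    findings = {}
    for account in accounts:
        reach = admin_reach(account, member_of, admin_rights, zone)
        outside = sorted(
            system
            for zone_name, systems in reach.items() if zone_name != "cui"
            for system in systems
        )
        if "cui" in reach and outside:
            findings[account] = outside
    return findings


def pulled_into_scope(findings):
    """Corporate systems that the spanning accounts drag into assessment scope."""
    return sorted({system for systems in findings.values() for system in systems})


if __name__ == "__main__":
    spans = boundary_spanning(PRIVILEGED_ACCOUNTS, MEMBER_OF, ADMIN_RIGHTS, ZONE)
    for account, systems in spans.items():
        print(f"{account} also administers: {', '.join(systems)}")
    print("pulled into scope:", pulled_into_scope(spans))
```

`adm-rpatel` has no direct corporate group membership, so a review of direct memberships alone would miss it.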
How Enclave Scoping Affects Assessment Cost and Timeline
Assessment cost scales with scope in two ways: the C3PAO charges more to assess more assets, and more assets produce more potential findings that require remediation before certification. Both effects are real and both are reducible through scoping decisions made before the assessment begins.
The C3PAO Pricing Model
C3PAO assessments are priced primarily on time. A 22-asset scope with 19 users takes three to five days of assessor time. A 340-asset scope across four locations takes three to five weeks. At $2,500 to $4,000 per assessor per day (current market range per C3PAO operator data; no Cyber AB published rate card exists), the difference between those two scenarios runs $60,000 to $125,000 before remediation. Contractors with large, poorly defined scopes are more likely to receive conditional certifications because larger scopes surface more gaps. The remediation-then-reassessment cycle often costs as much as the original assessment.
SPRS Score Impact and Continuous Monitoring
Your SPRS score affects your ability to win contracts today. Defense contractors have historically submitted SPRS scores based on self-assessments against NIST SP 800-171 Rev 2 while CMMC third-party assessments phased in under DFARS 252.204-7019 and 252.204-7020. As of February 1, 2026, a DFARS class deviation has suppressed the basic self-assessment obligation under DFARS 252.204-7019 for new prime contracts pending the full CMMC third-party assessment rollout under the phase-in schedule at 32 CFR §170.3(e). Assessment obligations for new solicitations now route primarily through DFARS 252.204-7021. Fewer in-scope systems means fewer controls to validate and fewer potential gaps regardless of whether the assessment is self-reported or third-party. A 170-point score against 22 systems is easier to defend than a 170-point score against 340 systems when a Defense Contract Management Agency (DCMA) / Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) review or contracting officer scrutiny arrives.
After certification, continuous monitoring requirements under CMMC Level 2 require annual affirmations under 32 CFR §170.22 and periodic validation that your environment remains within the certified boundary. A smaller, well-documented enclave is easier to monitor, easier to keep compliant, and easier to reaffirm annually. Scope creep, where CUI gradually migrates to systems outside the certified boundary, is a common post-certification failure. The remediation is a new assessment. Engineers who understood the enclave boundary at certification and enforce it operationally prevent this outcome.
- Complete a CUI data flow diagram that traces all CUI from entry to egress across every system in your environment
- Categorize every system using the five CMMC asset categories per 32 CFR §170.19(c)(1) Table 3: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets
- Select an enclave pattern (dedicated segment, VDI/DaaS, cloud enclave, or managed MSSP) based on your CUI user count and infrastructure
- Verify no shared administrative accounts authenticate to both CUI and non-CUI systems
- Confirm CUI email flow routes only through in-scope systems or is blocked from email entirely
- Verify all CUI access from remote users routes through VPN or VDI, not through unmanaged endpoints
- Confirm all security infrastructure serving the CUI environment (firewalls, IdP, SIEM) is either dedicated to the CUI environment or documented as a Security Protection Asset in scope
- Run a personal device audit: confirm no engineer accesses CUI from a device not enrolled in MDM
- Document scoping justifications in your System Security Plan for every asset excluded from CUI scope
- Validate boundary enforcement through network configuration review and simulated lateral movement test before the C3PAO engagement
Contractors who treat CMMC scoping as a pre-assessment exercise leave money on the table. The scoping decision is an architectural decision, and it belongs in the design phase, before infrastructure is purchased and before engineers build habits around the wrong systems. A CUI enclave sized to operational need, with a defensible data flow diagram and clean asset category documentation, consistently produces assessments in the $30,000 to $50,000 range for mid-size contractors (operator estimates; actual costs vary by C3PAO and scope complexity). The same contractor with an undocumented boundary pays two to three times more and often requires re-assessment. Build the boundary first. The certification follows from the architecture, not the other way around.
Frequently Asked Questions
What is CMMC enclave architecture scoping and why does it reduce assessment cost?
CMMC enclave architecture scoping is the process of isolating all CUI processing to a defined network segment or environment and documenting which systems fall inside that boundary. Assessment cost correlates to in-scope asset count: C3PAOs charge for the time required to assess every in-scope system, user, and location. A smaller, well-documented enclave reduces in-scope assets and reduces assessment time accordingly. Contractors with documented enclaves of 20 to 30 systems routinely pay $35,000 to $50,000 for CMMC Level 2 assessments, while contractors with enterprise-wide scope pay $80,000 to $150,000 or more (operator estimates from current assessment market conditions).
Which CMMC asset categories are always in scope for a C3PAO assessment?
CUI Assets and Security Protection Assets are always in scope, but the extent of what the C3PAO validates against each category differs. CUI Assets are validated against all 110 NIST SP 800-171 Rev 2 practices. Security Protection Assets are assessed against the Level 2 security requirements relevant to the capabilities they provide, per 32 CFR §170.19(c)(2) and the DoD CIO CMMC Level 2 Scoping Guide (v2.13, Sept 2024). Contractor Risk Managed Assets are also in scope but assessed with documented risk acceptance rather than full NIST SP 800-171 validation. Specialized Assets are documented in the SSP and managed under contractor risk-based policies; they are not assessed against the NIST SP 800-171 practice set.
Can a cloud environment like AWS GovCloud or Azure Government reduce CMMC assessment scope?
A FedRAMP-authorized cloud environment like AWS GovCloud or Azure Government can serve as a CUI enclave. When all CUI processing moves to the cloud environment and on-premises systems have no connection to CUI, those on-premises systems become out-of-scope assets. The C3PAO assessment focuses on the cloud environment configuration, access controls, and monitoring. Contractors with no on-premises CUI infrastructure may achieve a significantly smaller assessment scope using this approach. Under DFARS 252.204-7012(b)(2)(ii)(D), the cloud environment must meet at minimum the FedRAMP Moderate baseline (or DoD-defined equivalency). Under the FedRAMP shared-responsibility model, the cloud provider’s authorization covers infrastructure-level controls; the contractor remains responsible for customer-responsibility controls in the shared-responsibility matrix. The contractor does not re-validate all 110 practices for controls the FedRAMP authorization already covers.
What is a CUI data flow diagram and what must it contain?
A CUI data flow diagram traces every path CUI takes through your environment from entry to egress. C3PAOs use it to verify your scoping documentation matches operational reality. A defensible diagram contains all CUI entry points, every system that processes or stores CUI, network boundary enforcement mechanisms, user roles with CUI access, CUI egress paths to government customers or subcontractors, and any cloud services processing CUI with their FedRAMP status noted. The diagram must be current before the assessment; C3PAOs cross-reference it against network configurations and user interviews.
Do managed enclave service providers reduce CMMC assessment scope for small contractors?
Managed enclave service providers reduce the contractor’s in-scope asset count significantly because the MSSP owns and operates the CUI infrastructure. The contractor’s users access CUI through the managed environment, but the physical servers, security tooling, and network infrastructure belong to the provider. The C3PAO assesses the managed environment, and the contractor’s assessment scope shrinks to the interface between their users and the managed platform. Small contractors without internal IT capacity often find managed enclave providers deliver a better cost and compliance outcome than building and maintaining their own CUI environment.
How do shared administrative accounts affect CMMC assessment scope?
Shared administrative accounts that authenticate to both CUI systems and corporate systems convert corporate systems into Security Protection Assets, pulling them into assessment scope. C3PAOs identify shared accounts through Active Directory review. Every corporate system those accounts access must then be assessed. The fix requires dedicated privileged accounts for CUI system administration with no access rights outside the CUI boundary. This satisfies both NIST SP 800-171 §3.1.5 (least privilege) and §3.1.6 (non-privileged accounts for nonsecurity functions), and it corrects the scoping defect simultaneously.
What happens if CUI appears on systems outside the documented enclave boundary during a C3PAO assessment?
When CUI appears on systems outside the documented boundary, the C3PAO expands scope to include those systems. This typically triggers a scope expansion discussion, an assessment pause, and potentially a rescheduled assessment once the contractor either remediates the out-of-scope CUI presence or formally expands the boundary and validates those systems against the applicable controls. Both outcomes increase cost and delay certification. Contractors who discover out-of-scope CUI during their pre-assessment scoping review can remediate before the C3PAO arrives, preventing this outcome.
How does CMMC enclave scoping affect the SPRS score calculation?
SPRS score calculations under the DoD Assessment Methodology evaluate NIST SP 800-171 practice implementation across all in-scope systems. Fewer in-scope systems means fewer total practice validations and fewer potential gaps in your score submission. A contractor with 22 in-scope systems validating all 110 practices has fewer total control instances than a contractor with 340 in-scope systems, and thus fewer opportunities for unimplemented controls to reduce the score. This effect applies to both self-assessments submitted to SPRS and third-party C3PAO assessments.