Specifications include, but are not limited to: PHASE 1 – SECURITY ARCHITECTURE/TECHNICAL GAP ANALYSIS Identify Scope of Analysis: Review Clemson University’s covered contractor information system and secure enclave technical security architecture in alignment with the DoD’s CMMC Assessment Scope – Level 2 Establish Future Ideal State: Advise to reduce scope of assets that, in turn, inform the specification of CMMC Level-2 assessment scope. Analyze Current State: Taking an engineering, security architecture, and technical architecture approach, analyze Clemson’s covered contractor information system and secure enclave in alignment with NIST SP 800-171 and specific to the requirements of the DoD’s CMMC Assessment Guide – Level 2 and CMMC Assessor Process. Compare Current State with Idealized State, Report Gaps and Recommendations to Address Gaps. Using the same engineering approach, recommend architectural design and configuration changes to bring Clemson’s current covered contractor information system and secure enclave in alignment with CMMC Level-2 requirements. Deliverables of this step include, but are not limited to: a) Security Architecture/Technology Gap Analysis Report detailing why the particular architecture was chosen with NIST-specific references. b) A concise description of the idealized future state Security Plan Architecture, suitable for inclusion in System Security Plan (SSP) c) A network/data flow diagram that represents the idealized future CMMC Assessment Scope for Clemson’s selected research covered contractor information system with inscope assessments, and data flow visualized. d) A chart/table, or other CMMC Assessment conforming document that represents Clemson’s idealized future-state in-scope assets aligned with the 5 CMMC asset categories (Controlled Unclassified Information (CUI) Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets e) A completed Asset Inventory f) A completed CUI role and permissions matrix
