According to the CMMC Assessment Process (CAP), specifically in the context of scoping and organizational structure, the term Host Unit is used to define the specific entity within an Organization Seeking Certification (OSC) that is the primary subject of the assessment.
Definition of Host Unit: Within the CAP, the Host Unit represents the specific people, processes, and technology that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the contract in scope. It is the "anchor" for the assessment boundary.
Context in High-Level Scoping: During the initial phases of an assessment, a C3PAO must distinguish between the entire corporation (the OSC) and the specific parts of that corporation that are actually performing the DoD work. The Host Unit is that functional or logical division that will be evaluated against the CMMC practices.
Relationship to other units:
Supporting Organization/Units (Option D): These are entities that provide services to the Host Unit (such as an enterprise IT department or a separate HR branch) but are not the primary "Host" of the CUI/FCI. They are in-scope because they provide "Security Protection" or "Administrative" functions to the Host Unit.
Coordinating Unit (Option C): This term is often used in broader organizational contexts but is not a defined scoping term for the "people, processes, and technology" being assessed under the CMMC CAP.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Glossary and Section 1 (Plan and Prepare Assessment), which defines the relationship between the OSC, the Host Unit, and Supporting Units.
CMMC Level 2 Scoping Guidance: Provides the framework for identifying the "assets" (people, technology, facilities) that reside within the Host Unit boundary.
CCP Study Guide: Section on "Scoping the Assessment," which explains how to identify the Host Unit versus External Service Providers (ESPs).
