If you are finding it a challenge to figure out the requirements of the updated Cybersecurity Maturity Model Certification (CMMC), you are not alone. CMMC 2.0 currently has two principal levels, Level 1 and Level 2. Let’s walk through how to scope your CMMC assessment in order to help your organization prepare for certification.
What is scoping and why should you do it?
Scoping the impact of CMMC on your company helps lay the foundation for a successful assessment and ultimately a successful certification. Knowing what needs to be completed at the outset helps limit the assessment, which in turn reduces its length and cost, and minimizes the impact of controls on your workforce.
Keep in mind that each asset must be accounted for whether it is in or out of scope, actually processes CUI, or is not intended to process CUI. Disagreements on the scope of an assessment can cause delays in obtaining certification. In fact, the first thing an assessor is going to do before even beginning the assessment is talk to you about how you defined and limited the scope, and what controls you have in place to protect the envelope of that scope.
Another reason for limiting the assessment scope is the long-term need to maintain your CMMC certification. Every 3 years you will be required to renew your CMMC certification, but in between certifications you may be required to undergo a delta assessment if you make significant changes to your CUI environment.
Scoping guidance for CMMC 2.0, Levels 1 and 2
CMMC Level 1 is for the protection of federal contract information (FCI). Specialized assets, including factory equipment, IoT devices, and government furnished equipment (GFE), do not have to be included in your CMMC scope, and neither do assets that do not process, store, or transmit FCI. All other assets are considered in scope and must be included in your CMMC Level 1 self-assessment. Refer to the CMMC Level 1 Scoping Guidance for more information.
CMMC Level 2 is for the protection of controlled unclassified information (CUI). The scoping guidance defines five categories of assets associated with a Level 2 assessment.
CUI Assets
As the label suggests, these are “assets that process, store, or transmit CUI”. CUI assets include all laptops and workstations of users that work with CUI, all servers that store CUI or run applications that process CUI, backup systems that store data from the aforementioned, network equipment that connects the above assets, and even cloud services associated with your CUI data set.
CMMC assessment status: CUI assets will be assessed against all 110 CMMC practices.
Security Protection Assets
These are “assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI”. Security protection assets include log management tools like a SIEM, vulnerability scanning tools, endpoint detection and response (EDR) tools, and identity and access management tools such as Active Directory.
For example, suppose your laptop’s anti-virus solution connects to a management console to receive updates, send alerts, and control settings. The console server does not process, store, or transmit CUI; however, it implements several CMMC controls. In this case, it would be considered a Security Protection Asset and is required to meet all 110 CMMC controls.
CMMC assessment status: All 110 controls must be in place to protect these assets as well.
Contractor Risk Managed Assets
These are “assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. … (These) assets are not required to be physically or logically separated from CUI assets”.
These assets include all laptops and workstations that share a network with CUI assets but whose users do not work with CUI, all servers that share a network with CUI assets but do not store CUI or run applications that process CUI, and backup systems that store data from the above (if separate from CUI assets).
A good example is your email system. If you decide that you do not need to use email to transmit CUI, then take steps to prevent CUI from getting into your email system, such as:
- Establish a Policy not to transmit CUI via email
- Train your employees not to send CUI via email
- Provide your employees with an approved process to transmit CUI that does not require an email
- Inform your customers and partners not to send CUI via email (e.g., include a note in your company standard email signature)
- Establish a procedure to remove CUI if found in an email
With these or similar steps in place, your email system could be identified as a Contractor Risk Managed Asset and would not be required to meet all 110 CMMC controls.
Contractor risk managed assets must be documented in the system security plan (SSP), including contractor defined controls in place to protect those assets and prevent their use with CUI.
CMMC assessment status: Contractor risk managed assets are NOT assessed against the 110 CMMC practices, although spot checks may be necessary if questions about asset exposure to CUI are raised.
Specialized Assets
These are “assets that may or may not process, store, or transmit CUI”. They include: GFE, IoT devices, operational technology (OT), restricted information systems, and test equipment. They must be documented in the SSP, where you identify these items and categorize them as specialized assets.
Examples include your network connected factory equipment, a networked smart TV in the conference room, an office thermostat that is network enabled, or a laptop running a government furnished application that has unique configuration requirements.
CMMC assessment status: Specialized assets are not assessed against the 110 CMMC practices.
Out of Scope Assets
These are “assets that cannot process, store, or transmit CUI”. They include all assets that are physically separated from CUI assets (for example, in a separate building or facility), and all assets that are logically separated from CUI assets (via a firewall, flow-controlling VLANs, etc.).
CMMC assessment status: Out of scope assets are not assessed against CMMC practices.
Steps to Consider
As you move toward your assessment, it might make sense to take these actions.
- Separate business units that do not need access to CUI. If you have different business units, one that deals with DoD contracts and another that deals with commercial contracts, separate those businesses and the resources they use so employees working for the commercial business unit do not have physical or logical access to CUI assets. If you take that step, individuals without access to CUI do not have to follow all of the controls for a CMMC assessment.
- Separate functional departments that do not need access to CUI. Perhaps your finance and HR departments don’t generally access your engineering content. If this is the case, even if they have common resources like a timekeeping application, you can separate those functions and the resources they have access to so that they don’t have access to CUI. Those departments can then fall outside the scope of your assessment.
- Place specialized assets on separate network segment(s). Even though specialized assets like your IoT devices, factory equipment, or QA lab testing equipment are outside the scope of an assessment, keeping them on a separate network makes it easier for the assessor to identify that separation and verify that those assets are indeed out of scope. Note that anything you can do to make things easier for your assessor will boost your probability of success.
- Implement an enclave to separate the CUI workflows from the rest of the organization. Every business is different. If the number of people who actually work with CUI on a regular basis is relatively limited, but they have a lot of contact with other individuals, you could put that small segment of the work product into an enclave either on your own network or in the cloud. By wrapping an envelope around that information and those workflows, you reduce the impact on the rest of your organization while still protecting the CUI.
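To make the five Level 2 categories and the separation steps above concrete, here is an added example (not CyberSheath’s tool or code from the original post) that applies the category rules to a constructed asset inventory and reports which assets face all 110 practices. The asset attributes, names, and the rule order are assumptions; the one edge case it handles is an asset that shares the CUI network and could hold CUI but has no documented controls, which cannot honestly be called a Contractor Risk Managed Asset.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Category(str, Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out of Scope Asset"


# Asset types the scoping guidance lists as specialized (GFE, IoT, OT, restricted IS, test equipment).
SPECIALIZED_TYPES = {"gfe", "iot", "ot", "restricted_is", "test_equipment"}


@dataclass
class Asset:
    name: str
    asset_type: str                   # "workstation", "server", "iot", "gfe", ...
    handles_cui: bool                 # processes, stores or transmits CUI today
    can_handle_cui: bool              # technically able to, if policy did not prevent it
    security_function: bool = False   # SIEM, EDR, AV console, Active Directory, scanner
    separated_from_cui: bool = False  # physical or logical (firewall / VLAN) separation
    cui_prevention_controls: Tuple[str, ...] = ()  # contractor-defined controls (CRMA)


@dataclass
class Decision:
    category: Category
    assessed_against_110: bool
    notes: List[str] = field(default_factory=list)


def categorize(a: Asset) -> Decision:
    """Assign one of the five Level 2 categories, checking them in assessor order."""
    if a.security_function:
        # Assessed in full even when it never touches CUI (the AV console case above).
        return Decision(Category.SPA, True)
    if a.asset_type in SPECIALIZED_TYPES:
        return Decision(Category.SPECIALIZED, False, ["document as specialized asset in SSP"])
    if a.handles_cui:
        return Decision(Category.CUI, True)
    if a.separated_from_cui or not a.can_handle_cui:
        return Decision(Category.OUT_OF_SCOPE, False, ["record the separation mechanism"])
    # Shares the network and could handle CUI: a CRMA only if controls keep CUI off it.
    if a.cui_prevention_controls:
        return Decision(Category.CRMA, False, ["document in SSP: " + "; ".join(a.cui_prevention_controls)])
    return Decision(Category.CUI, True, ["no controls prevent CUI use; treat as CUI asset or add CRMA controls"])


def scope_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return which assets face the full 110 practices and which need follow-up."""
    result: Dict[str, List[str]] = {"assessed": [], "not_assessed": [], "follow_up": []}
    for a in assets:
        d = categorize(a)
        bucket = result["assessed"] if d.assessed_against_110 else result["not_assessed"]
        bucket.append(f"{a.name} [{d.category.value}]")
        if d.category is Category.CUI and not a.handles_cui:
            result["follow_up"].append(f"{a.name}: {d.notes[0]}")
    return result


# Constructed sample inventory (hypothetical names, not from the original post).
INVENTORY = [
    Asset("eng-ws-01", "workstation", handles_cui=True, can_handle_cui=True),
    Asset("siem-01", "server", handles_cui=False, can_handle_cui=False, security_function=True),
    Asset("mail-01", "server", handles_cui=False, can_handle_cui=True,
          cui_prevention_controls=("policy: no CUI by email", "user training", "CUI removal procedure")),
    Asset("lobby-tv", "iot", handles_cui=False, can_handle_cui=False),
    Asset("hr-ws-07", "workstation", handles_cui=False, can_handle_cui=True, separated_from_cui=True),
    Asset("fin-srv-02", "server", handles_cui=False, can_handle_cui=True),
]

if __name__ == "__main__":
    for key, items in scope_inventory(INVENTORY).items():
        print(key, items)
```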
If you have any questions about what is in scope or out of scope for your CMMC assessment, give us a call. We are experts in cybersecurity, understand the new mandates, and are here to help your organization succeed. Join us at CMMC CON 2022 to hear CyberSheath SMEs speak on the topic of preparing for your CMMC assessment with a focus on scoping.
With all the acronym-labeled requirements and definitions related to doing business with the federal government, it can seem like you are swimming in an alphabet soup. In addition to the consumer off-the-shelf (COTS) designation, which determines the presence of controlled unclassified information (CUI), there is another program to be aware of: ITAR.
International traffic and arms regulations (ITAR) is a signed acknowledgement companies make with the government during contract onboarding. ITAR is required if the government determines that your piece part or widget is going to be included in a weapon system designed, developed, or manufactured by the DoD.
As part of fulfilling the DoD contract, your company agrees to have your product reviewed by the government when you sell it to international companies. This applies to COTS products, like microprocessors or GPS receivers, because if these components are being put into a weapon system, the DoD wants to bind this technology to America. Also, if you are knowingly selling this same component to companies that are including it in weapons, you must acknowledge that to the government so that it can be trafficked.
As a current example, right now the drones that are being shot down by Russia have a lot of American chips in them. The FBI just launched an investigation against the companies that provide these chips to understand how those chips made it into the drones. These microprocessing companies were surely bound by ITAR and they should have had more control over their chips. As a result, the government can actually come back and claim restitution.
Why it is important to know if you have ITAR
Often if you’re bound by the government’s laws on international trade in arms or controlled technologies, your products are not available commercially off the shelf. The ITAR program means that there’s not a reselling marketplace without your knowledge, control, and authorization. Consequently, ITAR can be seen as the opposite of COTS.
ITAR itself binds your company to operating in a Federal Risk and Authorization Management Program (FedRAMP) High infrastructure, which requires more stringent cybersecurity controls than DFARS. Talking about COTS and CUI is actually a red herring when it comes to ITAR, because ITAR bypasses all the DFARS requirements.
If you have any questions where your company and its wares fall in terms of ITAR, COTS, and CUI, get in touch with the experts at CyberSheath. We can help determine your current designation and strategize how to move forward with implementing the required security controls.
When you’re looking to protect Controlled Unclassified Information (CUI), enclaves have several benefits. But how do you actually get started and what should you consider to ensure you’re successful?
Where to establish the enclave boundary
You need a strategy to isolate CUI and Federal Contract Information (FCI), training for users on the enclave, and ongoing monitoring for compliance with organizational policy. Remember that adopting an enclave might mean a duplicate system to isolate CUI and FCI from your other business.
This may incur indirect costs and cause user inconvenience, so consider carefully where to establish the system boundary for Cybersecurity Maturity Model Certification (CMMC) certification.
Practices vs controls
CMMC’s framework doesn’t specify how a security practice should be applied and most of the required practices allow for multiple avenues of successful implementation. There is, however, a requirement for controls within NIST 800-171 and NIST 800-53. This subtlety is another factor you need to consider when your security professionals embark on the CMMC journey.
Educate them around the nuances of practices vs. controls and be sure your external security assessors have completed CMMC training.
CyberSheath’s Federal Enclave accounts for the multiple approaches to compliance and is able to adjust to the different levels of CMMC 2.0, which will likely soon be required of contractors outside the Department of Defense (DoD).
CyberSheath has helped more than 500 clients discover their compliance starting point and roadmap. We’re holding a webinar on Feb. 23 that covers these considerations in greater depth and how Federal Enclave helps you ensure compliance. Register now!
For the past several years, contractors with the Department of Defense (DoD) have had to meet a custodial requirement in contracts as it relates to security. Soon, this will likely be required outside the defense industrial base (DIB) and apply to all federal contractors.
If you’re like many contractors, you’re wondering how best to safeguard Controlled Unclassified Information (CUI). While there are many ways to meet the rules and regulations, not all of them are feasible or efficient and many of them are expensive.
The key is to limit the scope of your CUI protections. That can be difficult because CUI isn’t always neatly organized in one place. Often it sits in many departments like legal, contracts, accounting, sales, professional services, and engineering. CUI can be on employees’ computers, in their email accounts, on their mobile devices, and on shared network folders.
Contractors tend to take one of three strategies to corral CUI and limit disrupting their larger business:
- Limit by contract or product: You serve the government with specific business segments, so you define your environment based on products and services.
- Limit by geography: A global enterprise only does business with the government through U.S. entities, so it might define limits by geography so the rest of its global sites are undisturbed.
- Limit by technology: Limiting by contract or geography ignores the shared technology resources used across the entire company. An enclave achieves compliance by segmenting CUI from other systems.
An enclave solution, or isolating the CUI within an organization, is a scalable, efficient, and cost-effective approach to the custodial responsibility of security. The National Institute of Standards and Technology (NIST) endorsed this approach with Special Publication 800-171:
“Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.”
While an enclave may require a duplicate system for business processes like email or security tools, creating a large compliance system that spans across a whole product segment or even an entire enterprise and goes far beyond just the CUI is significantly more expensive and time consuming.
CyberSheath is helping clients take the best step forward with its new Federal Enclave, which simplifies adherence to difficult cybersecurity business requirements. Register for CyberSheath’s webinar to learn more about the value of enclaves and how Federal Enclave can help.
Determining what types of information your organization possesses is one of the first steps you need to take when starting efforts to enact cybersecurity controls. This classification of information dictates how the data must be controlled and protected.
Here are the different categories of information.
FCI – Federal Contract Information
As defined by 48 CFR 52.204-21, this is, “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as public websites) or simple transactional information, such as necessary to process payments.”
National Archives and Records Administration (NARA) specifies, “Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.”
It is important to note that FCI (CMMC Level 1) is the minimum if you have a Federal contract.
CUI – Controlled Unclassified Information
According to 42 CFR 2002.4, CUI is, “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
“CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
Additional Safeguards / Classifications:
- CUI Basic: Requiring or permitting agencies to control or protect the information but providing no specific controls.
- CUI Specified: Requiring or permitting agencies to control or protect the information and providing specific controls for doing so.
- CUI Specified, with basic controls where not specified by authority: Requiring or permitting agencies to control the information and specifying only some needed controls.
NARA states that, “NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).”
CUI categories for the defense industrial base (DIB)
Refer to this chart to see how to classify your CUI.
| Banner Marking | CUI Category | Organization Grouping |
|---|---|---|
| CUI//SP-CTI | Controlled Technical Information | Defense |
| CUI//SP-CEII | Critical Energy Infrastructure Information | Critical Infrastructure |
| CUI//SP-EXPT | Export Controlled | Export Control |
| CUI//SP-FISA(B) | Foreign Intelligence Surveillance Act (Business Records) | Intelligence |
| CUI//SP-PROCURE | General Procurement & Acquisition | Procurement & Acquisition |
| CUI//SP-PROPIN | General Proprietary Business Information | Proprietary Business Information |
| CUI//SP-NNPI | Naval Nuclear Propulsion Information | Defense |
| CUI//SP-SRI | Nuclear Security Related Information | Nuclear |
| CUI//SP-MFC | Proprietary Manufacturer | Proprietary Business Information |
| CUI//SP-PCII | Protected Critical Infrastructure Information | Critical Infrastructure |
| CUI//SP-DCNI | Unclassified Controlled Nuclear Information – Defense | Defense |
| CUI//SP-UCNI | Unclassified Controlled Nuclear Information – Energy | Nuclear |
While this blog can get you started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your FCI and CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.
Since CMMC 2.0 was announced last month, there has been a lot of supposition around what it means. Our approach is to only examine information regarding CMMC 2.0 that has come from official government bodies or authorized government bodies, like the CMMC accreditation body and the Department of Defense.
The framework remains largely unchanged
Our analysis is that CMMC 1.0 and the proposed 2.0 revision are both grounded in Defense Federal Acquisition Regulation Supplement: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS Clause 252.204-7012), which requires the implementation of NIST Special Publication 800-171 (NIST SP 800-171). DFARS Clause 7012 was first published eight years ago and NIST 800-171 came in 2016, so they have both been around for a while.
It’s also important to note that CMMC 2.0 as proposed has not yet completed the federal rulemaking process. All articles and information as of this writing are not representative of any final ruling. All the more reason to ground your efforts in what is both final and actually required: DFARS Clause 252.204-7012 and NIST 800-171.
In this series of blogs, we will be highlighting some of the changes as outlined in the proposed CMMC 2.0. For a more in-depth walk-through, save your virtual seat at our upcoming webinar, CMMC 2.0: What it Means for Your Business. Register Now
Impacts of proposed changes
Below is a rundown of the changes that CMMC 2.0 looks to bring as outlined thus far, and the corresponding effect on companies looking to continue to engage with the DoD in a commercial capacity.
| Proposed changes in CMMC 2.0 | Impact |
|---|---|
| L2 and L4 are projected to be eliminated. | Generally speaking, most companies were aligning to CMMC 1.0 level three, so this repercussion is minimal with no material impact to the defense industrial base. |
| The naming nomenclature has changed. | The new L1 and L2 are the old L1 and L3. Stated another way, the old L3 is now L2. |
| The 20 maturity requirements and controls from CMMC 1.0, L3 have been eliminated. | Simply stated, companies should adhere to NIST 800-171. The 110 requirements of NIST 800-171 have been required for the past six years; focus there. That’s plenty for most organizations to get their hands around. |
Attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.
As the cybersecurity landscape continues to evolve and threats continue to infiltrate the IT infrastructure of companies across the globe, it is more important than ever to ensure that your company and your data are protected, especially when doing business with the Department of Defense (DoD). One mechanism in place to help accomplish this herculean task is 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.
About DFARS 252.204-7012, Clause M
The DoD is requiring compliance with this mandate to help secure the supply chain of the defense industrial base (DIB). With countless contractors and subcontractors engaging with the DoD, it can be a challenge to make sure all the companies take cybersecurity seriously.
Consider all of the different layers within the supply chain. What gets overlooked sometimes is the requirements on how each supplier needs to protect controlled unclassified information (CUI). The DFARS 7012 clause states that for every subcontract, a contractor has to flow down the original information handling requirements to the companies that they are subcontracting with.
Why is it necessary?
Foreign adversaries are starting to detect and piece together information. Individually, discrete pieces of unclassified data might seem inconsequential, but when aggregated the information could yield intel on classified hardware.
This clause helps ameliorate the overall impact of information loss. By ensuring that your subcontractors guard against data breaches, you are protecting your sub, your own company, and the DoD. If a breach occurs, this clause requires that not only are you notified, but you also flow that information upstream, back to the DIB Cybersecurity Assessment Center (CAC), helping secure all points of the data flow.
What you need to do
As a contractor or subcontractor, you are required to include this clause in subcontracts or similar contractual agreements. The full text is available here.
As a prime contractor
- Add the above clause in the contract with your subcontractor. Make sure to include all the verbiage within the contract, which states what the subcontractor is required to do.
- Keep your subcontractors informed and accountable. Your subcontractors are potentially putting you at additional risk with how they handle the information you are flowing down to them. Any of your subcontractors hiring additional contractors below them also need to include this clause in their contracts.
As a subcontractor
- Make sure you safeguard the covered defense information by maintaining adequate security to protect any CUI that flows to your organization. You are held to the requirements in NIST Special Publication 800-171A, which details protections for CUI in non-federal information systems.
- Report incidents or data breaches. Subcontractors are required to notify the prime contractor when submitting a request to vary from the security rules, and to provide the prime with the incident report number automatically assigned by the DoD when a cyber incident has been identified.
Some contractors and subcontractors who are not doing this are putting themselves at increased risk of penalties from the government. Further incentivizing compliance is the escalating severity of the consequences of non-compliance, ranging from jail time to loss of future contracts, resulting in a hit to your company’s bottom line.
If you have any questions about clause M and how to secure your CUI, you can rely on the experts at CyberSheath to help. Contact us today to get started.