How to Scope Your CMMC Assessment
If you are finding it a challenge to figure out the requirements of the updated Cybersecurity Maturity Model Certification (CMMC), you are not alone. CMMC 2.0 currently has two principal levels, Level 1 and Level 2. Let’s walk through how to scope your CMMC assessment in order to help your organization prepare for certification.
What is scoping and why should you do it?
Scoping the impact of CMMC on your company helps lay the foundation for a successful assessment and ultimately a successful certification. Knowing what needs to be completed at the outset helps limit the assessment, which in turn reduces its length and cost, and minimizes the impact of controls on your workforce.
Keep in mind that each asset must be accounted for whether it is in or out of scope, actually processes CUI, or is not intended to process CUI. Disagreements on the scope of an assessment can cause delays in obtaining certification. In fact, the first thing an assessor is going to do before even beginning the assessment is talk to you about how you defined and limited the scope, and what controls you have in place to protect the envelope of that scope.
Another reason for limiting the assessment scope is the long-term need to maintain your CMMC certification. Every 3 years you will be required to renew your CMMC certification, but in between certifications you may be required to undergo a delta assessment if you make significant changes to your CUI environment.
Scoping guidance for CMMC 2.0, Levels 1 and 2
CMMC Level 1 is for the protection of federal contract information (FCI). Specialized assets, including factory, IoT, and government furnished equipment (GFE), do not have to be included in your CMMC scope and neither do assets that do not process, store, or transmit FCI. All other assets are considered in scope and must be included in your CMMC L1 Self Assessment. Refer to CMMC L1 Scoping Guidance for more information.
CMMC Level 2 is for the protection of controlled unclassified information (CUI). The scoping guidance defines five categories of assets associated with a Level 2 assessment.
CUI Assets
As the label suggests, these are “assets that process, store, or transmit CUI”. CUI assets include all laptops and workstations of users that work with CUI, all servers that store CUI or run applications that process CUI, backup systems that store data from the aforementioned, network equipment that connects the above assets, and even cloud services associated with your CUI data set.
CMMC assessment status: CUI assets will be assessed against all 110 CMMC practices.
Security Protection Assets
These are “assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI”. Security protection assets include log management tools like a SIEM, vulnerability scanning tools, endpoint detection and response (EDR) tools, and identity and access management tools such as Active Directory.
For example, if your laptop’s anti-virus solution connects to a management console to receive updates, send alerts, and control settings, the server does not process, store, or transmit CUI; however, it implements several CMMC controls. In this case, it would be considered a Security Protection Asset and is required to meet all 110 CMMC controls.
CMMC assessment status: All 110 controls must be in place to protect these assets as well.
Contractor Risk Managed Assets
These are “assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. … (These) assets are not required to be physically or logically separated from CUI assets”.
These assets include all laptops and workstations that share a network with CUI assets but whose users do not work with CUI, all servers that share a network with CUI assets but do not store CUI or run applications that process CUI, and backup systems that store data from the above (if separate from CUI assets).
A good example is your email system. If you decide that you do not need to use email to transmit CUI, then take steps to prevent CUI from getting into your email system, such as:
- Establish a Policy not to transmit CUI via email
- Train your employees not to send CUI via email
- Provide your employees with an approved process to transmit CUI that does not require an email
- Inform your customers and partners not to send CUI via email (e.g., include a note in your company standard email signature)
- Establish a procedure to remove CUI if found in an email
With these or similar steps in place, your email system could be identified as a Contractor Risk Managed Asset and would not be required to meet all 110 CMMC controls.
Contractor risk managed assets must be documented in the system security plan (SSP), including contractor defined controls in place to protect those assets and prevent their use with CUI.
CMMC assessment status: Contractor risk managed assets are NOT assessed against the 110 CMMC practices, although spot checks may be necessary if questions about asset exposure to CUI are raised.
Specialized Assets
These are “assets that may or may not process, store, or transmit CUI”. They include: GFE, IoT devices, operational technology (OT), restricted information systems, and test equipment. They must be documented in the SSP, where you identify these items and categorize them as specialized assets.
Examples include your network connected factory equipment, a networked smart TV in the conference room, an office thermostat that is network enabled, or a laptop running a government furnished application that has unique configuration requirements.
CMMC assessment status: Specialized assets are not assessed against the 110 CMMC practices.
Out of Scope Assets
These are “assets that cannot process, store, or transmit CUI”. They include all assets that are physically separated from CUI assets (for example, in a separate building or facility), and all assets that are logically separated from CUI assets (via a firewall, flow-controlling VLANs, etc.).
CMMC assessment status: Out of scope assets are not assessed against CMMC practices.
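As an added illustration that is not part of the original article, the Python below models the five Level 2 asset categories and the SSP checks described above: it assigns each inventory entry a category, flags a contractor risk managed asset that has no documented controls, and counts how many assets are assessed against all 110 practices. The precedence order in `categorize`, the field names, and the inventory are all my own assumptions and constructed data, not anything from the scoping guidance itself.

```python
from dataclasses import dataclass, field
# Categories assessed against all 110 practices; CRMA, Specialized and Out of Scope are not.
ASSESSED_AGAINST_110 = {"CUI Asset", "Security Protection Asset"}
SPECIALIZED_TYPES = {"GFE", "IoT", "OT", "restricted information system", "test equipment"}
@dataclass
class Asset:
    name: str
    handles_cui: bool = False        # processes, stores, or transmits CUI
    security_function: bool = False  # SIEM, EDR, AD, scanner, AV console, ...
    specialized_type: str = ""       # one of SPECIALIZED_TYPES, or empty
    separated: bool = False          # physically or logically separated from CUI assets
    crma_controls: list = field(default_factory=list)  # SSP-documented controls

def categorize(a: Asset) -> str:
    """Assign a category; this precedence order is my assumption, not the guidance's."""
    if a.handles_cui:
        return "CUI Asset"
    if a.security_function:
        return "Security Protection Asset"
    if a.specialized_type in SPECIALIZED_TYPES:
        return "Specialized Asset"
    if a.separated:
        return "Out of Scope Asset"
    return "Contractor Risk Managed Asset"  # shares the network, could hold CUI, not intended to

def findings(a: Asset) -> list:
    """Scope-documentation gaps an assessor would raise before the assessment starts."""
    cat, out = categorize(a), []
    if cat == "Contractor Risk Managed Asset" and not a.crma_controls:
        out.append(f"{a.name}: CRMA has no SSP-documented controls preventing CUI use")
    if cat == "Specialized Asset" and not a.separated:
        out.append(f"{a.name}: specialized asset on the CUI network; a separate segment eases verification")
    return out

def scope_summary(assets: list) -> dict:
    by_cat = {}
    for a in assets:
        by_cat.setdefault(categorize(a), []).append(a.name)
    assessed = sum(len(v) for c, v in by_cat.items() if c in ASSESSED_AGAINST_110)
    return {"by_category": by_cat, "assessed": assessed}
# Constructed inventory mirroring the article's examples (not real systems).
INVENTORY = [
    Asset("eng-laptop-01", handles_cui=True),
    Asset("siem-01", security_function=True),
    Asset("mail-01", crma_controls=["no-CUI-by-email policy", "training", "signature notice"]),
    Asset("hr-fileserver"),  # CRMA, but nothing documented yet
    Asset("conf-room-tv", specialized_type="IoT"),
    Asset("commercial-ws-07", separated=True),
]
```

Running `scope_summary(INVENTORY)` shows only two of the six assets facing the full 110 practices, which is the cost reduction the scoping exercise is meant to deliver.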
Steps to Consider
As you move toward your assessment, it might make sense to take these actions.
- Separate business units that do not need access to CUI. If you have different business units, one that deals with DoD contracts and another that deals with commercial contracts, separate those businesses and the resources they use so employees working for the commercial business unit do not have physical or logical access to CUI assets. If you take that step, individuals without access to CUI do not have to follow all of the controls for a CMMC assessment.
- Separate functional departments that do not need access to CUI. Perhaps your finance and HR departments don’t generally access your engineering content. If this is the case, even if they share common resources like a timekeeping application, you can separate those functions and the resources they have access to so that they don’t have access to CUI. These departments can then fall outside the scope of your assessment.
- Place specialized assets on separate network segment(s). Even though specialized assets like your IoT devices, factory equipment, or QA lab testing equipment are outside the scope of an assessment, keeping them on a separate network makes it easier for the assessor to identify that separation and verify that those assets are indeed out of scope. Note that anything you can do to make things easier for your assessor will boost your probability of success.
- Implement an enclave to separate the CUI work flows from the rest of the organization. Every business is different. If the number of people who actually work with CUI on a regular basis is relatively limited, but they have a lot of contact with other individuals, you could put that small segment of the work product into an enclave either on your own network or in the cloud. By wrapping an envelope around that information and those workflows, you reduce the impact on the rest of your organization while still protecting the CUI.
If you have any questions about what is in scope or out of scope for your CMMC assessment, give us a call. We are experts in cybersecurity, understand the new mandates, and are here to help your organization succeed. Join us at CMMC CON 2022 to hear CyberSheath SMEs speak on the topic of preparing for your CMMC assessment with a focus on scoping.