The Department of Defense (DoD) has recently released new CMMC 2.0 assessment scoping guides. The long-awaited CMMC 2.0 Level 1 and Level 2 scoping guides provide insight into how a CMMC Third-Party Assessment Organization (C3PAO) will scope an assessment and how businesses can scope their own environments ahead of it. These scoping guides are essential input to the CMMC assessment and to the boundary diagrams developed as part of your business’s System Security Plan (SSP).
While the industry is still waiting for a Level 3 scoping guide, let’s deep dive into some key areas for properly scoping CMMC assessments.
Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) Flow
The key theme throughout both scoping guides is to trace and track the flow of information to understand which assets (identities, technologies, facilities, and external service providers, or ESPs) are part of the potential CMMC assessment scope. Security controls apply to the assets that process, transmit, or store regulated data, so following the sensitive information (CUI and FCI) shows an organization which asset categories and types it actually has. One of the first questions a C3PAO assessor is likely to ask is, “Do you know where your CUI resides today and how it flows through your organization?” If you cannot answer this question with a high level of assurance, then the asset mapping and scoping of your boundary will not be possible.
Assets should be classified and labeled based on the type of data the asset processes, stores, or transmits and categorized as either FCI or CUI, or both. For CMMC Level 1 (L1) Self-Assessments, only assets classified as FCI are considered in-scope. The rest will either be labeled out-of-scope or specialized assets (e.g., Govt. Property, IoT, Operational Technology, Restricted Information Systems, or Test Equipment). Specialized assets are not part of an L1 self-assessment.
CMMC Level 2 (L2) Assessments are required for organizations that transmit, store, or process CUI. These organizations may also process FCI alongside CUI. If the FCI and CUI environments are separate, two assessments would be required: an L1 for the FCI environment and an L2 for the CUI environment. If the environments are not independent, a single L2 CMMC assessment would be necessary for both.
For organizations with semi-complex environments and tight budgets, a good understanding of what is not in scope is just as important as what is in scope. This understanding supports technology planning for organizations that may wish to separate assets and environments to reduce the number of assets that fall into the in-scope categories of their L2 CMMC assessments.
The following are the asset categories detailed in the L2 guide (Table 1):
- Controlled Unclassified Information (CUI) Assets
- Security Protection Assets
- Contractor Risk Managed Assets
- Specialized Assets
- Out of Scope Assets (not part of an L2 assessment)
Further clarification for each category, with examples, is provided within the L2 guide.
Defining the scope of C3PAO Audit Assessment
One of the primary reasons for having a detailed understanding of your assessment boundary is to prepare for and pass your CMMC assessment by demonstrating appropriate protection of FCI and CUI. Your organization should adopt a flexible asset management system that ties each asset to the controls required for the type of assessment that will be performed, either an L1 or an L2.
An organization can use various separation techniques (physical and logical) to isolate assets that process, transmit, or store CUI from those that do not. These techniques are incredibly beneficial for keeping out-of-scope assets apart from in-scope assets. Why is this important? Because many systems are naturally interconnected and can end up in the CUI data flow without anyone intending it, which creates assessment problems.
Email systems are a great example. Email reaches every employee and provides the capability to transmit CUI. In this example, an organization may choose to physically separate the email system from its in-scope boundary and train employees on the sanctioned transmission systems and processes for CUI. The separation only holds if the CUI flow through email genuinely stops; a documented policy that users ignore leaves email in the CUI data flow and therefore in scope.
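As an added example (not code from the scoping guides or from Ignyte), the following Python models the flow-tracing approach from the scoping section above together with the email separation just described. It takes a constructed asset inventory and a list of labelled data flows, walks the flows to find which assets CUI and FCI actually reach, maps each asset onto the Level 2 Table 1 categories using simplified decision rules, and checks whether the FCI and CUI environments are independent enough for separate L1 and L2 assessments. All asset names and flows are invented; the `policy_restricted` and `protects` attributes and the FCI-only label in the L2 pass are modelling assumptions, not terms from the guide.

```python
"""Derive CMMC scope by tracing FCI and CUI flows through an asset inventory.

Added illustration, not code from the scoping guides or from Ignyte. The
inventory, flows and asset attributes are constructed; the category names
follow Table 1 of the Level 2 guide, but the decision rules are simplified.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    stores: set = field(default_factory=set)    # regulated data held at rest
    specialized: bool = False                   # govt property, IoT, OT, test gear
    protects: set = field(default_factory=set)  # assets it secures (SIEM, IdP, ...)
    policy_restricted: bool = False             # could handle CUI, but policy forbids it


def trace_exposure(assets, flows):
    """Return {asset: {data types}} by walking flows out from the assets that store each type.

    Capability is irrelevant here: an asset is exposed to CUI only if it stores
    CUI or a flow labelled CUI actually reaches it.
    """
    adjacency = defaultdict(list)
    for src, dst, data_type in flows:
        adjacency[(src, data_type)].append(dst)
    exposure = defaultdict(set)
    for data_type in ("FCI", "CUI"):
        queue = deque(n for n, a in assets.items() if data_type in a.stores)
        seen = set(queue)
        while queue:
            current = queue.popleft()
            exposure[current].add(data_type)
            for nxt in adjacency[(current, data_type)]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return exposure


def categorize(assets, flows, level):
    """Assign each asset a scoping category for an L1 (level=1) or L2 (level=2) assessment."""
    exposure = trace_exposure(assets, flows)
    # Endpoints of any flow that touches a CUI asset (used for the CRMA test below)
    near_cui = {x for s, d, _ in flows for x in (s, d)
                if "CUI" in exposure[s] or "CUI" in exposure[d]}
    out = {}
    for name, a in assets.items():
        if a.specialized:
            out[name] = "Specialized Asset" + (" (not part of L1)" if level == 1 else "")
        elif level == 1:  # an L1 self-assessment only looks at FCI
            out[name] = "FCI Asset" if "FCI" in exposure[name] else "Out of Scope Asset"
        elif "CUI" in exposure[name]:
            out[name] = "CUI Asset"
        elif any("CUI" in exposure[p] for p in a.protects):
            out[name] = "Security Protection Asset"
        elif a.policy_restricted and name in near_cui:
            out[name] = "Contractor Risk Managed Asset"
        elif "FCI" in exposure[name]:
            out[name] = "FCI Asset"  # not a Table 1 category; see assessments_needed()
        else:
            out[name] = "Out of Scope Asset"
    return out


def assessments_needed(assets, flows):
    """Separate FCI and CUI environments need an L1 and an L2; a shared one needs L2 only."""
    exposure = trace_exposure(assets, flows)
    has_cui = {n for n in assets if "CUI" in exposure[n]}
    fci_only = {n for n in assets if "FCI" in exposure[n] and n not in has_cui}
    if not has_cui:
        return ("L1",)
    # Any flow at all between the two environments means they are not independent.
    linked = any({s, d} & fci_only and {s, d} & has_cui for s, d, _ in flows)
    return ("L2",) if linked else ("L1", "L2")


# Constructed sample environment; every name and flow below is invented.
INVENTORY = {
    "file-server": Asset("file-server", stores={"CUI", "FCI"}),
    "erp": Asset("erp", stores={"FCI"}),
    "engineer-ws": Asset("engineer-ws"),
    "email": Asset("email"),
    "siem": Asset("siem", protects={"file-server", "engineer-ws"}),
    "hr-portal": Asset("hr-portal"),
    "cnc-machine": Asset("cnc-machine", specialized=True),
    "print-server": Asset("print-server", policy_restricted=True),
}
# (source, destination, data type carried); "none" means no regulated data.
FLOWS_BEFORE = [
    ("file-server", "engineer-ws", "CUI"),
    ("engineer-ws", "email", "CUI"),  # engineers e-mail CUI drawings
    ("engineer-ws", "cnc-machine", "CUI"),
    ("engineer-ws", "print-server", "none"),
    ("erp", "email", "FCI"),
    ("erp", "hr-portal", "none"),
]
# The email separation from the text: drop email from the CUI path (the
# sanctioned transfer system that replaces it is not modelled) and re-scope.
FLOWS_AFTER = [f for f in FLOWS_BEFORE if f != ("engineer-ws", "email", "CUI")]

if __name__ == "__main__":
    for label, flows in (("before", FLOWS_BEFORE), ("after", FLOWS_AFTER)):
        print(f"--- {label} separating email: {assessments_needed(INVENTORY, flows)}")
        for asset, category in sorted(categorize(INVENTORY, flows, 2).items()):
            print(f"  {asset:13} {category}")
```

Run it and compare the two passes. Before separation, email is a CUI asset and the FCI-only ERP system is linked to the CUI environment through it, so one L2 assessment has to cover everything. After the CUI e-mail flow is removed, email drops back to an FCI-only asset and the FCI environment can be assessed on its own at L1, while the SIEM stays in as a Security Protection Asset and the print server, which policy keeps away from CUI, lands in the Contractor Risk Managed category. The output is only as trustworthy as the flow list, which is exactly why the assessor's first question is about where CUI goes.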
Captured below are some key separation techniques that can be used to design an effective in-scope boundary:
Logical separation techniques for CUI and CMMC 2.0 Scoping:
- Firewalls are the primary method of segmenting and isolating an organization’s boundary. Expect the assessor to ask for the rule set: the boundary is only as real as the default-deny rules that enforce it, and every flow permitted into or out of the CUI enclave should be one you can justify and trace back to your data flow diagram.
- Virtual local area networks (VLANs) use switch configuration to restrict traffic to a specified logical path and create isolation within a physical network. A VLAN by itself only separates broadcast domains; the isolation counts for scoping once inter-VLAN routing is blocked or filtered by the firewall or router ACLs, so document those rules alongside the VLAN design.
Physical separation techniques for CUI and CMMC 2.0 Scoping:
- Separate rooms and cages with proper locking mechanisms are standard methods for creating isolated environments (e.g., keeping CUI environments apart from non-CUI environments).
- Badging systems provide an entry point into your physically separated rooms and create audit records for access into your controlled CUI environment.
- Guards and Camera Systems offer a higher level of assurance, especially if you are co-locating your assets inside a managed data center.
- Geographically separated data centers are common for many organizations for the resiliency of their systems and applications. As a result, CMMC controls may need to be in place at both data centers adding complexity, time, and cost for an organization’s in-scope boundary and subsequent assessments.
Administrative & Human Behavior Separation Techniques
Security professionals understand that an organization can implement the best technology and the best physical and logical separations, yet a single human error can still compromise the entire environment. CUI protection is no different. Regardless of how you design your boundary, the importance of the human side of security cannot be overstated or underappreciated.
Below are some basic techniques that security leaders should look to apply within their respective organizations:
- Contract reviews by procurement, legal, and IT to understand and correctly interpret what (e.g., data and assets) must be protected.
- Implement training based on contract types to help develop an understanding of the importance of specific types of controlled information, such as CUI or ITAR data.
- Training on email covering attachments that contain FCI or CUI and the proper labeling of those emails.
Get Your CMMC 2.0 Scoping guidance from a Digital C3PAO
When deciding on a C3PAO or CMMC consultant to help your organization, be wary of emails and advertisements promising to get you CMMC compliant and certified quickly. A little research ahead of time can save your organization time and money later and help you select a certified organization to properly scope your environment and prepare for your assessment.
At Ignyte, we understand your organization’s challenge in selecting a C3PAO. We recommend that you use the CMMC-AB marketplace to cut through the market confusion and identify a C3PAO that is the right fit for your CMMC 2.0 assessments. The Ignyte team stands ready to help simplify these efforts by leveraging automation and rapid business scoping processes.
Contact us today to speak to a DoD-trained professional on all forms of security audits, including CMMC, FedRAMP, or any other cybersecurity requirement.
Read more about the scoping guides here:
CMMC 2.0 Level 1 – https://www.acq.osd.mil/cmmc/docs/Scope_Level1_V2.0_FINAL_20211203.pdf
CMMC 2.0 Level 2 – https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211203.pdf