In January, the DoD rolled out updates to Cybersecurity Maturity Model Certification (CMMC) 2.0. One of the biggest announcements was the introduction of Scoping Guides for CMMC Levels 1 and 2, which were designed to better guide organizations seeking NIST 800-171 and CMMC compliance through a clearer assessment process.
Below we’ll examine what’s included in these guides and how to use them to complete a CMMC assessment.
What is Scope?
First, for context, let’s define ‘scope’. Scope is the set of assets within your environment that must be assessed in order to demonstrate compliance with NIST 800-171 and CMMC, while the assessment itself is the process of evaluating those assets against the applicable practices.
How do CMMC 2.0 Scoping Guides Help?
Under NIST 800-171 and CMMC, it’s important to document all assets so they can be properly protected. But with the increasing complexity of the regulatory landscape, it can be difficult to work out which assets are in scope and what an assessment must cover.
These scoping guides were built to help contractors understand more clearly what needs to be assessed in order to complete a CMMC assessment.
Let’s go into each Scoping Guide in deeper detail.
Key Parts of Level 1 Scoping Guide
Before an organization can perform a Level 1 CMMC assessment, they must first determine what will be within the assessment scope.
The assets that process, store or transmit Federal Contract Information (FCI) are considered in scope and should be assessed against the CMMC Level 1 practices. These assets, and how they relate to a Level 1 assessment, are outlined below.
FCI: Federal Contract Information, or FCI, is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information the Government provides to the public or simple transactional information such as that needed to process payments.
Out of Scope: Assets that do not process, store or transmit Federal Contract Information (FCI). These require no documentation.
Specialized: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Restricted Information Systems and Test Equipment. These assets are not part of a Level 1 Self-Assessment and are not assessed against CMMC practices.
Another important consideration is the people, technology, facilities and external service providers that process, store or transmit FCI. Examples of each include:
People: Employees, contractors, vendors and external service provider personnel.
Technology: Servers, client computers, mobile devices, network appliances, VoIP devices, applications, virtual machines and database systems.
Facilities: Physical office locations, satellite offices, server rooms, data centers, manufacturing plants and secured rooms.
External Service Provider (ESP): External people, technology or facilities that the organization uses, including cloud services, co-located data centers, hosting providers and managed security service providers.
Key Parts of Level 2 Scoping Guide
Level 2, or Advanced, is for organizations that handle Controlled Unclassified Information (CUI). Assessments at this level require more detailed documentation and cover a much broader scope.
Assets fall into one of five categories.
CUI Assets: Assets that process, store or transmit CUI. CUI itself is information the Government creates or possesses, or that a contractor creates or possesses on the Government’s behalf, that a law, regulation or Government-wide policy requires to be safeguarded. It might be found in emails, electronic files, blueprints, drawings, sales orders or contracts. These assets are assessed against all applicable CMMC practices.
Security Protection Assets: Assets that provide security functions or capabilities within the contractor’s assessment scope. These must conform to applicable CMMC practices regardless of physical or logical placement (e.g., a cloud provider or a third-party security company hosting your SIEM is in scope).
Contractor Risk Managed Assets: Assets that can, but are not intended to, process, store or transmit CUI because of the security policies, procedures and practices the contractor has in place. They must appear in the asset inventory, the System Security Plan (SSP) and the network diagram, but they are not assessed against CMMC practices beyond a review of the SSP.
Specialized Assets: IoT and IIoT devices, OT, Government Property, Restricted Information Systems and Test Equipment in the environment. These assets must be included in the asset inventory, the SSP and the network diagram, but they are not assessed against other CMMC practices.
Out-of-Scope Assets: Assets that cannot process, store or transmit CUI. They must be physically or logically separated from CUI assets and require no documentation.
In CMMC 2.0 terms, separation is the physical or logical isolation of assets that process, store or transmit CUI from assets that are not involved with CUI. Separation is required only for Out-of-Scope Assets; Contractor Risk Managed and Specialized Assets do not have to be separated from CUI assets.
Let’s examine the difference between the two.
Logical separation means an asset is physically connected (wired or wirelessly) to another asset or set of assets, but configurations are in place, such as firewall rules or network segmentation, that prevent data from flowing along the physical connection path.
Examples of logical separation:
- Virtual Local Area Networks (VLANs)
Physical separation means an asset is not physically (wired or wirelessly) connected to another asset or set of assets. Data can only be transferred manually under human control, for example on a USB drive.
Examples of physical separation:
- Badge access
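The scoping rule in the paragraphs above, that Out-of-Scope Assets must be separated from CUI assets while Contractor Risk Managed and Specialized Assets need not be, lends itself to an automated check. The Python script below is an added example, not part of the CMMC scoping guides or of SSE’s own tooling: it takes a constructed asset inventory (hostnames, asset categories and VLAN numbers) and a constructed inter-VLAN firewall policy, and reports every Out-of-Scope Asset that either sits on a CUI VLAN outright or can reach one through a chain of permitted rules. All hostnames, VLAN ids, category codes and rules are illustrative assumptions.

```python
"""Check a scoped asset inventory for broken logical separation.

Rules encoded from the scoping guidance:
  * Out-of-Scope (OOS) assets must be physically or logically separated
    from CUI Assets and Security Protection Assets.
  * Contractor Risk Managed (CRMA) and Specialized (SPEC) assets do not
    need to be separated, so they are never reported.
"""
from collections import deque

# Constructed sample inventory: (hostname, CMMC asset category, VLAN id).
# Category codes are this script's own shorthand, not CMMC terminology.
ASSETS = [
    ("eng-fs01", "CUI", 10),
    ("eng-ws07", "CUI", 10),
    ("printer-lobby", "OOS", 10),   # out-of-scope device left on the CUI VLAN
    ("siem01", "SPA", 20),
    ("hr-ws02", "CRMA", 30),
    ("lobby-kiosk", "OOS", 40),
    ("guest-ap", "OOS", 50),
    ("cnc-mill", "SPEC", 60),
]

# Constructed inter-VLAN firewall policy as (src_vlan, dst_vlan) pairs that
# are permitted. Anything not listed is denied (default-deny).
ALLOW_RULES = {
    (10, 20), (20, 10),   # CUI hosts <-> SIEM collector
    (30, 10),             # CRMA hosts may reach the CUI file server: allowed
    (50, 40),             # guest wifi -> kiosk network
    (40, 10),             # kiosk network -> engineering: the misconfiguration
}

# Categories whose VLANs an Out-of-Scope asset must not be able to reach.
IN_SCOPE_CUI = {"CUI", "SPA"}


def reachable_vlans(start, allow_rules):
    """Return every VLAN reachable from `start` by following permitted
    rules transitively (breadth-first search over the allow list)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in allow_rules:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def find_separation_violations(assets, allow_rules):
    """Return sorted (hostname, kind, detail) tuples for every Out-of-Scope
    asset that is not separated from CUI/SPA assets."""
    cui_hosts_by_vlan = {}
    for host, cat, vlan in assets:
        if cat in IN_SCOPE_CUI:
            cui_hosts_by_vlan.setdefault(vlan, []).append(host)
    cui_vlans = set(cui_hosts_by_vlan)

    violations = []
    for host, cat, vlan in assets:
        if cat != "OOS":
            continue  # CRMA and Specialized assets need no separation
        if vlan in cui_vlans:
            # No separation at all: the asset shares a segment with CUI hosts.
            detail = f"VLAN {vlan} also carries {sorted(cui_hosts_by_vlan[vlan])}"
            violations.append((host, "shared-vlan", detail))
            continue
        hit = reachable_vlans(vlan, allow_rules) & cui_vlans
        if hit:
            # Separate segment, but the firewall policy lets traffic through.
            detail = f"VLAN {vlan} can reach CUI VLAN(s) {sorted(hit)}"
            violations.append((host, "rule-path", detail))
    return sorted(violations)


if __name__ == "__main__":
    for host, kind, detail in find_separation_violations(ASSETS, ALLOW_RULES):
        print(f"{host:14} {kind:12} {detail}")
```

Against the constructed data the script flags three assets: the lobby printer on the CUI VLAN, the kiosk whose VLAN has a direct rule into engineering, and the guest access point that reaches the CUI VLANs only transitively through the kiosk network. Dropping the single rule `(40, 10)` clears the two routed findings, which is the kind of evidence an assessor will want to see alongside the network diagram. Real environments would feed this from the switch and firewall configuration rather than hard-coded lists, and physical separation (air-gapped assets) appears simply as a VLAN with no rules at all, as VLAN 60 does here.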
External Service Providers (ESP)
An ESP falls within scope if it meets the criteria for a CUI Asset or a Security Protection Asset, that is, if it processes, stores or transmits your CUI, or provides security functions for the assets that do. To determine whether your organization’s ESPs are in scope, consider the following:
- Does your shared responsibility matrix identify which security control objectives fall to the ESP and which remain your responsibility?
- Does the ESP hold relevant authorizations or attestations, such as a FedRAMP authorization, a SOC 2 report or a CMMC certification?
- Do the agreements in place with the ESP, such as service-level agreements, memoranda of understanding and contracts, support your information security objectives?
SSE Can Help You Assess and Prepare Your Business
SSE has the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.
Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment to get started.