Scoping for CMMC Level 2

CMMCCMMC Assessment Process
Written By Lucy Marsden
Scoping for CMM Level 2

This Blog Covers

  • Identifying Organization Seeking Certification

  • Scoping Assets

  • Scoping Documentation

  • Separation Techniques

  • Getting Support from External Service Providers 

Scoping is a key part of the CMMC assessment process. Per CMMC Assessment Guide Level 2, “The CMMC Assessment Scope informs which assets within the contractor’s environment will be assessed and the details of the assessment.” In other words, scope determines which organizational assets are relevant when conducting CMMC assessment and certification. Scoping can be confusing, so we’ve dedicated this post to simplifying things for our readers.

Who is Being Assessed? 

The Entity to be Assessed 

While contractors confirm the legal entity subject to assessment in conjunction with the CMMC Third-Party Assessment Organization (C3PAO) Lead Assessor, it is helpful to understand that CMMC assessment does not have to apply to an entire organization.

The organization seeking certification (OSC) could be the entire company, known as the Headquarters Organization (HQ Organization), or it could be a specific subsidiary, division, or operating component referred to as the Host Unit of the larger corporation. The various elements of the assessed organization include:

  • HQ Organization: “The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC”.

  • Host Unit: “The specific people, procedures, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered the OSC for CMMC Assessment purposes.”

    • Enclave: “A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave”.

  • Supporting Organizations: “The people, procedures, and technology external to the HQ Organization that support the Host Unit. The assets affiliated with Supporting Organizations may need to be included as part of the CMMC Assessment Scope, but the Supporting Organizations themselves would NOT receive a CMMC Certification”.

What is Being Assessed? 

The Assets up for Assessment

Before an assessment, the OSC must also determine the scope of the CMMC assessment for their networked environment. The OSC must identify, categorize, and record all assets according to CMMC’s Asset Category matrix. 

CMMC Assessment Scope Level 2 outlines five critical asset categories: Controlled Unclassified Information (CUI) Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. 

  • CUI Assets process, store, or transmit CUI. CUI Assets fall within the CMMC Assessment Scope and are subject to assessment against CMMC practices. 

  • Security Protection Assets protect information systems, such as firewalls, intrusion detection systems, and antivirus software. Security Protection Assets fall within the CMMC Assessment Scope and are subject to assessment against CMMC practices. Regardless of their physical or logical location, Security Protection Assets must comply with applicable CMMC practices as part of the assessment scope. External service providers (ESP), such as those offering security information and event management services, fall into this category, even if they do not handle CUI. 

  • Contractor Risk Managed Assets are assets that are not intended to handle CUI but can do so. These assets are managed using the contractor's risk-based information security policies, procedures, and practices. Contractor Risk Managed Assets are not required to be separated from CUI assets. While included in the CMMC assessment scope, asset assessment against CMMC practices is limited. 

Where appropriately managed and documented, Contractor Risk Managed Assets should be reviewed in the SSP against only one CMMC practice: CA.L2-3.12.4 - System Security Plan

  • Specialized Assets, such as government property, Internet of Things (IoT) devices, industrial control systems (ICS), restricted information systems, and test equipment, may or may not handle CUI. Specialized Assets are considered part of the assessment when properly documented. Like Contractor Risk Managed Assets, Specialized Assets are not assessed against CMMC practices beyond practice CA.L2-3.12.4 - System Security Plan

  • Out-of-Scope Assets are those assets incapable of processing, storing, or transmitting CUI. These assets do not protect CUI and fall outside the CMMC Assessment Scope. They do not require protection under the CMMC model and should not be assessed against CMMC practices. Examples include public websites and publicly available information.

After categorizing assets according to CMMC’s Asset Categories matrix (summarized in the table below), OSCs should be able to specify the scope. 

Read more about the asset categories here.

Documentation

Proving It

Because CMMC certification requires documentation, it is essential not only to identify all of the assets within the organization that fall into these categories but also to record the details. Indeed, throughout CMMC preparations, OSCs should be finding, refining, creating, collating, and documenting every piece of compliance evidence possible. CMMC Assessment Scope Level 2 outlines some of the most critical documents. 

To prepare for assessment against CMMC practices, document CUI Assets and Security Protection Assets in

  • Asset inventory 

  • System Security Plan (SSP) 

  • Network diagram

Record Contractor Risk Managed Assets and Specialized Assets in

  • Asset inventory

  • System Security Plan (SSP)

    • OSCs should ensure that the SSP documents the risk-based security policies, procedures, and practices that manage Contractor Risk Managed Assets/Specialized Assets. 

  • Network diagram

Note that the above documents are considered the minimum acceptable. By the end of the CMMC assessment process, OSCs will have produced and refined additional documents (many practices require the creation or existence of a specific document). In scoping, organizations may also create data flow diagrams (DFD), showing the flow of CUI between the DoD to subcontractors, and an inventory of any external service providers (ESP) for help on scoping and inheritance. 

Limiting Scope

How to Assess Less

Scope can significantly impact an assessment's complexity, cost, and length. For example, if only one small department within an organization seeking certification (OSC) handles CUI, an assessment would likely be limited compared to a contractor whose CUI handling spanned its entire environment. It is in your interest to limit the assessment scope where possible. 

Separation Techniques refer to the system architecture design principle of physically or logically isolating assets that handle, transmit, or store CUI from assets that do not. Separation can help to limit the scope of the assessment. 

NIST SP 800-171 Revision 2 guides effective separation for CMMC, stating that organizations can limit the scope of security requirements by isolating designated system components in a separate CUI security domain. Isolation can be achieved through architectural and design concepts such as implementing subnetworks with firewalls or other boundary protection devices, using information flow control mechanisms, and using physical or logical separation, or a combination of both. 

  • Logical separation happens when an asset is physically connected to another asset, but software configuration prevents data from flowing along the connection. Examples of mechanisms for controlled logical access include firewalls and Virtual Local Area Networks (VLANs). 

  • Physical separation occurs when an asset is not physically connected to another asset and data is transferred manually with human control. Examples of mechanisms for controlled physical access include gates, locks, badge access, and guards.

Outsourcing 

Shifting the Burden 

You needn’t take on NIST SP 800-171 compliance and CMMC certification alone. There are plenty of external service providers who can help. Say, for example, you’re worried about meeting and documenting practices for Security Protection Assets. Instead of spending precious time attempting to separate assets or conquer the FIPS-compliance mountain, outsource it! 

When you hire an ESP like XQ to assist in your cybersecurity, you can inherit compliance from them. With next-generation security and the documentation to back it up, you can stop worrying about many complex requirements and focus on running your business. 

Still confused? Consider speaking to our partner, Captiva Solutions, about personalized support!

Lucy Marsden
Previous

Why use XQ for CMMC Compliance?
Next

Preparing for CMMC Assessment, Part Two