Strategic Scoping for CMMC Compliance

Managing the Scope of CMMC Assessments to Keep Certification Costs Down

This webinar explores various approaches to setting up systems for protecting Controlled Unclassified Information (CUI) based on your needs and budget.

Today’s session discusses a key decision you will need to make that directly affects the cost and complexity of CMMC for your businesses.

With the final release of CMMC expected by end of 2024 and certifications starting in Q1 2025, defining and narrowing your scope can simplify the process and make it achievable.

Today, we’re joined by cybersecurity experts Scott Dawson, President of Core Business Solutions, Rick Krick, Director of Security Solutions, and Reagan Jorgensen, Security Solutions Technician.

Easier and More Affordable Approaches to CMMC Compliance

Simpler and more affordable approaches can make this tradeoff more manageable, rather than upgrading the entire company network. This applies to both preparing for and maintaining certification.

Understanding the Scope of Your CMMC Certification

We need options. The place to start is to understand the scope of your certification and ways to manage it. For most small businesses, this decision will determine whether or not to pursue CMMC. Some might even be looking for the CMMC “easy button.” This might do just that.

What is Meant by the Scope of a CMMC Assessment?

The term “scope” refers to the breadth or boundary of the CMMC assessment. In other words, “What’s included?”

That means you need to determine which computers and other devices, which networking equipment, which people, and what physical areas of your facility are being secured in order to protect CUI.

For Example:

• If you have fewer assets and people involved, you have a smaller scope.
• If everyone and everything in your network and facility are involved, you have a larger scope.

If you have a smaller scope, you’ll have fewer things to upgrade and secure, fewer people to train, etc. which will cost less. But if everyone and your entire network and facility are included, there will be more cost.

I’m not just talking about the cost of preparation but also the costs of the assessment and maintaining compliance.

“The scope has the biggest impact on the cost of your CMMC certification and it’s one of the first things you’ll need to decide.”

Rick Krick, Director of Security Solutions, Core Business Solutions, Inc.

What are the Steps Needed to Determine the CMMC Scope?

Step 1: Understand the CMMC Requirements

To understand CMMC requirements, you have to become familiar with the published documentation from the government that explains what it is, who it’s for, and what is required to become certified. These are the “source documents”.

DFARS 252.204-7012, -7019, -7020, & -7021.

• • The first four documents listed are the contract clauses that explain the compliance requirements for DOD contractors to protect CUI.
  • These regulations flow down from contract to contract through all levels in the supply chain and apply to all DOD suppliers.
  • The language in your contract is what obligates you to comply with the requirements to get certified.

NIST SP 800-171 Rev. 2

• • This document is where you’ll find the 110 controls required for DFARS compliance and CMMC Level 2 certification.
  • Every one of the 110 requirements must be fully met within the scope of your assessment. You have to get 100% on the test to pass.
  • Be aware that CMMC uses the earlier version of this document (Rev 2) for its controls not the currently released version of Rev. 3.

NIST SP 800-171A

• • This is the expanded version of the 110 controls that explains the 320 assessment objectives that have to be demonstrated during an assessment.
  • It shows what the assessor will look for.

CMMC Model Version 2.0

• • This explains the CMMC certification program, how assessors are qualified, and how companies get certified.

There are several more documents that you should become familiar with. Each of these gives more detail or a different perspective.

I think the takeaway is that there is a lot of information out there explaining CMMC and it is not all in one place. This makes it somewhat overwhelming. But if you want to learn CMMC and know what to expect from an assessment, these are the resources that you will need.

Step 2: Identifying CUI

The next step in the process of managing the scope of CMMC compliance is to identify your CUI.

CMMC Level 2 focuses on protecting CUI so you should consider these questions:

• • Which customers/contracts have DFARS/NIST/CMMC requirements included?
  • What information/documentation do we receive, create, or manage for those contracts? Is it clear which is CUI? If not, treat all related information as CUI.
  • How is the information received, used, stored, printed, or transmitted while it’s in your company’s possession?
  • Who in your organization uses or has access to this information? Can access be limited?

Step 3: Identify Asset Categories

The DOD has defined five types of assets. Assets refer to the equipment and systems in your network that process and store CUI. They vary in their impact on CUI security.

Here are the categories:

Type 1. Controlled Unclassified Information (CUI) Assets

• • Assets that process, store, or transmit CUI.
  • Examples: Email Servers, Document Management Systems, CRM Systems, File Servers, Database Systems

Type 2. Security Protection Assets (SPA)

• • Assets providing security functions within the CMMC scope.
  • Examples: Firewalls, Intrusion Detection Systems (IDS), SIEM Systems, EDR Tools, Multi-Factor Authentication (MFA) Systems

Type 3. Contractor Risk Managed Assets (CRMA)

• • Assets that can, but are not intended to process, store, or transmit CUI due to security policies.
  • Examples: Guest Wi-Fi Networks, Development Environments without CUI, Public-Facing Websites, Cloud Storage for non-sensitive data

Type 4. Specialized Assets (SA)

• • Assets that can process, store, or transmit CUI but cannot be fully secured.
  • Examples: Industrial Control Systems (ICS), IoT Devices (e.g., sensors, cameras), Medical Devices, Legacy Systems, Specialized Scientific Equipment

Type 5. Out-of-Scope Assets

• • Assets that do not process, store, or transmit CUI and do not provide security protections for CUI assets.
  • Examples: Office Printers (unless used for CUI), Public-Facing Kiosks, Employee Personal Devices, General Office Supplies, Public Website Hosting Servers

These categories illustrate the roles different assets play in handling or protecting CUI. Asset types 1-3 have strict security requirements. Types 4 & 5 have little or none.

Identifying and properly classifying your assets can help you understand where to put your time and money.

The bottom line is, the fewer assets within scope, the fewer you’ll have to assess, upgrade, configure, and secure.

What CMMC Scope Category do Laptops or Desktop Computers fit into?

Laptops and desktop computers can fit into any Asset Category depending on how they are being used.

For Example:

• • If they handle CUI, they are treated as CUI Assets.
  • If they host security applications/tools they are Security Protection Assets.
  • If policies are in place to prevent them from handling CUI Laptops/Desktops can be Contractor-Risk-Managed Assets.
  • If used in environments with security constraints, they can also be Specialized Assets.
  • They are treated as Out-of-Scope Assets if not used for CUI and do not provide security functions for CUI assets.

So, the answer is simple… it depends.

Documenting Assets

Assets Need to be Documented in 3 Ways:

1. Create an Asset Inventory:  List all identified assets within each category in a comprehensive asset inventory.
2. System Security Plan (SSP):  Document all in-scope assets in the SSP, detailing their roles and configurations.
3. Network Diagram:  Develop a network diagram showing the relationships and connections between all in-scope assets.

Step 4: Define the Assessment Boundary

Determine What Needs to be Secured

That means you need to determine the equipment, systems, people, and facilities that need to be secured to protect CUI. The basic principle is wherever CUI is located or accessed, that’s “in scope”. This includes any way that CUI could be accessed, even if unintentionally.

The basic principle is wherever CUI is located or accessed, that’s “in scope.”

Step 5: Review and Validate

Are there Ways to Limit the Scope of CMMC Certification?

Yes, there are ways to limit the scope of CMMC Certification.

As you plan your scope, there are 3 options:

Entire Network

If you have several defense contracts with a lot of CUI and most or all employees need access to it, you’ll include your entire network. You’re essentially saying that everyone and everything needs to handle CUI. This option results in the highest cost due to its extensive scope.

Key Consideration:

All 110 NIST controls and 320 assessment objectives apply to your entire scope, leading to a more expensive assessment. For many companies, this is unavoidable because of the amount of defense work they do.

It also could make CMMC unachievable given the cost and complexity of securing an entire network.

For some, an enclave approach would probably be a better option.

NIST defines an enclave as “a security boundary that controls access to CUI and encompasses systems processing, storing, or transmitting CUI”

There are two types of Enclaves you can use:

Internal Enclave

An internal enclave involves segregating a portion of your existing systems to handle CUI, using internal resources and IT systems.

Implementation:

Firewalls, VLANs, air-gapping, or physically isolated networks can be used.

Key Consideration:

Requires advanced IT expertise to manage and maintain. It reduces assessment costs but adds to the cost of building and maintaining a separate system. You’ll need senior IT resources to pull this off.

External Enclave

An external enclave uses a cloud-based service designed for NIST and CMMC compliance. Core provides an external enclave called “CORE Vault”. This can significantly reduce the internal burden. An external enclave gives you built-in security with the responsibility for compliance falling on the enclave service provider. A couple of benefits are quick deployment and scalability.

Key Consideration:

The provider handles most compliance tasks, but some controls remain your responsibility. To keep those assets out of scope, you must ensure the enclave prevents CUI from being downloaded to local devices.

What are the Advantages of using an External Enclave?

• • Flexibility and Scalability: Easily expanded or reduced based on needs.
  • Less Disruptive: Minimizes disruptions to your existing operations.
  • Delegated Compliance Responsibilities: The provider handles many compliance tasks, though the company remains accountable.
  • Quick Deployment: For example, CORE Vault can be deployed in 3-5 days, speeding up compliance readiness.

Cloud Enclave Features

What Should Companies Look for when Selecting a Cloud Enclave?

It’s crucial to ensure the cloud enclave meets specific criteria:

• • FedRAMP authorized or equivalent
  • Encryption (FIPS 140-2 Validated Encryption)
  • The enclave provider is required to be CMMC Certified themselves

Here is a List of Features you’ll Probably want in a Cloud Enclave:

• • VDI (Virtual Desktop Infrastructure)-remote desktop
  • MS Office (GCC or GCC High) or equivalent
  • Secure Email
  • Network Security (firewalls, intrusion detection/ prevention systems (IDS/IPS)).
  • Encryption (FIPS 140-2 validated)
  • Segregated Backup and Recovery
  • SIEM/SOC (Security Information and Event Management, Security Operations Center – US Based)
  • Access Controls
  • Maintenance and Patching
  • Vulnerability Scanning
  • Web Filtering
  • Multifactor Authentication (MFA)
  • Antivirus/Endpoint Detection and Response (EDR)
  • Secure Filesharing
  • Incident Response
  • Data Loss Prevention (DLP)
  • Ability to support local printing and data exchange for your operational technology (CNC machines, etc.), if needed

If you’re not using a cloud enclave, you’ll need to implement similar capabilities in your network or enclave – based on your scope.

You will need senior-level IT and security expertise on your team, whether you have your own IT team or you contract with a local MSP or Managed Service Provider. This security configuration is far beyond a basic network setup.

What else do we need to Consider when Selecting a Cloud Enclave?

• • Ensure the enclave has protections in place to keep your computers and network out of scope and avoid data leakage. This includes the laptop or desktop you’re using to access the enclave.
  • Some cloud providers have limited features that still require your local computer or network to handle CUI, such as viewing and editing information. These systems may only offer file sharing and email, leaving your local devices in scope.
  • If CUI can transfer to the device you’re using to access the enclave, then your device is in scope, requiring all of the upgrades to meet NIST requirements.
    This could mean your entire network is in scope if CUI can be transmitted to the rest of your network, even unintentionally.

A defense contractor might assume their devices or network are out of scope, only to find out during the assessment that they are still in scope. What happens if this occurs?

If a Defense Contractor realizes during an assessment that their devices or network are in scope, what happens?

They will fail the certification.

What are the Basic Steps in Using a Cloud Enclave?

As an example, if you choose to use Core Business Solutions’ Cloud Enclave, here’s what you should do:

• • Identify your CUI, users, and workflow
  • Assess the cloud service provider for compliance with CMMC standards. (ask for Shared Responsibility Matrix).
  • Migrate your CUI and appropriate systems (e.g. email) to the enclave, based on the provider’s instructions.
  • Be sure to properly destroy all CUI in your network environment on all devices.
  • You may want to start with a gap assessment that can help you understand where you stand today and what options might be best for your organization.

We have a passion for making compliance simple especially when it comes to CMMC Compliance. We can help you with these steps. Call us Today.

In Summary:

Today we focused on the importance of scope for your CMMC certification and that several options should be considered. These choices will have a huge impact on the complexity and cost of CMMC Compliance.

For those seeking further assistance, members of our consulting team are available to assist you.