Proper CMMC scoping is key to a smooth CMMC assessment
In the wake of potential data breaches and shocking long-term penetrations into the software permeating their networks, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) in March 2019.
The CMMC standard enhances the existing Defense Federal Acquisition Regulation Supplement (DFARS) security requirements. It adds additional compliance standards and maturity assessments that suppliers that support the DoD must meet to be awarded DoD contracts that include controlled unclassified information (CUI) and FCI (Federal Contract Information).
However, because CMMC assessments are contract-specific and involve detailed — and often hands-on evaluations of organizational security controls — scoping is a key component of having a smooth and productive assessment experience.
In light of the relatively recent introduction of the CMMC model and the importance of achieving the required CMMC Maturity Level needed to meet contractual requirements, many DoD suppliers have questions about properly preparing and scope ahead of their CMMC assessment.
Here are some key best practices and tips that organizations can follow to help the process move more smoothly.
Think holistically about your scope
Going directly to the source documentation is a good first step toward understanding what needs to be evaluated.
In this case, according to the CMMC-AB, the “CMMC only applies to Defense Industrial Base (DIB) contractor’s unclassified networks that process, store or transmit FCI or CUI.” Similarly, “if a DIB company does not process, store or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment.”
These passages point to the importance of fully understanding what types of information your organization is working with as part of your potential contractual engagements and which specific systems will be processing or storing that information.
In other words, if only certain segments of your enterprise systems, database or components of your organization are involved in executing the DoD contract, only these elements need to meet the CMMC standards for the maturity level (ML) identified by the DoD procurement.
Therefore, only these systems ultimately need to be included in the initial scoping for the follow-on CMMC assessment.
However, be mindful if managed services providers or your own internal IT department can access or support these systems as they, too, will need to be included in the assessment and the initial scoping process.
Ensure proof and documentation is in place
During the actual assessment process, the CMMC Assessors will be looking for specific proof that the security control or practice related to an evaluative standard is in place. Therefore, it is important to have these elements ready for review during the assessment.
According to Leighton Johnson, Infosec instructor and CTO at ISFMT, this review process will be digging into three practices for each evaluation area. And of those, “two out of the three practices for an area need to have objective evidence provided with the scoping document. Based on a determination of the CMMC Assessor, the third practice could be evaluated or tested.”
The Assessor will, as Johnson notes, “Will do physical assessments, technical assessments and observations that standards are being consistently applied (i.e., monitoring badging at doors, etc.) to ensure that the practice is met.
Relatedly, how long a security practice has been in place to make it effective is also up to the CMMC Assessor. In other words, the length of time that practice is in place is not as important as its strength and its consistent adoption.
Be ready to justify your implementation
In addition to providing your scope to a CMMC Assessor, which can occur ahead of their arrival or during a series of meetings at the beginning of the assessment phase, you will also be asked to justify why certain locations, systems, and work teams are or are not included in your scope.
While it can be tempting to provide comprehensive network diagrams to highlight just those areas in scope, another option is to also create and include a data flow diagram that demonstrates how CUI or FCI flows through your organization’s systems and facilities.
When creating this data flow diagram, include a justification for why a certain element is included or not included within the scope of the assessment as the data moves through the diagram. Similarly, when noting the security practices in place to protect the CUI and/or FCI, remember that inherited security controls — those employed by managed services providers or in place from other regulatory requirements — can also be within scope.
Therefore, ensure that these services are included and meet the applicable ML requirement.
Bringing it all together with CMMC assessment
While the DIB and the related CMMC Certification ecosystem continue to adjust to the new requirements and assessment methods, the CMMC-Accreditation Body (CMMC-AB) is working on additional guidance and documentation to help out OSCs.
In the meantime, while preparing for and scoping your CMMC can be a lot of work, remembering that the goal of the scoping process is to help CMMC Assessors better understand why and how your security controls are in place can ultimately make the entire process go more smoothly and effectively.
- What to Expect During a CMMC Assessment, Carnegie Mellon University Software Engineering Institute (SEI)
- CMMC Frequently Asked Questions, CMMC-AB
- The CMMC Model, CMMC-AB
- Pentagon believes it escaped unscathed from SolarWinds, Microsoft hacks, Federal News Network