Last Updated on April 5, 2022
The first step toward compliance with CMMC 2.0—or any cybersecurity standard—is to identify the scope of your environment that will be assessed for CMMC compliance. Because CMMC is all about protecting controlled unclassified information (CUI), “scoping” for CMMC starts with identifying what CUI you handle, where it resides and what assets (people, systems and processes) create, store, process or transmit CUI.
To help both organizations seeking certification (OSCs) and assessors get a better handle on scoping, the US Department of Defense (DoD) released new scoping guidance and other CMMC documentation updates in December 2021.
On a recent episode of The Virtual CISO Podcast, CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, talked about why and how they see DIB orgs struggling with CMMC scoping. The show’s host is Pivot Point Security’s CISO and Managing Partner, John Verry.
Why the new scoping guidance is causing confusion
Caleb notes that the purpose of the new scoping guidance is mainly to help assessors ensure that they’ve covered everything.
“You didn’t hear scoping talked about as much as an issue prior to the scoping guide being released, outside of OT systems,” says Caleb. “There were a lot of complaints like, ‘Hey, we can’t do this for our OT systems. Somebody needs to give us some guidance on how we scope this and how we scope the requirements.”
But when the scoping guide came out, the more extensive details seem to have created confusion on how to wrap one’s mind around scoping.
“’Alright, I’ve got the scoping guide. Now I have to go through the entirety of everything that makes up my organization and try to fit it into these different silos and categories,” Caleb surmises.
The CMMC scoping 101 flyby
The tried-and-true way to approach scoping hasn’t changed at all. You start with knowing where your CUI is. Where does CUI come into your system? Do you create any CUI? Then you diagram your CUI data flows and identify the assets that those flows touch. Keep tracking the CUI all the way to archiving and/or destruction.
“They’ve almost lost track of the fact that the system security plan is what defines what we’re trying to protect, right?” John instructs. “We have to look through the lens of the system security plan to add assets.”
“The first step in scoping is probably marking [CUI],” adds John. “Making sure you understand what specific FCU and CUI we have. Then scoping based on that, and then scoping drives asset management.”
Once you have a lifecycle view of your CUI flows, you can identify and categorize all your in-scope assets (technology, people, data storage, SaaS or on-premises security solutions, etc.). The rest of your systems are out of scope or risk managed.
Of course, to sort out CUI from non-CUI assets, you need a working asset management process and an asset catalog. This is why asset management controls are seen as fundamental to cybersecurity. How can you protect it if you don’t even know you have it?
To hear this CMMC 2.0 podcast in its entirety, Click here.
Looking for more insight into scoping? This special podcast with John Verry covers scoping “gotchas” in detail: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance