April 7, 2022

Last Updated on January 18, 2024

The new CMMC scoping guidance defines five asset classes. While the intent is to help defense suppliers refine and potentially narrow down the scope of their CMMC enclaves, the result has been to increase awareness of how many assets—especially operational and IoT assets—are actually in scope. And this has made some folks nervous.

How best to apply the CMMC scoping advice to “non-IT” asset classes for CMMC Level 2?

To help orgs in the US defense industrial base (DIB) navigate the top CMMC 2.0 hurdles, a recent episode of The Virtual CISO Podcast features CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. As always, the show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Better OT guidance… and then some

A major driver for the new CMMC scoping guidance was requests from industry for better guidance on applying the NIST 800-171 requirements to operational (OT) assets, now called “specialized assets.”

The new scoping information also clarified what assets could be documented as “out of scope.” But it introduced new in-scope asset categories (security protection assets and contractor risk managed assets) that some orgs might not have considered previously.

“This brought in confusion, like, ‘I have to consider a lot more in my scope and apply requirements to everything is a much different way than I thought I was going to have to do,’” Caleb contends. “But I think that piece has been misunderstood.”

“Everybody’s focused on, ‘I need to do my scoping properly by using the scoping guide,’” continues Caleb. “But that’s not really the intent of it. It’s more for assessors. It’s building up the scope and the bounds of what an assessor is going to look at.”

“The applicability of requirements in the scoping guide to the asset categories is another big piece. Because you look at your security protection assets and these things, and they say, ‘All applicable controls or all CMMC practices.’ Well, you’re not going to have all CMMC practices relevant to a security protection asset. You’re not going to assess against a CUI laptop or a CUI file server for your awareness and training requirements, right? … It’s still the things that apply to that type of asset, right?” Caleb explains. “It’s becoming a non-starter, like, ‘Oh, I can’t do this because now I have to do all the requirements for every piece of everything that I have.’ Nobody stops and says, ‘Okay, well, I don’t have to encrypt my locked cabinet drawer.’”

The assessors are baffled, too

You’d think more clarity about scoping would be a good thing. But even assessors are taken aback by the new scoping guidance.

“The problem is that assessors are having the same questions,” Kyle highlights. “Recently I was in a C3PAO stakeholder forum. A bunch of the C3PAOs got together there, and we all still need clarity in terms of what is the intent [of the new scoping guidance]? How deep do we actually go during the assessment? Because if we’re not clear, then nobody’s clear, right?”

More clarity is apparently needed to get all the assessors on the same page regarding the intent and correct interpretation of the new scoping guidance.

Meanwhile, DIB orgs are advised not to overcomplicate or over-think their scoping. Stick to a methodical, commonsense approach to applying controls that’s based on your system security plan.

What’s next?

To catch to the complete show with Caleb and Kyle, Click here.
Why do your scoping before you start a “gap assessment”? Here’s the definitive answer: 13 Million Reasons Why You Need to Scope before You Do a Gap Assessment