April 4, 2022

Last Updated on March 16, 2023

CMMC has come a long way in recent months. But organizations still face plenty of challenges navigating the guidance.

What are the biggest hurdles and how can you reduce the confusion and move forward?

To answer these questions, host John Verry is joined by Kyle Lai, Founder and CISO of KLC Consulting, and Caleb Leidy, the CUI Protection and CMMC Consultant at Pivot Point Security, on a recent episode of The Virtual CISO Podcast.

“Scoping is getting a little bit broader and becoming more confusing. And people seem to be struggling with scoping a little bit.” — Kyle Lai

The current CMMC landscape

Kyle and Caleb agree that scoping, marking controlled unclassified information (CUI), and asset management are the major areas of concern impeding CMMC compliance—and all three are incredibly interrelated. You need to address these concerns collectively to address the CMMC compliance risk that could derail your business with the government.

Firms across industries are dealing with more data than ever before. How do you best identify CUI and determine what’s in scope? CMMC 2.0 attempts to address these questions (from an audit/assessment point of view) via its new scoping guide, which defines five asset types:

  1. Your CUI assets
  2. Security protection assets
  3. Contractor risk-managed assets
  4. Specialized assets
  5. Out of scope and out of mind

The CMMC 2.0 scoping guide can help you assess your entire environment as you move toward compliance and protecting CUI. For example, your security protection assets would include hardware, software, endpoint protection, your managed service providers (MSPs) both on-premises and in the cloud, etc. Under specialized assets lurk your IoT devices like sensors, IP-connected cameras and other equipment, and so on.

“The government seems to be catching up on CUI, but they are not all the way there yet.” — Kyle Lai

Through the lens of your system security plan

The first step of any strategy is to define your CMMC scope. Don’t forget that your system security plan defines what assets you’re trying to protect.

Knowing the precise boundaries that contain your federal contract information (FCI) and CUI drives efficient asset control. It’s also crucial to map your data flow from beginning to end and go through the entire asset lifecycle from acquisition to disposal.

Once you define exactly what assets are in scope, you can start focusing on managing assets and evaluating controls, processes, policies and so on.

Is this CUI?

If you have to ask, it probably is… at least from the standpoint of “CYA.”

It’s common for orgs—and even the government—to get confused when trying to identify and label CUI. To achieve compliance (and get some breathing room), it’s a smart move to do a detailed audit.

Things can get complicated at the contract level. But if you want the sweet projects, you have to be thorough. In some cases, it can truly be like searching for a needle in a haystack.

“Everybody is focused on doing scoping properly by using the scoping guide. That’s really not the intent of it. It’s more for assessors.” — Caleb Leidy

Better safe than sorry

There’s only benefit in being prepared and setting up an environment that can secure any potential CUI.

Unfortunately, everything has a price. The best approach requires a greater investment of time, effort and money. Many SMBs in the defense supply chain are lagging far behind on CMMC compliance because they either can’t afford it, or find getting a grip on security to be overwhelmingly difficult due to a lack of expertise.

Operational technology

OT is vitally important to the manufacturing industry. These systems have to work, or else.

Likewise, asset management is a fundamental element of your critical security controls. In smaller organizations, especially those that haven’t yet realized the importance of digital security, managing assets (especially OT assets) is often done manually.

But when you start adding in sensors, test equipment, the workstations that run the test software, and so on, you need automation to keep track of it all. Detailed assessment, precise scoping and careful documentation will help ensure a positive report at assessment time.

Management buy-in

Forward-thinking leaders know the value of their information security team, and they also realize that every company is a tech company now.

However, there is still an abundance of upper management who don’t grasp the intricacies and increasing importance of investing in information technology. If your C-suite isn’t committed to security, then you’re in a highly difficult position.

“‘Yeah, make this go away,’” Kyle jokes, “‘We don’t have that type of money. You deal with it.’”

How many IS pros have heard that refrain from the C-suite? Compliance isn’t cheap. This just adds another layer of effort for third-party CMMC experts—helping to convince the boss it’ll all be worth it in the long run, often by explaining what might happen if investments aren’t made.

Shoddy cybersecurity is a serious business risk. CMMC 2.0 will help companies scope and protect their assets more effectively, encouraging a healthier security stance.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
