CMMC Scoping

The Cybersecurity Maturity Model Certification (CMMC) requires defense contractors to protect Controlled Unclassified Information (CUI). But what is CUI, and where does it reside in your networks? As you begin the daunting process of CMMC certification, reducing the scope of what needs to be certified will save you time and money. Knowing what CUI you have, where it’s located and how it flows through your network will allow you to focus limited resources on hardening those assets. Attempting to harden and certify your entire network strains already overtaxed resources and exposes you to the additional, unnecessary challenge of protecting every asset to NIST SP 800-171 standards. Only harden and certify those assets that process, store, and transmit CUI. By doing so you reduce both your costs and your attack surface.

The goal of CMMC Scoping is to document all asset categories that are part of the assessment scope in an asset inventory and provide a network diagram of the assessment scope to facilitate scoping discussions during pre-assessment activities.

A good scoping assessment allows you to:

  • Identify your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

  • Determine how it flows through your organization and what assets it touches

  • Create an inventory of your assets

  • Classify your assets

  • Create network and certification boundary diagrams

The final products of a successful scoping assessment should be a CUI Data Flow Diagram, an Asset Inventory, and Network Diagrams. Let’s examine five steps towards a solid CMMC scoping effort.

1. Identifying CUI

The first step is to identify all the CUI associated with your contracts. To do this you must determine where it comes from, what forms it takes, how it’s transmitted, how and where it’s stored, who and/or what needs access to it, and how it’s marked. Having an inventory of CUI will allow you to identify it, determine if it’s required, make sure it’s stored in the proper place and properly marked. How many copies of a CUI document do you need? Do they need to be stored in multiple places? Does everyone need access to them? Is it properly marked? Answering these questions first is critical to scoping your assessment and passing it. And it allows you to properly dispose of unnecessary CUI in your possession and reduce the overall scope of the assessment.

2. Tracking CUI Through Your Company

Tracking CUI as it flows through your network allows you to identify every system that handles it and therefore falls within the scope of the assessment. The easiest way to determine how CUI flows through your organization and what assets it touches is to create a Data Flow Diagram. Through this process you will understand which assets transmit, process and store CUI within your company. With this understanding you can classify your assets, create an asset inventory, and work to reduce the number of assets that are in scope.

A data flow diagram maps out the flow of information for any process or system. It depicts data inputs, outputs, storage points and the routes between each destination.

3. Creating an Asset Inventory

Through the development of a Data Flow Diagram, you will be able to create an asset inventory. The asset inventory allows you to determine which assets need protecting and subsequently certifying, and which assets are out of scope and don’t require certifying. An inventory identifies and lists hardware, software, systems, and people.

4. Categorizing CMMC Assets

Once you have a complete inventory of your assets, you can then categorize them using the five CMMC categories. The “CMMC Assessment Guide – Level 2” maps contractor assets into these five categories:

  • CUI Assets — Assets that process, store or transmit CUI.

  • Security Protection Assets — Assets that provide security functions or capabilities to the assessment scope, including people, technology and facilities.

  • Contractor Risk Managed Assets — Assets that are capable of, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.

  • Specialized Assets — Government Property, Industrial Internet of Things, SCADA systems, Restricted Information Systems or Test Equipment that may handle CUI.

  • Out-of-Scope Assets – Assets that cannot process, store, or transmit CUI.

Knowing what categories your assets fall in determines what needs to be protected and assessed.
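Steps 2 through 4 can be turned into a repeatable check: trace the CUI data flows to find every asset that transmits, processes or stores CUI, then assign each inventory entry one of the five categories above. The script below is an added illustration, not code from the original post or from Ascolta; the inventory, host names and flows are constructed, and the precedence it applies (Specialized first, then CUI-flow reachability, then security function, then capability) is the author's assumption about how to resolve an asset that fits more than one description.

```python
from collections import deque

# Constructed sample inventory (hypothetical host names). Each entry records
# whether the asset can technically handle CUI, whether it is a specialized
# asset (government property, IIoT, SCADA, test equipment) and whether it
# provides a security function (firewall, SIEM, etc.).
INVENTORY = {
    "fileserver01":  {"can_handle_cui": True,  "specialized": False, "security_function": False},
    "eng-ws-07":     {"can_handle_cui": True,  "specialized": False, "security_function": False},
    "mail-gateway":  {"can_handle_cui": True,  "specialized": False, "security_function": False},
    "edge-firewall": {"can_handle_cui": True,  "specialized": False, "security_function": True},
    "siem":          {"can_handle_cui": False, "specialized": False, "security_function": True},
    "hr-laptop":     {"can_handle_cui": True,  "specialized": False, "security_function": False},
    "cnc-mill":      {"can_handle_cui": True,  "specialized": True,  "security_function": False},
    "lobby-kiosk":   {"can_handle_cui": False, "specialized": False, "security_function": False},
}

# Constructed CUI data flows from the Data Flow Diagram: (source, destination).
# "CUSTOMER" is the external origin of CUI, e.g. a drawing emailed by the government.
CUI_FLOWS = [
    ("CUSTOMER", "mail-gateway"),
    ("mail-gateway", "eng-ws-07"),
    ("eng-ws-07", "fileserver01"),
    ("fileserver01", "cnc-mill"),
]

def trace_cui_assets(flows, origin="CUSTOMER"):
    """Breadth-first walk of the flow graph from the CUI origin: every node
    reached transmits, processes or stores CUI."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    seen, queue = set(), deque([origin])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def inventory_gaps(inventory, flows, origin="CUSTOMER"):
    """Flow nodes that are missing from the inventory: the diagram and the
    inventory disagree, so the scope is not yet complete."""
    return {n for edge in flows for n in edge if n != origin and n not in inventory}

def categorize(inventory, flows):
    """Assign each inventory asset one of the five CMMC asset categories
    (assumed precedence: specialized, CUI flow, security function, capability)."""
    cui_assets = trace_cui_assets(flows)
    result = {}
    for name, a in inventory.items():
        if a["specialized"]:
            result[name] = "Specialized Asset"
        elif name in cui_assets:
            result[name] = "CUI Asset"
        elif a["security_function"]:
            result[name] = "Security Protection Asset"
        elif a["can_handle_cui"]:
            result[name] = "Contractor Risk Managed Asset"  # capable, but policy keeps CUI off it
        else:
            result[name] = "Out-of-Scope Asset"
    return result
```

Run `inventory_gaps` before `categorize`: an asset that appears in the flow diagram but not in the inventory is a scoping error that an assessor will find later.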

5. Network Diagrams

The final step is to use the information gathered in the first four steps to create a network diagram and a certification boundary diagram. These diagrams provide a visual aid when discussing scope with your assessor. The diagrams cover all the components of an information system and should include:

  • Hardware and firmware devices

  • System and applications software

  • Hardware, software, and system interfaces (internal and external)

  • Subsystems (static and dynamic)

  • Information flows and paths (including inputs and outputs)

  • Cross domain devices/requirements

  • Network connection rules for communicating with external information systems

  • Interconnected information systems and identifiers for those systems

  • Encryption techniques used for information processing, transmission, and storage

  • Cryptographic key management information (public key infrastructures, certificate authorities, etc.)

  • Assets you use to back up your system and store its data archive

The certification boundary diagram is added to the network diagram and encompasses all components that are hardened to protect CUI. The authorizing official (AO) has management control of all components within the Certification Boundary. Management control involves budgetary, programmatic, or operational authority and associated responsibility. This boundary will determine what is in scope and which assets the C3PAO assesses for certification.

Conclusion

CMMC certification will be a costly endeavor for all defense contractors; reducing that burden by reducing the scope of the assessment is essential to your success. Whether you conduct the scoping yourself or outsource it to a company such as Ascolta, it must be one of the first steps in your CMMC assessment process.
