CMMC scoping

Understanding your scope starts with controlled unclassified information (CUI) 

When considering your cybersecurity maturity model certification (CMMC) assessment—as with most important discussions—it’s best to begin by clearly defining your terms. In this case, the terms to define are federal contract information (FCI) and controlled unclassified information (CUI).

FCI is not public information, but it is provided by—or generated for—the government under a contract. Essentially, FCI is anything you are handling—that is not public information—as part of your contract with the government (specifically the Department of Defense (DOD), in the case of CMMC).

A subset of FCI is CUI. This is also non-public information, belonging to the government, which is sensitive (though unclassified). What makes it CUI specifically is that this information requires safeguarding or dissemination controls pursuant to various laws, regulations and government-wide policies. In short, CUI comes with special rules designed to ensure it is protected and handled appropriately and that access to it is limited.

Who makes the rules about CUI?

It’s important to note that CUI is not exclusive to the DOD or CMMC. Executive Order 13556, issued under the Obama administration, officially defined CUI, established the National Archives and Records Administration (NARA) as the executive agent, tasked NARA with setting the standards, rules and policies for how to protect CUI, and instituted this entire process.

Under such guidance, the requirements for CUI pertain to government agencies as well as federal contractors. It’s important to note, however, that this process establishes the bare minimum. The DOD can add to it, but they cannot deviate from the minimum. In fact, a series of policies and guidelines apply:

  • Executive Order 13556
  • 32 Code of Federal Regulations (CFR) Part 2002 (implementing directive)
  • CUI Marking Handbook
  • CUI notices
  • CUI Notice 2020-01 (CUI implementation deadlines)
  • CUI Notice 2020-02 (alternate marking methods)
  • National Institute of Standards and Technology (NIST) publications
  • Office of Management and Budget (OMB) Circular No. A-11
  • CUI Advisory Council

So, when pursuing CMMC, understand it is a DOD requirement that builds on the CUI protection requirements that apply to all government agencies.

CMMC asset categories—what are they?

The CMMC Assessment Scope document defines five different asset categories as follows:

CUI assets

These, quite simply, are any assets that store, process or transmit CUI. All CMMC requirements apply to CUI assets, and they must be fully assessed against all 110 CMMC controls.

Security protection assets

These are assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether they store, process or transmit CUI. Essentially, any system that may not contain or process CUI itself but is used to protect other CUI assets—think firewalls, security information and event management (SIEM) tools, etc. As with CUI assets, security protection assets are subject to all CMMC requirements and are heavily assessed against all 110 CMMC controls.

Contractor risk-managed assets

Assets that can (but are not intended to) store, process or transmit CUI, and that are not physically or logically separated from CUI assets. Because they share an environment with CUI assets but do not contain any CUI themselves, they fall into a third bucket. Contractor risk-managed assets still need to be included in the asset inventory and covered by documentation detailing security policies, procedures and practices, but they are not fully assessed against all 110 CMMC controls.

Specialized assets

This is the broadest (and trickiest!) category to define and determine. Specialized assets are those that may or may not store, process or transmit CUI—including government property, internet of things (IoT) devices, operational technology (OT), restricted information technology and test equipment. All specialized assets are documented and controlled (where applicable) but, due to their nature, are not fully assessed during a CMMC assessment; they may be considered on a limited, risk-based basis.

Out-of-scope assets

Any asset that cannot store, process or transmit CUI (i.e., it does not fit any of the categories above). Assets must be physically or logically separated from CUI assets to be out of scope.

The challenge here—as you may have already experienced—is how to properly identify, organize, assess and control each of these assets. For a deeper dive into specialized asset definitions and determinations, example CUI markings, CUI data flow diagrams and more—explore our recent on-demand webinar. 

A final consideration: How will the CMMC assessment cover third parties?

As you examine your CUI assets and data flow, you might have a couple of applications or tools that exist within the cloud. Or, as a company, you may have outsourced your information technology (IT) function to an external service provider. In these instances—and others like them—how will the CMMC assessment handle such involvement from third parties? 

In the proposed rule (which may still change, though it’s close to finalization in its current form), the answer revolves around the differences between external service providers (ESPs) and cloud service providers (CSPs).  

ESPs are defined in the rule as: External people, technology or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC program, CUI or security protection data (e.g., log data, configuration data, etc.), must be processed, stored or transmitted on the ESP assets to be considered an ESP.

Assessment requirements for ESPs are defined as: If the Organization Seeking Assessment (OSA) utilizes an ESP other than a CSP, the ESP must have a CMMC Level 2 final certification assessment or higher to match the OSA. If the ESP is internal to the OSA, the security requirements implemented by the ESP should be listed in the OSA’s system security plan (SSP) to show a connection to its in-scope environment.

Alternatively, cloud service providers (CSPs) are defined as: An external company that provides a platform, infrastructure, applications and/or storage services for its clients.

While assessment requirements for CSPs are defined as: An Organization Seeking Certification (OSC) may use a Federal Risk and Authorization Management Program (FedRAMP) moderate (or higher) cloud environment to process, store or transmit CUI in execution of a contract or subcontract with a requirement for CMMC Level 2 under the following circumstances: (i) the CSP product or service offering is FedRAMP authorized at the FedRAMP moderate (or higher) baseline in accordance with the FedRAMP marketplace; or (ii) the CSP meets security requirements equivalent to those established by the FedRAMP moderate (or higher) baseline.

Following such guidance, the pervasive question immediately arose—what does “FedRAMP equivalent” mean?

The DOD issued a memo earlier this year stating that, to be considered FedRAMP Moderate equivalent, a cloud service offering (CSO) must achieve 100% compliance with the latest FedRAMP Moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third-Party Assessment Organization (3PAO), and must present the following supporting documentation to the contractor as part of the Body of Evidence (BoE):

  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of actions and milestones (POA&M)

Although the DOD’s memo provided concrete clarity regarding the equivalency question, 100% compliance is nonetheless a high bar to set (and reach!). Add to that the complexities of CUI asset categorization, data flows, proper CUI markings and so forth—and it’s easy to see how the CMMC assessment landscape can be difficult to navigate.

So, what’s the bottom line? Keys to your CMMC assessment:

  • Don’t wait until the assessment to understand its scope or address any challenging items.
  • Approach your potential CMMC Third-Party Assessment Organization (C3PAO) with questions and be ready to share the following: CUI data flows, asset listings and proper documentation for any judgment calls previously made about asset types or scope in general.
  • Understand your assessor’s view before you proceed too far into the assessment process.

Need help determining your path toward CMMC assessment? Have questions about CUI, asset categorization, data flows, FedRAMP Equivalency or more? We’re here to help.

Matt Gilbert
Principal