CMMC Scoping: Charting the Course for Comprehensive Cybersecurity Assessments

Redspin Blog

Author: Tara Lemieux, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor 

The U.S. Department of Defense (DoD) has undertaken a significant and vital effort to secure our Nation’s data. This includes initiating a comprehensive cybersecurity strategy that encourages collaboration with industry experts, continuous training of personnel and contractors, and implementing advanced defense countermeasures to protect against these threats. Through the Cybersecurity Maturity Model Certification (CMMC), the DoD aims to ensure that all contractors handling sensitive data are up to the task of protecting it. 

As a member of our Defense Industrial Base (DIB), you’re likely already aware of the recent changes in U.S. cybersecurity legislation – including an imminent DFARS rule change requiring organizations handling CUI to undergo an independent, third-party CMMC assessment. Given the sensitive nature of defense contracts and the escalating cyber threats faced globally, achieving and maintaining CMMC certification isn’t ‘just another mandate’ – it’s a clarion call urging organizations to fortify their cyber defenses, especially those organizations that store, process, or transmit, Controlled Unclassified Data (CUI). It is hoped that through these changes our U.S. government may reinforce that national S=security is foundational to all decision making.  

Although many defense contractors are eager to comply, they are struggling to determine the boundaries for their assessment, often uncertain as to what elements fall within or outside of their certification scope.  

This is why ‘scoping’ is so important: by accurately defining the boundaries of an assessment, defense contractors can effectively limit their cyber exposure. Not only does this help to keep costs in check, but it also reinforces that the organization is taking the proper steps to ensure compliance – prioritizing both security and regulatory obligations.  

But what is scoping, and why is it so critical?  

Let’s dive in. 

The Essence of Scoping 

At its core, scoping helps to identify which assets within a contractor’s environment will be subject to review during the CMMC assessment. Consider it as drawing a boundary around the devices, assets, and processes that receive, store, process, or transmit CUI data. This requires a thorough and complete understanding of the organization’s workflows – isolating how protected data moves through the organization’s devices and enclaves.  

For a CMMC assessment, we are primarily concerned with the following asset categories: 

1. CUI Assets: These include any information labeled as or determined to be CUI. Examples include contracts, statements of work, technical data, source code, proposals, and more. In practice, as an assessor, I want to ensure that any assets that interact with the CUI data are sufficiently protected and that those protections are operating as intended (e.g., they are configured correctly, they are producing the desired outcomes, etc.)
2. Security Protection Assets: These are the shields and guardians of the contractor’s environment and include tools like firewalls, antivirus solutions, and intrusion detection systems. More specifically, and according to the CMMC Level 2 assessment guide, security protection assets are “any assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, and irrespective of whether or not these assets store, process, or transmit CUI data.” These assets, when appropriately implemented and managed, collectively contribute to an organization’s overall security posture and resilience against threats. 
3. Contractor Risk Managed Assets: These are assets that “can but are not intended to process, store, or transmit CUI” because of an existing security policy, procedures, or practices” currently in place. There are the assets for which the contractor assumes responsibility of managing the associated risks and may include: contractor-owned equipment, information systems, intellectual property, communication systems, and facilities.
4. Specialized Assets: These assets may or may not process, store, or transmit CUI and include things like operationalized technology, Internet of Things, restricted information systems, and test systems. 
5. Out-of-Scope Assets: The outliers that aren’t directly related to the CMMC assessment, specifically those assets and devices that do not receive, store, or process controlled unclassified information. 

As you can see, CMMC scoping is directly contingent upon how protected data moves through your organization. If the organization can maintain a smaller footprint — for example, by restricting the flow of this protected data to a limited number of devices and components — the organization may significantly reduce the costs and effort associated with their assessment. An excellent first step is to create a data flow diagram showing all processes, devices, and resources that interact with this data. As an organization entrusted with protecting this data, it is imperative that the organization accounts for all instances, uses, and interactions.  

Your assessor will, in part, verify that everything within those boundaries is sufficiently protected, configured correctly, and accessible only by those authorized.  

Factors Influencing Scoping 

There are a few primary factors that more frequently influence CMMC assessment scoping: that is, the organization’s size, structure, and complexity – including the use of external service providers or reliance upon cloud-based environments. 

For instance, a small company operating from a single location will likely have a different scope than a multi-site, sprawling enterprise. But irrespective of size and complexity, achieving CMMC levels is within reach for all. 

Moreover, as cloud environments gain popularity, understanding shared responsibilities between contractors and Cloud Service Providers (CSP) or External Service Providers (ESP) becomes crucial. This effort ensures that security controls relevant to the assessment are in place and evidenced appropriately. 

To make this process more digestible, the organization must identify these assets and provide adequate security controls for their protection. Doing so will help to facilitate and provide for: 

1. Regulatory Compliance: The primary focus of your CMMC assessment is to ensure that Department of Defense contractors are adequately controlling and safeguarding CUI. If any of these assets are missed in the assessment, it may lead to non-compliance, jeopardizing the contractor’s ability to win or retain DoD contracts.
2. Comprehensive Risk Assessment: Overlooking CUI assets can result in ‘blind spots’ in the contractor’s risk assessment. This may leave vulnerabilities unaddressed, exposing the contractor to an increased likelihood of a data breach.
3. Cost Efficiency: Properly identifying the scope reinforces that resources are effectively allocated to protect the most sensitive data and systems. Without clear identification and prioritization, there could be over-extension of resources or, conversely, gaps in protection. 
4. Consistent and Well-Managed Security Posture: Recognizing and recording how CUI data flows throughout your organizational systems, devices, and resources helps to ensure that the security measures are consistently and thoroughly managed across the board. 
5. Operational Efficiency: When boundaries and assets are clearly defined, it becomes easier to implement, manage, and monitor security protocols leading to smoother operations. 
6. Stakeholder Confidence: Effective demonstration of security control implementation and maintenance can boost confidence amongst the organization’s stakeholders – including DoD, current and prospective clients or business partners, and employees. 
7. 7. Control Legal and Financial Consequences: Failing to adequately define protected data and assets can lead to potential breaches, resulting in legal repercussions, financial penalties, and loss of business. 

Wrapping Up 

A practical cybersecurity approach isn’t just about having the right tools in place; it’s about understanding the systems, the data they protect, and the responsibilities that come with it. As we navigate the intricate world of cybersecurity, it’s comforting to know that the path to CMMC Level 2 certification is entirely achievable with the proper guidance and understanding. Prepare, protect, and proceed with confidence. 

Are you confident in your scoping strategy?