Building Your CMMC Assessment Scope

If you feel overwhelmed by the CMMC process and unsure even where to start, you are not alone. Many companies have had endless questions about where to start and what they can do to save time and money on their certification process. With the upcoming release of CMMC 2.0, RADICL is making the process easier.

What is Scoping, and Why Should You Establish your Scope? 

Establishing your scope is the first step in saving time and money when preparing for your certification. You can’t start preparing for an assessment if you don’t know what systems will be assessed. This is where scoping comes in. Under the current CMMC rules, there are 2 levels that most companies will fall under, and there is scoping for each level: 

  • The first level involves working with systems that process, store, or transmit Federal Contract Information (FCI).  
  • The second level deals with systems that process, store or transmit Controlled Unclassified Information (CUI).  

The definitions of FCI and CUI are given under their respective levels below.

Establishing your scope for your assessment will show you what systems need to be compliant with what standards. This will hopefully help reduce the size and impact of your organization's work.  

Below are the different levels and assets that could fall under your CMMC scope.  

Scoping Guidance for CMMC 2.0 

Level 1 

CMMC Level 1 covers 17 requirements for the protection of assets that process, store or transmit Federal Contract Information (FCI). FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” 

Specialized assets, and assets that are either logically or physically separated, are out of scope. Specialized assets include government property, Internet of Things (IoT) devices, operational technology (OT), and test equipment.

Level 2 

CMMC Level 2 covers 110 requirements for protecting assets that process, store, or transmit controlled unclassified information (CUI). CUI is defined as “Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding classified information.”  

When looking at the different types of assets that process, store, or transmit CUI, CMMC points to a few different asset types that fall under the Level 2 scope. These are the assets we will be looking for in our initial scoping and planning for Level 2.

Controlled Unclassified Information (CUI) Assets 

CUI Assets are “Assets that process, store, or transmit CUI.” These assets will include any cloud system, workstation, desktop, backup system, network asset or server that interacts with CUI.

Security Protection Assets 

These assets are described as “Assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI.” 

Security protection assets will not specifically handle CUI but will handle “Security Protection Data” which is listed as “log data, or configuration data”. Examples of these assets include vulnerability scanning tools, log management tools, managed detection and response tools, and access management tools like Active Directory.   

A big addition to CMMC 2.0 was including External Service Providers (ESP) in the scope. An ESP means “external people, technology, or facilities that an organization utilizes to provide and manage comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP.” 

Specialized Assets 

These assets are described as “Assets that may or may not process, store, or transmit CUI. Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment.”

Out-of-Scope Assets 

Assets listed as out-of-scope are described as “Out-of-Scope Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets or are inherently unable to do so.” 

The different separation techniques that CMMC identifies are as follows: 

Logical separation occurs when an asset is physically connected (wired or wirelessly) to another asset or set of assets, but software configuration prevents data from flowing along the physical connection path. Examples of mechanisms that provide controlled logical access include: 

  • firewalls; and 
  • Virtual Local Area Networks (VLANs). 

Physical separation occurs when an asset is not physically (wired or wirelessly) connected to another asset or set of assets. Data may be transferred manually using human control (e.g., a USB drive). Examples of mechanisms that provide controlled physical access include: 

  • gates;
  • locks;
  • badge access; and
  • guards.

Considerations for Scoping

Scoping helps a company narrow the level of effort needed to implement CMMC controls due to its targeted nature. Companies may choose to include their entire network in scope. This will result in enhanced security protections but also increase cost, time, and level of effort. Creating a CUI enclave is important for companies that decide not to include their entire network in scope. This is especially useful if a small subset of your employee base regularly interacts with CUI. Creating a CUI enclave limits the impact of an assessment and ensures that the scope remains limited.  

Stay tuned for further guidance on the CMMC process and how you can better prepare for your upcoming certification.