FORVIS Perspectives on CMMC 2.0 Level 2 Scoping

On the heels of the Cybersecurity Maturity Model Certification's (CMMC) reboot, dubbed CMMC 2.0, the Department of Defense (DoD) released official scoping guides for the refreshed CMMC levels 1 and 2. With the newly defined scoping guidance, contractors can better prepare for CMMC compliance with more confidence.

FORVIS' CMMC advisory team has prepared the following overview of the level 2 scoping guidance and highlights key takeaways for contractors to consider as they prepare for CMMC certification.

Scoping Overview

CMMC 2.0 scoping guidance introduces asset categories of systems that could impact the length and complexity of a CMMC assessment.

Three Unfamiliar Asset Classes

Prior to the release of official scoping guidance, Controlled Unclassified Information (CUI) assets and Out-of-Scope assets subjugated the majority of scoping efforts. With the release of official guidance, contractors must consider three newly defined asset classes that can have a significant impact on potential assessment scope.

Security Protection Assets (SPAs): SPAs encompass people, technology and facilities that provide security functions or capabilities within a contractor's CMMC assessment scope. They represent the largest expansion of potential scope and extend CMMC requirements to security consultants, cloud-based security solutions, outsourced security centers and many more areas that may have previously been omitted from scoping considerations.

The security requirements defined within NIST 800-171 were previously extended to the SPA asset category prior to CMMC 2.0. However, the guidance lacked detail and organizations may not have considered their SPA assets in scope for an assessment. With CMMC 2.0, contractors must document SPA assets within their System Security Plan and validate that applicable NIST 800-171 control requirements are met.

Contractor Risk Managed Assets (CRMAs): CRMAs are assets capable of, but are not intended to process, store or transmit CUI because of policy, procedures or practices in place. In contrast to SPAs, CRMAs represent the most likely justification for contractors to reduce their potential assessment scope. These assets are not required to be logically or physically separated from CUI assets but, at a minimum, these assets and associated risk-based security policies must be documented in the CMMC asset inventory, applicable system diagrams and the System Security Plan. Accurate documentation of these assets and associated policies could largely take them out of scope of an assessment.

Some previously held CMMC scoping ideologies required contractors to implement network layer segmentation or data loss prevention (DLP) as a means of separation, thus, the allowance for documented risk-managed policies or procedures represents a lifeboat to many contractors with limited IT or security resources.

Specialized Assets: This is a broad category of assets that includes government property, Internet of Things (IoT), Industrial Internet of Things (IIoT), Operational Technology (OT), Restricted Information Systems and test equipment. Specialized assets and associated risk-based security policies must be documented in the asset inventory, applicable system diagrams and the System Security Plan. If adequately documented, an assessor only needs to verify that these assets and their risk-based policies are included in the System Security Plan.

Contractors struggling to implement CMMC requirements across these assets may now take a risk-based approach as these specialized assets represent a continuously growing threat vector. Contractors must still be prudent to identify and apply strong security controls over these assets. Network segmentation is a common technique used to reduce risks associated with the use of OT and IoT and can be an effective tool to mitigate risk and reduce CMMC scope.

3 Action Items

1. Revisit Previous Scoping Determinations: Review previously defined scope and validate whether assets and their assigned class have been defined in asset inventories and the System Security Plan. Accurate identification and classification of assets is the first step to preparing for CMMC certification under the official scoping guidance.
    
2. Review System Security Plan: As the primary means of demonstrating compliance, contractors should validate that existing System Security Plans identify the different asset classes in place in the environment. To reduce assessment scope, it is critical that System Security Plans are updated to identify risk-based policies applied to CRMAs and specialized assets. Control implementation for security protection assets should be documented for all relevant CMMC practices.
    
3. Review and Refresh Self-Assessment: With additional information cementing CMMC scoping requirements now available, contractors should ensure that their current compliance posture is understood and documented. An updated self-assessment to consider new scoping guidance will provide contractors a clear idea of where they stand ahead of voluntary CMMC assessments and anticipated rulemaking.

How FORVIS Can Help

FORVIS is an Authorized CMMC 3rd Party Assessor Organization (C3PAO) with the CMMC Accreditation Body, able to perform CMMC certification assessments for contractors of all sizes and complexity across the country.

Look to the team of IT professionals at FORVIS to tailor our industry insight to the specific cybersecurity needs of your organization. FORVIS offers a comprehensive suite of cyber and data privacy and compliance services, as well as a full understanding of the evolving compliance requirements. To learn more about our technology services, please reach out to us.