Loading...

CMMC scoping: How to ensure your scope is ready for assessment | Baker Tilly

Visualization of cmmc cui data

Webinar

CMMC scoping: How to ensure your scope is ready for assessment

Sept. 3, 2024 · Authored by Matt Gilbert, Jacob Stroupe

Understanding your scope starts with controlled unclassified information (CUI)

When considering your cybersecurity maturity model certification (CMMC) assessment—as with most important discussions—it’s best to begin by clearly defining your terms. In this case, the terms to define are federal contract information (FCI) and controlled unclassified information (CUI).

FCI is not public information, but it is provided by—or generated for—the government under a contract. Essentially, FCI is anything you are handling—that is not public information—as part of your contract with the government (specifically the Department of Defense (DOD), in the case of CMMC).

A subset of FCI, is CUI. This is also non-public information, belonging to the government, which is sensitive (though unclassified). What makes it CMMC CUI specifically, though, is that this information requires safeguarding or limitations with dissemination controls pursuant to various laws, regulations and government-wide policies. In short, CUI comes with special rules designed to ensure it is protected, handled and access is limited in appropriate ways.

Who makes the rules about CUI?

It’s important to note that CUI is not exclusive to the DOD, or CMMC. Executive Order 13556, under the Obama administration, officially defined CUI, established the National Archives and Records Administration (NARA) as the executive agent, tasked them with setting the standards, rules and policies for how to protect CUI and instituted this entire process.

Under such guidance, the requirements for CUI pertain to government agencies as well as federal contractors. It’s important to note, however, that this process establishes the bare minimum. The DOD can add to it, but they cannot deviate from the minimum. In fact, a series of policies and guidelines apply:

Executive Order 13556
32 Code of Federal Regulations (CFR) Part 2002 (implementing directive)
CUI Marking Handbook
CUI notices
CUI Notice 2020-01 (CUI implementation deadlines)
CIO Notice 2020-02 (alternate marking methods)

Matt Gilbert

Matt Gilbert

Principal

Related sections

Article Tags

Cybersecurity Maturity Model Certification (CMMC)

People shaking hands at a meeting to discuss cmmc faq

Next up

Cybersecurity Maturity Model Certification (CMMC) Q&A

A final consideration: How will the CMMC assessment cover third parties?

As you examine your CUI assets and data flow, you might have a couple of applications or tools that exist within the cloud. Or, as a company, you may have outsourced your information technology (IT) function to an external service provider. In these instances—and others like them—how will the CMMC assessment handle such involvement from third parties?

In the proposed rule (which may still change, though it’s close to finalization in its current form), the answer revolves around the differences between external service providers (ESPs) and cloud service providers (CSPs).

ESPs are defined in the rule as: External people, technology or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC program, CUI or security protection data (e.g., log data, configuration data, etc.), must be processed, stored or transmitted on the ESP assets to be considered an ESP.

Assessment requirements for ESPs are defined as: If the Organization Seeking Assessment (OSA) utilizes an ESP other than a CSP, the ESP must have a CMMC Level 2 final certification assessment or higher to match the OSA. If the ESP is internal to the OSA, the security requirements implemented by the ESP should be listed in the OSA’s SSP to show a connection to its in-scope environment.

Alternatively, cloud service providers (CSPs) are defined as: An external company that provides a platform, infrastructure, applications and/or storage services for its clients.

While assessment requirements for CSPs are defined as: An Organization Seeking Certification (OSC) may use a Federal Risk and Authorization Management Program (FedRAMP) moderate (or higher) cloud environment to process, store or transmit CUI in execution of a contract or subcontract with a requirement for CMMC Level 2 under the following circumstances: (i) the CSP product or service offering is FedRAMP authorized at the FedRAMP moderate (or higher) baseline in accordance with the FedRAMP marketplace; or (ii) the CSP meets security requirements equivalent to those established by the FedRAMP moderate (or higher) baseline.

Following such guidance, the pervasive question immediately arose—what is FedRAMP Equivalent?

The DOD issued a memo earlier this year stating that to be considered FedRAMP Moderate equivalent, a cloud service offering (CSO) must achieve 100% compliance with the latest FedRAMP Moderate security control baseline through an assessment conducted by a FedRAMP recognized Third-Party Assessment Organizations (3PAO) and present the following supporting documentation to the contractor as part of the Body of Evidence (BoE):

System Security Plan (SSP)
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of actions and milestones (POA&M)

Although the DOD’s memo provided concrete clarity regarding the equivalency question, 100% compliance is nonetheless a high bar to set (and reach!). Add to that the complexities of CUI asset categorization, data flows, proper CUI markings and so forth—and it’s easy to see how the CMMC assessment landscape can be difficult to navigate.

So, what’s the bottom line? Keys to your CMMC assessment:

Don’t wait until the assessment to understand its scope or address any challenging items.
Approach your potential C3PAO with questions and be ready to share the following: CUI data flows, asset listings and proper documentation for any judgment calls previously made about asset types or scope in general.
Understand your assessor’s view before you proceed too far into the assessment process.

Need help determining your path toward CMMC assessment? Have questions about CUI, asset categorization, data flows, FedRAMP Equivalency or more? We’re here to help.

Let’s take the first step — together.