This guide is provided by our sponsor: Kieri Solutions, a C3PAO candidate in Maryland USA.
Kieri Solutions uses this guide as part of their readiness review process with clients.
If your company needs a Gap Analysis for CMMC you may want to reach out to them!
CMMC terms used in this guide
CMMC = Cybersecurity Maturity Model Certification. DoD cybersecurity requirements which are verified by a third party assessor.
C3PAO = Certified Third Party Assessment Organization. A company that performs official CMMC assessments for certification.
FCI = Federal Contract Information. Mildly sensitive information used to deliver goods or services for a Federal Contract.
CUI = Controlled Unclassified Information. Very sensitive information which needs extensive cybersecurity protections.
CMMC ML1 = CMMC Maturity Level 1. “Basic hygiene” level of cybersecurity intended for the protection of FCI.
CMMC ML3 = CMMC Maturity Level 3. “Good hygiene” level of cybersecurity intended for the protection of CUI.
Legacy = Equipment or software that is old and doesn’t meet current standards for security or vendor support.
Before we start, let’s put this all into perspective
Why are you trying to get a CMMC assessment? Here is the standard scenario.
- Your company wants to bid on a DoD contract which requires a CMMC Maturity Level.
- To be eligible for that contract, you need to demonstrate that you have a secure information system for performance of the contract.
- You build a secure information system.
- You get the secure information system CMMC certified.
- You bid on a contract and state that you will use the certified information system for that contract.
- You win the contract.
- You use your certified information system to deliver goods and services for that contract.
- You bid on more contracts, stating you will use your certified information system for them too.
- Every three years, you get your information system re-certified.
We hope this is how your CMMC experience goes. But this scenario leads to some questions that haven’t been answered yet.
Unanswered questions about certified information systems and contracts
Q: If a contract requires CMMC ML3, does the government expect all FCI for that contract will be kept on the certified information system?
Q: (Phrased differently) Can you use a CMMC ML1 information system to store FCI for a contract that requires CMMC ML3?
Q: If multiple certified information systems will be used for a contract, how does a company describe this during bidding?
Q: For a contract that requires CMMC ML3, does every subcontractor need their own CMMC ML3 information system, no matter what?
Q: Can subcontractors say they will use a partner’s certified information system during the bid process?
Q: Can subcontractors say that they won’t deal with FCI or CUI so they don’t need a certified information system?
Q: If your information system loses its CMMC certification while you are in the middle of a contract, what happens?
Do we need the answers now?
To get your information system assessed, we don’t need to know the answers to these questions. We just need a secure information system, an identified scope, and an approved assessment team.
Once you have your certificate and are trying to bid on contracts, these questions will be critical. These questions have not been answered officially by the DoD.
We are sure about one thing: We plan to use a CMMC certified information system for performance on at least one DoD contract.
Now we have perspective on all this, let’s get back to scope.
What is scope / scoping?
When you request a CMMC assessment for certification from an assessment organization, you (the client) will need to identify scope.
Scope is like a spotlight on your network diagrams which says “look at this, but not anything else”.
Good news: You have the freedom to draw scope around your systems any way you choose.
Bad news: You will need to justify your scope selection. If your scope doesn’t meet certain rules, the assessor should not accept the job.
WidgetsUSA shows the assessor their network diagram for the entire company. WidgetsUSA has identified three computers, the switch, and the firewall as being “in-scope”. If the assessor agrees, the CMMC assessment will only consider security for the in-scope systems.
WidgetsUSA intends to bid on a DoD contract to make F-18 parts. They have identified their headquarters and jet fighter manufacturing facility as in-scope. If the assessor accepts this scope, then the assessor will not inspect physical security at the Marketing or Commercial Airliners facilities.
WidgetsUSA has identified staff which support Department of Defense projects as in-scope. These staff need access to facilities or systems that are in-scope. The out-of-scope staff can perform their jobs without using these systems or facilities.
How do you identify scope to an assessor?
When you engage with a C3PAO to perform an assessment or gap analysis, they should ask you to identify scope.
They might ask you to fill out a standard template, provide your security documentation, or schedule meetings to identify scope together.
This section will describe common ways that a client can describe (and justify) their scope to an assessment organization.
1. Identify where your sensitive data exists
Protecting sensitive data, specifically FCI and CUI, is what CMMC is designed to do. You need to ask yourself the following questions:
Q: Where is FCI and CUI stored on my systems? Examples are file servers, email servers, manufacturing servers, clouds, PCs, databases.
Q: Which of my staff access FCI or CUI? Their workstations probably have FCI or CUI on them too.
Q: Who is responsible for this data? Typically project managers and supervisors are data owners.
Q: Which buildings have FCI or CUI stored in them? Which buildings have network connectivity to FCI or CUI systems?
Now that you’ve thought these questions through, make a list of each location where FCI or CUI is stored. Remember that FCI is a parent category for CUI, so each location with CUI may also be listed as FCI.
WidgetsUSA has created a list of sensitive data for the contract(s) that will use the CMMC certified information system. Their scope should include every location in this table at a bare minimum.
2. Data flow diagrams are evidence that your scope is realistic
The next documentation you should use to identify scope to an assessor is your data flow diagram. Or diagrams. In a typical organization, there are many ways that sensitive data can be transmitted between systems. When your diagram starts getting cluttered, split it up!
What are some common ways for data to flow?
- Processes (interfaces) which move data between companies automatically
- Digital transmission between people (email, web-based file sharing)
- Physical transfers between offices or departments (mailing, courier, employee carries)
It is important to have a functional and realistic scope
Don’t be this person.
Your data flow diagrams should demonstrate that you have functional ways to move sensitive data into and out of your in-scope system.
If your employees are using undocumented methods to move FCI and CUI around, you will probably have a bad time during your assessment.
WidgetsUSA receives FCI via email from their contract partners and the U.S. Government. The FCI may be transmitted between the email server, end-user computers, the file server, and the printer. WidgetsUSA may send emails out to their contract partners and the U.S. Government which contain FCI.
WidgetsUSA is building a prototype F-18 part for the Department of Defense. Because this part cannot be secured to CMMC Level 3 requirements, it is protected separately from the rest of the network. Test data is sent digitally from the Department of Defense to the secure file share. It is received by an engineer who puts the data onto a USB drive and carries it to the prototype for upload.
The prototype is ready for operational testing by the Department of Defense. It is escorted by the factory supervisor to the shipping dock, where it is prepared for transport according to identified CUI procedures. The package is tracked until delivery and the Department of Defense notifies the WidgetsUSA project manager when they receive it.
Data flow diagrams can show many different methods of moving FCI and CUI. Your organization needs to demonstrate that they understand the interim steps that the data moves through and have protections at each step.
Sidebar: Why isn’t the entire data flow in-scope?
You may have noticed that the Partner / Government is not in-scope in the diagrams above. Why not?
Assessors understand that a company can’t control everything. Your responsibility needs to end somewhere.
You need to make a thoughtful decision about where your scope ends. You should be able to describe why you feel that the other side (the Government or Partner) can handle their own security. Perhaps you have flowed-down the regulations in your contract with them. Maybe they flowed-down to you. Maybe they sent you FCI or CUI first. After 2026, the answer should be, “Because I verified they have a CMMC certified information system.”
Your scope assignment shouldn’t be arbitrary. Be prepared to describe why you feel that something isn’t in scope. For items that are not in-scope, how can you trust that the data will be safe?
3. Network diagrams
Network diagrams are the most traditional way of identifying scope to your assessor. You should definitely provide at least one network diagram during the assessment planning stages.
WidgetsUSA plans to use their main business network for DoD contracts. They provide a network diagram to the assessor which shows the external boundaries (their firewall and the gateway of their cloud service provider). Because their remote laptops use VPN, they feel that the corporate firewall acts as an external boundary to protect those remote laptops.
4. Facilities diagrams
WidgetsUSA shows the assessment team their headquarters’ building layout. All networking, devices, and physical documents used for the F-18 contract is kept within a secure portion of the building. Physical security measures will be assessed only at the boundaries and within the in-scope area.
5. Org Charts
Organizational charts to describe scope are optional. They are mentioned here because some companies find it very helpful to identify the people who will access their in-scope network, particularly at CMMC ML3.
WidgetsUSA considers the president of the company and CFO in-scope because they can exert major influence on security for the F-18 contract. While most of the IT department is out of scope, the CIO and one administrator (United States persons) are in-scope because they have administrative access to the in-scope systems. Operational team members are in-scope because they are performing the day-to-day work on the contract.
How complex do your diagrams need to be?
For purposes of identifying scope to us (Kieri Solutions), we don’t feel that diagrams need to be very detailed. They need to show enough information that an external person can orient themselves and understand major systems and functionality. They should show external and internal boundaries clearly, and serve as a guide to identify whether specific devices or locations are in-scope or not.
Can a scope diagram be too detailed?
Yes. If your diagrams have large amounts of redundancy (such as showing every single device in your organization), it is probably too detailed. That amount of information makes it harder for the assessment team to understand the overall network and major systems. Keep those detailed diagrams for management of your IT systems and architectural reviews.
What are the rules for scope?
This article is about how to identify your CMMC scope to an assessment team (or to a Gap Analysis team). As you’ve seen, this article has lots of suggestions for how to describe your scope to an external party.
This article is not an authoritative source for whether your scope is correct or not. You and your assessor should rely on official sources to determine whether your scope follows the rules.
CMMC official rules for scope
There is very little scoping guidance released yet for the CMMC. The scoping section in the CMMC Assessment guide says:
Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued.
Additional guidance on assessment scope will be available in the next version of this CMMC Assessment Guide – Level 3.
CMMC Assessment Guide for Level 3, Page 3. Released November 30, 2020.
Carnegie Mellon University’s Software Engineering Institute (the authors of the CMMC Model) put out this webinar about CMMC Scope in September 2020. While it isn’t authoritative, it has great information about how scoping has been considered so far.
NIST SP 800-171 Rev. 2 rules for scope
The clearest guidance for how to scope information systems is currently contained within NIST SP 800-171 Rev. 2.
The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.9 If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.
9 System components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications.
NIST Special Publication 800-171 Rev. 2. Page 2, Chapter 1. Updated January 28, 2021.
Can NIST SP 800-171 scope guidance be used for CMMC?
Maybe! 800-171 is very authoritative in regards to CMMC. The CMMC is primarily sourced from 800-171 (about 50% of the words in the CMMC Assessment Guides are from 800-171) and the CMMC has not modified any of the guidance that was incorporated from 800-171. But the CMMC guides did not include this paragraph. Was that an indication of disagreement? We don’t know.
Interview with the CMMC Accreditation Body regarding CMMC Assessment Scope
This Question & Answer interview may shed light on how scope is being taught by the CMMC Accreditation Body and CAICO. These are not published documents, however, so they are less authoritative than other sources.
What is the difference between physical boundaries and logical boundaries?
Physical boundaries prevent unauthorized people, or the tools they deploy, from reaching your in-scope systems.
The most common example of a physical boundary is a locked door. Here are some less obvious physical boundaries:
- A locked cabinet that protects laptops during non-working hours.
- A metal enclosure that protects network devices in a shared office building from tampering.
- Conduit around critical cabling on the outside of your building.
- The area where your wireless signal runs out of strength (or turning off WI-FI).
- Unplugging a network cable that used to run between buildings.
Use logical boundaries when you can’t implement adequate physical boundaries
Logical boundaries are used to protect things that you cannot protect with physical boundaries. Here are some examples of logical boundaries.
- When access to the internet is required, (which means you have an unbroken physical connection from your network to the rest of the internet), firewalls create logical boundaries.
- When your WI-FI network signal extends outside of your building, the passcode is a logical boundary which prevents unauthorized people from accessing your network.
- A cloud email system has millions of users. The cloud gateway is a logical boundary which only allows access to the account’s mailbox.
So without guidance, what are the rules for scope?
It is dangerous to try to answer this question because we don’t have official guidance yet for CMMC scoping.
The best we can do is give some considerations which may help you identify whether your scope is well thought out.
Identify your “data systems”
What systems do you have that process, store, or transmit FCI or CUI? Let’s call these “data systems”.
Identify connected systems
Do you have systems with logical connectivity to “data systems”? For example, your development laptop can communicate freely with the F-18 prototype over the network.
Do you have systems with physical connectivity to “data systems”? For example, the building maintenance team can physically access the F-18 prototype.
Identify systems with security roles
Do you have systems which perform security protection for “data systems”? For example, the walls and doors of your facility perform security for the F-18 prototype. The server at headquarters authenticates all accounts that are used in the F-18 development network. Janet the systems administrator is responsible for patching computers on your FCI network.
Are your boundaries effective to limit scope?
Are your logical or physical boundaries adequate to prevent malicious activity from traversing through them? For example, if an accountant’s laptop was compromised by a hacker, could they attack the F-18 prototype from it? If a non-employee was intent on stealing your F-18 prototype, could they reach it? If yes, then your scope may need to expand beyond those ineffective boundaries until you find an effective boundary.1
Are you protecting your entire scope?
Are the systems with logical or physical connectivity, or that perform security protection, protected at the same level as your “data systems”? For example, is the building maintenance team screened at the same level as your federal factory team?
1 If your boundaries are ineffective, the unofficial rules for scoping say that your scope expands and expands until it reaches an effective boundary. If all else fails, the heliosphere is widely considered an adequate boundary. Make sure you have a good boundary to limit your scope!
How should you plan your scope for CMMC?
Should you keep your scope as small as possible?
Keeping your scope small is a great idea in most cases. Especially if you seek CMMC ML3 or higher.
Performing high levels of cybersecurity is expensive. Each device, facility, user, or system added to your scope will add cost. Examples of cybersecurity costs that increase with scope are:
- Labor to screen and monitor personnel
- Labor to maintain and monitor security systems
- Labor to maintain systems (patching)
- Licenses or purchase cost for security systems
- Training and managing your staff
Your assessment is more likely to succeed and cost less with a smaller scope.
- The assessor needs to visit fewer locations
- The assessor needs to consider fewer systems for each security requirement
- You can concentrate your efforts, reducing the risk of problems
What are problems with selecting a small scope?
WidgetsUSA has created a second “in-scope” network to use for Department of Defense projects. For the in-scope network to be functional, they needed to add a second server , a second switch, and a second printer. The existing systems (Server A, Switch A, Printer A) cannot be used for the in-scope systems because the firewall blocks them (due to scoping rules).
When you select a sub-set of your systems to be in-scope, you still need to provide a certain amount of functionality for the in-scope systems. For example, most users need to be able to print and email from their in-scope systems. This can result in duplication or complexity. You may decide to give your in-scope users two laptops: one for the in-scope system, and one for your regular system. This can be frustrating and confusing for your users.
Should you select a larger scope?
In some cases, it makes sense to include your entire company’s networks, facilities, and staff in your scope. This is often the best choice for small contractors seeking CMMC Level 1 certification. It can also be a good choice for contractors that only perform Federal work.
Benefit: If you have all your systems in the same scope, then you can standardize how you operate your systems.
- All of your staff go through the same screening and training process
- Costs related to duplicate systems are saved. Your user don’t need to juggle multiple computers or accounts.
- Your entire company benefits from better cybersecurity (hooray!)
What are the drawbacks of larger scope?
- At CMMC Level 2 and above, your users have way less freedom to customize their computer
- As your scope increases, the skilled labor needed to keep it secure also increases
- Some legacy systems simply cannot meet requirements for CMMC Level 2 and above. You will want to keep those “out of scope”, or you might fail an assessment because of them.
What should I do now?
No matter where you are in your CMMC compliance journey, you should spend time defining your scope as described in this guide.
Starting from scratch? Building these data flow diagrams and lists of where sensitive information exists will help you design systems that support functionality for your users.
Mid-way through your project? This is a good time to update your diagrams, re-evaluate the quality of your boundaries, and consider the systems that provide security.
Ready for CMMC assessment? You should review your scope diagrams to ensure they are understandable by an assessor.
Thanks to Kieri Solutions for this article about how to identify scope to your CMMC assessment team (or in the short term, your CMMC Gap Analysis team).
What do you think? Have you seen any other official guidance on scope?
Heard anything about whether a CMMC ML3 contract will allow its FCI to be handled in a ML1 system?
Please comment and share if this was helpful to you!