CMMC 2.0: Start With Scoping

CMMC 2.0: Start With Scoping

What’s New in CMMC | Column 3

“What’s New in CMMC” is a regular column from MxD explaining aspects of the just-launched CMMC 2.0 framework.

“Where to begin?” is often the top question for manufacturers who haven’t started the work that will be required to comply with the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. 

The answer, experts say, is to start with scoping. 

Scoping, in a general sense, means assessing your environment. For CMMC specifically, scoping is determining what assets in your environment handle sensitive Department of Defense material including federal contract information (FCI) and/or controlled unclassified information (CUI); which cyber safeguards are required for those assets; and how any cyber safeguards will be measured.

CMMC 2.0, which was announced late in 2021, is not finalized. Officials say rule-making could take until late 2023, and contract compliance won’t be required until those rules are in place. 

But it’s important for manufacturers to get started now. And the DoD has already published several documents to help its contractors begin. Those documents include Scoping Guidance for CMMC 2.0 Level 1 self-assessment and Level 2 assessment. (Level 3 is still a work in progress as are details on third-party assessments.) 

 The documents for Levels 1 and 2 define which assets are “in scope,” with any asset that does not process, store, or transmit FCI (Level 1) or CUI (Level 2) “out of scope.”  

 So, where to begin? Laura Élan, MxD’s senior director of cybersecurity, says manufacturers should start by asking questions like: 

  • What federal contract information or controlled unclassified information am I getting?
  • How does it come into my organization? 
  • How does it move from one place to the next within my organization? 
  • Who has access and should they?

For example, if there’s a design for a part to be manufactured, the first step is to understand the path that design takes. 

Begin by determining how the design arrives. Is that via email or perhaps a secure file transfer protocol (FTP) site?  

Next, determine how many employees review the design and determine if they are able to print or forward it. Also, evaluate whether the number of employees with access needs to change. 

Then, how does the design move to the factory floor? And be sure to map out where it is stored and/or how it is destroyed. From there, Élan said, you can figure out which assets come into contact with the FCI or CUI and take the next CMMC steps.

Elan cautions that manufacturers shouldn’t limit scoping only to information under the CMMC umbrella.

Having a clear picture of how all of your sensitive data is handled — and making sure that information is locked down tight — is the smart thing to do and an industry best practice, she said. That sensitive data can range from the Social Security numbers stored by your HR department to any intellectual property. 

For help with scoping, she said, companies can turn to sources including the Unified Scoping Guide, a free resource from cybersecurity company ComplianceForge. 

“There’s a lot of sensitive data under the hood of any company,” Elan said. “And it all needs to be protected.”

Register your interest in a free assessment for Cybersecurity Maturity Model Certification (CMMC) and other cybersecurity protocols by filling out this form.