CMMC 2.0 Scoping Documents and Assessment Guidance for Level 1
By Amy Williams, PhD, CISSP, CMMC-PI, CMMC-RP
CMMC 2.0 scoping guides were released for Levels 1 and 2 on Dec. 3, 2021, and the assessment guide for Level 1 was released 10 days later. In this post, we discuss what is in these new documents and their potential impact on how defense contractors prepare for Cybersecurity Maturity Model Certification (CMMC) compliance.
The last BlueVoyant CMMC blog addressed how changes made in the new CMMC framework will likely impact the defense industrial base. As context for discussing the scoping documents and the new assessment guide, major changes found in the new CMMC 2 framework are recapped below:
- Levels 2 and 4 from the prior model were eliminated, leaving 3 levels;
- Level 1 requirements are primarily the same except Level 1 companies can now self-assess;
- The new Level 2 maintains the 110 requirements from NIST 800-171, eliminating the 20 additional practices that were part of the first iteration of CMMC;
- Companies will now be allowed to have certain plans of action and milestones (PoAMs) at the time of assessment, but PoAMs will only apply to certain practices yet to be disclosed, and there must be an actionable plan for remediation of all PoAMs within 180 days
- Some companies may be eligible for assessment waivers, but there will be no partial waivers. Details yet to be disclosed;
- Last, but certainly not least, contractors required to comply at Level 2 - i.e., any company with controlled unclassified information (CUI) will be bifurcated, at least temporarily, into companies that can self-assess and companies that must be third-party assessed.
The Scoping Documents
The scoping documents for Levels 1 and 2 are surprisingly succinct. The Level 1 document is designed to help companies (that only process Federal Contract Information (FCI) ) scope their environment for conducting a self-assessment. The Level 2 document is designed to help companies with CUI in their environment identify what assets are in scope for CMMC compliance. Both scoping documents outline how to categorize assets according to whether they must be protected – i.e., whether they are in scope, and define types of assets that might be found in the contractor’s environment.
The Level 1 scoping guide is three pages long and starts by defining FCI Assets as those assets that process, store, or transmit FCI. The Level 1 guide goes on to define Specialized Assets as assets that can be categorized as Government Property; Internet of Things devices (IoT); Operational Technology (OT); Restricted Information Systems and Test Equipment. After describing these assets, the guide states that “Specialized Assets are not part of the Level 1 CMMC Self-Assessment Scope and are not assessed against CMMC practices.” Yet later in the document, additional guidance states that since FCI is a broad category of information, “contractors will likely focus the self-assessment on their entire environment,” which appears to conflict with the earlier statement.
Further, Level 1 guidance states that external service providers, network appliances, satellite offices, and other facilities should be taken into consideration when defining scope for a Level 1 self-assessment.
The Level 2 Scoping document is a bit longer at eight pages and provides clearer guidance that divides the assessment scope into the following four categories:
CUI Assets - Assets that store, process, or transmit CUI. These assets are in scope for all CMMC controls.
Security Protection Assets - Assets that provide security functions and capabilities within the contractor’s security assessment scope. These are required to conform to applicable CMMC practices regardless of physical or logical placement (i.e, cloud providers, third-party security companies are in scope).
Contractor Risk Managed Assets – Assets that can, but are not intended to process, store, or transmit CUI. These assets at minimum must be documented in an asset inventory, included in the SSP to show how they are managed and be included in the network diagram.
Specialized Assets – IoT, OT, government equipment, restricted information equipment, and testing equipment in the environment. These assets are also all in scope for the assessment in that they must be included in an asset inventory, included in the SSP and in the network diagram.
Scoping Document Analysis
Every additional bit of clarification that comes out helps improve understanding. Having said that, the greatest challenges with the new scoping documents are the same challenges that existed with CMMC 1.x and, indeed, also the initial NIST 800-171 self-attestation requirements. Small- and medium-sized companies, and even a few large companies, struggle with understanding what FCI and CUI exists in their systems, which further means that they have a difficult time determining where it exists since they are not sure what they have to begin with.
The National Archives and Records Administration lists 125 categories of CUI, broken down under 20 organizational index groupings. There is also DoD required training on effectively marking CUI. There is not yet, however, practical guidance on recognizing and understanding CUI. In practice, companies may receive CUI from the DoD, another contractor, a third party, or an internal colleague. And because CUI is a relatively new categorization, it may be marked as for official use only or another deprecated designation, completely unmarked, or newly created via an internal process. It might arrive via any known form of communications and stored in more than one way by different people on the same team.
These are the practical problems that need to be understood and addressed in meaningful ways to help contractors do better with cybersecurity. The “stick” as motivator only works when the participant understands what is required of them. Without that understanding, the “stick” is simply demoralizing. Accordingly, the new scoping documents, while a step in the right direction, still need significant development to truly facilitate an understanding of how to scope down FCI and CUI.
The Level 1 Scoping document is confusing from the perspective that it states what is in scope and what is not in scope, but then infers that really everything should be in scope.
The Level 2 Scoping document provides clearer guidance on how to assess specified assets but also raises a few additional questions. For example, as noted above, the new framework states Level 2 companies will be bifurcated into self-assessed and third-party assessed contractors, but the Level 2 Scoping document does not provide any guidance on whether requirements will differ at all between self-assessments and third-party assessments.
As a specific example, if a network diagram of the assessment scope (effectively a CUI dataflow diagram) is required, will self-assessing contractors be expected to upload those documents to SPRS? And if so, does this present any potential hazards for that company?
All of this is relatively new, and all new concepts take time to develop and refine. Based on BlueVoyant’s consulting experience, we believe the best thing that the DoD could do to fast track compliance is to first help companies better understand what CUI looks like, provide more guidance on how it typically comes in, where it typically flows, and provide some example best practices for illustrative purposes.
The New Level 1 Assessment Guide
A careful page by page analysis of the new Level 1 Assessment Guide reveals very little changes from the old Level 1 Assessment Guide. Self-assessment language replaces third-party assessment language at the beginning of the guide and each control was given a new functional name and a new control number. The specific control requirements are unchanged and the guidance for meeting each control is consequently also unchanged. Assuming guidance on how to meet the remaining Level 2 controls is similarly left as is, the Level 2 Assessment guidance should be out very soon (the DoD website states no later than mid-December).
A helpful next step for assessment guidance would be to present some pragmatic standards for implementation of practices. For example, if a contractor has standardized on a Microsoft platform, what are some examples of best practices around that platform? Provision of standards would go a long way toward remediating many of the issues currently facing the ecosystem. Without standards, the following are examples of problems that will continue to proliferate:
- Wide variation among and across Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and CMMC assessor interpretations of what constitutes a “met” practice;
- Variation in how consultants advise clients;
- Variation in how CMMC Third Party Assessor Organization (C3PAOs) manage engagements;
- Members of the same supply chain may have varying definitions of “sufficiency;”
- And, of course, there will simply continue to be a lack of understanding of best practices around various platforms, technologies and organizational practices that leave smaller companies with fewer resources out of the loop
What is at stake because of these missing standards includes, but is not limited to:
- Contractors lack confidence that they are performing at a best practices standard;
- Third-party risks are higher due to security practice variations that leave gaps in controls;
- C3PAOs and assessors potentially face greater liability;
- Time is wasted in assessments sifting through alternative answers to questions, costing the contractor more time and money;
- Small- and medium-sized companies lack the resources to comply;
- Assessors have less certainty in managing their processes and costs;
- Risks to our national security continue to proliferate with the absence of clarity.
In summary, every new bit of guidance that comes out is helpful and the scoping documents are no exception. We hope that authoritative guidance will continue to be developed and shared and we hope to soon see more “how to” guidance on recognizing FCI and CUI, particularly in light of the move to allow more self-assessments. Lastly, we will be on the look out for standards for meetings best practices.
Amy Williams is a BlueVoyant Senior Director of Proactive Services