Last Updated on August 20, 2024
Thousands of small to midsized businesses (SMBs) in the US defense industrial base (DIB) will soon need to achieve Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance and certification. But according to Radicl’s new DIB Cybersecurity Maturity Report 2024, 56% of SMB defense suppliers are between 1 and over 2 years away from that goal.
What are the issues creating this collective roadblock? And what can DIB orgs do to get on track?
This article highlights the critical significance of determining the correct scope for your CMMC environment, which will largely dictate the magnitude of your CMMC Level 2 certification effort. You’ll learn about the most important CMMC scoping factors, why scoping can be a big challenge for DIB SMBs, and tips for getting scoping right.
What is scope in your CMMC program?
Correctly scoping the environment you need to secure is the first step on the path to achieving compliance with any cybersecurity standard, including CMMC. Until you understand the scope of your CMMC environment, you can’t assess your risks, identify gaps in your current cybersecurity posture, or decide how best to implement the CMMC controls.
Also called context, scope is the intersection of all the key factors that go into identifying what sensitive data you need to protect, how it flows, and where it resides within your IT landscape. One way to concretely understand scope is to list those key factors. They include:
- The physical locations where you store sensitive data
- All your IT systems and applications that store, process, and/or transmit sensitive data
- Any cloud services that store, process, and/or transmit sensitive data
- Which employees or vendors have access to sensitive data
- Legal requirements or other special requirements impacting the sensitive data (like whether it is subject to US government ITAR or NOFORN regulations)
- Any data your US Department of Defense (DoD) contract specifies as in scope
- Any specific stakeholder demands or requirements regarding sensitive data
- Risks to the data, along with its value and the consequences of it being lost, destroyed, stolen, made public, etc.
- And more…
Once you’ve scoped your CMMC environment, you can decide if you will certify your entire IT footprint against CMMC, or if you can create a CMMC “enclave” and make that the only part of your IT that touches CUI. Minimizing how many systems, locations, services, etc. you need to certify as CMMC compliant can significantly reduce the time, effort, and cost of your CMMC certification program.
How does CMMC scoping relate to CUI?
CMMC’s purpose is to protect CUI where it resides on defense suppliers’ systems. Therefore, identifying and marking all your CUI is where scoping your CMMC environment begins. Once you know what CUI you have, you can figure out what IT assets are associated with CUI and therefore relevant to CMMC compliance.
These three processes—scoping, identifying CUI, and asset management—are inextricably linked. A recommended scoping approach is:
- Start by identifying all your IT assets. In other words, you need an asset management program to even think about CMMC compliance.
- Determine what CUI you will receive as part of your DoD contract, along with what CUI you already have. This can be a major challenge for many DIB orgs because CUI doesn’t come pre-marked. To get this right, you must thoroughly understand the US government’s definition of CUI (see below) and what parts apply to your business.
- Create a data flow diagram that illustrates all the assets that directly store, transmit, and/or process CUI. Your CMMC program needs to protect all these assets.
- Now identify additional assets besides CUI assets that CMMC requires you to protect. These include:
  - Security protection assets, such as firewalls or endpoint protection software, that serve to protect CUI. Note that CMMC explicitly considers MSP and MSSP solutions and services as security protection assets.
  - Specialized assets, like government furnished equipment (GFE), sensors and other IoT devices, and operational technology (OT) such as test equipment, 3D printers, or CNC machines that could create and/or handle CUI.
  - Contractor risk managed assets, such as policies and contracts designed to limit or prevent sharing CUI, that you use to mitigate the risks associated with sharing CUI with your vendors.
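The scoping steps above can be checked mechanically: the following added example (not from the article or from Radicl) takes a constructed asset inventory and data flow list, propagates CUI downstream along the flows, and sorts each asset into the CUI, specialized, security protection, or out-of-scope category. The asset names, attributes and flows are hypothetical sample data; contractor risk managed assets are not modelled.

```python
"""Classify an asset inventory into CMMC scoping categories by following CUI data flows."""
from collections import deque

# Constructed asset inventory (hypothetical names and attributes).
# "protects" lists the assets a security tool defends; "ot" marks operational technology.
ASSETS = {
    "file-server":   {"type": "it",       "handles_cui": True,  "protects": []},
    "eng-laptop-01": {"type": "it",       "handles_cui": False, "protects": []},
    "cnc-machine":   {"type": "ot",       "handles_cui": False, "protects": []},
    "hr-portal":     {"type": "it",       "handles_cui": False, "protects": []},
    "edr-agent":     {"type": "security", "handles_cui": False, "protects": ["file-server", "eng-laptop-01"]},
    "msp-rmm":       {"type": "security", "handles_cui": False, "protects": ["hr-portal"]},
}

# Constructed data flows from the data flow diagram: (source, destination, carries_cui).
FLOWS = [
    ("file-server", "eng-laptop-01", True),
    ("eng-laptop-01", "cnc-machine", True),   # engineering drawings sent to the shop floor
    ("file-server", "hr-portal", False),      # non-CUI traffic only
]


def cui_assets(assets, flows):
    """Assets declared to handle CUI, plus every asset CUI flows into (transitively)."""
    downstream = {}
    for src, dst, carries_cui in flows:
        if carries_cui:
            downstream.setdefault(src, []).append(dst)
    in_scope = {name for name, attrs in assets.items() if attrs["handles_cui"]}
    queue = deque(in_scope)
    while queue:                      # breadth-first walk along CUI-carrying flows
        for nxt in downstream.get(queue.popleft(), []):
            if nxt not in in_scope:
                in_scope.add(nxt)
                queue.append(nxt)
    return in_scope


def classify(assets, flows):
    """Return {asset: category}; everything not 'out_of_scope' belongs in the CMMC enclave."""
    cui = cui_assets(assets, flows)
    categories = {}
    for name, attrs in assets.items():
        if name in cui:
            categories[name] = "specialized" if attrs["type"] == "ot" else "cui"
        elif any(target in cui for target in attrs["protects"]):
            categories[name] = "security_protection"
        else:
            categories[name] = "out_of_scope"
    return categories
```

Note that the laptop and the CNC machine land in scope purely because CUI flows to them, which is the kind of asset a scoping exercise based only on declared storage locations would miss.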
Understanding your assets, your CUI, and how your CUI is processed is foundational to protecting sensitive data and achieving CMMC compliance. Without these capabilities you cannot legally participate in DoD contracts that involve CUI, nor can you protect sensitive data from adversaries, including your own intellectual property, employee records, financial data, etc.
Why is CMMC scoping difficult for many DIB SMBs?
According to Chris Petersen, CEO at Radicl, the stumbling block holding so many DIB SMBs back from achieving CMMC compliance and robust cybersecurity overall is a lack of specialist CMMC expertise, both within the SMB itself and at its current IT or cybersecurity service provider(s).
“How do you carve out that enclave and make decisions around that?” posits Chris. “That’s not an easy decision to navigate if you don’t understand the CMMC framework, the regulations, what is considered CUI and what is not. It’s a bit of the blind leading the blind. This is where consulting partners can help out a lot.”
A significant percentage of organizations that engage with CMMC consulting specialists like Radicl or CBIZ Pivot Point Security had a “bad experience” with their first consulting partner. It takes knowledge and experience to put all the pieces in place around data, assets, regulations, controls, compliance monitoring, and more.
MSPs/MSSPs are also in scope for CMMC
CMMC requirements are now less than a year away. This timeline is accelerated for many DIB companies by their prime contractors, many of which are demanding provable CMMC compliance ahead of the CMMC rulemaking.
As time is running out, a major potential issue for many companies looking to get CMMC certified is that their in-scope MSP/MSSP cybersecurity partners also need to be CMMC compliant, per CMMC flowdown requirements. Start by asking where your current providers stand in relation to CMMC and NIST 800-171.
“There are a lot of companies that aren’t thinking about this yet,” Chris notes. “They will likely have a very unwelcome surprise when they realize that their MSP is not where they need to be, therefore they cannot achieve certification. They may have to scramble to find a new provider—and those things take time.”
Tips for identifying all your CUI
Whatever CUI you have will be in scope for CMMC. But once you identify all of it, you can probably find ways to limit its access and use to reduce the size of your CMMC enclave and optimize your overall CMMC effort.
How can you identify CUI? Here are some tips:
- Start by pinpointing where data comes into your business, what data is coming in, and where it goes from there.
- Often the DoD does a poor job identifying CUI in contracts, so you may need to ask your prime contractor or DoD contract officer.
- Dig into the NARA registry to get a feel for which classes and categories of CUI could apply to your business.
- Study the US government’s guidance on defining, categorizing, and marking CUI and apply it to your data. FIPS 199, the federal standard for classifying data and systems, is a useful reference.
What’s next?
For more guidance on this topic, listen to Episode 140 of The Virtual CISO Podcast with guest Chris Petersen, CEO at Radicl.