Our current definition of scope comes from 16th-century central Europe, when the firearm spread across the continent. Scopo, Italian for aim, derives from the Greek word skopos, ‘target’, whose roots lie in skeptesthai, ‘to look out.’
In terms of Cybersecurity Maturity Model Certification, or CMMC, ‘look out’ works. You need to know where federal contract information (FCI) and controlled unclassified information (CUI) live within your business, network, and deal flows.
The NIST Guide for Developing Security Plans for Federal Information Systems defines scoping guidance as:
Provides organizations with specific technology-related, infrastructure-related, public access-related, scalability-related, common security control-related, and risk-related considerations on the applicability and implementation of individual security controls in the control baseline.
A lot of complex jargon for defining the target you paint on the people, processes, and technology that touch the FCI or CUI a company handles as the result of, or on behalf of, a Department of Defense contract with the DFARS 7012 clause.
When it comes time for a CMMC assessment we only aim the light at these places. The assessor will target the areas where sensitive data lives. So we have to know how we protect data across our networks and those of our service providers.
You must know what an assessor would consider relevant when determining what parts of your business fall in scope. This includes people, processes, and technology. All three work in tandem to secure FCI and CUI.
You have to know what kind of supporting documents an assessor will ask for when determining whether the scope you provided matches their evaluation of how you protect data across your network and those of your service providers. This often begins with a network diagram.
What is a Network Diagram?
A network diagram illustrates how data moves through your system and includes “third-party services, cloud instances and remote access methods” (Compliance Forge, 2021).
You limit scope by creating boundaries, like a lock on a door, that only allow authorized users to interact with data they have a legal need to use. As a small business owner, a managed service provider delivering IT support, or a consultant working with an Organization Seeking Certification, you need the skills to quickly rough out a network diagram. To have a true network diagram you will need to engage a cybersecurity expert to perform a formative scoping assessment.
As a contractor or manufacturer in the Defense Industrial Base you should have the ability to draw a low-level diagram, a rough cartoonish sketch. Your Managed Service Provider or a cybersecurity expert will help you with a high-level diagram. This needs to be detailed and identify the ports, protocols and services. A high-level diagram will also account for the physical and logical boundaries that restrict access to authorized holders only.
What is a Boundary?
Amira Armond, President of Kieri Solutions, defines boundaries as anything that can break and allow data spillage. The lock works as a metaphor for boundaries because your physical boundaries fall in scope. Someone can break or pick a lock and steal data. Theft is data spillage.
Physical security helps us think about how boundaries fit in a network diagram of the data flow in our scope. You must lock your business to keep stuff from disappearing. So scoping guidance and network diagrams do include physical boundaries.
Just as we must lock our physical doors, we also have to restrict the public from our data on our networks and the networks of service providers. We call these logical boundaries. These logical perimeters extend to all users of a system who can output sensitive data without the intervention of another person.
The Committee on National Security Systems, a forum for the discussion of policy issues that is responsible for setting national-level cybersecurity policies, defines logical perimeters as:
A conceptual perimeter that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system without a reliable human review by an appropriate authority
So basically: can they print stuff off the Internet, and do you need to restrict this ability to “output” data to certain people? Many of these logical boundaries thus fall into the domain of Access Control, limiting who gets to see what, and when.
Logical boundaries also involve the processes of your company. Does marketing need access to FCI or CUI? Do you use access control policies to create a logical boundary? You can also use technology.
Just as we have doors and locks on our physical business we also keep technological locks using routers and firewalls.
What data are in scope?
You must begin by identifying where sensitive data exists in the day-to-day operations of your company. First you need to identify what contracts you have that flow from Department of Defense contracts with the 7012 clause. You then have to examine what data and artifacts you receive or create for this work. Now we can consider the people, processes and technology that touch and must protect CUI and FCI.
Every one of these projects that has FCI or CUI needs to have someone responsible for that data. Data must have an owner. Typically this could be a project manager. Often in small firms this may also be the President or CEO.
Once you know who owns the data you determine who should have access to it. You need to restrict the sensitive data to only those with a legal reason to use it. The fewer people in scope, the more money you often save. Every person in scope may have a workstation or want remote access.
Your systems, the technology, also fall in scope. Cell phones, email servers, cloud documents, and databases all contain CUI and require protection. In fact NIST wrote NIST-SP-800-171 to protect CUI on technology systems.
Finally you need to think not just about the logical boundaries but also the physical boundaries that protect your data. What buildings or offices does the data travel through? How are these spaces connected to the network? How are they secured physically?
Is scoping an Inventory Control?
Yes. Scoping inventories where CUI and FCI live, and you cannot scope without an inventory of your sensitive data. Just as you inventory all of the endpoints, printers, and routers that transmit CUI, you must first have a list of data, the associated contract/project, and the data owner. Only then do you know the data in scope. You can now track how it moves through your company.
What is a data flow diagram?
A data flow diagram identifies how sensitive data travels through your company and the people, processes, and technology that protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
You begin by creating a rough data flow diagram. First think of the physical transfers, like those between departments. Do you use the mail or USB drives, or does someone walk the data over? Then think about digital data. Do people share FCI and CUI via email or an encrypted file sharing service? Finally, do you have any processes that move data around, such as your ERP or CRM?
Creating a data flow diagram will help you save money. It will also act as policy. If you do not document how data travels you will not enforce how it should travel. You will fail your assessment.
In your network diagram you need to consider your data handling processes. CUI, while in transit, must have encryption. Controlled Unclassified Information also has rules for encryption when at rest. These rules will change based on where data gets stored. In a desk? A server on physical premises? The cloud? All of these locations impact your flow.
What about my floor plan?
Your facilities will fall in scope and you need to include them in your network diagram. As Amira Armond (2021) notes, “Physical security measures will be assessed only at the boundaries and within the in-scope area.”
So your facilities diagram should include information about where key card access lies, where visitors have access, and where CUI or FCI will exist and travel on your floor plan.
CMMC Practice MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
For many companies, especially smaller firms, it may be cheaper to keep your entire floor plan in scope. As you get larger, or if you are a subsidiary of a foreign firm, a CUI enclave will make more sense.
What technology is in scope?
Out of people, processes, and technology, the latter makes scoping hard. It comes down to: is this machine in scope? If this machine is in scope, how does that “contaminate” other areas and make them in scope too? This is the real challenge.
For example, if Server A is in scope, then what else must be in scope? You may use Active Directory as a logical boundary. In scope. What if the Active Directory that controls access to Server A has access to other devices on the local area network segment for Server A? This also means the anti-virus console for this server is in scope. This cascade only gets trickier. You really need an expert at this point.
Is My Managed Service Provider in Scope?
Maybe. Neither the DoD nor the CMMC-AB has released scoping guidance. So it is best to use your data flow diagram. If your MSP touches areas and endpoints where CUI gets transmitted or stored, they will fall in scope. In fact the group doing the CMMC Level 3 assessments of the C3PAOs requires the C3PAO to provide a compliance inheritance matrix from any managed service provider in scope.
You have many MSPs. Think about your keycard access logs: where do they live? What about access control policies on your third-party anti-virus? What about your enterprise email provider? You must document how these companies meet the requirements for handling sensitive data.
Are My Remote Employees in Scope?
Go back to your data diagram. If your remote or hybrid employees can send, receive, transmit, create, or destroy FCI and CUI from an alternative site, they fall in scope. You must document that you provide equivalent controls at remote sites to those at the home site. You have important technology steps to take to include remote employees in scope.
Are Suppliers and Subcontractors in Scope?
Maybe. Follow the data flow. A supplier may flow CUI down to you as a result of a contract with the 7012 clause. This of course falls in scope, for both of you. You may also have to send CUI to a supplier. Many companies design parts that have not changed for decades. They often need to rebid on contracts. One way to shrink your scope is to use a file sharing service. If you can keep email out of scope (not easy) you can save tens of thousands of dollars.
You need to decide where your scope ends. The C3PAO or CCA will know you can’t control everything a sub or a prime does. You must describe how they handle security controls. We call this inheritance.
What are the official CMMC rules on scoping?
They do not exist. The draft assessment guide reads:
Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued. Additional guidance on assessment scope will be available in the next version of this CMMC Assessment.
The best guidance we have comes from NIST SP 800-171:
The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.
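The scope “contamination” cascade around Server A described earlier, and the NIST SP 800-171 isolation approach quoted just above, can both be modelled as a walk over an asset inventory. The following is an added example, not code from the article or from any of the organizations it cites; the asset names, the segment layout and the two propagation rules are constructed assumptions chosen to match the text (CUI assets seed the scope, anything on the same segment with no boundary can reach CUI, and anything that provides security protection for an in-scope asset joins it).

```python
from collections import deque

# Constructed inventory (hypothetical asset names, not from the article).
# PROTECTS: asset -> assets it controls access to or secures.
PROTECTS = {
    "Active Directory": {"Server A", "Marketing Laptop"},
    "AV Console": {"Server A", "Marketing Laptop"},
    "Edge Firewall": {"Active Directory", "Server A"},
}
# Network segment each asset sits on. A firewall between segments is the
# logical boundary the article describes; assets on one flat segment have
# no boundary between them.
FLAT_NETWORK = {
    "Server A": "office-lan", "Marketing Laptop": "office-lan",
    "Active Directory": "office-lan", "AV Console": "office-lan",
    "Edge Firewall": "perimeter",
}
# Same inventory after moving Server A into a separate CUI enclave.
ENCLAVE_NETWORK = dict(FLAT_NETWORK, **{"Server A": "cui-enclave"})
CUI_ASSETS = {"Server A"}  # constructed: the only place CUI is stored


def compute_scope(cui_assets, protects, segment):
    """Return {asset: reason} for every asset pulled into the CMMC scope."""
    protectors_of = {}  # invert PROTECTS: protected asset -> its protectors
    for protector, targets in protects.items():
        for target in targets:
            protectors_of.setdefault(target, set()).add(protector)
    scope = {a: "stores, processes or transmits CUI" for a in cui_assets}
    # Rule 1: anything sharing a segment with a CUI asset can reach it with
    # no boundary in between, so it is contaminated into scope.
    for asset, seg in segment.items():
        for cui in cui_assets:
            if asset not in scope and seg == segment[cui]:
                scope[asset] = f"same segment as {cui}, no boundary"
    # Rule 2: anything that provides security protection for an in-scope
    # asset is itself in scope; repeat until the cascade stops.
    queue = deque(scope)
    while queue:
        asset = queue.popleft()
        for protector in sorted(protectors_of.get(asset, ())):
            if protector not in scope:
                scope[protector] = f"provides security protection for {asset}"
                queue.append(protector)
    return scope


if __name__ == "__main__":
    for label, net in (("flat network", FLAT_NETWORK), ("CUI enclave", ENCLAVE_NETWORK)):
        print(f"--- {label}: {len(compute_scope(CUI_ASSETS, PROTECTS, net))} assets in scope")
        for asset, reason in compute_scope(CUI_ASSETS, PROTECTS, net).items():
            print(f"  {asset}: {reason}")
```

On the flat network the marketing laptop is dragged in because it shares a segment with Server A; placing Server A behind an enclave boundary drops the laptop out while Active Directory, the AV console and the firewall stay in scope as protectors of a CUI asset.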
How do I get Started?
Jacob Horne and Ryan Bonner of DefCert suggest all companies conduct a scoping assessment. If you get the scope wrong you will fail your CMMC assessment. It all begins by inventorying the data. What DoD contracts do you have with a 7012 clause? Regardless of whether it is CUI or FCI, how does that data move through your organization? Start there.