Now and in the following months, many defense contractors will begin to see CMMC requirements appear in their contracts. These organizations will need to engage with a C3PAO, schedule an audit date, and reevaluate how their business is run in order to adhere to regulatory requirements. For many small to medium-sized businesses, achieving compliance can be complex, time-consuming, and costly. This is why, prior to doing anything else, your organization must understand where its CUI boundary lies and how data, people, and devices are secured.
Defining Scope
Before a CMMC level 2 assessment begins, your organization must define and document the scope of systems and services that will be evaluated. However, this isn't a simple inventory of your devices, people, and applications. Your scope must exhibit an understanding of what CUI you have and how it moves through your organization. During this initial phase, your organization is effectively building a map, showing where critical information is stored and who has access to it.
What is CUI?
Controlled Unclassified Information (CUI) is information created or possessed by contractors or the government that, while not classified, requires safeguarding and dissemination controls. CUI is defined within the CUI Registry and may include:
- Personally Identifiable Information
- Critical Infrastructure Data
- Proprietary business information
- Blueprints
- Technology specifications
- etc.
Your organization must create a diagram of how CUI flows through your organization. You should have a thorough understanding of where CUI comes from, where it is stored, how it is processed and by which applications, where it leaves the organization, and who has access at each step.
Once you've established where CUI exists, you must draw a boundary that defines what is in and what is out. Your boundary must include the physical infrastructure, virtual and cloud environments, identity and access management platforms, and any other tool or service provider that accesses CUI. Another crucial aspect of defining your scope is compiling an inventory of your organization's assets. This includes your CUI assets, security protection assets, contractor risk managed assets, specialized assets (OT or IoT systems that aren't easily replaced or isolated), and out-of-scope assets. Classifying these assets enables you to make defensible scoping decisions and conduct assessments that are efficient and accurate.
Including Cloud and Managed Service Providers
Your scope should not be limited to just your organization's own systems. Many businesses utilize third-party service providers to aid in securing, processing, storing, or transmitting CUI on their behalf. Cloud service providers (CSPs) and managed service providers (MSPs) are considered in scope if they come into contact with CUI or contribute to its security. These service providers must be included in your system security plan (SSP) and will be evaluated during your audit.
CSPs are always considered in scope for CMMC assessments if they host, process, store, or transmit Controlled Unclassified Information (CUI) on behalf of your organization. This includes both Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) providers when their platforms are part of your CUI environment. Any CSP handling CUI must either hold a FedRAMP Moderate authorization issued by the General Services Administration (GSA), or provide evidence of FedRAMP equivalency, meaning their security posture and controls demonstrably align with the FedRAMP Moderate baseline requirements.
An External Service Provider (ESP), which includes MSPs, is any third-party organization that processes, stores, transmits, or has the ability to impact the security of CUI systems on behalf of an Organization Seeking Certification (OSC). If a vendor has remote access, manages technical configurations, installs or troubleshoots software, handles backups, or performs any activity that could affect the confidentiality, integrity, or availability of CUI or the systems that protect it, they are considered an ESP and are in scope for the CMMC assessment.
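To make the flow-mapping and asset-classification steps above concrete, and to show how the CSP FedRAMP check folds into the same inventory, here is an added example (not from the original post or from CorpInfoTech). It follows documented CUI flows to find every system CUI reaches, assigns the CUI, security protection, specialized and out-of-scope categories, and flags in-scope CSPs with no FedRAMP Moderate authorization or equivalency evidence; all asset names, flows and attributes are constructed sample data, and the contractor risk managed category is left out because it is a policy designation rather than something derivable from flows.

```python
# Added example: CUI boundary mapping over a constructed asset inventory.
# Not the post's or CorpInfoTech's code; asset names and flows are made up.
from collections import deque

# Constructed inventory. "protects" lists the assets a tool secures;
# "fedramp_moderate" records authorization/equivalency evidence for CSPs.
ASSETS = {
    "cad-workstn":   {"kind": "endpoint", "protects": []},
    "file-server":   {"kind": "server",   "protects": []},
    "hr-laptop-01":  {"kind": "endpoint", "protects": []},
    "plc-line-3":    {"kind": "ot",       "protects": []},
    "marketing-web": {"kind": "server",   "protects": []},
    "idp-cloud":  {"kind": "csp", "fedramp_moderate": True,
                   "protects": ["file-server", "cad-workstn"]},
    "siem-cloud": {"kind": "csp", "fedramp_moderate": False,
                   "protects": ["file-server"]},
}
# Constructed data flows (source -> destination); CUI enters at cad-workstn.
FLOWS = [("cad-workstn", "file-server"), ("file-server", "plc-line-3"),
         ("file-server", "hr-laptop-01"), ("marketing-web", "hr-laptop-01")]
CUI_ENTRY_POINTS = {"cad-workstn"}

def cui_reach(flows, entry_points):
    """Every asset CUI can reach by following the documented flows (BFS)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def classify(assets, flows, entry_points):
    """Assign each asset a CMMC scoping category from CUI reach and role."""
    reached = cui_reach(flows, entry_points)
    result = {}
    for name, attrs in assets.items():
        if name in reached:                       # CUI touches this asset
            result[name] = "specialized" if attrs["kind"] == "ot" else "cui"
        elif any(p in reached for p in attrs["protects"]):
            result[name] = "security-protection"  # secures a CUI asset
        else:
            result[name] = "out-of-scope"
    return result

def csp_findings(assets, categories):
    """In-scope CSPs lacking FedRAMP Moderate authorization or equivalency."""
    return sorted(n for n, a in assets.items() if a["kind"] == "csp"
                  and categories[n] != "out-of-scope"
                  and not a.get("fedramp_moderate"))
```

Note that marketing-web sends data to a CUI asset but never receives CUI, so it lands out of scope; whether such a connected system should instead be managed as a contractor risk managed asset is a documented policy decision for the SSP.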
Your Next Steps
Scoping your CUI boundary should be one of the first steps along your CMMC compliance journey. Failing to provide a comprehensive or accurate scope can doom your third-party audit from the very beginning, which is why it's important to get it right the first time. As previously stated, many organizations will enlist the help of an MSP to aid in achieving CMMC compliance. However, choosing the right MSP is important. MSPs that have not undergone and passed a third-party audit via a C3PAO can harm your chances of passing your own audit. If it is found that your MSP has not implemented CMMC requirements, it will count against your own assessment. Additionally, any time your MSP changes toolsets, applications, or systems, it will trigger a re-audit, costing many businesses time and money.
Key points for understanding your CUI boundary:
- Define and document your CUI scope before your CMMC assessment begins.
- Map how CUI moves through your organization and identify who accesses it.
- Include all systems, people, devices, and service providers that process or secure CUI.
- Classify company assets to make defensible scoping decisions.
Reach out to CorpInfoTech and learn more about how our services can benefit your organization!
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.