Four Considerations for Establishing CMMC Scope

Depending on how your company handles CUI, your CMMC assessment may not need to include all personnel, all equipment, and all platforms. Determining the scope of your assessment is an essential step, not only because it builds a solid understanding of where CUI is processed, stored, and transmitted, but also because it can reduce the size of the assessment, saving time and money. Here are four considerations that will help you build an accurate scope for your assessment.

What systems and assets touch CUI (Controlled Unclassified Information)?

It is important to remember that while some digital devices and equipment process, store, or transmit CUI, not all do. Differentiating between these two types of assets is part of smart scope planning. If your CNC machine processes CUI (for example, a part program derived from a controlled drawing) in order to function, it has to be in scope. If your CNC machine is sitting in a corner waiting to be sold, never receives CUI, and is not connected to the systems that do, it does not need to be in scope; whether it is powered on is not the test, what it touches is. Keep in mind that assets which protect CUI systems, such as the firewall or directory server in front of them, are also part of the assessment even though they do not store CUI themselves. Similarly, while Human Resources may use platforms that process PII (Personally Identifiable Information), that data is not CUI by itself and does not fall into the scope of CMMC unless it has been designated CUI under your contract.

What physical locations process or store CUI?

This question is particularly important if your organization utilizes contract workers or remote workers. If CUI is transmitted to offsite locations, or can be reached from them over a VPN or cloud service, those locations and the devices used there will need to be in scope. However, if an employee who works from home will never touch or be able to access CUI, they and their equipment do not need to be assessed.

Who on your team is processing CUI?

If you are a small company, it is possible that everyone has access to CUI sent from the government or your client. However, it is important to establish firmly whether this is the case. A receptionist, an HR professional, or a marketing professional will likely never need to access CUI. If you can demonstrate that they do not come into contact with CUI, and that their accounts cannot reach the systems that hold it, they do not need to be in scope for your assessment.

What processes involve the transmission or storage of CUI?

How does CUI travel through your plant environment, from the point it arrives (email, a customer portal, removable media) through engineering, production, and any subcontractors, to the point it is returned or destroyed? Understanding the internal flow of CUI is essential, again not simply for your scope but also so you can strengthen protection of the data. While working on your scope you should also be considering how your company will securely dispose of CUI if a contract ends; NIST SP 800-171 requires that media containing CUI be sanitized or destroyed before disposal or reuse, so the disposal step belongs in the same process map.

How to Answer These Four Questions

Ideally, an IT professional will take the lead on finding answers to these questions. Many contractors do not have an internal IT department or professional, however, so in those cases partnering with a Cloud Service Provider (CSP) or a Managed Services Provider (MSP) is advisable. Beyond these external resources, you may also find it wise to hire a consultant to help you set your scope and prepare for your assessment. There are a few types of professionals who can assist in this regard, including Registered Practitioners and Registered Practitioner Organizations (RPs and RPOs), and CMMC Certified Professionals and Certified Assessors (CCPs and CCAs). All of these professionals can be found on the Cyber AB marketplace.

Do You Need Some Advice?

We are happy to talk to you about your specific organization’s current status. While we cannot provide specific consultation or remediation services, we can learn about your current cyber environment and offer steps on how you can best prepare for your assessment. We can also conduct your assessment against NIST SP 800-171 now if you are ready. Contact us for answers to your questions or to book a no-obligation 30-minute meeting with our experts.
