CMMC 2.0 L1 & L2 Scoping Guidance Explained

Written by Ignyte Team

January 10, 2022

Speaker Introduction

In the video below, Aaron McCray, Ignyte’s Chief Operating Officer, gives a brief overview of the changes to CMMC 2.0, and more specifically its Practice levels vs. Maturity levels.

Aaron is a commercial risk management leader by trade and a Commander in the U.S. Navy Reserves. He joined the Ignyte Assurance Platform team to help us raise awareness of and readiness for the emerging Cybersecurity Maturity Model Certification, as well as NIST 800-171, NIST 800-72, NIST 800-53, and soon FedRAMP, among organizations that deal with sensitive information.

Level One Scoping Guidance

Prior to a Level One (L1) CMMC Self-Assessment, an organization must specify the scope of the assessment. Whether a Federal Contract Information (FCI) asset is in scope depends on what it does with FCI:

  • Assets that process, store, or transmit FCI are in scope; anything that doesn’t is out of scope.
  • In-scope assets are assessed against applicable CMMC practices.

In addition, an organization should consider the following areas that process, store, or transmit FCI:

  • People 
  • Technology
  • Facilities
  • External Service Providers (ESPs)

By doing so, an organization demonstrates compliance with the following practices:

  • Identify system users, processes acting on behalf of users, or devices 
  • Verify and control connections to, and the use of, external information systems
  • Monitor, control, and protect organizational communications

Level Two Scoping Guidance

The CMMC Assessment Guide for Level Two (L2) maps organizational assets into one of five categories:

  • Controlled Unclassified Information (CUI) Assets – assets that store, process, or transmit CUI – part of the assessment scope
  • Security Protection Assets – provide security functions to the CMMC assessment scope – part of the assessment scope and must conform to CMMC practices
  • Contractor Risk Managed Assets – these should be separated (logically or physically) from CUI assets; even though they could process, store, or transmit CUI, they are not intended to do so – part of the assessment scope but not assessed according to CMMC practices*
  • Specialized Assets – assets that may or may not process, store, or transmit CUI, including government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment. Refer to the scoping guidance for further details about each type of specialized asset – part of the assessment scope but not assessed according to CMMC practices*
  • Out of Scope Assets – anything that doesn’t process, store, or transmit CUI – not part of the assessment scoping process or of the assessment itself

* Be sure to include these in the Asset Inventory and System Security Plan (SSP)

Additional Requirements for categorized assets:

  • Document these assets in an asset inventory
  • Document these assets in the System Security Plan
  • Provide a network diagram of the assessment scope (authorization boundary (AB))

Defining the CMMC L2 Assessment Scope

  • After properly categorizing assets, an organization then defines the assessment scope
  • This requires providing documentation to the certified assessor for your organization’s assessment scope (i.e., asset inventory, SSP, a network diagram of the AB)

Reducing The Scope for Your Assessment

One of the ways that you can reduce the scope of your assessment is by utilizing separation techniques, both physical and logical:

  • Logical Separation: uses software configuration to prevent data from flowing from an authorized asset to one that is not authorized
    • Examples: Firewall, ACLs, VLANs, SDNs, etc.
  • Physical Separation: authorized and non-authorized assets are not connected, or able to connect, via a wired or wireless connection
    • Examples: Gates, Locks, Badge Access, Guards, etc.
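
One way to check that logical separation actually holds, as an added example that is not part of the original article: the sketch below compares a firewall allow list against the asset inventory and reports every rule that lets a CUI asset send data to an asset declared out of scope. The asset names, addresses, and rule format are constructed for illustration.

```python
import ipaddress

# Constructed asset inventory: name -> (IP address, CMMC L2 category).
INVENTORY = {
    "eng-fileserver": ("10.10.1.20", "CUI"),
    "siem": ("10.10.2.5", "Security Protection"),
    "hr-laptop": ("10.20.3.14", "Out of Scope"),
    "guest-printer": ("10.30.0.9", "Out of Scope"),
}

# Constructed firewall allow rules as (source CIDR, destination CIDR).
# Assumption: the firewall denies anything not listed here.
ALLOW_RULES = [
    ("10.10.1.0/24", "10.10.2.0/24"),  # CUI enclave -> security tooling
    ("10.10.1.0/24", "10.20.3.0/24"),  # CUI enclave -> HR VLAN
    ("10.30.0.0/24", "10.20.3.0/24"),  # guest VLAN -> HR VLAN
]


def assets_in(inventory, category):
    """Return (name, ip_address) pairs for every asset in the given category."""
    return [
        (name, ipaddress.ip_address(ip))
        for name, (ip, cat) in inventory.items()
        if cat == category
    ]


def separation_violations(inventory, allow_rules):
    """Return sorted (cui_asset, out_of_scope_asset) pairs that some allow
    rule permits data to flow between, in the CUI -> out-of-scope direction."""
    rules = [
        (ipaddress.ip_network(src), ipaddress.ip_network(dst))
        for src, dst in allow_rules
    ]
    violations = []
    for src_name, src_ip in assets_in(inventory, "CUI"):
        for dst_name, dst_ip in assets_in(inventory, "Out of Scope"):
            if any(src_ip in s and dst_ip in d for s, d in rules):
                violations.append((src_name, dst_name))
    return sorted(violations)


if __name__ == "__main__":
    for src, dst in separation_violations(INVENTORY, ALLOW_RULES):
        print(f"separation broken: {src} may send data to {dst}")
```

Any pair it reports means the destination cannot be treated as out of scope until the rule is removed or the asset is recategorized.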

L2 Use Case

  1. An organization with FCI and CUI within the same CMMC assessment scope (i.e., the same boundary – logically and physically) should pursue a single assessment and certification, and not one for FCI and a second for CUI. However, you do have the option to pursue them independently.
  2. The certification would be at the highest level of information processed, stored, and transmitted. In this case, L2 because of the CUI.
  3. If you are utilizing an external service provider (ESP), such as an MSP or MSSP, ensure the following:
     a. You have a well-defined responsibility matrix that states which responsibilities are your organization’s, which are the ESP’s, and which are shared between you both.
     b. If the ESP has an accreditation (e.g., SOC 2, FedRAMP, etc.), determine whether its controls are similar to or compliant with CMMC 2.0 standards.
     c. The contracts and SLAs support your organization’s compliance requirements for CMMC 2.0.

Download your copy of the slides used in this video from our SlideShare.