White Papers - Redspin

CMMC Scoping Environment

Issue link: https://insights.redspin.com/i/1336195

Contents of this Issue


Page 0 of 1

SCOPING OBJECTIVE The overall objective of scoping is to outline the logical, physical, and functional boundaries for conducting operations to ensure that FCI/CUI data is protected at a minimum of CMMC Level 1 for FCI and CMMC Level 3 for CUI. Scoping includes documenting facilities, areas, systems, applications, and services in the organization that are within scope for NIST SP 800-171 and CMMC compliance. The intent is to isolate CUI/FCI where possible to reduce the footprint for what is in scope for a CMMC assessment for certification. ZONES Scoping can be viewed in eight (8) major zones as described below. The architecture for each zone will depend on the organization's size, complexity, and contractual requirements for protecting CUI/FCI. Zone 1, designated here as the "Secure Enclave," is where the storage, processing, and transmission of CUI/ FCI occurs. The zones are not necessarily mutually exclusive and depend on the contractor's design and implementation of its applications, software, systems, personnel, and services and how they interact or impact the CUI/FCI within the Secure Enclave. It takes forethought and planning to architect an environment that isolates system components that store, process, or transmit FCI/CUI from systems those that do not store, process or transmit FCI/CUI. There is no official guidance on how to scope an environment for protection of CUI/FCI while stored, processed, and exchanged. The DoD is actively working to publish scoping guidance for CMMC assessments. The intent of this white paper is not to go into every detail for the contractor to architect its CMMC boundaries, but instead to provide a high-level overview of the foundational components that define what portions of a contractor's environment is in scope for an assessment. Contact us for more information on scoping for your environment. CMMC: Scoping the Environment GETTING STARTED ON THE RIGHT FOOT Scoping determines the boundaries where Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is stored, processed, and exchanged within the Department of Defense (DoD) contractor's environment. If scoping is not done accurately, then the entire network and business functions may be in scope for a CMMC assessment and may be prohibitively expensive to protect the entire organization.

Articles in this issue

view archives of White Papers - Redspin - CMMC Scoping Environment