The Problem

The Cybersecurity Maturity Model Certification (CMMC) Assessment Scope – Level 2 Guide is misleading cybersecurity professionals into underapplying National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” information security requirements (a.k.a., CMMC Practices). This is putting Organizations Seeking Compliance (OSC) at risk of failing their CMMC Conformity Assessment, wasting money, and not adequately protecting the Government’s Intellectual Property per NIST SP 800-171.

Why is this problem happening?

This problem is happening for two key reasons.

The CMMC 7 Stages of Grief

CMMC 7 Stages of Grief

CMMC 7 Stages of Grief

The reader may think the CMMC 7 Stages of Grief is sarcasm.

It is not. Implementing CMMC is a culture change. Culture changes drive people and organizations through the 7 Stage Stages of Grief. CMMC’s 7 Stages of Grief are a bit more complex than a personal one.

In our experience helping Organizations Seeking Certification (OSC) become conformant to NIST SP 800-171, we have walked the OSCs through the 7 stages. This walk through is because implementing CMMC is a culture change that affects the whole organization. OSCs start the CMMC 7 Stages of Grief during the Gap Analysis Phase and then re-enter it during the Planning phase to develop the Plan of Action & Milestones (POA&M).

For those closer to the change, they can experience the 7 stages individually and can even be at different stages for different controls.

Not Understanding the Authority Flow down from Public Law, Regulations, Policies, and “Guide”

In the arcane realm of Federal law, Regulations, Agency policies, and their supplemental guidance provided by the agency, it is easy for Information Security professionals to get lost in the hierarchy. The core hierarchy at play with CMMC is:

  1. Federal Information Security Modernization Act of 2014 1
    1. Executive Order 13556, Controlled Unclassified Information, November 4, 2010 2
      1. Title 32 Code of Federal Regulation (CFR) Part 2002, Controlled Unclassified Information (CUI) 3,4
        1. Defense Federal Acquisition Rules Supplement (DFARS) Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” 5
          1. Department of Defense (DoD) Instruction (DoDI) 5200.48, Controlled Unclassified Information (CUI) 6
            1. CMMC Documentation 7

The fundamental rule is that lower-levels of the hierarchy cannot contradict higher levels.

The lack of understanding about this hierarchy is fueling OSCs and individuals to remain stuck between Denial and Bargaining. Being stuck and not understanding is also what is creating the following myths we continue to debunk.

MYTH #1: CMMC Assessment Scope – Level 2 Guide Supersedes Higher Level Guidance

The Myth

OSCs and some Information Security professionals believe the CMMC guidance supersedes all higher-level guidance because it is a new Cybersecurity Program from DoD.

The Facts

CMMC technically does not exist within DoD and for the Defense Industrial Base

When DoD pulled back publication of DFARS Clause 252.204-7021, CMMC, in January 2022, they rescinded all legal authority for the program. The current DFARS Clauses 252.204-7012/7019/7020 make no mention of CMMC. Nor does DoDI 5200.48, which means it is not enforceable within DoD and the Defense Industrial Base (DIB).

CMMC will formally come into existence when DoD publishes the new interim rule, supposedly, in May/June 2023. When it does, or at least when the interim rule is made available for public comment, this paper likely will be re-written.

Myth Busted

Because CMMC does not formally exist and guidance (at the very bottom) alone cannot trump 32 CFR Part 2002 and down in the hierarchy, the CMMC documentation does not supersede higher-level drivers.

MYTH #2:  CMMC Assessment Scope – Level 2 establishes the Scope of Applicability outside of NIST SP 800-171

The Myth

OSCs and some Information Security professionals believe the CMMC Assessment Scope – Level 2 document establishes a new way to approach defining the Scope of Applicability for applying 110 NIST SP 800-171 Security Requirements (a.k.a., CMMC Practices).

The Facts

CMMC does not supersede NIST SP 800-171

We have already established that CMMC does not technically exist and therefore cannot supersede higher-level directives. NIST SP 800-171 is directed first to be implemented in Non-Federal Organization (NFO) (a.k.a., the DIB) information systems beginning in 32 CFR Part 2002, § 202.14 Safeguarding (h)(2).8 Furthermore, DFARS Clause 252.204-7012 directes the DIB to implement NIST SP 800-171.9

CMMC Assessment Scope – Level 2 Guide Purpose

The purpose of the CMMC Assessment Scope – Level 2 Guide is specified in the section “Identifying the CMMC Assessment Scope,” which states:

“This document provides information on the categorization of assets that, in turn, inform the specification of assessment scope for a Cybersecurity Maturity Model Certification (CMMC) assessment. The ensuing sections discuss CMMC asset categories as well as the associated requirements for Defense Industrial Base (DIB) contractors and CMMC assessments.”

The first sentence is clunky and confusing. So, let’s clean it up for DoD:

“This document provides information on the…specification of assessment scope for a Cybersecurity Maturity Model Certification (CMMC) assessment.”

Once rewritten, the second sentence now makes sense as the document is meant to establish the CMMC Assessment Scope and related requirements when evaluating assets.

CMMC Assessment Scope Actually fits within the NIST SP 800-171 Scope of Applicability

Poor wording of sentences by DoD in the CMMC Assessment Scope – Level 2 Guide and failure to incorporate the NIST SP 800-171 Scope of Applicability into their document have created confusion.

In reality, the CMMC Assessment Scope sits within the NIST SP 800-171 Scope of Applicability.

The NIST SP 800-171 Scope of Applicability

NIST SP 800-171 established the Scope of Applicability in paragraphs 1.1 and at the start of Chapter 3. Pulling from Chapter 3:

“The term organizational system is used in many of the recommended Controlled Unclassified Information (CUI) security requirements in this publication. This term has a specific meaning regarding the scope of applicability for the security requirements. The requirements apply only to the components of nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.”

Let’s do a little sentence mash-up from above:

“The scope of applicability for the security requirements…apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components.”

In this mash-up, the word “only” was dropped to be consistent with the original sentence in paragraph 1.1. Paragraph 1.1 goes on to state that if isolation techniques are applied, components that do not meet the sentence above can be taken out of scope. Visually, this looks like:

NIST SP 800-171 Scope of Applicability Diagram

NIST SP 800-171 Scope of Applicability Diagram

The diagram captures that the CUI and Security Protection Components define the System Boundary. The System Boundary equals the Scope of Applicability. All components in the Scope of Applicability shall have all 110 NIST SP 800-171 requirements and related 320 NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, Assessment Objectives (AO) are applied to them.10

CMMC Assessment Scope

The CMMC Assessment Scope – Level 2 Guide, Table 1. “CMMC Asset Categories Overview,” introduces CMMC Assets Categories. The categories are:

  • CMMC Assessment Scope In-Scope Assets
    • Controlled Unclassified Information (CUI) Assets: Assets that process, store, or transmit CUI
    • Security Protection Assets: Assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
    • Contractor Risk Managed Assets (CRMA): Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
    • Specialized Assets: Assets that may or may not process, store, or transmit CUI
  • CMMC Assessment Scope Out-of–Scope Assets
    • Out-of-Scope Assets: Assets that cannot process, store, or transmit CUI

Unfortunately, DoD did not account for nor overlay the NIST SP 800-171 Scope of Applicability when creating this table.

This is a larger issue with Specialized assets that may process, store, or transmit CUI (e.g., a CNC Machine) or a Specialized Asset used to protect CUI (e.g., facility security system). Or, simply fit in neither category.

Using the bullet structure above, let’s overlay it with the NIST SP 800-171 Scope of Applicability:

  • NIST SP 800-171 Scope Of Applicability
    • CMMC Assessment Scope In-Scope Assets
      • NIST SP 800-171 CUI Components: The requirements apply to components of nonfederal systems that process, store, or transmit CUI.
        • CUI Assets
        • Contractor Risk Managed Assets (CRMA)
        • CUI Specialized Assets
      • NIST SP 800-171 Security Protection Components: The requirements apply to components of nonfederal systems that provide security protection for such components.
        • Security Protection Assets
        • Security Protection Specialized Assets
  • NIST SP 800-171 Out of the Scope of Applicability
    • CMMC Assessment Scope Out-of–Scope Assets
      • Out-of-Scope Assets (including Specialized Assets that do neither)

Graphically this would look like:

NISP SP 800-171 Scope of Applicability and CMMC Assessment Scope Categories

NISP SP 800-171 Scope of Applicability and CMMC Assessment Scope Categories

Myth Busted

Because the CMMC documentation cannot contradict NIST SP 800-171, it must operate within it. This drives the CMMC Assessment Scope to actually reside within the NIST SP 800-171 Scope of Applicability.

MYTH #3: OSCs do not have to apply the requirements/practices to Contractor Risk Managed Assets (CRMA)

The Myth

OSCs and some Information Security professionals are seizing onto the first sentence in the description of a CRMA, “Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place” and then the contractors’ requirements to:

“Document in the asset inventory

Document in the System Security Plan (SSP). Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices

Document in the network diagram of the CMMC Assessment Scope”

mean that the OSC does not have to apply the 110 NIST SP 800-171 Information Requirements to CRMAs.

Additionally, the OSCs and some Information Security professionals are in denial regarding the need to explain how the CRMAs meet the requirements per CA.L2-3.12.4.

The Facts

CMMC 7 Stages of Grief

The Denial and Bargaining phases are at play emotionally with this Myth. The first two Myths and underlying confusions lead to this Myth.

Reading but not understanding the CRMA definition in context of NIST SP 800-171

Going back to the whole definition of a CRMA:

“Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place

Assets are not required to be physically or logically separated from CUI assets”

So, if an OSC did not “limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain,”11 because CRMAs “are not required to be physically or logically separated from CUI assets,” then the CRMAs cannot be considered out-of-scope for the NIST SP 800-171 requirements.

To clarify, a “Security domain” is, per NIST SP 800-171, para 1.1, “Security domains may employ physical separation, logical separation, or a combination of both.”

So, if the CRMA(s) are not in either a separate logical or physical security domain to achieve isolation from the CUI assets, then they must be in-scope as a CUI component.

CMMC does not supersede NIST SP 800-171

In this case, they are hoping a Guide will supersede NIST SP 800-171 written to specifically implement 32 CFR Part 2002, Controlled Unclassified Information. DoD simply does not have the authority to contradict 32 CFR Part 2002, which requires the implementation of NIST SP 800-171.

Likewise, to make this true, DoD would have to also revise DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which they have not done.

SSP Reporting

First, only out-of-scope assets do not need explanations for how “assets are managed using the contractor’s risk-based security policies, procedures, and practices.”  Out-of-Scope assets only need an explanation for why they are out-of-scope and how isolation techniques have been applied.

When it comes to reporting, the SSP Assessment Objectives will be evaluated for CRMAs, especially:

  • [b] the system boundary is described and documented in the system security plan.
  • [e] the method of security requirement implementation is described and documented in the system security plan.
  • [f] the relationship with or connection to other systems is described and documented in the system security plan.

Myth Busted

CRMAs are in-scope and the OSC is responsible for applying all 110 NIST SP 800-171 requirements and related 320 NIST SP 800-171A AOs applied to them. Best practice is to take them out of scope by applying isolation techniques.

MYTH #4: OSCs do not have to apply the requirements/practices to Specialized Assets

The Myth

OSCs and some Information Security professionals are focusing on three words in the Specialized Asset description, “Assets that may or may not process, store, or transmit CUI” and then the contractors’ requirements to:

Document in the asset inventory

Document in the System Security Plan (SSP): Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices

Document in the network diagram of the CMMC Assessment Scope”

to mean that the OSC does not have to apply the 110 NIST SP 800-171 Information Requirements to Specialized Assets.

Again, the OSCs and some Information Security professionals are in denial regarding the need to explain how the assets meet the requirements per CA.L2-3.12.4.

The Facts

CMMC 7 Stages of Grief

Again, the Denial and Bargaining phases are at play emotionally with this Myth. The first two Myths and underlying confusions lead to this Myth.

Reading but not understanding the Specialized Asset definition in context of NIST SP 800-171

Specialized Assets are defined as “Assets that may or may not process, store, or transmit CUI.”  There are really three (3) use cases for Specialized Assets:

  1. Specialized Assets that process, store, or transmit CUI: An example of this would be a network attached CNC machine used to mill a part based on CUI specifications.  The part is then scanned using a Quality Assurance Testing tool that ensure the part is within the CUI defined specs.  Both devices are CUI Specialized Assets.
  2. Specialized Assets that provide Security Protections for CUI assets: An example of this would be an OSC’s security alarm and camara system used to monitor and secure access.
  3. Specialized Assets that are out-of-scope: An Industrial Internet of Things (IIoT) example would be an IP enabled HVAC controller. General best practice is to always consider government property Restricted Information Systems as out-of-scope since they should be isolated and are managed independently in accordance with separate DoD Information Security authorizations.

These three use cases are why the NIST SP 800-171 Scope of Applicability and CMMC Assessment Scope diagram have two Specialized Asset boxes.

Myth Busted

Specialized Assets require the implementation of the NIST SP 800-171 requirements or truly move them out of scope.

The “Last Two Nails in the Coffin”

Another aspect is there are two other DFARS clauses (a.k.a., “the other two nails”) requiring the DIB to comply with implementing NIST SP 800-171 and its defined Scope of applicability:

  • DFARS Clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements.12
    • “(b) In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the NIST SP 800-171 DoD Assessment Methodology located at https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171.”13
  • DFARS Clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.14
    • “(c)   The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment, as described in NIST SP 800-171 DoD Assessment Methodology at https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171, if necessary.”15

Let’s sum up these requirements:

  • -7019 requires a DIB contractor self-attest to their compliance with NIST SP 800-171. There is no distinction here about CMMC.
  • -7020 states the DIB contractor shall provide access to its system (facilities, people, and technologies) in order for DoD to validate the contractor has implemented NIST SP 800-171 to provide “adequate security.”16

Nowhere in these clauses is there a restriction that DoD will follow the CMMC Assessment Scoping Guide for Level 2 and consider CRMAs and Specialized Assets “out-of-scope.”

Failure to fulfill -7019 can result in loss of contract awards and loss of options years. After a DoD initiated -7020 audit, the OSC is subject to the items above; negative contractor performance reviews (essentially blacklisted); contract terminations; and possibly, submission to the Department of Justice (DoJ) for a False Claims Act charge.  In the latter case, DoJ will use your submitted self-attestations as incriminating evidence against your organization.

Way Ahead

For Members of the Defense Industrial Base and those Supporting Them

Foremost, we need to recognize the intent of the CMMC Assessment Scope – Level 2 Guide is to:

  1. Implement the CMMC Assessment Scope for a Conformity Assessment Only. To do otherwise could leave your organization open to False Claims Act charges.
  2. Reduce the number of components Assessors will have to spend evaluating an OSCs conformity. Why? To reduce CMMC Conformity Assessment costs.
  3. Transfer the risk of an OSC failing to provide “adequate security” for CRMA and Specialized Assets back to the OSC, which in turn leads back to leaving your organization open to False Claims Act charges. Why? DoD and many of the CMMC Assessors have no to little experience with Industrial Internet of Things (IIoT), Operation Technology (OT), and other real-world technologies.

Secondly, move beyond the Bargaining phase for CRMA and Specialized Assets. The right way to do NIST SP 800-171 and CMMC Scoping is to:

  1. Categorize all of your components (people, facilities, technologies) into the three main types: CUI Components, Security Protection Components, or Out of Scope.
  2. Apply the requirements per NIST SP 800-171 and NIST SP 800-171A.
  3. Bucketize the same list of components into the CMMC Asset Categories.
  4. Write your SSP boundary and control implementation descriptions with the appropriate level of detail to explain how your organization is protecting them.

Finally, be wary of under-scoping the application of NIST SP 800-171 requirements.  You are leaving your business open to many financial and legal consequences if your organization fails to provide “adequate security” for CRMAs and Specialized Assets that are in scope.

For the Department of Defense

Please revise the CMMC Assessment Scope guides for both levels. This ongoing confusion will only cause conflicts between OSCs & C3PAOs while increasing the risk of breaches because OSCs are not interpreting the official DoD guidance correctly.

Additional References

About the Author

The Author, Matthew Titcombe is the CEO of Peak InfoSec, an Authorized CMMC 3rd Party Assessor Organization (C3PAO). His support to the Defense Industrial Base began back in 2016 when he was supporting United Launch Alliance’s implementation of NIST SP 800-53 and subsequently NIST SP 800-171 when DFARS Clause 252.204-7012 came into being in 2017.

He has been involved in the CMMC ecosystem since its earliest versions and participated in the Cyber-AB’s working groups. Specifically, Mr. Titcombe worked on the Initial draft of the CMMC Assessment Guides. He was also in the first cohort of Provisional Assessors and was certified as Provisional Assessor #17. He was recently certified as a CMMC Certified Professional (CCP).

After being certified as a Professional Assessor, Mr. Titcombe worked with Local Operations, a CMMC Licensed Partner Publisher to develop the CCP curriculum, He also worked on the CMMC Certified Assessor’s (CCA) curriculum and wrote the lesson on CMMC Scoping.

Endnotes

  1. C.f., https://www.congress.gov/bill/113th-congress/senate-bill/2521
  2. C.f., https://www.federalregister.gov/documents/2010/11/09/2010-28360/controlled-unclassified-information
  3. C.f., https://www.ecfr.gov/current/title-32/part-2002
  4. 32 CFR Part 2002 established the National Archives and Records Administration (NARA) as the Federal lead for the CUI program.  Its Information Security Oversight Office (ISSO) is responsible for the program and publishes CUI Notices the supersede and Federal agency directives.
  5. C.f., https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
  6. C.f., https://www.dodcui.mil/Portals/109/Documents/Policy Docs/DoDI 5200.48 CUI.pdf
  7. C.f., https://www.acq.osd.mil/cmmc/documentation.html
  8. C.f., https://www.federalregister.gov/d/2016-21665/p-246
  9. DFARS Clause 252.204-7012, para (b)(2)(ii)(A) “The Contractor shall implement NIST SP 800-171”
  10. C.f., ISOO CUI Notice 2020-004, https://www.archives.gov/files/cui/documents/20200616-cui-notice-2020-04-assessing-security-requirements-in-non-fed-info-systems.pdf
  11. NIST SP 800-171, para 1.1, “If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.”
  12. C.f., https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7019
  13. DFARS Clause 252.204-7019, para (b)
  14. C.f., https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7020
  15. DFARS Clause 252.204-7020, para (c)
  16. DFARS Clause 252.204-7020, para (a), ““Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”