Level 3 Scoping Guidance: Difference between revisions
m (Wikiadmin moved page Level 3 Scoping Guide to Level 3 Scoping Guidance without leaving a redirect) |
No edit summary |
||
| Line 1: | Line 1: | ||
= NOTICES = | |||
The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing CMMC requirements under the law or departmental policies. DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. | |||
= Introduction = | |||
This document provides scoping guidance for Level 3 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in section 170.19 of title 32, Code of Federal Regulations (CFR). Guidance for scoping a Level 1 self-assessment can be found in the ''CMMC Scoping Guide – Level 1'' document. Guidance for scoping a Level 2 self-assessment or certification assessment can be found in the ''CMMC Scoping Guide – Level 2'' document. More details on the CMMC Model can be found in the ''CMMC Model Overview'' document. | |||
== Purpose and Audience == | |||
This guide is intended for Organizations Seeking Certification (OSCs) that will be obtaining a Level 3 certification assessment and the professionals or companies that will support them in those efforts. | |||
= Identifying the CMMC Assessment Scope = | |||
An ''assessment'', as defined in 32 CFR § 170.4, means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. | |||
This document should help the reader understand the categorization of assets that, in turn, inform the specification of the boundary for a CMMC assessment. The scope of the CMMC Program does not include classified assets, even if they contain applicable Controlled Unclassified Information (CUI). | |||
Prior to conducting a Level 3 certification assessment, the CMMC Assessment Scope must be defined as addressed in 32 CFR § 170.19(d). The CMMC Assessment Scope informs which assets within the OSC’s environment will be assessed and the details of the assessment. | |||
When seeking a Level 3 certification assessment, the OSC must have a Final Level 2 (C3PAO) CMMC Status for the same CMMC Assessment Scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M) items, as defined in 32 CFR §170.4, must be closed prior to the initiation of the Level 3 assessment. The Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave). | |||
Assets designated as Contractor Risk Managed Assets (CRMAs) in the Level 2 CMMC Assessment Scope are treated as CUI assets if they fall within the Level 3 CMMC Assessment Scope. OSCs may choose to designate them as CUI assets for the Level 2 certification assessment and have them assessed by a C3PAO. | |||
Since the assessment requirements for Specialized Assets differ between Level 2 and Level 3, the OSC may choose to have them assessed by a C3PAO during the Level 2 certification assessment. During a Level 3 certification assessment, DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. | |||
CRMAs and Specialized Assets not assessed to the Level 3 scoping requirements by a C3PAO during the Level 2 certification assessment, will undergo limited checks for compliance with Level 2 security requirements during the DCMA DIBCAC Level 3 certification assessment and will be assessed against all CMMC Level 3 security requirements. | |||
CRMAs and Specialized Assets not assessed to the Level 3 scoping requirements by a C3PAO | |||
during the Level 2 certification assessment, will undergo limited checks for compliance with | |||
Level 2 security requirements during the DCMA DIBCAC Level 3 certification assessment and | |||
will be assessed against all CMMC Level 3 security requirements | |||
== CMMC Asset Categories == | |||
For a Level 3 assessment, assets are mapped into one of four categories defined in 32 CFR § 170.19(d)(1) Table 4. This table describes each asset category and its corresponding OSC requirements and CMMC assessment requirements. Additional information about each asset category is provided in the ensuing sections. | |||
{| class="wikitable" style="margin:auto" | |||
|+ '''Table 1. Level 3 Asset Categories and Associated Requirements Overview''' | |||
|- | |||
!colspan="4"|Assets that are in the Level 3 CMMC Assessment Scope | |||
|- | |||
! Asset Category !! Asset Description !! OSC Requirements !! CMMC Assessment Requirements | |||
|- | |||
| Controlled Unclassified Information (CUI) Assets | |||
| | |||
* Assets that process, store, or transmit CUI | |||
* Assets that can, but are not intended to, process, store, or transmit CUI (defined as Contractor Risk Managed Assets in Table 1 to 32 CFR § 170.19(c)(1)) | |||
| | |||
* Document in the asset inventory | |||
* Document asset treatment in the System Security Plan (SSP) | |||
* Document in the network diagram of the CMMC Assessment Scope | |||
* Prepare to be assessed against CMMC Level 2 and Level 3 security requirements | |||
| | |||
* Limited check against Level 2 and assess against all Level 3 CMMC security requirements | |||
|- | |||
| Example | |||
| Example | |||
| Example | |||
| Example | |||
|- | |||
| Example | |||
| Example | |||
| Example | |||
| Example | |||
|- | |||
| Example | |||
| Example | |||
| Example | |||
| Example | |||
|} | |||
'''''' | |||
| Line 169: | Line 68: | ||
'''Security ''' | '''Security ''' | ||
| Line 262: | Line 75: | ||
'''Assets ''' | '''Assets ''' | ||
o Assets that provide security | * o Assets that provide security | ||
functions or capabilities to the | functions or capabilities to the | ||
Revision as of 20:44, 23 February 2025
NOTICES
The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing CMMC requirements under the law or departmental policies. DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
Introduction
This document provides scoping guidance for Level 3 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in section 170.19 of title 32, Code of Federal Regulations (CFR). Guidance for scoping a Level 1 self-assessment can be found in the CMMC Scoping Guide – Level 1 document. Guidance for scoping a Level 2 self-assessment or certification assessment can be found in the CMMC Scoping Guide – Level 2 document. More details on the CMMC Model can be found in the CMMC Model Overview document.
Purpose and Audience
This guide is intended for Organizations Seeking Certification (OSCs) that will be obtaining a Level 3 certification assessment and the professionals or companies that will support them in those efforts.
Identifying the CMMC Assessment Scope
An assessment, as defined in 32 CFR § 170.4, means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
This document should help the reader understand the categorization of assets that, in turn, inform the specification of the boundary for a CMMC assessment. The scope of the CMMC Program does not include classified assets, even if they contain applicable Controlled Unclassified Information (CUI).
Prior to conducting a Level 3 certification assessment, the CMMC Assessment Scope must be defined as addressed in 32 CFR § 170.19(d). The CMMC Assessment Scope informs which assets within the OSC’s environment will be assessed and the details of the assessment.
When seeking a Level 3 certification assessment, the OSC must have a Final Level 2 (C3PAO) CMMC Status for the same CMMC Assessment Scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M) items, as defined in 32 CFR §170.4, must be closed prior to the initiation of the Level 3 assessment. The Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave).
Assets designated as Contractor Risk Managed Assets (CRMAs) in the Level 2 CMMC Assessment Scope are treated as CUI assets if they fall within the Level 3 CMMC Assessment Scope. OSCs may choose to designate them as CUI assets for the Level 2 certification assessment and have them assessed by a C3PAO.
Since the assessment requirements for Specialized Assets differ between Level 2 and Level 3, the OSC may choose to have them assessed by a C3PAO during the Level 2 certification assessment. During a Level 3 certification assessment, DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset.
CRMAs and Specialized Assets not assessed to the Level 3 scoping requirements by a C3PAO during the Level 2 certification assessment, will undergo limited checks for compliance with Level 2 security requirements during the DCMA DIBCAC Level 3 certification assessment and will be assessed against all CMMC Level 3 security requirements.
CMMC Asset Categories
For a Level 3 assessment, assets are mapped into one of four categories defined in 32 CFR § 170.19(d)(1) Table 4. This table describes each asset category and its corresponding OSC requirements and CMMC assessment requirements. Additional information about each asset category is provided in the ensuing sections.
| Assets that are in the Level 3 CMMC Assessment Scope | |||
|---|---|---|---|
| Asset Category | Asset Description | OSC Requirements | CMMC Assessment Requirements |
| Controlled Unclassified Information (CUI) Assets |
|
|
|
| Example | Example | Example | Example |
| Example | Example | Example | Example |
| Example | Example | Example | Example |
'
Security
Protection
Assets
- o Assets that provide security
functions or capabilities to the
OSC’s CMMC Assessment
Scope, irrespective of whether
or not these assets process,
store, or transmit CUI
o Document in the asset
inventory
o Document asset treatment in
the SSP
o Document in the network
diagram of the CMMC
Assessment Scope
o Prepare to be assessed
against CMMC Level 2 and
Level 3 security
requirements
o Limited check against
Level 2 and assess
against all Level 3
CMMC security
requirements that are
relevant to the
capabilities provided
Specialized
Assets
o Assets that can process, store,
or transmit CUI but are unable
to be fully secured, including:
Internet of Things (IoT)
devices, Industrial Internet of
Things (IIoT) devices,
Operational Technology (OT),
Government Furnished
Equipment (GFE), Restricted
Information Systems, and Test
Equipment
o Document in the asset
inventory
o Document asset treatment in
the SSP
o Document in the network
diagram of the CMMC
Assessment Scope
o Prepare to be assessed
against CMMC Level 2 and
Level 3 security
requirements
o Limited check against
Level 2 and assess
against all Level 3
CMMC security
requirements
o Intermediary devices
are permitted to
provide the capability
for the specialized
asset to meet one or
more CMMC security
requirements
Assets that are not in the Level 3 CMMC Assessment Scope
Identifying the CMMC Assessment Scope
CMMC Assessment Scope – Level 3 | Version 2.13
4
Asset
Category
Asset Description
OSC Requirements
CMMC Assessment
Requirements
Out-of-Scope
Assets
o Assets that cannot process,
store, or transmit CUI; and do
not provide security
protections for CUI Assets
o Assets that are physically or
logically separated from CUI
assets
o Assets that fall into any in-
scope asset category cannot
be considered an Out-of-Scope
Asset
o An endpoint hosting a VDI
client configured to not allow
any processing, storage, or
transmission of CUI beyond
the Keyboard/Video/Mouse
sent to the VDI client is
considered an Out-of-Scope
Asset
o Prepare to justify the
inability of an Out-of-Scope
Asset to store, process, or
transmit CUI
o None
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
5
Additional Guidance on Level 3 Scoping
The OSC is required to document all assets that are part of the Level 3 certification
assessment in an asset inventory and provide a network diagram of the CMMC Assessment
Scope to facilitate scoping discussions during pre-assessment activities.
CUI Assets
CUI Assets can process, store, or transmit CUI as follows:
•
Process – CUI is used by an asset (e.g., accessed, entered, edited, generated, manipulated,
or printed).
•
Store – CUI is inactive or at rest on an asset (e.g., located on electronic media or in
physical format such as paper documents).
•
Transmit – CUI is being transferred from one asset to another asset (e.g., data in transit
using physical or digital transport methods).
CUI Assets are part of the CMMC Assessment Scope and are assessed against all CMMC
requirements.
In addition, the OSC is required to:
•
document each asset in an asset inventory; there is no requirement to embed each asset
in the SSP;
•
document the treatment of these assets in the SSP;
•
provide a network diagram of the CMMC Assessment Scope (to include these assets) to
facilitate scoping discussions during the pre-assessment.
Security Protection Assets/Security Protection Data
Security Protection Assets provide security functions or capabilities within the OSC’s CMMC
Assessment Scope.
Security Protection Assets are part of the CMMC Assessment Scope and are assessed against
all Level 2 and Level 3 security requirements that are relevant to the capabilities provided.
For example, an External Service Provider (ESP) that provides a security information and
event management (SIEM) service may be separated logically and may process no CUI, but
the SIEM contributes to meeting the CMMC requirements within the OSC’s CMMC
Assessment Scope. Table 2 provides examples of Security Protection Assets.
Security Protection Data means data stored or processed by Security Protection Assets that
are used to protect an OSA's assessed environment.
Security Protection Data is security-relevant information which, if disclosed, could aid an
attacker in the compromise of the system. It includes, but is not limited to:
•
configuration data required to operate a security protection asset,
•
log files generated by or ingested by a security protection asset,
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
6
•
data related to the configuration or vulnerability status of in-scope assets, and
•
passwords that grant access to the in-scope environment.
Table 2. Security Protection Asset Examples
Asset Type
Security Protection Asset Examples
People
•
Consultants who provide cybersecurity services
•
Managed service provider personnel who implement system maintenance
•
Enterprise network administrators
Technology
•
Cloud-based security solutions
•
Hosted Virtual Private Network (VPN) services
•
SIEM solutions
Facilities
•
Co-located data centers
•
Security Operations Centers (SOCs)
•
OSC office buildings
In addition, the OSC is required to:
•
document each asset in an asset inventory; there is no requirement to embed each asset
in the SSP;
•
document the treatment of these assets in the SSP; and
•
provide a network diagram of the CMMC Assessment Scope (to include these assets) to
facilitate scoping discussions during the pre-assessment.
Specialized Assets
The following are considered Specialized Assets for a Level 3 certification assessment:
•
Government Furnished Equipment (GFE) is all equipment owned or leased by the
government and includes OSC-acquired equipment that is based on government required
specifications and/or configurations. Government Furnished Equipment does not
include intellectual property or software [Reference: Federal Acquisition Regulation
(FAR) 52.245-1].
•
Internet of Things (IoT) or Industrial Internet of Things (IIoT) means the network of
devices that contain the hardware, software, firmware, and actuators which allow the
devices to connect, interact, and freely exchange data and information, as defined in NIST
SP 800-172A1. They are interconnected devices having physical or virtual representation
in the digital world, sensing/actuation capability, and programmability features. They
are uniquely identifiable and may include smart electric grids, lighting, heating, air
conditioning, and fire and smoke detectors.
1
NIST SP800-172A March 2022
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
7
•
Operational Technology (OT)2 means programmable systems or devices that interact
with the physical environment (or manage devices that interact with the physical
environment). These systems or devices detect or cause a direct change through the
monitoring or control of devices, processes, and events. Examples include industrial
control systems, building management systems, fire control systems, and physical access
control mechanisms. [Source: as defined in NIST SP 800-160v2 Rev 1 (incorporated by
reference, see 32 CFR § 170.2.)]. NOTE: Operational Technology (OT) specifically
includes Supervisory Control and Data Acquisition (SCADA); this is a rapidly evolving
field. [Source: DRAFT, NIST SP 800-82r3] is used in manufacturing systems, industrial
control systems (ICS), or supervisory control and data acquisition (SCADA) systems.
•
Restricted Information Systems means systems [and associated Information
Technology (IT) components comprising the system] that are configured based on
government security requirements (i.e., connected to something that was required to
support a functional requirement) and are used to support a contract (e.g., fielded
systems, obsolete systems, and product deliverable replicas).
•
Test Equipment means hardware and/or associated IT components used in the testing
of products, system components, and contract deliverables. It can include hardware
and/or associated IT components used in the testing of products, system components,
and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and
special test equipment).
Specialized Assets are part of the Level 3 CMMC Assessment Scope per 32 CFR § 170.
19(d)(1) Table 3. Note that Specialized Assets may be eligible for an Enduring Exception. The
OSC should prepare for these assets to be assessed against all CMMC requirements unless
they are physically or logically isolated into purpose-specific networks (with no connection
to the Internet or other networks). Specialized Assets may have limitations on the
application of certain security requirements. To accommodate such issues intermediary
devices are permitted to provide the capability for the specialized asset to meet one or more
CMMC requirements. An example of an intermediary device used in conjunction with a
specialized asset is a boundary device or a proxy.
Out-of-Scope Assets
Out-of-Scope Assets cannot process, store, or transmit CUI, and do not provide security
protections for CUI Assets. Assets that are physically or logically separated from CUI Assets
and do not provide security protections for CUI Assets are also Out-of-Scope Assets. Assets
that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset.
In accordance with 32 CFR § 170.19(d)(1), Out-of-Scope Assets are not part of a Level 3
certification assessment. There are no documentation requirements for Out-of-Scope Assets.
Defining the CMMC Assessment Scope
After categorizing its assets, the OSC then specifies the CMMC Assessment Scope.
2
OT includes hardware and software that use direct monitoring and control of industrial equipment to detect
or cause a change.
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
8
The CMMC Assessment Scope includes all assets in the OSC’s environment that will be
assessed in accordance with Table 1. OSCs will be required to provide documentation that
specifies the CMMC Assessment Scope to the assessor. Details about required documentation
for each asset category can be found in the CMMC Asset Categories section above.
The following asset categories are part of the Level 3 CMMC Assessment Scope:
•
CUI Assets
•
Security Protection Assets
•
Specialized Assets
Self-assessments and certification assessments are valid for a defined CMMC Assessment
Scope as outlined in 32 CFR § 170.19 CMMC Scoping. A new assessment is required if there
are significant architectural or boundary changes to the previous CMMC Assessment Scope.
Examples include, but are not limited to, expansions of networks or mergers and
acquisitions. Operational changes within a CMMC Assessment Scope, such as adding or
subtracting resources within the existing assessment boundary that follow the existing SSP
do not require a new assessment, but rather are covered by the annual affirmations to the
continuing compliance with requirements.
External Service Provider Considerations
An External Service Provider (ESP) can be within the OSA’s scope of CMMC requirements if
it meets CUI or Security Protection Asset criteria. To be considered an ESP, data
(specifically CUI or Security Protection Data, e.g., log data, configuration data) must
reside on the ESP assets as set forth in 32 CFR § 170.19(d)(2). Special considerations in for
an OSC using an ESP include the following:
•
The use of an ESP, its relationship to the OSA, and the services provided need to be
documented in the OSA’s SSP and described in the ESP’s service description and
customer responsibility matrix (CRM), which describes the responsibilities of the OSA
and ESP with respect to the services provided.
•
Evaluate the ESP’s CRM where the provider identifies security control objectives that are
the provider’s responsibility and security control objectives that are the OSC’s
responsibility.
•
Consider the agreements in place with the ESP, such as service-level agreements,
memoranda of understanding, and contracts that support the OSC’s information security
objectives.
•
ESPs that are CSPs,
o and store, process, or transmit CUI, must meet the FedRAMP requirements in DFARS
clause 252.204-7012.
o Use of a CSP does not relieve an OSC of its obligation to implement the 24
Level 3 security requirements. These 24 requirements apply to every
environment where the CUI data is processed, stored, or transmitted, when
Level 3 (DIBCAC) is the designated CMMC Status. If any of these 24
requirements are inherited from a CSP, the OSC must demonstrate that
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
9
protection during a Level 3 certification assessment via a Customer
Implementation Summary/Customer Responsibility Matrix (CIS/CRM)
and associated Body of Evidence (BOE). The BOE must clearly indicate
whether the OSC or the CSP is responsible for meeting each requirement
and which requirements are implemented versus inherited.
o and do NOT store, process, or transmit CUI, are not required to meet FedRAMP
requirements in DFARS clause 252.204-7012. Services provided by an ESP are in the
OSA’s assessment scope.
•
ESPs that are not a CSP,
o and store, process, or transmit CUI, require assessment. The ESP services used to
meet OSA requirements are within the scope of the OSA’s CMMC assessment.
o and do NOT store, process, or transmit CUI, do not require their own CMMC
assessment. Services provided by an ESP are in the OSA’s assessment scope.
o may voluntarily request a DIBCAC assessment, and the DIBCAC may conduct such an
assessment, if the ESP makes that business decision.
•
OSAs shall also be assessed at Level 2 or Level 3, as applicable, against their on-premise
infrastructure connecting to the ESP. As part of the CMMC Assessment Scope, the security
requirements from the CRM must be documented or referred to in the OSA’s SSP, which
will also be assessed.
•
ESPs can be part of the same corporate/organizational structure but still be external to
the OSA such as a centralized SOC or NOC which supports multiple business units. The
same requirements apply and are based on whether or not the ESP provides cloud
services and whether or not the ESP processes, stores, or transmits CUI on their systems.
•
An ESP that is used as staff augmentation and the OSA provides all processes, technology,
and facilities does not need CMMC assessment.
•
When ESPs are assessed as part of an OSAs assessment, the type of the assessment is
dictated by the OSA's DoD solicitation and contract requirement.
Cloud Service Provider (CSP) means an external company that provides cloud services based
on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. An ESP would be
considered a CSP when it provides its own cloud services based on a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of configurable
computing that can be rapidly provisioned and released with minimal management effort or
service provider interaction.
An ESP (not a CSP) that provides technical support services to its clients would be considered
a Managed Service Provider. It does not host its own cloud platform offering. An ESP may
utilize cloud offerings to deliver services to clients without being a CSP.
An ESP that manages a third-party cloud service on behalf of an OSA would not be
considered a CSP
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
10
An ESP may voluntarily request its own Level 3 assessment by contacting the Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC). Contact information can be
foundat https://www.dcma.mil/DIBCAC/.
Not all companies that provide services to an OSA should be considered an ESP. Cloud based
services such as human resource and accounting SaaS applications typically do not
contribute to the security of the OSA’s environment; process or store SPD; or process, store,
or transmit CUI. The OSA must determine if the company providing the service should be
considered an ESP based on the services provided and if CUI is processed, stored, or
transmitted.
Additional Guidance on Level 3 Scoping
CMMC Assessment Scope – Level 3 | Version 2.13
11
This page intentionally left blank.
Document Outline
Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL3v2.pdf