Level 1 Scoping Guidance
Revision as of 15:48, 24 February 2025
Source of Reference: The official CMMC Level 1 Scoping Guidance from the Department of Defense Chief Information Officer (DoD CIO).
FCI Assets
Federal Contract Information (FCI) Assets process, store, or transmit FCI as follows:
- Process – FCI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
- Store – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
- Transmit – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
FCI Assets are part of the CMMC Self-Assessment Scope and are assessed against applicable CMMC practices.
Out-of-Scope Assets
Out-of-Scope Assets do not process, store, or transmit FCI. Out-of-Scope Assets are outside of the CMMC Self-Assessment Scope and should not be part of the CMMC self-assessment. These assets are out of scope when evaluating their conformity with applicable CMMC practices. There are no documentation requirements for Out-of-Scope Assets. Specialized assets, as discussed in the next section, are out of scope for a Level 1 Self-Assessment.
Specialized Assets
The following are considered specialized assets for a CMMC Level 1 self-assessment when properly documented.
- Government Property is all property owned or leased by the government. Government property includes both government-furnished and contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software [Reference: Federal Acquisition Regulation (FAR) 52.245-1].
- Internet of Things (IoT) or Industrial Internet of Things (IIoT) are interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183].
- Operational Technology (OT) is used in manufacturing systems, industrial control systems (ICS), or supervisory control and data acquisition (SCADA) systems. OT may include programmable logic controllers (PLCs), computerized numerical control (CNC) devices, machine controllers, fabricators, assemblers, and machining.
- Restricted Information Systems can include systems (and associated IT components comprising the system) that are configured based entirely on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
- Test Equipment can include hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
Specialized Assets are not part of the Level 1 CMMC Self-Assessment Scope and are not assessed against CMMC practices.
Additional Guidance on Level 1 Scoping Activities
To appropriately scope a CMMC Level 1 self-assessment, the contractor should consider the people, technology, facilities, and external service providers within their environment that process, store, or transmit FCI.
- People – Employees, contractors, vendors, and external service provider personnel.
- Technology – Servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems.
- Facilities – Physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms.
- External Service Provider (ESP) – External people, technology, or facilities that the organization uses, including cloud services, co-located data centers, hosting providers, and managed security service providers.
Assets that process, store, or transmit FCI are considered in the self-assessment scope. Using the asset types approach allows a contractor to determine and iterate on how they will satisfy the CMMC Level 1 practices. Because FCI is a broad category of information, the contractor will likely focus the self-assessment on their entire environment.
For example, identifying the people within the contractor’s organization who process, store, or transmit FCI informs how that contractor performs the following practice:
- IA.L1-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
As another example, when the contractor considers all of its technology and external service providers, it can convey how it satisfies the following practices:
- AC.L1-3.1.20 – Verify and control/limit connections to and use of external information systems.
- SC.L1-3.13.1 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Version 2.13 | September 2024
DoD-CIO-00005 (ZRIN 0790-ZA21)
CMMC Scoping Guide – Level 1
24-T-2769
CMMC Assessment Scope – Level 1 | Version 2.13
NOTICES
The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or departmental policies.
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
Introduction
This document provides scoping guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in section 170.19 of title 32, Code of Federal Regulations (CFR). Guidance for scoping a Level 2 self-assessment or certification assessment can be found in the CMMC Scoping Guide – Level 2 document. Guidance for scoping a Level 3 certification assessment can be found in the CMMC Scoping Guide – Level 3 document. More details on the CMMC Model can be found in the CMMC Model Overview document.
Purpose and Audience
This guide is intended for Organizations Seeking Assessment (OSAs) that will be conducting a Level 1 self-assessment and the professionals or companies that will support them in those efforts.
Identifying the CMMC Assessment Scope
Level 1 Assessment Scope
Prior to a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment. There are no documentation requirements for Level 1 self-assessments, including for In-Scope, Out-of-Scope, and Specialized Assets.
In-Scope Assets
Assets in scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b), are all assets that process, store, or transmit Federal Contract Information (FCI).
- Process – FCI is used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
- Store – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
- Transmit – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
These assets are part of the CMMC Assessment Scope and are assessed against all Level 1 requirements.
Out-of-Scope Assets
Assets out of scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b)(2), are those that do not process, store, or transmit FCI. These assets are outside of the CMMC Assessment Scope and are not part of the assessment.
Specialized Assets
Specialized Assets, as defined in 32 CFR § 170.19(b)(2)(ii), are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 self-assessment scope and are not assessed against CMMC requirements. The following assets, defined in 32 CFR § 170.4, are considered specialized assets for a Level 1 self-assessment.
- Government Furnished Equipment (GFE) has the same meaning as “government-furnished property” as defined in 48 CFR § 45.101. Government-furnished property means property in the possession of, or directly acquired by, the Government and subsequently furnished to the contractor for performance of a contract. Government-furnished property includes, but is not limited to, spares and property furnished for repair, maintenance, overhaul, or modification. Government-furnished property also includes contractor-acquired property if the contractor-acquired property is a deliverable under a cost contract when accepted by the Government for continued use under the contract.
- Internet of Things (IoT) or Industrial Internet of Things (IIoT) is defined in NIST SP 800-172A. These are interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183].
- Operational Technology (OT) [1] means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. [Source: NIST SP 800-160v2 Rev 1] NOTE: Operational Technology (OT) specifically includes Supervisory Control and Data Acquisition (SCADA); this is a rapidly evolving field. [Source: NIST SP 800-82r3]
- Restricted Information Systems means systems [and associated Information Technology (IT) components comprising the system] that are configured based entirely on government security requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
- Test Equipment means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables.
[1] Operational Technology includes hardware and software that use direct monitoring and control of industrial equipment to detect or cause a change.
Additional Guidance on Level 1 Scoping
In accordance with 32 CFR § 170.19(b)(3), to appropriately scope a Level 1 self-assessment, the OSA should consider the people, technology, facilities, and external service providers within its environment that process, store, or transmit FCI.
- People – May include, but are not limited to, employees, contractors, vendors, and external service provider personnel.
- Technology – May include, but are not limited to, servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems.
- Facilities – May include, but are not limited to, physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms.
- External Service Provider (ESP) – as defined in 32 CFR § 170.4, means external people, technology, or facilities that an OSA utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the OSA.
In accordance with 32 CFR § 170.19(b)(1), assets that process, store, or transmit FCI and which are not Specialized Assets are in the CMMC Assessment Scope. Using the asset types approach allows an OSA to determine how they will satisfy the Level 1 requirements. FCI is a broad category of information; therefore, the self-assessment may need to address a wide array of assets.
For example, identifying the people within the OSA who process, store, or transmit FCI will assist with the assessment of the following Level 1 security requirement:
- IA.L1-b.1.v – Identify information system users, processes acting on behalf of users, or devices.
As another example, identification of all technologies may inform assessment of the following Level 1 security requirements:
- AC.L1-b.1.iii – Verify and control/limit connections to and use of external information systems.
- SC.L1-b.1.x – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Self-assessments and certification assessments may be valid for a defined CMMC Assessment Scope as outlined in 32 CFR § 170.19 CMMC Scoping. A new assessment is required if there are significant architectural or boundary changes to the previous CMMC Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Operational changes within a CMMC Assessment Scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP [2], do not require a new assessment, but rather are covered by the annual affirmations of continuing compliance with requirements.
[2] It is recommended that an OSA develop an SSP as a best practice at Level 1. However, it is not required in order to conduct a Level 1 self-assessment.
Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf