Level 1 Scoping Guidance: Difference between revisions
No edit summary |
No edit summary |
||
| Line 21: | Line 21: | ||
=== In-Scope Assets === | === In-Scope Assets === | ||
Assets in scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b), are all assets that process, store, or transmit Federal Contract Information (FCI). | Assets in scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b), are all assets that process, store, or transmit Federal Contract Information (FCI). | ||
* '''Process''' – FCI is used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed). | |||
* '''Store''' – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents). | |||
* '''Transmit''' – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods). | |||
These assets are part of the CMMC Assessment Scope and are assessed against all Level 1 requirements. | |||
or | === Out-of-Scope Assets === | ||
Assets out of scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b)(2), are those that do not process, store, or transmit FCI. These assets are outside of the CMMC Assessment Scope and are not part of the assessment. | |||
== ''Specialized Assets'' == | |||
Specialized Assets, as defined in 32 CFR § 170.19(b)(2)(ii), are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 self-assessment scope and are not assessed against CMMC requirements. The following assets, defined in 32 CFR § 170.4, are considered specialized assets for a Level 1 self-assessment. | |||
* '''Government Furnished Equipment''' (GFE) has the same meaning as “government-furnished property” as defined in 48 CFR § 45.101. Government-furnished property means property in the possession of, or directly acquired by, the Government and subsequently furnished to the contractor for performance of a contract. Government-furnished property includes, but is not limited to, spares and property furnished for repair, maintenance, overhaul, or modification. Government-furnished property also includes contractor-acquired property if the contractor-acquired property is a deliverable under a cost contract when accepted by the Government for continued use under the contract. | |||
* '''Internet of Things (IoT) or Industrial Internet of Things (IIoT)''' is defined is NIST SP800-172A. These are interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183]. | |||
* '''Operational Technology (OT)'''[[017fc2ea748b1f3e96df9700ce159821fc970307.html#5|1 ]]means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. [Source: NIST SP 800-160v2 Rev 1] NOTE: Operational Technology (OT) specifically includes Supervisory Control and Data Acquisition (SCADA); this is a rapidly evolving field. [Source: NIST SP 800-82r3] | |||
* '''Restricted Information Systems''' means systems [and associated Information Technology (IT) components comprising the system] that are configured based entirely on government security requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). | |||
* '''Test Equipment''' means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables. | |||
Assets | |||
'' | |||
store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) | |||
devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), | |||
Government Furnished Equipment (GFE), Restricted Information Systems, and Test | |||
Equipment. Specialized Assets are not part of the Level 1 self-assessment scope and are not | |||
assessed against CMMC requirements. The following assets, defined in 32 CFR § 170.4, are | |||
considered specialized assets for a Level 1 self-assessment. | |||
furnished property” as defined in 48 CFR § 45.101. Government-furnished property | |||
means property in the possession of, or directly acquired by, the Government and | |||
subsequently furnished to the contractor for performance of a contract. Government- | |||
furnished property includes, but is not limited to, spares and property furnished for | |||
repair, maintenance, overhaul, or modification. Government-furnished property also | |||
includes contractor-acquired property if the contractor-acquired property is a | |||
deliverable under a cost contract when accepted by the Government for continued use | |||
under the contract. | |||
the digital world, sensing/actuation capability, and programmability features. They are | |||
uniquely identifiable and may include smart electric grids, lighting, heating, air | |||
conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National | |||
Institute of Standards and Technology (NIST) 800-183]. | |||
with the physical environment (or manage devices that interact with the physical | |||
environment). These systems or devices detect or cause a direct change through the | |||
monitoring or control of devices, processes, and events. Examples include industrial | |||
control systems, building management systems, fire control systems, and physical access | |||
control mechanisms. [Source: NIST SP 800-160v2 Rev 1] NOTE: Operational Technology | |||
(OT) specifically includes Supervisory Control and Data Acquisition (SCADA); this is a | |||
rapidly evolving field. [Source: NIST SP 800-82r3] | |||
Technology (IT) components comprising the system] that are configured based entirely | |||
on government security requirements (i.e., connected to something that was required to | |||
support a functional requirement) and are used to support a contract (e.g., fielded | |||
systems, obsolete systems, and product deliverable replicas). | |||
of products, system components, and contract deliverables. | |||
Revision as of 17:17, 24 February 2025
Source of Reference: The official CMMC Level 1 Scoping Guidance from the Department of Defense Chief Information Officer (DoD CIO).
For inquiries and reporting errors on this wiki, please contact us. Thank you.
NOTICES
The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or departmental policies.
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
Introduction
This document provides scoping guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in section 170.19 of title 32, Code of Federal Regulations (CFR). Guidance for scoping a Level 2 self-assessment or certification assessment can be found in the CMMC Scoping Guide – Level 2 document. Guidance for scoping a Level 3 certification assessment can be found in the CMMC Scoping Guide – Level 3 document. More details on the CMMC Model can be found in the CMMC Model Overview document.
Purpose and Audience
This guide is intended for Organizations Seeking Assessment (OSAs) that will be conducting a Level 1 self-assessment and the professionals or companies that will support them in those efforts.
Identifying the CMMC Assessment Scope
Level 1 Assessment Scope
Prior to a Level 1 self-assessment the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment. There are no documentation requirements for Level 1 self-assessments including In-Scope, Out-of-Scope, and Specialized Assets.
In-Scope Assets
Assets in scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b), are all assets that process, store, or transmit Federal Contract Information (FCI).
- Process – FCI is used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
- Store – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
- Transmit – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
These assets are part of the CMMC Assessment Scope and are assessed against all Level 1 requirements.
Out-of-Scope Assets
Assets out of scope for a Level 1 self-assessment, as defined in 32 CFR § 170.19(b)(2), are those that do not process, store, or transmit FCI. These assets are outside of the CMMC Assessment Scope and are not part of the assessment.
Specialized Assets
Specialized Assets, as defined in 32 CFR § 170.19(b)(2)(ii), are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 self-assessment scope and are not assessed against CMMC requirements. The following assets, defined in 32 CFR § 170.4, are considered specialized assets for a Level 1 self-assessment.
- Government Furnished Equipment (GFE) has the same meaning as “government-furnished property” as defined in 48 CFR § 45.101. Government-furnished property means property in the possession of, or directly acquired by, the Government and subsequently furnished to the contractor for performance of a contract. Government-furnished property includes, but is not limited to, spares and property furnished for repair, maintenance, overhaul, or modification. Government-furnished property also includes contractor-acquired property if the contractor-acquired property is a deliverable under a cost contract when accepted by the Government for continued use under the contract.
- Internet of Things (IoT) or Industrial Internet of Things (IIoT) is defined is NIST SP800-172A. These are interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183].
- Operational Technology (OT)1 means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. [Source: NIST SP 800-160v2 Rev 1] NOTE: Operational Technology (OT) specifically includes Supervisory Control and Data Acquisition (SCADA); this is a rapidly evolving field. [Source: NIST SP 800-82r3]
- Restricted Information Systems means systems [and associated Information Technology (IT) components comprising the system] that are configured based entirely on government security requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
- Test Equipment means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables.
1
Operational Technology includes hardware and software that use direct monitoring and control of industrial
equipment to detect or cause a change.
Additional Guidance on Level 1 Scoping
CMMC Assessment Scope – Level 1 | Version 2.13
4
Additional Guidance on Level 1 Scoping
In accordance with 32 CFR § 170.19(b)(3), to appropriately scope a Level 1 self-assessment,
the OSA should consider the people, technology, facilities, and external service providers
within its environment that process, store, or transmit FCI.
•
People – May include, but are not limited to, employees, contractors, vendors, and
external service provider personnel.
•
Technology – May include, but are not limited to, servers, client computers, mobile
devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices,
applications, virtual machines, and database systems.
•
Facilities – May include, but are not limited to, physical office locations, satellite offices,
server rooms, datacenters, manufacturing plants, and secured rooms.
•
External Service Provider (ESP) – as defined in 32 CFR § 170.4, means external people,
technology, or facilities that an OSA utilizes for provision and management of
comprehensive IT and/or cybersecurity services on behalf of the OSA.
In accordance with 32 CFR § 170.19(b)(1), assets that process, store, or transmit FCI and
which are not Specialized Assets are in the CMMC Assessment Scope. Using the asset types
approach allows an OSA to determine how they will satisfy the Level 1 requirements. FCI is
a broad category of information; therefore, the self-assessment may need to address a wide
array of assets.
For example, identifying the people within the OSA who process, store, or transmit FCI, will
assist with fulfillment of the assessment of the following Level 1 security requirement:
•
IA.L1-b.1.v – Identify information system users, processes acting on behalf of users, or
devices.
As another example, identification of all technologies may inform assessment of the
following Level 1 security requirements:
•
AC.L1-b.1.iii – Verify and control/limit connections to and use of external information
systems.
•
SC.L1-b.1.x – Monitor, control, and protect organizational communications (i.e.,
information transmitted or received by organizational information systems) at the external
boundaries and key internal boundaries of the information systems.
Self-assessments and certification assessments may be valid for a defined CMMC Assessment
Scope as outlined in 32 CFR § 170.19 CMMC Scoping. A new assessment is required if there
are significant architectural or boundary changes to the previous CMMC Assessment Scope.
Examples include, but are not limited to, expansions of networks or mergers and
acquisitions. Operational changes within a CMMC Assessment Scope, such as adding or
subtracting resources within the existing assessment boundary that follow the existing SSP2
do not require a new assessment, but rather are covered by the annual affirmations to the
continuing compliance with requirements.
2
It is recommended that an OSA develop a SSP as a best practice at Level 1. However, it is not required in order
to conduct a Level 1 self-assessment.
Additional Guidance on Level 1 Scoping
CMMC Assessment Scope – Level 1 | Version 2.13
5
This page intentionally left blank.
Document Outline
Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf