
CMMC – Scoping Considerations for Successful Certification 

Achieving Cybersecurity Maturity Model Certification (CMMC) is a critical step for organizations handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Proper scoping is essential to streamline the certification process and ensure compliance. In this post, we’ll outline key scoping information for a CMMC audit, explain how using an enclave can help achieve compliance rapidly, and discuss the scoping document released by the office of the DoD Chief Information Officer (CIO) in September of 2024. 

Understanding CMMC Scoping 

Scoping for a CMMC audit involves identifying and categorizing assets within your organization that process, store, or transmit CUI and FCI. The scope defines the boundary of the assessment and determines which assets will be evaluated. Key considerations include: 

  1. In-Scope Assets: Assets that handle CUI or FCI directly, or that provide security functions for those assets (for example, logging). They must meet all CMMC requirements. 
  2. Contractor Risk Managed Assets: Assets that can access CUI but are not intended to, because policies and practices prevent it. They must be documented but are not subject to CMMC requirements. 
  3. Specialized Assets: Certain assets, such as Industrial Control Systems (ICS) or Internet of Things (IoT) devices, that cannot implement all CMMC requirements. They must be documented but are not subject to CMMC requirements. 
  4. Out-of-Scope Assets: Assets that cannot process, store, or transmit CUI or FCI. These are excluded from the assessment. 

Using an Enclave for Rapid Compliance 

An enclave is a segmented portion of your network that is isolated from other parts of your IT environment. By creating an enclave, you can limit the scope of your CMMC assessment to only the assets within this secure boundary. This approach offers several benefits: 

  • Reduced Complexity: Isolating CUI and FCI within an enclave simplifies the assessment process. 
  • Enhanced Security: Enclaves provide an additional layer of security, protecting sensitive information from broader network threats. 
  • Faster Compliance: By focusing on a smaller, well-defined scope, organizations can achieve compliance more rapidly. 
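The following is an added example, not code from the original post or from Tevora, showing how the four scoping categories above and the enclave boundary check can be applied to an asset inventory before an assessment. The inventory records, the field names (handles_cui, security_function, can_reach_cui, specialized), the precedence rule (specialized first, then in-scope, then risk managed) and the enclave CIDR are constructed assumptions for illustration, not definitions from the DoD CIO scoping guide.

```python
"""Asset scoping helper for a CMMC assessment (constructed example).

Classifies an inventory into the four CMMC scoping categories and flags any
in-scope asset that sits outside the declared enclave network, since such an
asset silently widens the assessment boundary.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    handles_cui: bool          # processes, stores or transmits CUI/FCI
    security_function: bool    # e.g. log collector, identity provider
    can_reach_cui: bool        # could access CUI, but policy prevents it
    specialized: bool          # ICS/IoT etc. that cannot meet all practices


IN_SCOPE = "In-Scope"
CRMA = "Contractor Risk Managed"
SPECIALIZED = "Specialized"
OUT_OF_SCOPE = "Out-of-Scope"


def categorize(asset: Asset) -> str:
    """Map one asset to a scoping category.

    Precedence is an assumption of this example: a specialized asset is
    reported as such even if it touches CUI, because it cannot implement the
    full requirement set and must instead be documented.
    """
    if asset.specialized:
        return SPECIALIZED
    if asset.handles_cui or asset.security_function:
        return IN_SCOPE
    if asset.can_reach_cui:
        return CRMA
    return OUT_OF_SCOPE


def scope_inventory(assets, enclave_cidr):
    """Return (category -> asset names, in-scope assets outside the enclave)."""
    enclave = ip_network(enclave_cidr)
    report = {IN_SCOPE: [], CRMA: [], SPECIALIZED: [], OUT_OF_SCOPE: []}
    boundary_gaps = []
    for asset in assets:
        category = categorize(asset)
        report[category].append(asset.name)
        # Anything that must meet every CMMC requirement should live inside
        # the segmented boundary; otherwise the enclave does not limit scope.
        if category == IN_SCOPE and ip_address(asset.ip) not in enclave:
            boundary_gaps.append(asset.name)
    return report, boundary_gaps


# Constructed sample inventory; addresses and names are illustrative only.
SAMPLE_INVENTORY = [
    Asset("cui-fileserver", "10.50.1.10", True, False, False, False),
    Asset("siem-collector", "10.50.1.20", False, True, False, False),
    Asset("hr-workstation", "10.20.3.15", False, False, True, False),
    Asset("plant-plc-01", "10.50.2.5", True, False, False, True),
    Asset("marketing-web", "10.20.9.40", False, False, False, False),
    Asset("cui-laptop-07", "10.20.4.77", True, False, False, False),
]
ENCLAVE_CIDR = "10.50.0.0/16"  # assumed enclave network


if __name__ == "__main__":
    report, gaps = scope_inventory(SAMPLE_INVENTORY, ENCLAVE_CIDR)
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
    if gaps:
        print("In scope but outside the enclave:", ", ".join(gaps))
```

Running the script lists each category and reports `cui-laptop-07` as an in-scope asset outside the enclave: either it moves inside the boundary or the assessment scope expands to cover the network it is on. A real inventory would replace the constructed list with an export from an asset management or CMDB system.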

The DoD CIO Scoping Document 

The DoD CIO provides a comprehensive scoping guide to help organizations prepare for their CMMC assessment. This document outlines the steps to identify in-scope and out-of-scope assets, categorize specialized assets, and define the assessment boundary. Key elements of the scoping document include: 

  • Asset Categorization: Guidance on classifying assets based on their interaction with CUI and FCI. 
  • Boundary Definition: Instructions for delineating the scope of the assessment. 
  • Documentation Requirements: Details on the necessary documentation to support the scoping process. 

By following the scoping guide, organizations can ensure they are well-prepared for their CMMC assessment, reducing the risk of non-compliance and streamlining the certification process. 

Conclusion 

Proper scoping is a foundational step in achieving CMMC certification. By understanding the scoping requirements, leveraging enclaves for rapid compliance, and utilizing the DoD CIO scoping document, organizations can navigate the certification process efficiently and effectively. Stay ahead of the curve and ensure your organization is ready for CMMC certification by focusing on these critical scoping considerations. 

About the Author

Alex Adams is an Information Security Associate at Tevora.
