Published 8 Feb 2026

Scoping: #1 Reason for CMMC False Starts

Improper scoping. This is the number one reason that organizations have false starts for CMMC. And without proper scoping, you definitely won’t get your Risk Assessment right.

Let’s talk about correctly defining boundaries for your Risk Assessment by identifying the systems, networks, assets and data – especially CUI – that have to be included to meet CMMC requirements.

Scope refers to specific people, systems, networks, and processes that store, transmit, or process CUI. This is called the CUI environment or enclave.

If you “under scope”, assessors will fail you because you leave CUI pathways unprotected. But if you “over scope” and bring in your whole organization when it doesn’t really have to all be part of the CUI environment, you’ll dramatically increase your compliance cost. And you’ll increase your workload over time as you keep up your compliance effort.

The goal is to get the right size scope. Justify it. Document it. And make sure it’s defensible.

To define scope, we answer three key questions about your CUI:

  1. Where is it stored? It could be servers, laptops – maybe the cloud.
  2. Where is it transmitted or processed? That could be email, applications, or networks.
  3. Who has access to it? It’s not just the organization’s employees – it could also be their contractors, cloud service providers, or MSPs… Hopefully not MPSs!

These elements form your system boundary, and that’s the exact perimeter within which your Risk Assessment is conducted.

CMMC requires you to formally document your scope. Typically, this is at the top of your System Security Plan, in the very first few sections. It includes network diagrams, data flow diagrams, and a description of what’s inside and outside of your CUI boundary.

Once you define and document the scope, you’ll have established the foundation for your Risk Assessment. Every threat, vulnerability or control decision will be based on this boundary.

Have questions or need help with scoping? Feel free to drop questions in the comments or shoot me a text.

Brenda Harper
Content Writer