Practical Approach to CMMC Compliance Identifying and Reducing the Scope of Your Assessment Slides
PDF Summary
This document, authored by Charles Riordan, Senior Director of Platform Compliance at Egnyte, in March 2023, provides guidance on scoping and defining the Controlled Unclassified Information (CUI) processing environment for CMMC 2.0 compliance. Key steps outlined include:

1. Specifying the CMMC Assessment Scope: Contractors must create an asset inventory covering all assets within the scope that process, store, or transmit CUI.
2. Developing and Documenting the System Security Plan (SSP): The SSP must describe the environment of operation, how security requirements are implemented, relationships to other systems, and roles/responsibilities. It should also specify the frequency of updates.
3. Performing a Self-Assessment: Using the CMMC Assessment Guide Level 2, contractors perform a self-assessment of their CUI environment to identify gaps in compliance and produce a current-state profile.
4. Developing a Plan of Action and Milestones (POAM): The POAM captures remediation plans addressing compliance gaps identified during the self-assessment.

The document emphasizes the importance of thoroughly documenting asset categories, breaking them down as follows:

- CUI Assets: Assets that process, store, or transmit CUI (including people, technology, and facilities).
- Security Protection Assets (SPA): Assets providing security capabilities within the assessment scope.
- Contractor Risk Managed Assets (CRMA): Assets secured by policy to avoid processing CUI but still within contractor management.
- Specialized Assets: Including government property, IoT/IIoT, operational technology (SCADA, PLCs, ICS), and test equipment.

All applicable assets must be assessed against all 110 CMMC 2.0 controls. Assets outside these categories are considered out of scope.
The SSP is a critical document and must meet CA.L2-3.12.4 requirements, describing the assessment scope, system description, security controls implementation, and interconnections. Overall, the guide underlines rigorous documentation, self-assessment, and remediation planning as essential processes for ensuring compliance with CMMC 2.0 related to CUI environments.
Keywords
CMMC 2.0 compliance
Controlled Unclassified Information
CUI processing environment
System Security Plan
SSP documentation
Self-assessment
Plan of Action and Milestones
POAM remediation
Asset inventory
Security Protection Assets