February 17, 2021
Good morning, everyone!
Hot Topics in the CMMC Ecosystem
The CMMC-related webinars just keep coming! The two hottest topics of the past few weeks are cloud security and scoping. Let's take a quick look.
Cloud Security and the CMMC
"Can’t I just put all my CUI in the Cloud and let them be responsible for it?" Well, yes, no, maybe. A few key points to consider:
- The shared responsibility model. What's this? Cloud service providers (CSPs) like Amazon, Microsoft, Google, Oracle, etc. are responsible for the security "of" the cloud, while the customer is responsible for security "in" the cloud. (Read more about this in an earlier newsletter.)
In a webinar last summer, a DoD official mentioned several times that they were working with Amazon Web Services (AWS) to develop simple, secure solutions for small businesses. Each time the official said this, the AWS rep on the webinar would reply something along the lines of yes, they were working on new products for SMBs and security would of course be a priority “within the context of the shared responsibility model.” I watched a cloud security seminar last week, and they were singing the same song. I believe this will continue to be a hot topic for a long time.
- Inherited controls. Under the CMMC assessment methodology, you can inherit security controls. In this case, if you store your CUI with a CSP, any security controls they meet are flowed down to you for that data. This is good news! You are only responsible for meeting the controls that they haven’t. BUT, although the FedRAMP Marketplace at FedRamp.gov is a good place to look, since those CSPs have FedRAMP certification, it’s not a free ticket to CMMC compliance. The FedRAMP certification is less rigorous than the CMMC, and it also allows for POAMs, which the CMMC does not.
- Reciprocity. Apparently there is a DoD memo about to come out describing an arrangement of reciprocity between CMMC and FedRAMP (also DIBCAC) on a practice-by-practice basis. This means that a FedRAMP certified organization can flow down their “fully met” practices to their customers, and it will count as “fully met” on your own CMMC official assessment, no evidence needed. You will still have to fully meet (and provide evidence for) all controls in CMMC that are not in FedRAMP, and also for any of your CSP’s controls that they have addressed by POAM.
- Connected systems. The CMMC assessment methodology takes a close look not only at your information systems, but also at connected systems. What exactly is a “connected system” when you have cloud storage? This is a very big question in terms of scoping (limiting the scope of your information systems subject to the CMMC), and one for which we hope the DoD will provide more information in the very near future.
As usual, it boils down to doing your homework. Hopefully we will have more clarity on scope, especially for cloud solutions, in the near future. You may have noted that one of the pilot contracts is for an Azure cloud solution. The results of that should be beneficial to small businesses that handle CUI.
Scoping and the CMMC
This is probably the hottest topic among professionals in the field. How exactly does one define scope for a CMMC assessment? Let’s take a brief look, as this is a complicated question. First, a definition of scope: “extent or range of view, outlook, application, operation, effectiveness, etc.” So the scope of your CMMC assessment is confined to the scope of your contract environment. What exactly is the scope of your contract environment? That’s where it gets tricky. A few points of note:
- The CMMC applies only to the scope of your FCI (ML1) or CUI (ML3) environment. By limiting the scope, you can limit your compliance burden. Depending on your particular circumstances, this can make a HUGE difference in the amount of effort (and expense) required to achieve compliance. This is why our six-step system for achieving compliance begins with Phase One: Initial Review and Scope, followed by Phase Two: Scope Reduction. You don’t want to spend time and money implementing practices on systems that don’t need to be in the scope of your contract environment. This is your first step. (I talked about this in depth recently – “Follow the Data” to determine your scope.)
- You are responsible for determining the scope of your CUI environment. When you engage a C3PAO to perform your official CMMC assessment, you will define for them what you consider to be your scope. You will have to provide evidence and good reasoning for this. The C3PAO will not accept the engagement if they disagree with your defined scope. So think carefully and be prepared to justify this decision.
- The DoD has not yet provided any official guidance on scoping. In fact, the recently released CMMC Assessment Guide for Level Three has exactly two sentences on scope:
"Prior to a CMMC assessment, the contractor must define the boundary for which the CMMC certificate will be issued. Additional guidance on assessment scope will be available in the next version of this Assessment Guide – Level 3."
I would have to call this not very helpful. I have listened to several webinars where scope is a question and a few comments are made, but no one is tackling the whole thing in depth just yet. Hopefully this will change soon.
Next Workshop: CMMC 101: Readiness Crash Course
My next CMMC workshop is March 3:
- Explore the CMMC Ecosystem
- Decode the CMMC alphabet
- Determine your organization's obligations
- Calculate allowable cost
- Define your timeline
- Identify the data you need to protect
- Understand the importance of scoping
- Avoid the most common pitfalls
- Prepare for the assessment
This 2-hour online class is Part One of my CMMC "deep dive" series. Only 30 places available! The class is kept small to enable Q&A and discussion.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!