December 7, 2021
Good afternoon, everyone!
CMMC 2.0 Scoping Guides Are Here!
These are exciting times, folks! We finally have the long-awaited scoping guides for L1 and L2. Both docs are quite short (3 and 8 pages, respectively) so it’s worth downloading and reading for yourself at the earliest opportunity. While they don’t directly address a few things I had hoped for, there is still a lot of good stuff in here. I’m going to tackle just one concept today:
Where do IoT and OT fit into your compliance program?
The L2 scoping guide has a very useful table describing categories of assets and where they fit into your compliance program. We finally have some clarity on IoT (“Internet of Things” or “smart devices” with sensors that can control physical things like electrical grids, HVAC, alarm systems) and OT (Operational Technology like ICS, SCADA, PLCs, CNC).
The scoping guide puts IoT and OT into the category of “Specialized Assets.” If these devices are on the same network that “stores, processes or transmits” CUI, they must be:
- Documented in your asset inventory
- Documented in your SSP (showing how you manage this risk with your policies, procedures and practices)
- Documented in the network diagram of CMMC Assessment Scope
HOWEVER, and this is really key, these devices do not have to be assessed against any CMMC practice other than the SSP requirement at CA.L2-3.12.4! This is a big relief to many of us, I know.
Remember, also, that if you segment these devices off from your CMMC network (VLANs are your friend!) then they aren’t a part of your scope at all, and don’t need to be included in your documentation. The L2 scoping guide provides information on Separation Techniques, including logical and physical separation.
I’ll tackle some more details in the scoping guides over the next few weeks. Meanwhile, you’ve heard that old saw “When is the best time to plant a tree? 20 years ago. When is the second best time? Today.” Think of your 800-171 compliance as a tree! Start planting TODAY.