What is CMMC? CMMC Update Archives CMMC Links
Security Awareness Training Public Speaking Expert Witness
Newsletters Whitepapers Articles Videos Interviews Additional Resources
CMMC Update by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

December 7, 2021

Good afternoon, everyone!

CMMC 2.0 Scoping Guides Are Here!

These are exciting times, folks! We finally have the long-awaited scoping guides for L1 and L2. Both docs are quite short (3 and 8 pages, respectively) so it’s worth downloading and reading for yourself at the earliest opportunity. While they don’t directly address a few things I had hoped for, there is still a lot of good stuff in here. I’m going to tackle just one concept today:

Where do IoT and OT fit into your compliance program?

The L2 scoping guide has a very useful table describing categories of assets and where they fit into your compliance program. We finally have some clarity on IoT (“Internet of Things” or “smart devices” with sensors that can control physical things like electrical grids, HVAC, alarm systems) and OT (Operational Technology like ICS, SCADA, PLCs, CNC).

The scoping guide puts IoT and OT into the category of “Specialized Assets.” If these devices are on the same network which “stores, processes or transmits” CUI, they must be:

  • Documented in your asset inventory
  • Documented in your SSP (showing how you manage this risk with your policies, procedures and practices)
  • Documented in the network diagram of CMMC Assessment Scope

HOWEVER, and this is really key, these devices do not have to be assessed against any CMMC practice other than the SSP requirement at CA.L2-3.12.4! This is a big relief to many of us, I know.

Remember, also, that if you segment these devices off from your CMMC network (VLANs are your friend!) then they aren’t a part of your scope at all, and don’t need to be included in your documentation. The L2 scoping guide provides information on Separation Techniques, including logical and physical separation.

I’ll tackle some more details in the scoping guides over the next few weeks. Meanwhile, you’ve heard that old saw “When is the best time to plant a tree? 20 years ago. When is the second best time? Today.” Think of your 800-171 compliance as a tree! Start planting TODAY.

P.S. – Need help? I’m just an email or phone call away!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!

Glenda R. Snodgrass Sincerely,

Glenda R. Snodgrass
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!

TNE. Cybersecurity. Possible.

Speak with an Expert

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

Site Map

Home
Employee Training
Security Awareness Training
Public Speaking
Expert Witness
Workshops
About

Resources


CMMC
Newsletter
Whitepapers
Articles
Videos
Interviews

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy