February 9, 2022
Good afternoon, everyone!
CMMC 2.0 Scoping Guide: Contractor Risk Managed Assets
As you know, the DoD released the long-awaited scoping guides for L1 and L2 in December. One of the most interesting aspects of the L2 guide is Table 1: CMMC Asset Categories Overview. I talked briefly about the Specialized Assets category (IoT/OT) in my last newsletter, and now I want to take a look at Contractor Risk Managed Assets (CRMA) – this is a new concept and adds some interesting potential scenarios to your scoping exercises.
First, the definition of CRMA, basically two conditions:
(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
(2) Assets [that] are not required to be physically or logically separated from CUI assets
Second, some examples of CRMA:
- Computers on the same network as a server storing CUI, where the user is prevented from accessing CUI due to password protection, group policies, etc.
- Computers accessing VDI or other cloud assets where it is technically possible to download the CUI to the local device, but the organization has a policy in place forbidding this
- Wireless access points in your CUI environment which do not permit access to resources storing CUI
The Good News: CRMA do not have to be assessed against CMMC practices. But wait! This is NOT a “get out of jail free card” for all those old Windows 7 PCs you haven’t replaced yet, or the inertia preventing you from logically separating out devices that don’t need to access CUI (to get them out of scope entirely).
The Bad News: CRMA must be:
- Documented in your asset inventory
- Documented in your SSP (showing how you manage this risk with your policies, procedures and practices)
- Documented in the network diagram of the CMMC Assessment Scope
- Subject to being “spot checked to identify risks” by the CCA during your assessment
What does this mean? Well, you need to be serious about having a written plan (that you are actually following!) to manage the risks presented by CRMA. What could that include? Basic cyber hygiene on all devices, including antivirus protection, unique user accounts, strong password policies, MFA, monitoring & logging activity, intrusion prevention/detection systems, etc. Having a firewall rule that prevents those old Windows 7 PCs from accessing the Internet. Making certain your employees know what policies are in place to protect CUI and providing regular training to remind them.
How to decide what to do? Realistically, if you have only a few devices that fall into this category, then following these procedures may be worthwhile. However, if you have a significant number of CRMA in your CUI environment currently, it may be the prudent path to segment these devices off from your CMMC network (VLANs are your friend!) -- then they aren’t a part of your scope at all, and don’t need to be included in your documentation. Remember, the L2 scoping guide provides information on Separation Techniques, including logical and physical separation.
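A small scoping check, added here as an example and not taken from the newsletter or the DoD guide, that applies the two CRMA conditions above to a constructed asset inventory and flags any CRMA that is missing from one of the three required records; the record field names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of a constructed asset inventory; field names are assumptions."""
    name: str
    can_handle_cui: bool          # technically able to process, store or transmit CUI
    intended_for_cui: bool        # the organization intends it to handle CUI
    separated_from_cui: bool      # physically or logically separated from CUI assets
    in_inventory: bool = False    # listed in the asset inventory
    ssp_section: str = ""         # SSP section describing how its risk is managed
    on_network_diagram: bool = False


def classify(a: Asset) -> str:
    """Apply the two CRMA conditions from the L2 scoping guide.

    Intended to handle CUI -> CUI Asset.  Separated from CUI assets -> out of
    scope.  Can handle CUI, not intended to, not separated -> CRMA.  Anything
    else falls into another Table 1 category that this example does not model.
    """
    if a.intended_for_cui:
        return "CUI Asset"
    if a.separated_from_cui:
        return "Out-of-Scope"
    if a.can_handle_cui:
        return "CRMA"
    return "Other (see Table 1)"


REQUIRED_DOCS = ("asset inventory", "SSP", "network diagram")


def crma_documentation_gaps(a: Asset) -> list:
    """Return which of the three required records a CRMA is missing from."""
    if classify(a) != "CRMA":
        return []
    present = (a.in_inventory, bool(a.ssp_section), a.on_network_diagram)
    return [doc for doc, ok in zip(REQUIRED_DOCS, present) if not ok]


# Constructed sample inventory mirroring the newsletter's examples.
INVENTORY = [
    Asset("cui-fileserver", True, True, False, True, "SSP 3.1", True),
    Asset("win7-shop-pc", True, False, False, True, "", True),       # CRMA, no SSP entry
    Asset("vdi-thin-client", True, False, False, True, "SSP 3.1.3", True),
    Asset("cnc-controller", True, False, True, False, "", False),    # moved to its own VLAN
]


def scoping_report(inventory) -> dict:
    """Map each asset name to (category, list of missing CRMA records)."""
    return {a.name: (classify(a), crma_documentation_gaps(a)) for a in inventory}


if __name__ == "__main__":
    for name, (cat, gaps) in scoping_report(INVENTORY).items():
        print(f"{name:18} {cat:20} missing: {', '.join(gaps) or 'none'}")
```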
I hope you have found this useful, and now I’m going to ask a favor. Please, take a couple of minutes to drop me a short email telling me whether/how CMMC v2.0 has changed your compliance strategy. I’m sincerely curious.
Remember, while CMMC “feels new,” it really isn’t – especially since it is now based entirely on the controls of NIST 800-171, which took effect December 31, 2017. CMMC is just forcing everyone to prove that they have implemented the proper controls to protect FCI/CUI.