CMMC 2.0 Scoping Guides Deep-dive
James Goepel
Cybersecurity Public Speaker & Thought Leader; Author of Several Cyber/Infosec Books; CMMC CCP, CCA, PI; General Counsel; Electrical & Computer Engineer; Systems Admin./Dev.; Educator; Expert Witness; Company Co-founder
In a recent LinkedIn post, the ever-diligent Matt Titcomb asked my opinion on three separate but related questions regarding CMMC 2.0, and specifically the Level 2 scoping guide published by DoD earlier today. Because of the complexities involved in the questions, the answers are too long to fit into individual LinkedIn posts, so I'm taking the somewhat unusual approach of writing a LinkedIn article to respond.
I want to preface this by saying these are my opinions only, and don't necessarily reflect those of my employer or others and are not intended to (and don't) provide legal advice. As with all things DoD, the devil is in the details, and there are always LOTS of them, so talk to a qualified person and get advice specific to your situation rather than relying on this analysis.
With that out of the way, Matt asked three questions, and I'll answer them in turn.
1) Does DoD have authority to descope "Specialized Assets"?
This gets really tricky quickly, but I think the answer is yes. 32 CFR 2002 says:
Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI's confidentiality on non-Federal information systems (unless the authorizing law, regulation, or Government-wide policy listed in the CUI Registry for the CUI category or subcategory of the information involved prescribes specific safeguarding requirements for protecting the information's confidentiality, or unless an agreement establishes requirements to protect CUI Basic at higher than moderate confidentiality).
800-171, in turn, says:
The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both.
So, 800-171 specifically says that CUI systems can be isolated in a separate CUI security domain. It doesn't say they have to be on their own networks, either; it simply says they must be isolated. And isolation is achieved by applying architectural and design concepts, including using "information flow control mechanisms". Information flow control mechanisms are discussed in 3.1.3 of 800-171, and among the information flow enforcement mechanisms discussed are "prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
Putting it all together (along with other parts of the scoping guidance), to properly claim that an asset is a "Specialized Asset", the organization must have created risk-based policies, procedures, and practices that document how the asset implements (or how the other assets on the network implement, to the exclusion of the Specialized Asset) information flow enforcement mechanisms that allow access only (i.e., no information transfer), one-way information flows, etc. If the organization can do all of that, then it has met the requirements under NIST SP 800-171 and, by extension, 32 CFR 2002, and DoD can allow the corresponding assets to be deemed out of scope for the remainder of the assessment.
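As an added illustration (not from the article or from DoD guidance) of the kind of boundary-protection control 800-171 describes, here is an nftables ruleset on a firewall between a designated CUI enclave and a Specialized Asset segment. The interface names, addresses, and the controller's service port are assumptions chosen for the example; the policy is that enclave hosts may open sessions to the controller, the controller may never initiate toward the enclave, and every other cross-domain packet is logged and dropped so the log can serve as assessment evidence.

```nftables
# Added example, not the article's content. Assumed layout:
#   cui0 - interface facing the designated CUI enclave, 10.10.0.0/24
#   ot0  - interface facing a Specialized Asset (OT controller) at 10.20.0.5
# 44818/tcp is an assumed vendor service port for the controller.
table inet cui_boundary {
    set cui_enclave { type ipv4_addr; flags interval; elements = { 10.10.0.0/24 } }
    set ot_assets   { type ipv4_addr; elements = { 10.20.0.5 } }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies belonging to an already permitted session may return.
        ct state established,related accept

        # Enclave -> OT: only new sessions to the assumed service port.
        iifname "cui0" oifname "ot0" ip saddr @cui_enclave ip daddr @ot_assets \
            tcp dport 44818 ct state new accept

        # OT -> enclave: the specialized asset may not originate any session.
        iifname "ot0" oifname "cui0" ct state new log prefix "ot-initiated-drop: " drop

        # Anything else crossing the boundary is logged and dropped.
        log prefix "cui-boundary-drop: " drop
    }
}
```

Note that this enforces one-way session initiation, not one-way data flow: a TCP session opened from the enclave still carries data both ways, so where the asset genuinely must not receive CUI, the hardware mechanism 800-171 mentions (a data diode) is the appropriate control and this ruleset is only a complement to it.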
2) What is to stop an OSC from declaring everything but the security components as "Specialized Assets"?
The definition of a Specialized Asset. It is limited to Government Property, IoT/IIoT, OT, Restricted Information Systems, and Test Equipment. Of these categories, only Restricted Information Systems really have any flexibility that might allow contractors to "hide" other assets under the definition. But even those have to be configured based on government requirements and used to support a contract. So, I would expect the assessment team to want carefully documented descriptions of how and why the asset meets this definition. That's going to be a huge time waster for contractors unless they really need to do it.
3) Why don't the Scoping Guides mention the application of Level 1 or Level 2?
They don't need to. That will likely be addressed in the Assessment Guides.
Fooling with Words and Identities
3y The Scoping Guides do not descope OT from the moderate baseline laid out in 32 CFR. The risk and mediation are still documented in the SSP. The OT is descoped from the assessment. An OSC must still document how they meet the requirements of protecting the confidentiality of CUI on OT.
CMMC Therapist || Lead CMMC Certified Assessor || CEO at Peak InfoSec, an Authorized C3PAO
3y James, I don't think the 32 CFR reference is applicable. In the first case, there is no cited CUI category and CTI has no such restrictions. The second part of the 32 CFR citation actually points towards using NIST SP 800-172. I also don't think the NIST SP 800-171 para 1.1 interpretation is accurate. That paragraph discusses how an OSC can use logical or physical separation techniques to isolate system components that process CUI from those that don't. My real heartburn is the language "may or may not process CUI." That is inclusive language that creates an exception area that will only be abused.