CMMC Assessment Preparation: Project Scoping Phase
One of the more difficult and important elements of CMMC assessment preparation is the identification and definition of the CMMC assessment project scope. The CMMC assessment will encompass all the systems, system components, and assets to be assessed. There are several approaches to defining your CMMC assessment scope, but the easiest way is to start with the data. After all, the reason for a CMMC assessment in the first place is to adequately protect CUI data. So, let’s start with identifying all the locations in which CUI (or FCI) data is collected, stored, or processed.
1. Determine Assets
An asset is any resource (e.g., data, personnel, documents, media, devices, systems, facilities) that enables the organization to achieve a business purpose. Within the context of information technology, we tend to think of assets as technical elements such as network devices, workstations, and media, but within the context of CMMC assessments the term is expanded to include any resource that may contain sensitive data, have access to sensitive data, or provide a service that is needed to protect sensitive data or systems. Therefore, treat assets broadly, to include Technology (e.g., systems and system components, virtual machines, servers, network devices, security components, external services), Facilities (e.g., physical locations), Information (e.g., hard copy media, soft copy media), and People.
The identification of organizational assets within the system is a good start, but it is simply a list at this point. The creation of a network diagram and a data flow diagram can put the system assets into perspective.
2. Create a Network Diagram
Start with a basic and high-level network diagram. It is not important (right now) to list details such as equipment model numbers, IP addresses, or even the number of servers in the data center. Just get the basic elements that will provide a basis for the creation of a data flow diagram overlay.
3. Create a Data Flow Diagram
A data flow diagram provides a map of the information flow within the system. Data flow diagrams are a visual representation of the system components and how they are connected, along with the data flows (input, output, processing, and storage). Complex systems may require multiple data flow diagrams (one for each process). Here we use a simple example to illustrate the process of developing a data flow diagram in support of a CMMC assessment.
Tips for creating network diagrams and data flow diagrams
This is a multi-part article covering CMMC assessment preparation. The passage was taken from Chapter 3 of the CMMC Assessment Handbook and abbreviated. For more information, DM me or contact Lantego at 512 633-8405. www.lantego.com