CMMC Assessment Scope – Level 1
Version 2.1 - DRAFT | July 2023
NOTICES
The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or departmental policies.
[DISTRIBUTION STATEMENT A] Approved for public release.
This document provides scoping guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC) as set forth in 32 CFR § 170.19. Guidance for scoping a CMMC Level 2 assessment can be found in the CMMC Scoping Guide – Level 2 document. Guidance for scoping a CMMC Level 3 assessment can be found in the CMMC Scoping Guide – Level 3 document. More details on the CMMC Model can be found in the CMMC Model Overview document.
Purpose and Audience
This guide is intended for Organizations Seeking Assessment (OSAs) that will be conducting a CMMC Level 1 self-assessment and the professionals or companies that will support them in those efforts.
Prior to a Level 1 Cybersecurity Maturity Model Certification (CMMC) Self-Assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment.
Federal Contract Information (FCI) Assets, as defined in 32 CFR § 170.4, are assets that process, store, or transmit FCI.
Process – FCI is used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
Store – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
Transmit – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
FCI Assets are part of the CMMC Assessment Scope and are assessed against all CMMC Level 1 requirements.
Out-of-Scope Assets, as defined in 32 CFR § 170.19(b)(2), do not process, store, or transmit FCI. Out-of-Scope Assets are outside of the CMMC Assessment Scope and are not part of the CMMC self-assessment. There are no documentation requirements for Out-of-Scope Assets. Specialized assets, as discussed in the next section, are out of scope for a Level 1 Self-Assessment.
In accordance with 32 CFR § 170.19(a)(2), Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC requirements.
As defined in 32 CFR § 170.19(b)(2)(ii) specialized assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Self-Assessment Scope and are not assessed against CMMC requirements. The following, defined in 32 CFR § 170.4, are considered specialized assets for a CMMC Level 1 self-assessment.
Government Furnished Equipment (GFE) has the same meaning as “government-furnished property” as defined in FAR § 45.101. Government-furnished property means property in the possession of, or directly acquired by, the Government and subsequently furnished to the contractor for performance of a contract. Government-furnished property includes, but is not limited to, spares and property furnished for repair, maintenance, overhaul, or modification. Government-furnished property also includes contractor-acquired property if the contractor-acquired property is a deliverable under a cost contract when accepted by the Government for continued use under the contract.
Internet of Things (IoT) or Industrial Internet of Things (IIoT) is defined in NIST SP 800-172A. These are interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183].
Operational Technology (OT)[1] means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. [Source: NIST SP 800-160v2 Rev 1]. NOTE: Operational Technology (OT) specifically includes Supervisory Control and Data Acquisition (SCADA); this is a rapidly evolving field. [Source: NIST SP 800-82r3]
Restricted Information Systems means systems (and associated IT components comprising the system) that are configured based entirely on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
Test Equipment means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables.
In accordance with 32 CFR § 170.19(a)(3), to appropriately scope a CMMC Level 1 self-assessment, the OSA should consider the people, technology, facilities, and external service providers within its environment that process, store, or transmit FCI.
People – May include, but are not limited to, employees, contractors, vendors, and external service provider personnel.
Technology – May include, but are not limited to, servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems.
Facilities – May include, but are not limited to, physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms.
External Service Provider (ESP) – As defined in 32 CFR § 170.4, means external people, technology, or facilities that an OSA utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the OSA.
In accordance with 32 CFR § 170.19, assets that process, store, or transmit FCI and which are not Specialized Assets are in the CMMC Assessment Scope. Using the asset types approach allows an OSA to determine how they will satisfy the CMMC Level 1 requirements. FCI is a broad category of information; therefore, the self-assessment may need to address a wide array of assets.
For example, identifying the people within the OSA who process, store, or transmit FCI will assist with fulfillment of the assessment of the following CMMC Level 1 security requirement:
IA.L1-b.1.v – Identify information system users, processes acting on behalf of users, or devices.
As another example, identification of all technologies may inform assessment of the following CMMC Level 1 security requirements:
AC.L1-b.1.iii – Verify and control/limit connections to and use of external information systems.
SC.L1-b.1.x – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
[1] Operational Technology includes hardware and software that use direct monitoring and control of industrial equipment to detect or cause a change.