As a candidate C3PAO undergoing our own Level 3 assessment by the Defense Industrial Base…
The Department of Defense (DoD) has delayed the long-awaited scoping guidance that defines in detail the scope requirements for CMMC assessments for CMMC Maturity Levels 1 and 3.
In the most basic terms, scoping determines the boundaries where CUI/FCI is stored, processed, and exchanged within the contractor’s environment. If the contractor gets the scoping wrong, it will be very difficult to accurately assess their conformity to CMMC standards.
“It won’t impact our ability to conduct assessments per se, but it impacts our ability to conduct the assessment with the full knowledge that we are assessing the proper in-scope systems,” Leslie Weinstein, CMMC lead at auditing firm OCD Tech, told Inside Cybersecurity. “We can assess controls, but we need to make sure we are looking at the right systems.”
The DoD states that the next version of the CMMC Assessment Guide will include guidance on scoping. At this time. there is no timeline for an update release.
There are two assessment guides; one for CMMC Level 1 and the other for CMMC Level 3, which are available on the Office of the Under Secretary of Defense for Acquisition & Sustainment website: Cybersecurity Maturity Model Certification (CMMC) (osd.mil)
The CMMC Level 1 Assessment Guide is focused on FCI and describes 17 CMMC practices (somewhat equivalent to security controls) that DoD contractors will need to meet to obtain a Level 1 certification.
The CMMC Level 3 Assessment Guide is focused on CUI and describes 110 CMMC practices and 3 maturity processes that DoD contractors will need to meet to obtain a Level 3 certification.
For more information, please tune back into Redspin for updates as they become available!