Business Owner’s Guide to CMMC
Ep 3: Scoping
Watch episode 3 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: Alright, so continuing with our Business Owner’s Guide to CMMC, let’s talk about scoping. I hear this term getting thrown around, so can you talk to me a little bit about what that means.
DAN: Scoping for the CMMC is, big picture: where is the important stuff that I want to secure? If I’m doing drawings, if I have important controlled unclassified information, things about my contract with the defense industry…where is that kept? Is it on every PC in your environment? Probably not. So, what they’re doing is, they’re looking at it and saying, what’s in scope? In other words, where’s all that information that I want to control?
BEN: I understand it’s not just where the information is, but what and who has access to that information. So, is there anything out there that can provide a good guide to help our listeners try to figure out how to scope their business?
DAN: Yeah, there’s a couple of key documents out there you want to make sure you or your team has. One of them is done by the Cyber AB. It’s actually the CMMC assessment scope. There’s a level one and a level two. The level two is what we typically use for customers, and it basically says, here’s what you want to look for and here’s what you have to provide. And it makes you go through and look at your entire network. The first thing is that you have to know what devices are out there. A lot of customers don’t even know what they have. And this is the surprising thing, Ben, is that we could have Windows 7. We could have old Windows systems out there and they are vulnerable. So, we want to make sure we don’t put anything important on those systems. All those systems need to be outside of important information, therefore they would fall outside of our scope.
BEN: Got it, okay. And then, what about people that have access? I mean, how do they think about that?
DAN: Well, when you look at the important information, your scope, you say, if this is where all my information is, how does information flow in and out of that scope? That could be systems talking to other systems. It could be people authorized to access those systems. And it’s the overall control of that environment, not just from the IT standpoint. If I have a cleaning crew, can they come in and can they have my CAD drawings? Can they physically pick them up or are they under lock and key? It’s really about securing your environment and securing this information.
BEN: Yeah, we always use the analogy here about what’s inside the closed envelope. Within our system—and again, we have the luxury of having a little bit of an advantage because our platform is set up as a centralized infrastructure in a private data center. So, all the servers and compute and data are all within that closed envelope. I think about scoping the same way, right? Can you draw a box around it and does everything stay inside that closed envelope? Put your security around the closed envelope, and if it comes out, what sort of encryption are you using? Or what sort of security measures are you doing once it leaves that closed envelope? So, that’s how we think about scoping, and then it’s, who are the people that have access? Because they get pulled into scope. So as a technology provider for DIB contractors/businesses, we even get pulled into scope, as well, through these assessment processes. So, it’s important to think about how you draw your closed envelope, and once data/CUI leaves that envelope, is it leaving in an appropriate way? Can you prove that? Who gets in, who is authorized or has the privilege to manage or control the data within that environment? How are they now brought into scope? I don’t think a lot of people are thinking about that latter piece of it.
DAN: Well, on a very high level, this is not an IT project. It’s not a, “I need to know every PC and operating system and put it on a piece of paper and show me your network diagram.” It comes down to…yes, that’s a piece of it, show me the network…but also, you have an HVAC system—your heating and control. Does it have an internet connection? Does it have a phone connection? Can people dial into that system, and is that system connected somehow to your network? Well, guess what? Some of the major breaches that have come out, that’s where they got access. When you peel back, they got in through the heating and ventilation control system. And then, from there, got their privileges up and went over to the other networks. So, secure your front door and secure your IT, but also think about what all is connected. There’s a lot of connections out there.
Watch Episode 4 on Access Control.
Need help getting compliant?
Avatara’s DoD Platform is a turnkey solution for centralized data and easier compliance. Schedule a free consultation today to learn more.