CMMC 2.0 Scoping Insight: 2 Tips For Using PCI Context
The Belgian writer and painter Erik Pevernagie once said that “without a clear-cut vision and a proper reading of the roadmap we may not reach the buoyant shores of the horizon.”
While it’s more likely that Mr. Pevernagie was just being poetic at the time, his words ring true right now in the world of compliance—especially where CMMC is concerned.
Anticipated for over a year now, the Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s new approach to curbing cybercrime. But even as it’s taking longer than expected to launch, the CMMC remains the latest new target on the compliance horizon, and just because it’s not yet here doesn’t mean you can’t prepare.
If you expect to eventually become beholden to CMMC’s requirements, we recommend you take Erik’s advice and ensure you have a clear-cut understanding and roadmap so that you aren’t caught out when this certification actually does become required.
How do you do that, you may be wondering.
The good news is, the DoD has already put out a significant amount of content around CMMC version 2.0. But as one of the first CMMC C3PAOs authorized to perform these audit services when the certification is finally launched, we want to offer another perspective for your benefit.
Back when the latest 2.0 version was released, we wrote about CMMC, but now we’d like to take it a step further than that overview in order to help you understand more about your potential assessment.
One of the documents the DoD released was CMMC scoping guidance—the first of its type. There’s a lot of detail in there that can help you, along with some fantastic scoping scenarios shared by Amira Armond that really give you real world examples to digest, discuss, and debate.
But upon our reading of this guidance, we discovered something else that could really help you in understanding what will fall into scope for this assessment—parallels in this area between Payment Card Industry (PCI) Data Security Standard and CMMC.
As PCI is a more established and popular compliance standard, it might help you to draw connections between them. Using familiar territory like this to map to this new “horizon” can help ease the addition of this new certification to your compliance portfolio.
Let us explain exactly what we mean.
Tip #1: Control Your CUI Environment
Being a provider of a diverse suite of compliance services, our breadth of expertise allows us to identify nuance across compliance domains. It’s a complicated industry, and so we want to provide a simplified version of this kind of specialized knowledge to help you—especially when it comes to new standards like CMMC that remain unknown in practice.
The nuance we’ve found between PCI and CMMC is a specific one. During our PCI DSS engagements, one of the first things we always hear is, “What is in scope?” Or, more importantly, “Is my scope correct?”
It’s a question that’s surely also going to come up during future CMMC talks, and you should know that CMMC is concerned with Controlled Unclassified Information (CUI) in much the same way PCI is concerned with cardholder data. It won’t surprise you, then, that in these early days, as guidance on CMMC was and still is being released, we’ve actually been taking a PCI-like approach when speaking with clients about CUI in a CMMC context.
The basic idea of CUI security is that the fewer places it sits, the less risk you have and the easier it is to assess (normally). If you’ve been through a PCI assessment, you’ll already know this and have done it, but in case you have not—if CMMC is on your horizon, you should work with an advisor or consultant to figure out how to make your CUI environments as compact and manageable as possible.
Tip #2: Understand the Role of Your “Connected To” Systems
That’s your first tip, but in fact, there’s more we can decipher about CMMC by using PCI to translate. For instance, in PCI, there are three categories of scope:
- Systems that store, process, and transmit cardholder data (CHD)
- Systems that connect to systems that store, process, and transmit CHD
- Systems that impact the security of the CHD environment
If we replace CHD with CUI, using the CMMC scoping guide, we can understand this about what’s potentially in your CMMC scope:
- Systems that store, process, and transmit CUI: In scope and called “CUI Assets”
- Systems that connect to systems that store, process, and transmit CUI: Not in scope and referred to as “Contractor Risk Managed Assets”
- Systems that impact the security of the CUI environment: In scope and called “Security Protection Assets”
You probably noted the difference in the second item of each list—the one that references “connected-to systems.” These are not treated the same for PCI and CMMC, as one is in scope and one is not, and this difference is important.
Why?
- Whereas PCI does require you to secure and assess the systems that connect to the systems that store/process/transmit at the same level of compliance and assessment, CMMC will only ask you to document those assets in the asset inventory and system security plan (SSP).
- That means that for CMMC certification, you will need to show that you are applying the “contractor’s risk-based security policies, procedures, and practices” to these assets (as per pp. 2 and 4 of the scoping guide), but the assets themselves will not be scoped for assessment.
Of course, there could be caveats. Reviews of policies, procedures, vulnerability scans, and other data points could potentially identify concerns, and the guide does say that your C3PAO will be able to do spot checks. Still, the requirements as they stand fall short of pulling these systems into scope even if a concern is identified.
Understanding Risk and Your CMMC Scope
Even if these systems are to be excluded from your eventual CMMC scope, we will say this—any security professional would agree that the most common path to compromising a host is through a networked neighbor. As such, we would never tell you not to adequately protect assets that connect to systems that store, process, and transmit CUI, even if the scoping guidance says it won’t be checked during this assessment.
Some may argue this is a weakness in the standard, while others may believe that this provides needed flexibility.
But one thing is clear—it’s up to you, not your auditor, to decide what kind of risk you assume in your approach.
This has been very much an in-the-weeds attempt to relate what remains unknown to us in CMMC to elements of PCI that the compliance world is already accustomed to. Though CMMC remains out there on the murky horizon, we will continue to do our best to keep you updated on new developments with breakdowns of what they mean for you.
In the meantime, please reach out to us if you have any concerns about this new certification. We look forward to addressing any questions you may have, and to partnering on these assessments once we get the go-ahead to perform them.
About Douglas Barbin
As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post-graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.