CMMC Begins With Scoping
EP Editorial Staff | March 1, 2023
By Laura Elan, MxD
Though the timeline for full implementation of Cybersecurity Maturity Model Certification (CMMC) 2.0 may shift into 2024, U.S. manufacturers will need to comply with those rules soon enough. CMMC 2.0, announced late in 2021, is not finalized, but a decision on an effective date is expected in 2023. “Where to begin?” is often the top question. The answer, experts say, is to start with scoping.
Scoping, in a general sense, means assessing your environment. For CMMC specifically, scoping is determining what assets in your environment handle sensitive material, which cyber safeguards are required for those assets, and how any cyber safeguards will be measured.
That means it’s important for manufacturers to get started now. The DoD has published guidance to help its contractors begin, including 5 Steps To Make Your Company More Cybersecure. Manufacturers should begin by asking questions such as:
• What federal contract information (FCI) or controlled unclassified information (CUI) am I receiving?
• How does it come into my organization?
• How does it move from one place to the next within my organization?
• Who has access and should they?
For example, if there’s a design for a part to be manufactured, the first step is to understand the path that design takes. Begin by determining how the design arrives. Is that through email, or perhaps a Secure File Transfer Protocol (SFTP) site? Note that plain FTP sends credentials and files unencrypted; “secure” here means SFTP or FTPS, not FTP.
Next, determine how many employees review the design and whether they can print or forward it. Also evaluate whether the number of employees with access needs to change. Then, how does the design move to the factory floor? Be sure to map out where it’s stored and how it is destroyed. From there, you can identify which assets encounter the FCI or CUI and take the next CMMC steps.
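The walk-through above is essentially a reachability question over a data-flow map: everything that CUI can reach, by any channel, is in scope, and each in-scope asset needs its user list and retention or destruction practice recorded. The script below is an added example, not MxD's or the article's own tooling, and the inventory it uses (asset names, users, channels) is constructed for illustration; a real exercise would replace it with your own flow map.

```python
"""Added example: a minimal CUI/FCI data-flow scoping model.

Constructed inventory (hypothetical shop, not real data): each flow records how
material moves between assets. Assets reachable from a CUI entry point over
CUI-carrying flows are in scope; the report lists who can reach them and whether
retention/destruction of that copy is documented.
"""
from collections import defaultdict, deque

# (source, destination, channel, carries_cui) -- constructed sample flows.
FLOWS = [
    ("customer-portal", "mail-server", "email", True),
    ("customer-portal", "sftp-server", "sftp", True),
    ("mail-server", "eng-workstation-1", "email client", True),
    ("sftp-server", "eng-workstation-1", "sftp download", True),
    ("eng-workstation-1", "cad-fileshare", "SMB", True),
    ("cad-fileshare", "cnc-controller", "USB stick", True),
    ("eng-workstation-1", "print-server", "print job", True),
    ("hr-database", "payroll-vendor", "https", False),  # sensitive, but not CUI
]

# Who can reach each asset (constructed).
ACCESS = {
    "mail-server": {"alice", "bob", "carol", "it-admin"},
    "sftp-server": {"alice", "it-admin"},
    "eng-workstation-1": {"alice"},
    "cad-fileshare": {"alice", "bob", "shop-lead", "intern"},
    "cnc-controller": {"shop-lead", "machinist-1"},
    "print-server": {"alice", "bob", "carol", "intern"},
    "hr-database": {"hr-manager"},
}

# Where a CUI copy is kept and how it is destroyed (constructed).
RETENTION = {
    "cad-fileshare": "retained for contract life; wiped at contract close-out",
    "eng-workstation-1": "local copy deleted after upload to fileshare",
}

# The asset where the prime or DoD delivers the design (hypothetical name).
ENTRY_POINTS = {"customer-portal"}


def build_graph(flows):
    """Adjacency list restricted to CUI-carrying flows."""
    graph = defaultdict(list)
    for src, dst, channel, carries_cui in flows:
        if carries_cui:
            graph[src].append((dst, channel))
    return graph


def in_scope_assets(flows, entry_points):
    """Breadth-first walk: every asset reachable from an entry point is in scope."""
    graph = build_graph(flows)
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for dst, _channel in graph[node]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def scoping_report(flows, entry_points, access, retention):
    """Per in-scope asset: users with access, and whether retention/destruction is documented."""
    scope = in_scope_assets(flows, entry_points)
    return {
        asset: {
            "users": sorted(access.get(asset, set())),
            "retention_documented": asset in retention,
        }
        for asset in sorted(scope)
    }


def hard_to_audit_hops(flows, scope):
    """CUI leaving an in-scope asset by print, removable media or email needs a second look."""
    risky = {"USB stick", "print job", "email"}
    return [(s, d, c) for s, d, c, cui in flows if cui and s in scope and c in risky]


if __name__ == "__main__":
    scope = in_scope_assets(FLOWS, ENTRY_POINTS)
    for asset, info in scoping_report(FLOWS, ENTRY_POINTS, ACCESS, RETENTION).items():
        print(f"{asset:20} users={info['users']} retention_documented={info['retention_documented']}")
    for hop in hard_to_audit_hops(FLOWS, scope):
        print("review channel:", hop)
```

Run as-is, the report puts seven assets in scope (the HR database and its payroll vendor stay out because no CUI flows to them), shows that the CNC controller and print server have no documented destruction step, and flags the email, USB and print hops for closer review. The "intern" entry on the CAD file share is the kind of finding the "Who has access and should they?" question is meant to surface.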
Manufacturers shouldn’t limit scoping only to information under the CMMC umbrella.
Having a clear picture of how all your sensitive data is handled—and making sure that information is locked down tight—is the smart thing to do and an industry best practice. That sensitive data can range from the Social Security numbers stored by your HR department to any intellectual property.
For help with scoping, companies can turn to sources including the Unified Scoping Guide, a free resource from cybersecurity company ComplianceForge, Sheridan, WY (complianceforge.com). MxD also has produced a free CMMC Playbook, which helps manufacturers with a Level 1 self-assessment. It can be downloaded at mxdusa.org/cmmcplaybook.