Customized Network Diagrams For CMMC & NIST 800-171

To comply with NIST 800-171 and pass a Cybersecurity Maturity Model Certification (CMMC) assessment, it is a requirement to have a documented System Security Plan (SSP). Realistically, it is not possible to define the "assessment boundary" for a CMMC assessment without first having a network diagram that demonstrates what the pertinent network assets are and supporting IT infrastructure, including what is on-site, remote or outsourced.

 

Requirements from NIST 800-171 & CMMC that address documenting network diagrams and data flows include:

CMMC v1.02:

  • AC.2.016Control the flow of CUI in accordance with approved authorizations.

  • CA.2.157: Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.

NIST 800-171 rev2: 

  • 3.1.13: Control the flow of sensitive data in accordance with approved authorizations.

  • 3.12.4: Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

As part of the expected components within the SSP, the Department of Defense (DoD) provided specific guidance, where the the "System Environment" section must contain:

"A detailed topology narrative and graphic shall be included that clearly depicts the Contractor’s internal unclassified information system boundaries, system interconnections, and key components. This does not require depicting every device, but would include an instance of operating systems in use, virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations, firewalls, routers, switches, copiers, printers, lab equipment, etc. If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. Include or reference (e.g., to an inventory database or spreadsheet) a complete hardware and software inventory, including make/model/version and maintenance responsibility."​

What Verutus provides is a cost-effective and efficient service to obtain the following necessary documentation:

  • Professional network diagram;

  • Data Flow Diagram (DFD); and

  • Scoping guidance for CMMC (identifies what is and is not in scope).

   Work Smarter, Not Harder - Compliance Scoping Guide For CMMC & NIST 800-171   

We work closely with ComplianceForge, a leader in NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) compliance. ComplianceForge built a CMMC and NIST 800-171 scoping guide that is focused on identifying assets that would be considered in or out-of-scope. That CUI Scoping Guide is a free resource to help educate those organizations that must comply. 

 

We utilize that scoping guide, since it is intended to help companies define what is in scope to comply with NIST 800-171 and appropriately prepare for a CMMC audit. A significant step towards becoming NIST 800-171 compliant and being able to pass a CMMC audit is understanding the scope of the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) environment. 

The network diagrams Verutus provides utilize color-coded icons to tag assets based on the applicable zone, according to the scoping guide's methodology, as shown below.

Verutus - Network Diagram Template v1 -

   Questions?   

If you have any questions on this process or the network diagrams that Verutus can create, please contact us, since we are more than happy to discuss your needs for quality and affordable network diagrams.

Disclaimer: This information is provided for educational purposes only. This website does not render professional services and is not a substitute for professional services. If you have compliance-related questions, you are encouraged to consult a cybersecurity professional.

© Verutus, LLC (Verutus). All Rights Reserved.

Verutus, LLC (Verutus) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. Verutus does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

Verutus reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.