CMMC & NIST 800-171 Scoping Guide

NIST 800-171 & CMMC Scoping Guide

Our partner, ComplianceForge, created a document that is intended to help companies define what is in scope to comply with NIST 800-171 and appropriately prepare for a CMMC audit. A significant step towards becoming NIST 800-171 compliant and being able to pass a CMMC audit is understanding the scope of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) environment. We leverage the principles in this scoping guide to provide guidance to our clients on what should be considered in and out-of-scope for a CMMC audit, based on data-centric security practices.

Download Scoping Guide

There is no official guidance or methodology from NIST or the DoD on categorizing assets as being either in or out of the scope for NIST 800-171 / CMMC. Given that lack of guidance and a need for businesses to demonstrate both due care and due diligence with their NIST 800-171 compliance operations, ComplianceForge developed a scoping methodology guidebook that includes seven (7) categories of system components. That guide highlights the different types of risks associated with each category. This approach makes it evident which systems, applications and services must be protected risk posed to CUI.

In simple terms, the "FCI/CUI environment" encompasses the systems, applications and services that store, process and transmit FCI/CUI:

Store – When FCI/CUI is inactive or at rest (e.g., located on electronic media, system component memory, paper)
Process – When FCI/CUI is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)
Transmit – When FCI/CUI is being transferred from one location to another (e.g., data in motion).

However, in addition to those systems, applications and services that actually store, transmit and process FCI/CUI, there are technology dependencies and connected systems that must be properly accounted for. This guide addresses those considerations.

Zone-Based Approach To Data-Centric Security For CMMC & NIST 800-171 Compliance

When viewing scoping, there are seven (7) categories of assets for NIST 800-171 and CMMC compliance purposes.

CUI Assets: The first zone contains systems, services and applications that clearly store, transmit and/or process CUI, CTI or CDI.
Segmenting: The second zone contains “segmenting systems” that provide access (e.g., firewall, hypervisors, etc.)
Security Tools: The third zone contains “security tools” that directly impact the integrity of category 1 and 2 assets (e.g., Active Directory, centralized antimalware, vulnerability scanners, IPS/IDS, etc.).
Connected. The fourth zone contains connected systems. These are systems, applications or services that have some direct or indirect connection into the CUI environment. Systems, applications and services that may impact the security of (for example, name resolution or web redirection servers) the CUI environment are always in scope. Essentially, it something can impact the security of the CUI, it is in scope.
Out-of-Scope. The fifth zone contains out-of-scope systems that are completely isolated from the CUI systems. For these, always remember that.
Enterprise-Wide. The sixth zone addresses the organization’s overall corporate security program (cyber and physical). Note: This is where the NFO controls are applicable to NIST 800-171 and CMMC compliance.
Third-Party Service Provider. The seventh zone addresses supply-chain security with the “flow down” of contractual requirements to Third-Party Service Providers (TSPs) that can directly or indirectly influence the CUI environment.

CMMC Scoping Guide - Overview of zones.J

Zone 1: All systems, applications and services that store, transmit and/or process CUI are Category 1 devices. These systems that interact with CUI are the main assets that NIST 800-171 and CMMC are trying to protect.

Zone 2: All network devices or hypervisors that provide segmentation functions are Category 2 devices. This category involves systems that provide segmentation and prevent "CUI contamination" from the CUI environment to uncontrolled environments. Typically, these are network firewalls that implement some form of Access Control List (ACL) to restrict logical access into and out of the CUI environment.

Note: If network segmentation is in place and is being used to reduce the scope of NIST 800-171 and a CMMC audit, expect the assessor to verify that the segmentation is adequate to reduce the scope of the assessment. the more detailed the documentation your assessor will require to adequately review the implemented segmenting solution.

These two NIST 800-171 controls address the concept of segmenting:

3.1.3 Control the flow of CUI in accordance with approved authorizations.
3.13.1 Monitor, control, and protect communications (e.g., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Zone 3: All systems that provide security-related services or IT-enabling services that may affect the security of the CUI environment are Category 3 devices. There are systems that can impact configurations, security services, logging, etc. that can be in a dedicated security subnet or on the corporate LAN.

These include, at a minimum:

Identity and Directory Services (Active Directory, LDAP)
Domain Name Systems (DNS)
Network Time Systems (NTP)
Patch management systems
Vulnerability & patch management systems
Anti-malware management systems
File Integrity Management (FIM) systems
Data Loss Prevention (DLP) systems
Performance monitoring systems
Cryptographic key management systems
Remote-access or Virtual Private Network (VPN) systems
Multi-factor Authentication (MFA) systems
Mobile Device Management (MDM) systems
Log management and Security Incident Event Management (SIEM) systems
Intrusion Detection Systems/ Intrusion Prevention Systems (IDS/IPS)

Zone 4: Any system that has some capability to communicate with systems, applications or services within the CUI environment is a Category 4 device. A “connected” system, application or service should be considered in scope for NIST 800-171 since it is not completely isolated. If it can potentially impact the security of the CUI, it is in scope for NIST 800-171.

There are two sub-categories of connected devices:

Directly Connected
Indirectly Connected

Zone 4-A: This sub-category addresses any system that is “connected to” the CUI environment is considered a directly-connected system. Any system outside of the CUI environment that is capable of communicating with a system that stores, transmits or processes CUI (e.g., asset within the CUI environment) is a Category 4-A device.

Note – For systems outside of the CUI environment that have periodic outbound connections from the CUI environment that do not involve the transfer of CUI data, there is a case to argue that the system could be ruled out-of-scope since it cannot have an impact on the security of the CUI. In cases like this, some form of Data Loss Prevention (DLP) tool may be warranted to act as a compensating control to further demonstrate how the asset would be out-of-scope.

Zone 4-B: This sub-category addresses any system that does not have any direct access to CUI systems (e.g., not interacting with the CUI environment). Any system that has access to Connected or Segmenting systems and that could affect the security of the CUI environment is a Category 4-B device.

An example of an indirectly connected system would be that of an administrator's workstation that can administer a security device (Active Directory, firewall, etc.) or upstream system that feeds information to connected systems (e.g. patching system, DNS, etc.). In the case of a user directory, an administrator could potentially grant himself/herself (or others) rights to systems in the CUI environment, therefore breaching the security controls applicable to the CUI environment.

Zone 5: Any system, application or service that is not a CUI-contaminated, segmenting or connected system is a Category 5 asset. These assets are considered out-of-scope for NIST 800-171 compliance. These out-of-scope assets must be completely isolated (no connections whatsoever) from CUI systems, though they may interact with connected systems (and can even reside in the same network zone with connected systems).

Four (4) tests must be considered to confirm that a system is out-of-scope and considered a Category 5 asset. This amounts to ensuring that the asset does not fall under the previously defined categories:

System components do NOT store, process, or transmit CUI/CTI/CDI.
System components are NOT on the same network segment or in the same subnet or VLAN as systems, applications or processes that store, process, or transmit CUI
System component cannot connect to or access any system in the CUI environment.
System component cannot gain access to the CUI environment, nor impact a security control for a system, application or service in the CUI environment via an in-scope system.

Zone 6: This category addresses enterprise-wide security controls that exist outside of just the CUI environment and specifically addresses Non-Federal Organization (NFO) controls. Within this category are the corporate-wide security practices that affect both cyber and physical security, including security-related policies, standards and procedures that affect the entire organization.

Zone 7: NIST 800-171 and CMMC take supply chain security seriously and this category addresses Third-Party Service Providers (TSPs). The formal contracts between your organization its TSPs dictate the logical and physical access those TSP have to the organization’s facilities, systems and data. The “flow down” considerations of NIST 800-171 and CMMC must be addressed with each TSP to clearly identify the TSPs’ ability to directly or indirectly influence the CUI environment.

FCI/CUI Scoping Decision Tree

The following decision tree provides a logical walk-through to determine if an asset is in scope or not:

CMMC NIST 800-181 SSP Network Diagram Te