32 C.F.R. § 170.19

Current through November 30, 2024
Section 170.19 - [Effective 12/16/2024] CMMC scoping
(a)Scoping requirement.
(1) The CMMC Assessment Scope must be specified prior to assessment in accordance with the requirements of this section. The CMMC Assessment Scope is the set of all assets in the OSA's environment that will be assessed against CMMC security requirements.
(2) The requirements for defining the CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section. Additional guidance regarding scoping can be found in the guidance documents listed in paragraphs (e) through (g) of appendix A to this part.
(b)CMMC Level 1 scoping. Prior to performing a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope.
(1)Assets in scope for Level 1 self-assessment. OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements.
(2)Assets not in scope for Level 1 self-assessment -
(i)Out-of-Scope Assets. OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets.
(ii)Specialized Assets. Specialized Assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements.
(3)Level 1 self-assessment scoping considerations. To scope a Level 1 self-assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within its environment that process, store, or transmit FCI.
(c)CMMC Level 2 Scoping. Prior to performing a Level 2 self-assessment or Level 2 certification assessment, the OSA must specify the CMMC Assessment Scope.
(1) The CMMC Assessment Scope for CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1). Additional information is available in the guidance document listed in paragraph (f) of appendix A to this part.

Table 3 to § 170.19 (c)(1) -CMMC Level 2 Asset Categories and Associated Requirements

Asset category Asset description OSA requirementsCMMC assessment requirements
Assets that are in the Level 2 CMMC Assessment Scope
Controlled Unclassified Information (CUI) Assets. Assets that process, store, or transmit CUI. Document in the asset inventory . Document asset treatment in the System Security Plan (SSP). . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 security requirements.. Assess against all Level 2 security requirements.
Security Protection Assets. Assets that provide security functions or capabilities to the OSA's CMMC Assessment Scope. Document in the asset inventory . Document asset treatment in SSP. . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 security requirements.. Assess against Level 2 security requirements that are relevant to the capabilities provided.
Contractor Risk Managed Assets. Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place . Assets are not required to be physically or logically separated from CUI assets.. Document in the asset inventory . Document asset treatment in the SSP. . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 security requirements.. Review the SSP: . If sufficiently documented, do not assess against other CMMC security requirements, except as noted. . If OSA's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.
. The limited check(s) shall not materially increase the assessment duration nor the assessment cost.
. The limited check(s) will be assessed against CMMC security requirements.
Specialized Assets. Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Document in the asset inventory . Document asset treatment in the SSP. . Show these assets are managed using the contractor's risk-based security policies, procedures, and practices. . Document in the network diagram of the CMMC Assessment Scope.. Review the SSP. . Do not assess against other CMMC security requirements.
Assets that are not in the Level 2 CMMC Assessment Scope
Out-of-Scope Assets. Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets. Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI. None.
. Assets that are physically or logically separated from CUI assets
. Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset
. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset

(2)
(i) Table 4 to this paragraph (c)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).

Table 4 to § 170.19 (c)(2)(i) -ESP Scoping Requirements

When the ESP processes, stores, or transmits:When utilizing an ESP that is:
A CSPNot a CSP
CUI (with or without SPD)The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012 The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.
SPD (without CUI)The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection AssetsThe services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
Neither CUI nor SPDA service provider that does not process CUI or SPD does not meet the CMMC definition of an ESPA service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment. The minimum assessment type for the ESP is dictated by the OSA's DoD contract requirement.
(d)CMMC Level 3 scoping. Prior to performing a Level 3 certification assessment, the CMMC Assessment Scope must be specified.
(1) The CMMC Assessment Scope for Level 3 is based on the specification of asset categories and their respective requirements as set forth in table 5 to this paragraph (d)(1). Additional information is available in the guidance document listed in paragraph (g) of appendix A to this part.

Table 5 to § 170.19 (d)(1) -CMMC Level 3 Asset Categories and Associated Requirements

Asset category Asset description OSC requirementsCMMC assessment requirements
Assets that are in the Level 3 CMMC Assessment Scope
Controlled Unclassified Information (CUI) Assets. Assets that process, store, or transmit CUI . Assets that can, but are not intended to, process, store, or transmit CUI (defined as Contractor Risk Managed Assets in table 1 to paragraph (c)(1) of this section CMMC Scoping).. Document in the asset inventory . Document asset treatment in the System Security Plan (SSP). . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.. Limited check against Level 2 and assess against all Level 3 CMMC security requirements.
Security Protection Assets. Assets that provide security functions or capabilities to the OSC's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI. Document in the asset inventory . Document asset treatment in the SSP. . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.. Limited check against Level 2 and assess against all Level 3 CMMC security requirements that are relevant to the capabilities provided.
Specialized Assets. Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Document in the asset inventory . Document asset treatment in the SSP. . Document in the network diagram of the CMMC Assessment Scope. . Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.. Limited check against Level 2 and assess against all Level 3 CMMC security requirements. . Intermediary devices are permitted to provide the capability for the specialized asset to meet one or more CMMC security requirements.
Assets that are not in the Level 3 CMMC Assessment Scope
Out-of-Scope Assets. Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets. Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI. None.
. Assets that are physically or logically separated from CUI assets
. Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset
. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset

(2)
(i) Table 6 to this paragraph (d)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).

Table 6 to § 170.19 (d)(2)(i) -ESP Scoping Requirements

When the ESP processes, stores, or transmits:When utilizing an ESP that is:
A CSPNot a CSP
CUI (with or without SPD)The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012 The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.
SPD (without CUI)The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection AssetsThe services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
Neither CUI nor SPDA service provider that does not process CUI or SPD does not meet the CMMC definition of an ESPA service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship to the OSC, and the services provided need to be documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment. The minimum. The minimum assessment type for the ESP is dictated by the OSC's DoD contract requirement.
(e)Relationship between Level 2 and Level 3 CMMC Assessment Scope. The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope in accordance with § 170.18(a) (e.g., a Level 3 data enclave with greater restrictions and protections within a Level 2 data enclave). Any Level 2 POA&M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated. For further information regarding scoping of CMMC Level 3 assessments please contact DCMA DIBCAC at www.dcma.mil/DIBCAC/.

32 C.F.R. §170.19

89 FR 83214 , 12/16/2024