The long awaited CMMC 2.0 Scoping Guide was released last week, providing some much-needed guidance on categorization of IT assets as being either in-scope or out of scope for a CMMC assessment. The guide provides clarity and some surprising and welcome impacts– specifically on CMMC scoping for small business and the manufacturing industry.   In this post, we outline five steps an organization should take to meet the requirements of the new CMMC scoping guide.    


Step 1 – Inventory 

The scoping conversation is a critical ‘pre-assessment’ activity – identifying in-scope assets, using the organization’s network diagram as the key input. In this new guidance, the contractor is required to document all asset categories that are part of the assessment scope in an asset inventory and provide a network diagram of the assessment scope to facilitate scoping discussions during pre-assessment activities. So – there are two required artifacts from this requirement: a current asset inventory and a network diagram, identifying in-scope assets.  

The asset inventory is more than just physical system components such as hardware, server, workstation, laptop, mobile phone, printers. Asset inventory includes people, tools and facilities, it also includes physical copies of information and external service providers.  

Step 2 – Identify any External Service Providers (ESP) 

An External Service Provider (ESP) is a cloud service provider (CSP), managed service provider (MSP) or a managed security service provider (MSSP). The scoping guide indicates ESPs are in-scope if CUI is stored, transmitted, managed or protected by ESP systems or by people. For example, if your MSSP provides a security information and event management (SIEM) service, it may be separated logically and may process no CUI, but the SIEM does contribute to meeting the CMMC practice requirements and is in-scope. Evaluate your providers shared responsibility matrix and service level agreements – what is contractor responsibility and what is provider responsibility? Can you inherit any practice objectives from other certifications such as SOC 2, FedRAMP or from the ESP’s CMMC certification? Update your internal documentation to reflect responsibility. 

Step 3 – Categorize Assets 

After taking inventory, categorize each asset to determine if it is ‘in scope’ for a CMMC assessment, or out of scope. The second artifact requirement, the network diagram, is a visual representation of any assets that contain or protect CUI.  We actually recommend our clients create two network diagrams, one showing all assets for reference and the second with a subset of only the in-scope assets. The holistic diagram is beneficial to quickly answer any questions on the categorization decision – i.e. why an asset is not considered in-scope. The in-scope diagram clearly sets the boundary for the assessment.  

One quick point – the guide references CMMC practices. With CMMC 2.0, this now means the controls found in NIST SP 800-171.  

The scoping guide identifies 5 categories for assets: 

  • CUI Assets – Assets that process, store or transmit CUI. These assets are required to meet all practices   
  • Security Protection Assets – Assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI. This list includes your firewall, physical security systems, security personnel, SIEM. These assets are required to meet all practices. Security Protection Assets can include people, technology, and facility. Security protection assets are part of the assessment scope and are required to conform to applicable CMMC practices, regardless of their physical or logical placement. 
  • Contractor Risk Managed Assets – Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures and practices in place (This means at minimum – your System Security Plan or SSP. More on those policies, procedures and practices later).  Contractor Risk Managed assets are not required to be physically or logically separated from CUI assets.  They must be managed under the contractor’s risk-based information security policy, procedures, and practices, but are not assessed against CMMC Practices.  
  • Specialized Assets - Assets that may or may not process, store, or transmit CUI. Examples are contractor used government property, IoT or OT systems, Restricted Information Systems, and Test Equipment. These specialized assets Must be managed under the contractor’s risk-based information security policy, procedures, and practices, but are not assessed against CMMC Practices. 
  • Out-of-scope Assets - Assets that cannot process, store, or transmit CUI. These are outside the outside of the CMMC Assessment Scope and currently have no documentation requirements. 

In case you missed it, read that again…Contractor Risk Managed Assets and Specialized Assets are NOT assessed against CMMC practices. This is huge for small businesses and the manufacturing industry! If you have an asset in place that is not intended to but may potentially process CUI, mitigating controls can be used to protect the asset – if appropriately documented. This relieves the expensive burden of applying all CMMC practices to specific assets. If you have a legacy workstation with custom software on the shop floor that cannot be upgraded OR a Finance team not working with CUI but working on the same physical corporate LAN as those processing CUI – the guide removes the requirement to apply ALL CMMC practices.  This doesn’t mean the assets should not be secured or protected, or physically or logically separated when possible, but it does take away the costly and extensive implementation of specific practices. This is good news but makes having appropriately documented policies, procedures and practices critically important!   

Step 4 – Update Documentation 

In addition to the asset inventory and network diagram, review and verify your SSP and all security policies, procedures and practices based on the new guidance in the CMMC Scoping Guide. Keep in mind that with CMMC 2.0, we lost some clarity on documentation requirements. However, the scoping guide is clear that those haven’t gone away. Especially with the key takeaway in Step 3 above – documentation is key to adequately identifying and demonstrating those mitigating controls for Contractor Risk Managed and Specialized assets that may not be fully compliant with all CMMC practices. Reasonable documentation that demonstrates compensating controls and procedures that protect special assets is absolutely necessary. The scoping guide also incorporates a new numbering guide which may impact your documentation. 

Step 5 – Get Help 

This post highlighted five steps your organization can take NOW to identify and protect your assets. Contact us if you are just getting started or need a trusted partner for the continued evolution of your cybersecurity strategy and implementation. The CMMC Scoping Guide provided some relief to small business but it does not remove the requirement to secure and protect your assets, people, tools and facilities.  

If you run into questions on asset inventory, categorization, documentation or protection, reach out to your cyber aware network or to a security service provider for clarification. The CMMC journey continues – and not only for the sake of box checking, but because the pursuit of security in depth is critical to your organization’s success and to the protection of our country and warfighters. 

About Riverstone Solutions
Founded in 2007, Riverstone Solutions Inc. (RSI) is an Information Technology, Cybersecurity and Engineering company. We are headquartered in beautiful downtown Huntsville, Alabama and certified as a Woman Owned Small Business (WOSB) and a Historically Under-utilized Business Zone (HUBZone) company. We provide professional services in information technology, cybersecurity and cloud solutions, data and advanced analytics. Our diverse customer base includes both commercial and government clients, with varying sizes, cultures and challenges. RSI is a Registered Provider Organization (RPO) with the CMMC-AB, providing consulting and IT remediation services to our commercial clients and the defense industrial base.