DISCLAIMER
The C3PAO Stakeholder Forum is an industry group of C3PAOs. The group is formed from C3PAOs and aspiring C3PAOs; it is open to all CMMC-AB Marketplace C3PAOs and confirmed C3PAO applicants. The mission is to advance the CMMC assessor and C3PAO input, participation, and consensus within the CMMC ecosystem. This include advocating for policies, sharing perspectives and working alongside the DoD, CMMC-AB, Organizations seeking certification and other stakeholders to advance the mission of CMMC, which broadly is to increase the cyber posture of the Defense Industrial Base. The C3PAO Stakeholder Forum’s participation is voluntary and those individuals that participate do so of their own volition and without compensation. The views of the board and the C3PAO Stakeholder Forum are not necessarily those of each member or their respective companies. The DoD, and where delegated by the DoD to the CMMC-AB, are the ultimate authority with regard to CMMC. Any guidance contained within is not authoritative and if found in conflict with DoD guidance should be considered subordinate. We simply seek to share this guidance to help advance the conversations and drive consistency among the industry. To the extent that subsequent guidance is published by the DoD or similar authorities, this document will be revised.
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
Explanation of problem
Please note, “assessment scoping” means identifying the systems that must be reviewed during a single CMMC assessment. This is different than the “scope guidance” in the release scope guidance position which identifies whether CMMC requirements apply to individual components within an information system.
The lack of assessment scoping language in the DFARS 252.204-7021 creates a significant gap for C3PAOs as they work with clients to scope assessments.
The DFARS requirement text for CMMC states only: “The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.” This language does not require any relationship between the system being assessed and contract performance or contract data.
Our current assessment scope guidance allows C3PAOs to review only a client’s CUI enclave at CMMC ML3. The client’s FCI systems could remain un-assessed. The CMMC ML3 certificate could be used to submit for contracts that would not utilize the assessed enclave.
Since the DFARS language does not scope the CMMC certification to the systems used to perform on that contract, we expect that contractors will request assessment of systems that are not actually used for contract performance. It encourages smaller assessment scopes which are likelier to result in a certification, but do not ensure that all FCI and CUI is protected.
The gap introduced by the DFARS 252.204-7021 language can be resolved with CMMC Program Management Office (PMO) guidance to C3PAOs on how to scope an assessment for certification. Below is a suggestion on how this could be worded.
Recommendation:
Identify CMMC assessment scope to include all contractor-owned systems that are being used or are intended to be used for performance on contracts that include DFARS 252.204-7021. While this may not assess all intended systems immediately, during the re-assessment each three years, all systems will eventually be accounted for.