CMMC 2.0 did not change much for level one beyond moving to a self-assessment model rather than relying on a third party assessor. In fact many companies will end up hiring a Certified CMMC Professional to conduct their self-assessment.
Level one, under the Cybersecurity Maturity Model Certification Framework, requires companies to self assess against 15 Safeguards in FAR Clause 52.204-21 which get assessed against 17 requirements from NIST-SP-800-171 and 59 assessment objectives from NIST-SP-800-171a.
Before one can begin a Level One self-assessment you need to conduct a CMMC Level One Scoping assessment.
Before one can conduct a Level One scoping assessment you need to categorize your FCI, or Federal Contract Information assets.
Do not think of FCI as something you put in one bucket and your company’s data in another bucket. Work towards a baseline of keeping the water clean of malicious intent, deliberate or accidental. regardless of how you categorize the data.
Only you can prevent dumpster fires.
Federal Contract Information (FCI) is any information recieved, created, transmitted, or stored that is the result of a federal contract and not meant for public release.
FCI,does not get labeled and represents such a broad category of data most companies will simply apply Level One as the baseline for their entire system.
CMMC level one represents the floor in cybersecurity. Few will have an FCI enclave that separates FCI from data in other systems and processes. Remember a process can involve multiple systems and a system gets made up of different components.We will see exceptions.
Companies that do level two work or higher may separate an FCI environment by default of carving out a Controlled Unclassified Environment. Many service companies that do Level Three or even Classified work may have a front office that handles all the contracting and associated with an award.
Multi-national corporations may have some subsidaries or divsions that are level one and others that are level three.
Even in these scenarios your risk based security plan should exceed the basic safeguards of FAR-21 if you want to protect your company’s intellectual property.
So when identifying FCI assets in scope it maybe best to not think of individual files or even software but to think about how your company processes, stores, and transmits federal contract information.
When assets get defined as anything with value that processes, stores, and transmits federal contract information it is easy to see how having your entire system in scope becomes a requirement.
- Process-Assets that access, enter, edit, generate, change, print and delete FCI in the workflow of your contract
- Store-Simply data at rest like a saved file. You need to protect your data as much as the governments data.
- Transmit-Assets sharing FCI. Remember this can be person to person or software to software (components)
How do I identify FCI Assets?
Given the advice that one should consider the entire system in scope for FCI how should a contractor go about categorizing FCI Assets?
Even though the Level One assessment and scoping guides say there are no documentation requirements assessed at level one you should have documentation about your FCI assets.
You do not need to see your documentation to pass yourself on a self-assessment but you should never be able to pass yourself without good asset management. This requires policies, procedures, and inventory.
So to best assess the FCI in your environment you may choose the following set of checklist questions derived from the assessment guide. These questions attempt to elicit all the FCI assets you would need to document across processes, storage, and transmission.
As you begin to identify the processes that involve FCI you seeo to answer, “How does data flow through your company from contract award to conlcusion?”
Some of the FCI assets, such as key boundaries, places that stop unauthorized access, could fit in all categories. These assets got listed under transmission rather than listing them in multiple places. I chose transmission over process thinking risk management.
Most spillage occurs at the boundaries when data is in transit (and by leaked crednetials through phish but there is no phishing awareness and training requirements at level one. Please do phishing training and turn on MFA). Therefore thinking about your key boundaries (even though they protect data at rest too) as assets protecting FCI in transmission made sense to me. Feel free to move the questions into any shape or form you want.
Also remember most level one companies will rely on commercial cloud enterprise software. Much of the FCI asset categorization revolves around knowing your software, the default configurations and how to properly configure it based on your security plan.
When considering categorizing processes that handle FCI assets you need to answer:
- What people can access FCI?
- What are all the third party apps and software people use…All of them, even people’s favorite browser plug-ins?
- Does your list of people identify what systems and processes they can access by identifier or role?
- Do you list the devices that can access your system? Do you know how your enterprise software list devices accessing the system?
- By type of device?
- By specific devices?
- A mix of both?
- Do you have a list of unique identifiers you assign to devices?
- Do you have a list of your external systems’ (Microsoft, Google, Salesforce) identification and access management and password policy defaults?
- Do you treat FCI different than rest of your data?
- Do you list all external systems you use like your Enterprise Software and Alarm Company?
- Do you list any policies and procedures you have for destroying FCI?
- Do you have a list of you policies and procedures for escorting and logging visitors?
- Do you have a list of all your physical access devices such as keys, and NFC badges?
- Do you have a list of policies and procedures for handing out and collecting devices during hiring and termination?
- Do you have a network diagram?
- Do you have a systems diagram showing how FCI moves (data flow diagram)?
- Do you have a floor plan?
- Do you have an org chart?
- Do you have a list of devices and systems that store FCI?
- Do you have a list of people who can access processes that protect stored data?
- Do you have a list of all your enterprise baseline controls for securing and possibly encrypting FCI?
- Do you have a list of people who can transmit FCI?
- Do you have a list of approved methods for transmitting FCI?
- Do you list individuals allowed to post information to public systems?
- Do you list the components of key internal boundaries
- Do you list all the components that protect communication at key external boundaries?
- Do you list system components vulnerable to malicious code?
- Do you have a list of your current external systems (email, file sharing, etc) software life cycles for all the processes you use?
- Do you list the policies your Enterprise Software uses to scan for malicious code?
StoreMost companies at level one will use an enterprise cloud storage solution. While most effort will be needed to train employees not to use personal accounts, level one has no training requirements.
When considering categorizing FCI assets you need to ask:
TransmitAgain when transmitting FCI your employees, often through accidental internal threats, will cause most issues by using personal accounts. Not knowing the default settings of your Enterprise software is a close second.
When considering categorizing FCI assets you need to ask:
A small business doing a level one self-assessment will inherit responsibility for protecting FCI assets from third party enterprise cloud vendors such as Microsoft Office 365 or Google Workspace. Much of your level one asset management will get determined by how well you can find the terms of service, baseline configurations. You then list any requirements you add to the defaults (turn on MFA please).
You self-assess the FCI assets against the applicable controls in the CMMC Level One assessment guide. Meaning you would not assess key boundaries like a firewall for documenting physical access devices.
These questions will only help you categorize Federal Contract Information as it moves through your processes built in your system and when you transmit or store this data. The list of questions should help to identify the type of inventory needed for a level one self-assessment.
Pleasse do not think each question requires an its own inventory or document. The Netowrk Diagram for example may check off more than five of the prompts listed above.
As a company self-assessing you need to focus on using Level One to get a baseline measure of your cybersecurity hygiene and use your compliance with FAR Clause 52.204-21 to create a bare minimum for protecting data, both your IP and the Gov’s FCI, in your risk based security plan.
For companies working toward level two CMMC certification if you were honest when calculating a score to upload in SPRS, and it was was below -50 getting to level one first may provide you with direction (just make sure any devices and components at key boundaries meet Level two requirements) before purchasing.
Do not think of FCI in terms of an enclave or the assets moving through subsystems. Your entire system needs to handle federal contract information
It is okay if you can not answer these questions yet, but one can not self-assess at level one without scoping. You can not scope until you know how in-scope assets move through your system.
Count your stuff, Then protect it.
Otherwise when you go to put out the next fire at work you may grab the bucket full of lubricant oil and not water.
(P.S. Please turn on MFA) (P.S.S. The first P.S is really important)