
CMMC and Scoping Level 1 Self-Assessments

One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance. 

Here, we cover the DoD CIO’s guidance for organizations performing self-assessments, specifically how to scope a self-assessment for Level 1 maturity.

What Is Level 1 Maturity for CMMC Compliance?

Under the CMMC framework, Level 1 maturity is designed for contractors within the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) but do not process, store, or transmit Controlled Unclassified Information (CUI). CMMC 2.0 simplifies the original CMMC framework into three levels instead of five, with Level 1 being the entry-level tier focused on basic cyber hygiene practices.

CMMC Level 1 ensures that all contractors, especially smaller firms, have basic cybersecurity measures in place to protect information vital to national defense that is not classified as CUI, primarily FCI. It is part of a broader effort to raise the cybersecurity posture of the entire defense supply chain, recognizing that even foundational cybersecurity practices can significantly mitigate the risk of cyber threats.

Under the CMMC framework, organizations subject to Level 1 requirements can conduct self-assessments.

What Is Federal Contract Information?

FCI, or Federal Contract Information, refers to information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information the Government provides to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.

FCI is protected by various laws, regulations, and policies to prevent unauthorized disclosure. This protection is crucial because FCI can include sensitive information about government contracts, proprietary or technical data, and other details that, if disclosed improperly, could potentially harm the interests of the United States or give an unfair advantage to other contractors or foreign entities.

Contractors and subcontractors that handle, process, store, or transmit FCI are subject to specific cybersecurity requirements to safeguard this information from cyber threats and vulnerabilities. For example, the CMMC framework includes practices and processes that contractors must implement to protect FCI, and more sensitive CUI, within their information systems.

How Can These Organizations Scope Their Self-Assessment?

Organizations scoping their Level 1 CMMC self-assessment should follow a structured approach to accurately determine which parts of their environment are included in the assessment. Here’s a summary of how organizations are advised to scope their self-assessment:


What Are Out-of-Scope Assets?

In the context of the CMMC self-assessment process, out-of-scope assets are those components of an organization’s information system environment that do not process, store, or transmit FCI or CUI. These assets are deemed outside the boundary of what needs to be assessed against the CMMC practices for a specific certification level.

Identifying out-of-scope assets is a critical part of the scoping process for a CMMC assessment because it helps organizations focus their cybersecurity efforts and resources on the parts of their systems that directly impact the protection of sensitive government information.

Characteristics of Out-of-Scope Assets:


Line Up Your Self-Assessment Capabilities with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve. If you are starting your CMMC journey and scoping out your Level 1 self-assessment, our cloud tools can help. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is Proactive Cyber Security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.