Here’s a scenario I’ve bumped into recently. Let’s say I work for an OSC that has been in business for many, many years. They have a LOT of data in their environment. They have reason to believe some of the data is likely CUI (or at least it was likely to have been FOUO), but it wasn’t marked properly when the client received it. The client wants to know how to go about building an environment that can meet CMMC ML3 certification requirements. Let’s set aside the issue of what the client’s obligations are with respect to that CUI for the moment, and let’s assume that the company has an internal team that handles all of the IT work (i.e., no MSP/MSSPs are involved).

The standard advice is to have them start by conducting a data and systems inventory. But that will be VERY expensive for this client. Instead, the client says “look, we want to draw a line in the sand. All of our new FCI/CUI data, which hopefully will be marked properly, will go into a new environment we’re creating that specifically meets or exceeds the ML3 certification requirements.” They invest heavily in ensuring the new environment meets the requirements, and they put in place proper policies and procedures around the systems that are in that environment.

Now it is time for the assessment. The OSC says that the certification and assessment boundaries encompass only the new environment.

Does the assessor have the ability to say “I want to see what you’re doing outside the assessment boundary, including where else you have CUI”? Does the company then have to conduct the data inventory? More directly, does the assessor have the authority to look at the data on the equipment outside the assessment and certification boundaries to determine whether there is CUI there? I think the answer is “no” to all of these scenarios, but I’m curious to get everyone else’s take.