CMMC Scoping
In Part 3 of the scoping series, Amira Armond and Mark Hapeman of Kieri Solutions continue their deep dive into the CMMC Level 2 scoping process—this time focusing on how to define and manage CUI assets within your environment.
Viewers will learn:
What qualifies as a CUI asset—including systems, people, services, and infrastructure that process, store, or transmit CUI.
The detailed meanings of “process,” “store,” and “transmit” based on the new CMMC Scoping Guide, and how they impact your asset inventory.
Common misunderstandings about remote access and web-based tools, including whether technologies like VDI and online document viewers remove systems from scope.
How assessors typically interpret web-based document access (e.g., Office 365, Google Docs) and what evidence organizations need to demonstrate out-of-scope endpoints.
The role of policy vs. technical controls in restricting unauthorized handling of CUI—especially in cloud and hybrid environments.
The concept of “accessed” data and why even the ability to connect to CUI locations could bring a system into scope.
How to decide which systems are assessed against all CMMC Level 2 requirements versus only partial or role-based responsibilities—such as for IT administrators or supporting infrastructure.
The nuanced differences between CUI assets, security protection assets, and contractor risk-managed assets, and how a single asset (like a sysadmin’s machine) can fall into multiple categories.
This session builds on earlier discussions to help organizations understand the complexity of scoping in practice—and how the type of access and system function determine which CMMC requirements apply.