As the landscape of cybersecurity compliance evolves, defense contractors are being called to look deeper—not just at what they protect, but how they define the boundaries of that protection. Scoping a CMMC (Cybersecurity Maturity Model Certification) assessment is not simply a checklist exercise; it's an opportunity to refine your understanding of your systems, people, and data flow—and to avoid costly missteps down the road.
In this webinar, Robert McVay walks attendees through the fundamentals of proper scoping for CMMC assessments. Here's what contractors need to know now, and what to prepare for in the near future.
When it comes to scope, less is more. The golden rule when scoping your assessment is this: the less CUI you touch, the less of your environment is in scope and the easier your assessment will be.
Reduce your scope by pushing back on CUI you do not need and limiting access to CUI. Most likely, not all employees in your organization need to touch the CUI in your system.
Build an asset inventory via clear documentation: Remember to document and categorize CUI Assets, Security Protection Assets (firewalls, Active Directory, etc.), Contractor Risk-Managed Assets (not intended to handle CUI, but may incidentally touch it), and Specialized Assets.
Out-of-scope assets should also be listed and rationalized—this provides clarity and prevents auditors from flagging them during an assessment.
Encrypt and Isolate Data Strategically: CUI must be encrypted at rest and in transit. This is non-negotiable. Physical isolation of CUI is ideal, but logical isolation via VLANs, VPNs, or Virtual Desktop Infrastructure (VDI) is acceptable if rigorously tested and monitored.
Be careful not to “over-engineer.” More controls aren't always better. Complexity can hinder usability and raise costs unnecessarily.
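As an added illustration of the inventory and encryption points above (this is example code written for this page, not material from the webinar or its presenter), the following Python linter checks a constructed scoping inventory for the gaps a scoping review would catch: every asset falls into one of the named categories, CUI assets are encrypted at rest and in transit, out-of-scope and Contractor Risk-Managed Assets carry a written rationale, and the set of people who can reach CUI is reported so access can be narrowed. The asset names, category codes, and sample inventory are all constructed.

```python
"""Scoping-inventory lint for a CMMC asset list (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Category codes are an assumption of this example; the names are the ones
# used in the scoping guidance. "OOS" marks assets documented as out of scope.
CATEGORIES: Dict[str, str] = {
    "CUI": "CUI Asset",
    "SPA": "Security Protection Asset",
    "CRMA": "Contractor Risk-Managed Asset",
    "SPECIALIZED": "Specialized Asset",
    "OOS": "Out-of-Scope Asset",
}


@dataclass
class Asset:
    name: str
    category: str
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    rationale: str = ""                  # why it is OOS / CRMA
    users_with_access: Tuple[str, ...] = ()


def lint_asset(asset: Asset) -> List[str]:
    """Return a list of findings for one asset (empty list means clean)."""
    findings: List[str] = []
    if asset.category not in CATEGORIES:
        findings.append(f"{asset.name}: unknown category '{asset.category}'; "
                        "every asset must be placed in a category")
        return findings
    if asset.category == "CUI":
        # CUI must be encrypted at rest and in transit.
        if not asset.encrypted_at_rest:
            findings.append(f"{asset.name}: CUI asset is not encrypted at rest")
        if not asset.encrypted_in_transit:
            findings.append(f"{asset.name}: CUI asset is not encrypted in transit")
    if asset.category in ("OOS", "CRMA") and not asset.rationale.strip():
        # Out-of-scope and CRMA assets must be listed *and* rationalized.
        findings.append(f"{asset.name}: {CATEGORIES[asset.category]} "
                        "listed without a rationale")
    return findings


def lint_inventory(assets: List[Asset]) -> dict:
    """Lint every asset and summarize scope size and CUI reach."""
    findings = [f for a in assets for f in lint_asset(a)]
    in_scope = [a for a in assets if a.category in CATEGORIES and a.category != "OOS"]
    cui_users: Set[str] = set()
    for a in assets:
        if a.category == "CUI":
            cui_users.update(a.users_with_access)
    return {
        "findings": findings,
        "in_scope_count": len(in_scope),
        "cui_users": cui_users,   # candidates for access reduction
    }


# Constructed sample inventory; names and values are made up for this example.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("file-server-01", "CUI", True, True, users_with_access=("alice", "bob")),
    Asset("vpn-gw", "SPA"),
    Asset("print-server", "CRMA"),                      # missing rationale
    Asset("cnc-machine", "SPECIALIZED"),
    Asset("marketing-wiki", "OOS", rationale="Separate VLAN, no path to CUI"),
    Asset("laptop-carol", "CUI", True, False, users_with_access=("carol",)),  # no TLS
    Asset("guest-wifi", "MISC"),                        # uncategorized
]

if __name__ == "__main__":
    report = lint_inventory(SAMPLE_INVENTORY)
    for line in report["findings"]:
        print("FINDING:", line)
    print("in-scope assets:", report["in_scope_count"])
    print("people with CUI access:", sorted(report["cui_users"]))
```

Running the linter on the sample inventory produces three findings (the uncategorized asset, the CRMA without a rationale, and the CUI laptop lacking transit encryption), counts five in-scope assets, and lists three people with CUI access, which is the list to review when deciding who really needs it.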
Scoping is one of the most important decisions you will make during your CMMC compliance journey. A well-defined scope can save your organization time and money. Do you have questions? Feel free to contact us.