FM College ~ News & Articles

CMMC Begins With Scoping

Mar 15, 2023 | Public | 0 comments

Though the timeline for full implementation of Cybersecurity Maturity Model Certification (CMMC) 2.0 may shift into 2024, U.S. manufacturers will need to comply with those rules soon enough. CMMC 2.0, announced late in 2021, is not finalized, but a decision on an effective date is in 2023. “Where to begin?” is often the top question. The answer, experts say, is to start with scoping. 

Scoping, in a general sense, means assessing your environment. For CMMC specifically, scoping is determining what assets in your environment handle sensitive material, which cyber safeguards are required for those assets, and how any cyber safeguards will be measured.

That means it’s important for manufacturers to get started now. The DoD has published guidance to help its contractors begin, including 5 Steps To Make Your Company More Cybersecure. Manufacturers should begin by asking questions such as:

• What federal contract information or controlled unclassified information am I getting?

• How does it come into my organization? 

• How does it move from one place to the next within my organization? 

• Who has access and should they?

For example, if there’s a design for a part to be manufactured, the first step is to understand the path that design takes. Begin by determining how the design arrives. Is that through email or perhaps a secure file transfer protocol (FTP) site?  

Next, determine how many employees review the design and determine if they can print or forward it. Also, evaluate whether the number of employees with access needs to change. Then, how does the design move to the factory floor? Be sure to map out where it’s stored and/or how it is destroyed. From there, you can figure out which assets encounter the FCI or CUI and take the next CMMC steps.

Manufacturers shouldn’t limit scoping only to information under the CMMC umbrella.

Having a clear picture of how all your sensitive data is handled—and making sure that information is locked down tight—is the smart thing to do and an industry best practice. That sensitive data can range from the Social Security numbers stored by your HR department to any intellectual property. 

For help with scoping, companies can turn to sources including the Unified Scoping Guide, a free resource from cybersecurity company ComplianceForge, Sheridan, WY ( MxD also has produced a free CMMC Playbook, which helps manufacturers with a Level 1 self-assessment. It can be downloaded at EP

EP Editorial Staff | March 1, 2023

By Laura Elan, MxD

The post "CMMC Begins With Scoping" appeared first on Efficient Plant


Submit a Comment

How to properly assess structural wind damage

Prompt site assessment of wind damage from major storms such as hurricanes and tornadoes is a crucial step in determining...

Keeping outdoor workers safe in the summer

As the weather gets hotter and summer approaches, there are many maintenance workers who need to spend their days in the...

2023 Commercial Building Trends Include AI, Sustainability, and Predictive Maintenance

  In the aftermath of the COVID-19 pandemic, the commercial real estate and building management sectors have had the...

Preparing for Safe Electrical Disaster Recovery During Hurricane Season Using NFPA 70B

Hurricane season is officially upon us. Although the period can often begin earlier and run later, June 1 through November...

What’s Ahead for this Hurricane Season?

June marks the official start of hurricane season, which runs through Nov. 30. But how many of these potentially dangerous...