CMMC Deep Dive: Scoping for the Shop Floor
Key Takeaways:
  • Prioritize CUI flow throughout the shop
  • Don't put CUI into an ERP or a CNC machine unless it has to be there
  • Carefully monitor who needs to access CUI and why
  • Review vendors like MSPs carefully and create RACI charts to avoid gaps

Setting a sensible scope for a CMMC assessment represents one of the most important steps an organization will take in preparing for CMMC certification. Thinking about how CUI (Controlled Unclassified Information) flows through the organization, who has access to the CUI, what has access to the CUI, and more, is an absolutely critical step.

For many manufacturers, the Enterprise Resource Planning (ERP) system needs to be a part of this initial conversation. Modern ERPs are fantastic for job shops. They pull financials, HR, scheduling, vendor management, and plant floor operations into a single, seamless data pool. However, from a CMMC standpoint, keeping all data in just one place has the potential to make scoping more difficult.

If your CUI, like military part blueprints, technical specs, or specialized CAD files, is commingled with your general business data inside the ERP, the entire ERP system, and every user who touches it, falls into the CMMC assessment scope.

When preparing the scope for a C3PAO assessment, consider the following.

1. Where Is the Data Stored?

If a shop uses a cloud-based ERP, you need to know that any cloud provider handling CUI must meet FedRAMP Moderate equivalency. The DoD recently clarified that "equivalency" effectively means the provider must have an active FedRAMP Authorization to Operate (ATO). If your cloud ERP vendor doesn't have an ATO, you will fail your CMMC assessment.

If the ERP is on site or hybrid, the organization must look at:

  • Vendor Maintenance: When your software provider logs in remotely to push updates or troubleshoot, do they have unfettered access to the live environment? If so, their personnel are now in your compliance scope.
  • Unencrypted Backups: Storing local backups on hard drives or tapes? If that data isn't encrypted using a FIPS-validated algorithm, a single misplaced drive constitutes a massive breach.

2. Who Has Access?

CMMC emphasizes access control, including who can access CUI and how access is logged and monitored. Not everyone in a company needs to see sensitive data.

Employees accessing CUI must be properly screened, U.S. citizens (especially if ITAR data is involved), and bound by non-disclosure agreements (NDAs). If an ERP cannot strictly segregate access or prevent unprivileged users from seeing the metadata or file names of CUI, this will represent an obstacle to compliance.

3. What Data Are You Actually Storing?

Job shops handle two main types of protected data: Federal Contract Information (FCI) and CUI. FCI only requires meeting 17 basic cybersecurity practices (CMMC Level 1), which most modern ERPs can handle out of the box. CUI pushes you into Level 2 (110 controls) at a minimum. If data is neither FCI nor CUI, try to keep it out of the ERP.

4. Why Store CUI in the ERP?

Does the ERP truly need to hold the raw CUI? Do CNC machines, laser cutters, or engineering teams need the data inside the ERP system, or do they just need it temporarily in the organization's localized design or manufacturing software?

Shrink the Target with CMMC Scoping

The ultimate scoping goal is to make the compliance boundary as small as possible. The smaller the boundary, the less an assessor will need to do. This will help save time and money in the long run. Three quick tips for scoping are:

  • Isolate Your CUI Environment: Instead of upgrading your entire ERP infrastructure to meet CMMC standards, consider isolating CUI on an internal server disconnected from the broader internet, or utilizing a specialized, separate enclave specifically built for secure file storage.
  • Encrypt Everything: Ensure all CUI is encrypted using FIPS-validated algorithms at rest, in transit, and whenever possible, in motion.
  • Audit Your MSPs: If you use a Managed Service Provider (MSP) to run your IT boundary, they are in scope too. Ensure they can prove their own CMMC or NIST conformance.

ERPs can help an organization, but they can also become obstacles where CMMC is concerned. Cleanly segregate data and strictly limit access. These two tactics will help you protect defense data, safeguard the business, and clear the CMMC hurdle on the first try.

What Questions Do You Have About CMMC Scoping?

Reach out to us today to ask any questions you have about ERPs, CUI, and CMMC scoping. If you are ready for your assessment, we would be glad to kick off the quoting process with you.