
Facility Scoping for Organizations Seeking Assessment (OSA) of their Information Systems for Cybersecurity Maturity Model Certification (CMMC)

Dr. Jeff Baldwin

Introduction

In the context of CMMC, can an OSA inherit all of Physical and Environmental (PE) security controls from a Cloud Service Provider (CSP) that provides a Virtual Desktop Infrastructure (VDI) service, if all of the OSA's CUI is hosted in the cloud and none of it is stored locally? 

Do not stop here and comment to answer that question without reading the rest of the article first.

32 CFR Part 170 is clear that the endpoint hosting the VDI client can be out of scope if it only receives KVM (keyboard, video, and mouse) output from the VDI service, but does that also take the facility out of scope? For more information on what 32 CFR Part 170 says about VDIs, refer to my previous article here: https://www.linkedin.com/pulse/endpoints-accessing-vdi-can-out-scope-cmmc-jeff-baldwin-d-sc--orp6e/?trackingId=aN%2B5EvzWQoSoA8TyciFF3Q%3D%3D


Definitions

Before we start to debate the topic of the article, let's review some definitions.

32 CFR Part 2002: "Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure." 

DoDI 5200.48 includes this sentence: "The concept of a controlled environment means there is sufficient internal security measures in place to prevent or detect unauthorized access to CUI"

Commentary: The key part of this definition, to me, is that the controls protect CUI from unauthorized access or disclosure. One example of an unauthorized disclosure (UD) would be displaying CUI on your screen in an uncontrolled environment where shoulder surfing by unauthorized individuals is possible.


NIST Glossary: environment of operation

"Definitions: The physical surroundings in which an information system processes, stores, and transmits information.

Sources:

NIST SP 800-137 under Environment of Operation

NIST SP 800-37 Rev. 2 from OMB Circular A-130 (2016)

NIST SP 800-39 under Environment of Operation

NIST SP 800-53 Rev. 5 from OMB Circular A-130 (2016)

NIST SP 800-53A Rev. 5 from OMB Circular A-130 (2016)

NIST SP 800-53B from OMB Circular A-130 (2016)"

Commentary: While this term is not defined within NIST SP 800-171, it is defined in NIST SP 800-53, from which 800-171 is derived. Regardless, the environment of operation and the overall system context should be described within the OSA's System Security Plan (SSP).


Background Information

CMMC Assessment Guide – Level 2: PE.L2-3.10.1 – Limit Physical Access [CUI Data] "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals." 

Commentary: As a note, NIST does not include "operating environment" in the NIST glossary, and I could not otherwise find a definition that fits this context. The NIST glossary definition above for "environment of operation" appears to be synonymous. Under this control, the operating environment is wherever you decide to set up the VDI client, and the control requires you to limit physical access to that endpoint.


CMMC Level 2 Scoping Guide: Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope.

Commentary: This guidance shows that an OSA must scope its Security Protection Assets (SPAs) across people, technology, and facilities. So, while the technology used with VDI can be brought out of scope, the people assets still need personnel screening and awareness training, and the facilities from which the processing occurs (i.e., the controlled environment) remain in scope. Since the facility protects the VDI client where the KVM output and the CUI are displayed, the facility is still an SPA and not out of scope.


FedRAMP Customer Responsibility Matrices

I think most of the confusion on this topic stems from Customer Responsibility Matrices (CRMs) published by FedRAMP Cloud Service Providers. Within FedRAMP, the PE controls are marked as fully inherited, which is true for all of the cloud data centers and cloud resources that the customer consumes from the CSP. However, the FedRAMP package only covers the Cloud Service Offering (CSO), while an OSA's CMMC scope is more than just the CSOs it utilizes. So, when a CSP converts its 800-53 based CRM into an 800-171 CRM, the natural tendency is to mark those PE controls as fully inherited.


Discussion

Based on the above, and from personal discussions with DoD personnel, we cannot fully take facilities out of scope, even though most of us might prefer, for simplicity, to treat the facilities as out of scope for an OSA that keeps all of its CUI in the cloud and accesses it through VDI.

In terms of processing, storing, and transmitting CUI: with VDI, storage of CUI is handled by keeping it in the cloud; transmission of CUI is handled by the VDI connection using FIPS 140 validated encryption modules; and processing of CUI occurs centrally in the cloud, with only the KVM output sent to the facility. However, unauthorized disclosure can still occur from that KVM output if unauthorized personnel are present in the contractor's controlled environment.

If you were to take facilities out of scope, you could process CUI on your out-of-scope technology asset anywhere you wanted, with no protections in place to prevent unauthorized disclosure, because the facility would be outside the requirements; you would be left with only the people assets having requirements applied to them.

Picture this scenario: you have a facility, and you allow unauthorized individuals to walk through it freely without escort. You have failed to create a physical security perimeter with physical access controls adjudicating access to the controlled environment to prevent unauthorized disclosures. If we say the facility is out of scope and the PE controls are fully inherited, then there would be no escorting of these individuals, who could then overhear CUI conversations and see CUI on monitors.

Okay, so facilities are in scope; what does this mean? Well, you have to address the PE controls for your facilities. You probably weren't planning on it, it will cost more than you were planning to spend, and your personnel might be more inconvenienced than they are now, but you can define the shape and size of your controlled environment: it can be a single room, a single floor, or a whole building. You might need a paper sign-in book for visitors to complete and an escort for them, you might need to add cameras to the entry and exit points of the controlled environment, and you must otherwise address all of the PE requirements for facilities where CUI is processed, even if that processing is only the receiving of KVM output from a VDI session. If a facility does not protect assets that process, store, or transmit any CUI or FCI, then that facility is out of scope.

The next question you will have is about home users: do they need home security assessments and visitor sign-in logs? I wrote an article back in 2021 that answered that question here. If your CAGE code is assigned to a home address, you will probably get a security assessment at your home, and you would want to show how you are meeting the PE controls. If you are a regular employee who works from home, and your home is not a data center or the HQ with the CAGE code, then it is unlikely you would receive a home visit, but you would follow whatever policies your organization has set for the security requirements of your home as an alternate work site. I typically recommend documenting those responsibilities in a teleworking agreement, having users acknowledge the requirements by signing it, and producing those executed agreements as an artifact for assessors.


Conclusion

I recognize this will be an unpopular position, but thinking through the logic, it does make sense, even if it wasn't intuitive given the FedRAMP precedent and the way most vendors' CRMs currently state that PE is fully inherited for NIST SP 800-171 requirements.

So, either some vendor CRMs out there need updates for CMMC, or their fine print already says that PE is only inherited for the cloud assets, not for your assets and facilities, making PE a shared responsibility.


While PE applies to the OSA's facility, you may still be creative in how you address the PE controls, but you still have to address them. You might be able to implement temporary CUI controlled areas that meet the PE controls while the processing is occurring; once the processing is complete, you sanitize the environment and it ceases to be a CUI controlled environment, operated similarly to how restricted areas are run for classified processing in contractor facilities. However, I would not advise this without adequate training and procedures in place. One of my go-to statements is "if it works for classified protection, it should work for CUI too."


©2024 by Space Coast Cybersecurity LLC