CMMC Scoping Question: Commercial CRM Storing FCI Outside GCC High
Long-time lurker, first-time poster. 🙂
I think I know the answer to this but wanted to bounce it off the experts here. While I want to say we are a unique situation, I feel like everyone in this subreddit has their own unique architecture/story.
Here is the scenario:
We operate two completely separate Microsoft tenants.
- ABC Cyber = standard commercial/non-FedRAMP tenant
- ABC Public = subsidiary operating in GCC High
ABC Public was stood up specifically to store, process, and transmit CUI. No connections between the two tenants at all. Separate accounts, separate systems, separate managed assets, etc. This setup existed before my time.
We are preparing for a CMMC Level 2 third-party assessment for early June.
ABC Public is very “vanilla”:
- Native Microsoft cloud stack only
- No on-prem
- No external hosted systems/tools
- No integrations
Because of that, some business functions still rely on ABC Cyber systems, mainly a CRM platform (think HubSpot, Pipedrive, Attio, etc.). The CRM itself is a standard commercial SaaS platform and is not FedRAMP authorized.
Important detail:
Users access the CRM using their ABC Cyber accounts and ABC Cyber-managed assets only. They do NOT access the CRM from ABC Public accounts/systems/devices.
There is no identity federation, trust relationship, synchronization, mail flow, or system integration between the environments.
The CRM may contain what I would classify as FCI related to federal contracts/customers, though I am digging deeper into that now to better understand exactly what data exists there. No CUI is supposed to exist in the CRM.
So my understanding of scoping is this:
During a CMMC Level 2 assessment, if the assessor asks:
“Where does your FCI live?”
…and the answer is:
“The ABC Cyber CRM”
Then that CRM environment is still in scope at least from a Level 1/FAR 52.204-21 perspective, even though:
- it is not part of the GCC High enclave
- it does not handle CUI
- it is completely separate from the Level 2 environment
In other words:
The CRM does not need full Level 2/800-171 controls, but it would still need to satisfy the Level 1 safeguarding requirements because it stores/processes/transmits FCI.
My concern is that if the CRM is determined to be in scope for FCI and is not meeting the FAR 52.204-21 / Level 1 requirements, then we may have a larger readiness issue before even moving forward with the Level 2 assessment.
Am I thinking about that correctly?