Get Started
Scoping FCI & CUI for NIST 800-171 & CMMC: Complete Guide

SaltyCloud Research Team

Updated Sep 7, 2022 Read Time 11 min


FCI and CUI are data types on non-federal systems that must be protected according to NIST 800-171 guidelines and the CMMC program for DoD contractors. To make compliance more feasible and cost-effective, contractors should track the flow of FCI and CUI and isolate the parts of the organization that handle sensitive information.

Federal Contractor Information (FCI) and Controlled Unclassified Information (CUI) are data provided by the federal government that lives on non-federal computer systems. To protect the confidentiality of this data, the federal government requires organizations, as defined by Executive Order 13556, to safeguard FCI & CUI using the National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). For Department of Defense (DoD) contractors and subcontractors, the Cybersecurity Maturity Model Certification (CMMC) program was created to further verify, via a certification process, that FCI & CUI are safeguarded.

Meeting CMMC compliance can be overly complex and expensive if the organization is not adequately scoped. For this reason, contractors must take the time to track the flow of FCI & CUI. This allows contractors to isolate the parts of the organization that handle sensitive information, making it much more feasible and cost-effective to implement security practices, manage compliance, and get certified.

What is Federal Contract Information (FCI)?


FCI is non-public information generated or provided during a government contract that, while not as sensitive as CUI, should still remain confidential.

As per 48 CFR 52.204-21, “FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”

In simpler terms, FCI is data generated during a contract with the government that doesn’t fall into the stricter category of CUI but is still important enough that it shouldn’t be made publicly available. Some examples of FCI could include data like contracts, subcontracts, emails, notes, recordings, reports, charts, etc.

What is Controlled Unclassified Information (CUI)?


CUI is critical government-related information requiring safeguarding or dissemination controls, which, if lost, could pose a national security risk.

As per 32 CFR 2002.4, “CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”

In simpler terms, CUI is anything the federal government considers critical enough that, if lost, could be a risk to national security. For example, if you’re a DoD contractor, your contract might mention whether specific data exchanged or created as part of the contract is considered CUI. That could include things like blueprints, technical manuals, or engineering drawings. Or if you’re a higher education institution, the Department of Education (ED) has affirmed that data it provides to administer Title IV funds is considered CUI.

For more information, the National Archives provide access to the CUI Categories (e.g., Critical Infrastructure, Financial, Privacy, Tax, etc.).

Why scope your FCI & CUI?


Properly scoping FCI and CUI within an organization’s network enables more efficient and cost-effective compliance with security practices.

Scoping your FCI & CUI helps you understand the people, processes, and technologies surrounding your critical data. If scoping is done poorly, an organization’s entire network may be in-scope, meaning that everything and everyone under that network will need to comply with the security practices of NIST 800-171 and NIST 800-172. For certain organizations, this may be unimaginably expensive and technically impossible.

On the other hand, when an organization properly scopes its network and either completely isolates the CUI environment or establishes a CUI enclave, the in-scope environment becomes much smaller and manageable, making compliance a lot more efficient and cost-effective.

What is a CUI enclave?


A CUI enclave is a segmented environment for handling FCI and CUI that adheres to specific security practices and is subject to CMMC assessment.

A CUI enclave, also known as a security enclave, is a separate environment (physical, digital, or both) segmented from the rest of an organization and used explicitly to process, store, and transmit FCI & CUI. In other words, it’s where any number of people, technologies, and processes that handle FCI & CUI operate and are required to comply with the specific security practices outlined in NIST 800-171 and NIST 800-172.

It is also the part of the organization that a Certified Third-Party Assessor Organization (C3PAO) will audit when conducting a CMMC assessment for certification. The difference between a CUI enclave and a completely isolated network is that a CUI enclave can still Interact with systems outside the enclave. For example, employees could conveniently access the enclave from their usual computer, typically via a remote desktop application or web browser.

4 steps for effective scoping


1) Know your organization; 2) Build an asset inventory; 3) Categorize your assets; and 4) Create a network diagram.

Scoping looks different for every organization and varies depending on its size and technical structure. Any system, application, or device at an organization or its subcontractors that touches FCI & CUI or can affect its security is considered in-scope and subject to compliance. The following section will review the guiding principles contractors should consider when scoping their environment.

Know your organization

You must understand how your organization works, mainly the functions you know may handle CUI. There’s no exact science to getting to know your organization. It usually means getting boots on the ground and interviewing people and teams, understanding their day-to-day, and ultimately learning how they store process, and transmit FCI & CUI. You could use a lightweight governance, risk, and compliance (GRC) assessment platform to streamline the process of collecting evidence from people across your organization.

Build an asset inventory

A comprehensive asset inventory will help you track what assets (e.g., servers, laptops, etc.) exist on your network and whether they handle FCI & CUI. Your organization may already have an existing asset inventory created, but if it doesn’t, you’ll either need to do it manually or through automated software. You’ll want to collect meta details like the hardware, software, firmware, documentation, physical location, owner(s), resource administrator(s), and data classification. You can use a lightweight governance, risk, and compliance (GRC) assessment platform to help automate asset classification surveys and subcontractor compliance assessments all in one place.

Categorize your assets

After pulling together the assets that make up your environment, you’ll want to categorize them next. The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) released the CMMC Level 2 Scoping Guidance that defines five categories of assets.

CUI Asset

CUI Assets are assets that process, store, or transmit CUI.

CUI Assets are in-scope for CMMC Assessment and must be documented in the asset inventory, System Security Plan (SSP), and network diagram, and must comply with the applicable CMMC controls.

Security Protection Asset (SPA)

SPAs are assets that provide security functions or capabilities for the contractor. SPAs include people (e.g., consultants who provide cybersecurity services, managed service provider personnel who perform system maintenance, etc.), technology (e.g., cloud-based security solutions, hosted virtual private network (VPN) services, etc.), and facilities (e.g., Security Operation Centers (SOCs), contractor office buildings, etc.).

SPAs are in-scope for CMMC Assessment, must be documented in the asset inventory, SSP, and network diagram, and must comply with applicable CMMC practices.

Contractor Risk Managed Asset (CRMA)

CRMAs are assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. For example, a computer on the same network as a server storing CUI, where the user is prevented from accessing CUI due to password protection, group policies, etc.

CRMAs are in-scope for CMMC Assessment and must be documented in the asset inventory, SSP, and network diagram. While CRMAs won’t be audited against the CMMC practices, contractors need to explain in their SSP that these assets are managed using the contractor’s risk-based security policies, procedures, and practices.

Specialized Asset (SA)

SAs are assets that may or may not process, store, or transmit CUI. SAs include government property (e.g., material, equipment, special test equipment, etc.), Internet of Things (IoT) or Industrial Internet of Things (IIOT) (e.g., smart electric grids, lighting, heating, air conditioning, etc.), Operational Technology (OT) (e.g., Supervisory Control and Data Acquisition (SCADA) systems, Industrial control systems (ICS), etc.), Restricted Information Systems (RIS) (e.g., systems and associated Information Technology (IT) components, etc.), and Test Equipment (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).

SAs are in-scope for CMMC Assessment and must be documented in the asset inventory, SSP, and network diagram. While SAs won’t be audited against the CMMC practices, contractors need to explain in their SSP that these assets are managed using the contractor’s risk-based security policies, procedures, and practices.

Out of Scope Asset (OSA)

OSAs are assets that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets or are inherently unable to do so.

OSAs are out-of-scope for CMMC Assessment and don’t need to be documented.

Create a network diagram

Network diagrams are an integral part of the required SSP. They visually represent your network, depicting the in-scope assets and their data flows. You can use diagramming software to help you put it together. The first version of your network diagram will be rough, but it will help you visualize your FCI & CUI environment and identify gaps & opportunities. Ultimately, your network diagram is also a reflection of the design of your systems. While you should consider minimizing scope as much as possible, you should also consider its impact on your users.

Image Source: CUI Scoping Guide by ComplianceForge

Other Scoping Resources

While the official CMMC Level 2 Scoping Guidance released by OUSD(A&S) should be the go-to source of truth when defining your scope, it isn’t the most robust. The team over at ComplianceForge published their Unified Scoping Guide: NIST SP 800-171 & CMMC Assessment Boundary Scoping Guide, which provides more detailed guidance on scoping and an alternative approach to asset categorization. Additionally, contractors who don’t feel confident scoping their environments can outsource it to a Registered Provider Organization (RPO), which can provide CMMC consulting services. You can find a directory of all RPOs and C3PAOs on the Cyber Accreditation Body (Cyber-AB) Marketplace.

What happens next?

Going zero to certified can be condensed into five fool-proof steps, but scoping your environment is arguably the process’s most critical and challenging part. After feeling confident with your scope, you’ll want to conduct a NIST 800-171 Basic Assessment to self-assess your environment against the required controls. If you’re aiming for Level 3, you’ll also need to self-assess against NIST 800-172, introducing a series of more advanced security practices.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple CMMC solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in May 2023.

Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
  • Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how companies use Isora GRC from SaltyCloud platform to ease the pressure of CMMC.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

This guide covers everything you need to know about TAC 202, including what it entails, why it's important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule risk assessment of customer information security programs.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule requiring IT security programs securing customer data

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling