September 7, 2022
Scoping FCI & CUI for NIST 800-171 & CMMC – Complete Guide
Table of Contents
- What is Federal Contract Information (FCI)?
- What is Controlled Unclassified Information (CUI)?
- Why scope your FCI & CUI?
- What is a CUI Enclave?
- 4 Steps for effective scoping
- Other scoping resources
- How does SaltyCloud help with the CMMC?
Federal Contractor Information (FCI) and Controlled Unclassified Information (CUI) are data provided by the federal government that lives on non-federal computer systems. To protect the confidentiality of this data, the federal government requires organizations, as defined by Executive Order 13556, to safeguard FCI & CUI using the National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). For Department of Defense (DoD) contractors and subcontractors, the Cybersecurity Maturity Model Certification (CMMC) program was created to further verify, via a certification process, that FCI & CUI are safeguarded.
Meeting CMMC compliance can be overly complex and expensive if the organization is not adequately scoped. For this reason, contractors must take the time to track the flow of FCI & CUI. This allows contractors to isolate the parts of the organization that handle sensitive information, making it much more feasible and cost-effective to implement security practices, manage compliance, and get certified.
As per 48 CFR 52.204-21, “FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”
In simpler terms, FCI is data generated during a contract with the government that doesn’t fall into the stricter category of CUI but is still important enough that it shouldn’t be made publicly available. Some examples of FCI could include data like contracts, subcontracts, emails, notes, recordings, reports, charts, etc.
As per 32 CFR 2002.4, “CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
In simpler terms, CUI is anything the federal government considers critical enough that, if lost, could be a risk to national security. For example, if you’re a DoD contractor, your contract might mention whether specific data exchanged or created as part of the contract is considered CUI. That could include things like blueprints, technical manuals, or engineering drawings. Or if you’re a higher education institution, the Department of Education (ED) has affirmed that data it provides to administer Title IV funds is considered CUI.
For more information, the National Archives provide access to the CUI Categories (e.g., Critical Infrastructure, Financial, Privacy, Tax, etc.).
Scoping your FCI & CUI helps you understand the people, processes, and technologies surrounding your critical data. If scoping is done poorly, an organization’s entire network may be in-scope, meaning that everything and everyone under that network will need to comply with the security practices of NIST 800-171 and NIST 800-172. For certain organizations, this may be unimaginably expensive and technically impossible. On the other hand, when an organization properly scopes its network and either completely isolates the CUI environment or establishes a CUI enclave, the in-scope environment becomes much smaller and manageable, making compliance a lot more efficient and cost-effective.
A CUI enclave, also known as a security enclave, is a separate environment (physical, digital, or both) segmented from the rest of an organization and used explicitly to process, store, and transmit FCI & CUI. In other words, it’s where any number of people, technologies, and processes that handle FCI & CUI operate and are required to comply with the specific security practices outlined in NIST 800-171 and NIST 800-172. It is also the part of the organization that a Certified Third-Party Assessor Organization (C3PAO) will audit when conducting a CMMC assessment for certification. The difference between a CUI enclave and a completely isolated network is that a CUI enclave can still Interact with systems outside the enclave. For example, employees could conveniently access the enclave from their usual computer, typically via a remote desktop application or web browser.
Scoping looks different for every organization and varies depending on its size and technical structure. Any system, application, or device at an organization or its subcontractors that touches FCI & CUI or can affect its security is considered in-scope and subject to compliance. The following section will review the guiding principles contractors should consider when scoping their environment.
You must understand how your organization works, mainly the functions you know may handle CUI. There’s no exact science to getting to know your organization. It usually means getting boots on the ground and interviewing people and teams, understanding their day-to-day, and ultimately learning how they store process, and transmit FCI & CUI. You could use a lightweight governance, risk, and compliance (GRC) assessment platform to streamline the process of collecting evidence from people across your organization.
A comprehensive asset inventory will help you track what assets (e.g., servers, laptops, etc.) exist on your network and whether they handle FCI & CUI. Your organization may already have an existing asset inventory created, but if it doesn’t, you’ll either need to do it manually or through automated software. You’ll want to collect meta details like the hardware, software, firmware, documentation, physical location, owner(s), resource administrator(s), and data classification. You can use a lightweight governance, risk, and compliance (GRC) assessment platform to help automate asset classification surveys and subcontractor compliance assessments all in one place.
After pulling together the assets that make up your environment, you’ll want to categorize them next. The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) released the CMMC Level 2 Scoping Guidance that defines five categories of assets.
CUI Assets are assets that process, store, or transmit CUI.
CUI Assets are in-scope for CMMC Assessment and must be documented in the asset inventory, System Security Plan (SSP), and network diagram, and must comply with the applicable CMMC controls.
Security Protection Asset (SPA)
SPAs are assets that provide security functions or capabilities for the contractor. SPAs include people (e.g., consultants who provide cybersecurity services, managed service provider personnel who perform system maintenance, etc.), technology (e.g., cloud-based security solutions, hosted virtual private network (VPN) services, etc.), and facilities (e.g., Security Operation Centers (SOCs), contractor office buildings, etc.).
SPAs are in-scope for CMMC Assessment, must be documented in the asset inventory, SSP, and network diagram, and must comply with applicable CMMC practices.
Contractor Risk Managed Asset (CRMA)
CRMAs are assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. For example, a computer on the same network as a server storing CUI, where the user is prevented from accessing CUI due to password protection, group policies, etc.
CRMAs are in-scope for CMMC Assessment and must be documented in the asset inventory, SSP, and network diagram. While CRMAs won’t be audited against the CMMC practices, contractors need to explain in their SSP that these assets are managed using the contractor’s risk-based security policies, procedures, and practices.
Specialized Asset (SA)
SAs are assets that may or may not process, store, or transmit CUI. SAs include government property (e.g., material, equipment, special test equipment, etc.), Internet of Things (IoT) or Industrial Internet of Things (IIOT) (e.g., smart electric grids, lighting, heating, air conditioning, etc.), Operational Technology (OT) (e.g., Supervisory Control and Data Acquisition (SCADA) systems, Industrial control systems (ICS), etc.), Restricted Information Systems (RIS) (e.g., systems and associated Information Technology (IT) components, etc.), and Test Equipment (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
SAs are in-scope for CMMC Assessment and must be documented in the asset inventory, SSP, and network diagram. While SAs won’t be audited against the CMMC practices, contractors need to explain in their SSP that these assets are managed using the contractor’s risk-based security policies, procedures, and practices.
Out of Scope Asset (OSA)
OSAs are assets that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets or are inherently unable to do so.
OSAs are out-of-scope for CMMC Assessment and don’t need to be documented.
Network diagrams are an integral part of the required SSP. They visually represent your network, depicting the in-scope assets and their data flows. You can use diagramming software to help you put it together. The first version of your network diagram will be rough, but it will help you visualize your FCI & CUI environment and identify gaps & opportunities. Ultimately, your network diagram is also a reflection of the design of your systems. While you should consider minimizing scope as much as possible, you should also consider its impact on your users.
Image Source: CUI Scoping Guide by ComplianceForge
While the official CMMC Level 2 Scoping Guidance released by OUSD(A&S) should be the go-to source of truth when defining your scope, it isn’t the most robust. The team over at ComplianceForge published their Unified Scoping Guide: NIST SP 800-171 & CMMC Assessment Boundary Scoping Guide, which provides more detailed guidance on scoping and an alternative approach to asset categorization. Additionally, contractors who don’t feel confident scoping their environments can outsource it to a Registered Provider Organization (RPO), which can provide CMMC consulting services. You can find a directory of all RPOs and C3PAOs on the Cyber Accreditation Body (Cyber-AB) Marketplace.
Going zero to certified can be condensed into five fool-proof steps, but scoping your environment is arguably the process’s most critical and challenging part. After feeling confident with your scope, you’ll want to conduct a NIST 800-171 Basic Assessment to self-assess your environment against the required controls. If you’re aiming for Level 3, you’ll also need to self-assess against NIST 800-172, introducing a series of more advanced security practices.
No matter the size or function of your organization, Isora GRC from SaltyCloud, the Lightweight GRC Assessment Platform, helps Department of Defense (DoD) contractors fast-track CMMC compliance and certification. It scales with your business and includes preloaded NIST 800-171 and NIST 800-172 questionnaires that make it easy to launch a self-assessment right out of the box for any number of business units or enclaves. Isora GRC helps you break away from the complexities of manual processes and legacy software solutions, streamlining your ability to collect evidence, identify gaps, and keep track of compliance. That means your team is more efficient, and your organization keeps up with the evolving regulations from the DoD.
Scoping your FCI & CUI is an integral step on the journey to complying with NIST 800-171 & CMMC. Doing it properly ensures that only the people, processes, and technologies surrounding FCI & CUI are in scope, making compliance and certification more efficient and cost-effective.
Getting CMMC certified takes time and preparation. This guide covers the five practical steps to go from zero to certified
This comprehensive guide covers everything you need to know about the NIST 800-171 Basic Assessment and the steps you can take to build a compliance process.
Scoping FCI & CUI for NIST 800-171 & CMMC – Complete Guide
Scoping FCI & CUI is a necessary step to make NIST 800-171 & CMMC compliance more feasible and cost-effective. Read the Complete Scoping Guide.
This complete CMMC guide will review everything contractors need to know about CMMC, including its structure, requirements, and certification process.
The Department of Defense has released CMMC 2.0, introducing several new updates. Here are the six key takeaways contractors need to know
The DFARS Interim Rule came into effect on September 29, 2020, and it affects Higher Education Institutions that conduct DoD-sponsored research