March 10, 2021
Scoping CUI & FCI for NIST 800-171 & CMMC Guide
Today, more than at any time in history, the federal government relies on external service providers to help carry out a wide range of federal missions and business functions using state-of-the-practice information systems. Federal information is frequently provided to or shared with state and local governments, colleges and universities, and Defense Industrial Base (DIB) companies. Although Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) often reside on nonfederal systems and in nonfederal organizations, their protection directly affects the federal government's ability to carry out its missions and business operations. For this reason, the federal government continues to impose requirements, such as NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC), to protect this information. As a contractor or research organization, you must know where this data lives and how your organization protects it.
CUI (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. CUI may include, but is not limited to:
- Privacy (including Health)
- Law Enforcement
- Critical Infrastructure
- Controlled Technical Information
- Unclassified Nuclear
- Procurement and Acquisition
FCI (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
A CUI Enclave (also known as a security enclave or security domain) is a separate network that processes, stores, and transmits FCI and CUI and avoids unnecessarily including non-CUI processing networks (e.g., marketing and accounting).
Creating a CUI enclave is often the most efficient and cost-effective way for a nonfederal organization to protect the confidentiality of CUI and satisfy the security requirements of NIST 800-171 and CMMC. What distinguishes an enclave from ordinary network segmentation is the degree of separation imposed: a security enclave is isolated from the general network environment far more thoroughly than a typical subnet, so enclaving is best described as enhanced network segmentation. Done properly, this isolation provides adequate protection for the CUI while keeping the rest of the organization out of the assessment scope. An organization may use the same enclave and CUI infrastructure for multiple government contracts, provided that infrastructure meets all of the required NIST 800-171 or CMMC controls.
Identify and track your CUI and FCI
- Build an asset and data inventory. Assets are usually tracked at some level by other functions (finance, IT operations), but those inventories rarely record the fields needed to scope an assessment. At a minimum, the asset inventory should capture:
- System Type and Version
- Software (including Version)
- Physical and Logical Location
- Logical Network Addressing
- Resource Administrator
- Data Sensitivity (FCI/CUI)
- Depending on your organization's size, you can build the asset list manually or use discovery tools to automate the process.
- In general, the federal agency's contracting office provides the data classification guides and guidelines that determine what constitutes FCI and CUI for each contract.
Understand your data flow
- Build a Data Flow Diagram (DFD). It gives a comprehensive picture of the facilities, people, technology, and information involved in delivering critical services to the organization and its customers. The DFD does not have to be fancy, but it must accurately reflect what is being shared and with whom it is being shared.
- Review, and where necessary amend, your policies and procedures, including access controls, so that they govern how CUI and FCI are allowed to flow.
Segregate your network
- Security enclaves may employ physical separation, logical separation, or a combination of both. At the network level, segmentation means splitting the network into subnets with a combination of firewalls and VLANs, with the boundary between the enclave and everything else enforced by explicit permit rules and a default deny.
As you work to comply with the federal government's growing cybersecurity requirements, understand that without a properly scoped CUI enclave (or adequate network segmentation), the entire network becomes the scope of a NIST 800-171 or CMMC assessment. Treat the CUI enclave as a risk-reduction measure that isolates the system components that store, process, or transmit CUI from those that do not.
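The three steps above (inventory, data flow, segmentation) can be checked against one another. The script below is an added illustration, not code from the original article: it holds a minimal asset inventory with the fields listed earlier, a set of DFD flows, and the permit rules on the enclave boundary, then reports which assets fall into the assessment scope and which inventory labels disagree with the DFD. All asset names, subnets, flows and rules are constructed examples.

```python
"""Scoping check for a CUI enclave (added example with constructed data).

Cross-checks an asset inventory against a Data Flow Diagram (DFD) and the
permit rules on the segmentation boundary, then reports the NIST 800-171 /
CMMC assessment scope.  Assets, subnets, flows and rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    system: str        # System Type and Version
    software: str      # Software (including Version)
    location: str      # Physical and Logical Location
    ip: str            # Logical Network Addressing
    admin: str         # Resource Administrator
    sensitivity: str   # Data Sensitivity: "CUI", "FCI" or "none"


@dataclass(frozen=True)
class Flow:
    """One arrow on the DFD: what is shared, from where, with whom."""
    src: str
    dst: str
    data: str          # "CUI", "FCI" or "none"


@dataclass(frozen=True)
class Rule:
    """A permit rule on the enclave boundary; anything unmatched is denied."""
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None means any port


RANK = {"none": 0, "FCI": 1, "CUI": 2}


def inventory_gaps(assets: List[Asset], flows: List[Flow]) -> List[str]:
    """Assets that carry CUI/FCI on the DFD but are labelled lower in the inventory."""
    label = {a.name: a.sensitivity for a in assets}
    gaps = {f.dst for f in flows if RANK[f.data] > RANK[label[f.dst]]}
    gaps |= {f.src for f in flows if RANK[f.data] > RANK[label[f.src]]}
    return sorted(gaps)


def reachable(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """True if any permit rule lets src_ip open a connection to dst_ip.
    Any permitted port counts as a path; the port is kept for documentation."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in r.src and d in r.dst for r in rules)


def assessment_scope(assets: List[Asset], rules: List[Rule]) -> List[str]:
    """Assets that handle CUI/FCI, plus every asset that may connect to one of
    them through the boundary (computed to a fixed point).  Such an asset is
    not separated from the enclave by a control, so it is assessed with it."""
    by_name = {a.name: a for a in assets}
    scope = {a.name for a in assets if a.sensitivity in ("CUI", "FCI")}
    changed = True
    while changed:
        changed = False
        for a in assets:
            if a.name in scope:
                continue
            if any(reachable(rules, a.ip, by_name[n].ip) for n in scope):
                scope.add(a.name)
                changed = True
    return sorted(scope)


# Constructed inventory: enclave subnet 10.20.0.0/24, corporate subnet 10.10.0.0/24.
ASSETS = [
    Asset("cui-file-01", "Windows Server 2019", "SMB file server", "Lab 2 / enclave VLAN 20", "10.20.0.10", "research-it", "CUI"),
    Asset("research-ws-07", "Windows 10 21H1", "CAD suite 4.2", "Lab 2 / enclave VLAN 20", "10.20.0.50", "research-it", "CUI"),
    Asset("it-jump-01", "Ubuntu 20.04", "RDP gateway 2.1", "Data center / VLAN 10", "10.10.0.5", "corp-it", "none"),
    Asset("backup-01", "Ubuntu 20.04", "Backup agent 7.0", "Data center / VLAN 10", "10.10.0.40", "corp-it", "none"),
    Asset("accounting-01", "Windows Server 2016", "ERP 11", "HQ / VLAN 10", "10.10.0.20", "finance-it", "none"),
    Asset("marketing-ws-03", "macOS 11", "Office suite", "HQ / VLAN 10", "10.10.0.31", "corp-it", "none"),
]

# Constructed DFD: note CUI is backed up to a host labelled "none" in the inventory.
FLOWS = [
    Flow("research-ws-07", "cui-file-01", "CUI"),
    Flow("cui-file-01", "backup-01", "CUI"),
    Flow("it-jump-01", "cui-file-01", "none"),      # administrative session only
    Flow("accounting-01", "marketing-ws-03", "none"),
]

# No segmentation: one permit-any rule, so the whole network is in scope.
FLAT_RULES = [Rule(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None)]

# Enclave boundary: only the jump host may enter, enclave hosts may talk to
# each other, and the file server may push backups out on 443.
ENCLAVE_RULES = [
    Rule(ip_network("10.10.0.5/32"), ip_network("10.20.0.0/24"), 3389),
    Rule(ip_network("10.20.0.0/24"), ip_network("10.20.0.0/24"), None),
    Rule(ip_network("10.20.0.0/24"), ip_network("10.10.0.40/32"), 443),
]

if __name__ == "__main__":
    print("flat network scope:   ", assessment_scope(ASSETS, FLAT_RULES))
    print("enclave scope:        ", assessment_scope(ASSETS, ENCLAVE_RULES))
    print("inventory/DFD gaps:   ", inventory_gaps(ASSETS, FLOWS))
```

With the permit-any rule every asset, including accounting and marketing, lands in scope. With the enclave rules the scope shrinks to the two CUI hosts plus the jump host, which is pulled in because it is allowed through the boundary. The two checks complement each other: the reachability check does not flag backup-01, because it cannot initiate a connection into the enclave, but the DFD check does, because the inventory labels it "none" while the diagram shows CUI flowing to it. Either the label or the flow has to change before the scope is trustworthy.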