The Complete Guide to Scoping FCI & CUI for NIST 800-171 & the CMMC

This guide is part of our 5-Step Guide to Prepare for the CMMC.

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are types of data provided by or generated for the federal government that live on non-federal computer systems. As a contractor or research organization looking to comply with NIST 800-171 & the Cybersecurity Maturity Model Certification (CMMC), you need to identify where this data lives, who has access to it, and how it’s safeguarded.

In this guide, we’ll explain what FCI & CUI are, the importance of scoping your organization and how to do it effectively, and why you need to take an enclave approach.

Table of Contents

  1. Introduction
  2. What is Federal Contract Information (FCI)?
  3. What is Controlled Unclassified Information (CUI)?
  4. Why scope your FCI & CUI?
  5. What is a CUI Enclave?
  6. Steps to scoping effectively
    1. Know your organization
    2. Build an asset inventory
    3. Categorize your systems, applications, and services
    4. Create a network diagram
  7. Next steps in compliance
  8. How does SaltyCloud help with the CMMC?
  9. Conclusion

Introduction

To protect the confidentiality of this data, the federal government requires organizations, as defined by Executive Order 13556, to safeguard FCI & CUI using a uniform set of requirements and information security controls designed to secure sensitive government information. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines 110 security practices (also known as security controls), was created for this purpose. In the case of Department of Defense (DoD) contractors and subcontractors, the Cybersecurity Maturity Model Certification (CMMC) program was created to further verify, via a certification process, that FCI & CUI are in fact being adequately safeguarded.

Part of meeting compliance and becoming certified involves understanding the scope of FCI & CUI in an environment and opting for an enclave approach. Doing so ensures only the people, processes, and technologies that surround FCI & CUI are in scope, making compliance and certification more efficient and cost-effective.

What is Federal Contract Information (FCI)?

As per 48 CFR 52.204-21, “FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”

In simpler terms, FCI is data that is generated during a contract with the Government that doesn’t fall into the stricter category of CUI but is still important enough that it shouldn’t be made publicly available. Some examples of FCI could include data like contracts, subcontracts, emails, notes, recordings, reports, charts, etc.

What is Controlled Unclassified Information (CUI)?

As per 32 CFR 2002.4, “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”

In simpler terms, CUI is anything that an agency considers to be critical enough that, if lost, could be a risk to national security. For example, if you’re a DoD contractor, your contract might mention whether certain data exchanged or created as part of the contract is considered CUI. That could include things like blueprints, technical manuals, or engineering drawings. Or if you’re a higher education institution, the Department of Education (ED) has affirmed that data it provides to administer Title IV funds is considered CUI.

For more information, the National Archives provides access to the list of CUI Categories, which covers the different categories (e.g., Critical Infrastructure, Financial, Privacy, Tax, etc.) that are considered CUI.

Why scope your FCI & CUI?

Scoping your FCI & CUI helps you understand what people, processes, and technologies surround your critical data. If scoping is done poorly, an organization’s entire network may be in scope, meaning that everything and everyone on that network will need to comply with the security practices of NIST 800-171 & the CMMC. For certain organizations, this may not only be unimaginably expensive but also technically impossible. On the other hand, when an organization properly scopes its network and creates a CUI enclave, the in-scope environment becomes much smaller and more manageable, making compliance a lot more efficient and cost-effective.

What is a CUI Enclave?

A CUI Enclave, also known as a security enclave, is a separate environment (physical, digital, or both) that is segmented from the rest of an organization and used specifically to process, store, and transmit FCI & CUI. In other words, it’s where any number of people, technologies, and processes that handle FCI & CUI operate and are required to comply with the specific security practices outlined in NIST 800-171 & the CMMC.

Steps to Scoping Effectively

Scoping looks different for every organization and varies depending on its size and technical structure. In essence, any system, application, or device at an organization that touches FCI & CUI or can affect its security is considered in-scope and subject to compliance. In the following section we’ll go over a few guiding principles you should consider when scoping your environment.

Know your organization

It’s imperative that you understand how your organization works, especially the functions that you know may handle CUI. There’s no exact science to getting to know your organization. It usually means getting boots on the ground and taking time to interview people and teams, understand their day-to-day, and ultimately learn how they store, process, and transmit FCI & CUI. Depending on the size of your organization, this process may be tedious, but it shouldn’t be skipped, because it provides the most valuable insights.

Build an asset inventory

A comprehensive asset inventory will help you keep track of what assets (e.g., servers, laptops, etc.) exist on your network and whether they handle FCI & CUI. Your organization may already have an asset inventory; if it doesn’t, you’ll need to build one, either manually or with automated discovery software. For each asset, make sure to collect metadata such as the hardware, software, firmware, documentation, physical location, owner(s), resource administrator(s), and data classification.

Categorize your systems, applications, and services

As you start pulling together the pieces that make up your environment, you should also start categorizing your systems, applications, and services into zones. This process will help you identify what needs to be in scope and where there might be deficiencies. It will also help you when it comes time to plan out your network diagram. There’s no official, defined way to do this, but the team at ComplianceForge published eight zones in their CUI Scoping Guide.

[Figure: FCI & CUI Scoping Zones. Image source: CUI Scoping Guide by ComplianceForge]

Zone 1, FCI & CUI Assets

The first zone contains systems, services and applications that clearly store, transmit, or process FCI & CUI (e.g., cloud databases, laptops, etc.).

Zone 2, Segmenting

The second zone contains systems that provide segmentation functions and prevent FCI & CUI contamination (e.g., network firewalls, hypervisors, etc.).

Zone 3, Security Tools

The third zone contains systems that provide security-related or IT-enabling services that may affect the security of FCI & CUI environments (e.g., Active Directory, multi-factor authentication systems, intrusion detection systems, etc.).

Zone 4, Connected

The fourth zone contains systems that have some capability to communicate with systems, applications, or services within the FCI & CUI environment (e.g., name resolution, web redirection servers, etc.). There are two subcategories: (1) directly connected, and (2) indirectly connected.

Zone 5, Out-of-Scope

The fifth zone contains systems that are completely isolated from FCI & CUI.

Zone 6, Enterprise-Wide

The sixth zone addresses the organization’s overall corporate security program (cyber and physical). This is where the Non-Federal Organization (NFO) controls are applicable to NIST 800-171 & CMMC compliance.

Zone 7, Third-Party Service Providers

The seventh zone addresses supply-chain security with the “flow down” of contractual requirements to Third-Party Service Providers (TSPs) that can directly or indirectly influence the FCI & CUI environment.

Zone 8, Subcontractors

The eighth zone addresses subcontractors, which are third-party organizations that are party to the actual execution of the contract where the subcontractor may create, access, receive, store, or transmit regulated data (FCI & CUI).
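The asset-inventory and zone-categorization steps above can be worked through mechanically once the inventory carries the right metadata. The following is an added example, not tooling from this guide, SaltyCloud, or ComplianceForge: it takes a constructed inventory, assigns the technical zones (1 to 5) from what each asset does, and then derives Zone 4's "directly connected" versus "indirectly connected" split from reachability in the communication graph, which goes a step beyond the text's one-line description of that zone. The reachability rules are a simplifying assumption of this example (an asset that talks to a Zone 1 asset is directly connected; one that reaches Zone 1 only through other Zone 4 assets is indirectly connected; Zone 2 and Zone 3 assets are not traversed; anything unreachable is out of scope). Zones 6 to 8 are organizational and contractual, so they are not modelled.

```python
"""Toy FCI/CUI scoping helper (added example, constructed data).

Not the guide's, SaltyCloud's or ComplianceForge's own tooling. The inventory
is constructed and the connectivity rules are a simplifying assumption:
'directly connected' = communicates with a Zone 1 asset, 'indirectly
connected' = reaches Zone 1 only through other Zone 4 assets, out-of-scope =
cannot reach Zone 1. Zone 2 and Zone 3 assets are not traversed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                       # hardware type: server, laptop, firewall, ...
    owner: str                      # accountable owner (inventory metadata)
    location: str                   # physical location (inventory metadata)
    handles_cui: bool = False       # stores, processes or transmits FCI/CUI -> Zone 1
    segmenting: bool = False        # firewall, hypervisor, ... -> Zone 2
    security_service: bool = False  # AD, MFA, IDS, ... -> Zone 3
    talks_to: set = field(default_factory=set)  # names of assets it communicates with


def build_graph(assets):
    """Undirected communication graph; references to unknown assets are ignored."""
    graph = {a.name: set() for a in assets}
    for a in assets:
        for peer in a.talks_to:
            if peer in graph:
                graph[a.name].add(peer)
                graph[peer].add(a.name)
    return graph


def classify(assets):
    """Map every asset name to one of the technical zones 1-5."""
    graph = build_graph(assets)
    zones = {}
    # Zones 1-3 follow from what the asset does, independent of connectivity.
    for a in assets:
        if a.handles_cui:
            zones[a.name] = "Zone 1 (FCI & CUI asset)"
        elif a.segmenting:
            zones[a.name] = "Zone 2 (segmenting)"
        elif a.security_service:
            zones[a.name] = "Zone 3 (security tool)"
    # Zone 4 follows from reachability: breadth-first search outward from Zone 1.
    dist = {name: 0 for name, z in zones.items() if z.startswith("Zone 1")}
    queue = deque(dist)
    while queue:
        cur = queue.popleft()
        for nb in graph[cur]:
            if nb in dist:
                continue
            dist[nb] = dist[cur] + 1
            if nb not in zones:  # only unzoned (candidate Zone 4) assets propagate
                queue.append(nb)
    for a in assets:
        if a.name in zones:
            continue
        if a.name not in dist:
            zones[a.name] = "Zone 5 (out-of-scope)"
        elif dist[a.name] == 1:
            zones[a.name] = "Zone 4 (directly connected)"
        else:
            zones[a.name] = "Zone 4 (indirectly connected)"
    return zones


def in_scope(zones):
    """Zones 1-4 are in scope for NIST 800-171 / CMMC; Zone 5 is not."""
    return {name for name, z in zones.items() if not z.startswith("Zone 5")}


def inventory_gaps(assets):
    """Flag inventory metadata the guide says to collect but that is missing."""
    gaps = []
    for a in assets:
        for field_name in ("owner", "location"):
            if not getattr(a, field_name).strip():
                gaps.append((a.name, field_name))
    return gaps


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Asset("cui-db", "server", "eng-it", "DC-A rack 3", handles_cui=True, talks_to={"cui-app"}),
    Asset("cui-app", "server", "eng-it", "DC-A rack 3", handles_cui=True,
          talks_to={"cui-db", "dns-01", "ad-01", "fw-edge"}),
    Asset("eng-laptop-07", "laptop", "j.doe", "Bldg 2", handles_cui=True, talks_to={"cui-app"}),
    Asset("fw-edge", "firewall", "netops", "DC-A rack 1", segmenting=True,
          talks_to={"cui-app", "corp-wiki"}),
    Asset("ad-01", "server", "identity", "DC-A rack 2", security_service=True,
          talks_to={"cui-app", "hr-portal"}),
    Asset("dns-01", "server", "netops", "DC-A rack 2", talks_to={"cui-app", "hr-portal"}),
    Asset("hr-portal", "server", "hr-it", "DC-B", talks_to={"dns-01", "ad-01"}),
    Asset("corp-wiki", "server", "", "DC-B", talks_to={"fw-edge"}),  # owner missing
    Asset("marketing-pc", "laptop", "m.lee", "Bldg 1"),
]

if __name__ == "__main__":
    zones = classify(INVENTORY)
    for name, zone in sorted(zones.items(), key=lambda kv: kv[1]):
        print(f"{name:14} {zone}")
    print("in scope:", sorted(in_scope(zones)))
    print("inventory gaps:", inventory_gaps(INVENTORY))
```

Run as-is, the script puts the DNS server in Zone 4 (directly connected) because it talks to the CUI application server, and the HR portal in Zone 4 (indirectly connected) because it reaches the CUI environment only via that DNS server; the corporate wiki behind the edge firewall and the standalone marketing laptop land in Zone 5. The `inventory_gaps` check is the kind of completeness test worth running before drawing the network diagram, since an asset with no recorded owner has nobody to answer the assessor's questions about it.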

Create a network diagram

A network diagram is a visual representation of your network. It shows the systems, applications, and services in an environment, their zones, and how they’re connected to each other. The first version of your network diagram will be rough, but it will help you visualize your environment, identify gaps, and plan remediation strategies. As you make improvements to your environment, you’ll also update your network diagram, as it will be an integral part of your System Security Plan (SSP) and help prove which parts of your environment are in scope and which are out of scope.

[Figure: CMMC Network Diagram. Image source: CUI Scoping Guide by ComplianceForge]

Next steps in compliance

You’ll need to present your findings and recommendations to key stakeholders, make the appropriate changes to the environment, and start measuring compliance with NIST 800-171 & the CMMC. If you’d like to learn what practical steps you can take, we wrote The Step-by-Step Guide to Prepare for the CMMC.

How does SaltyCloud help with the CMMC?

SaltyCloud offers Isora GRC, a Governance, Risk, and Compliance (GRC) Assessment Platform that makes it easier for contractors to meet the cybersecurity requirements of the CMMC. It provides the ability to conduct assessments against the prescribed security frameworks (e.g., NIST 800-171, NIST 800-172, etc.), collect evidence, access dashboards, and export compliance reports and Plans of Action and Milestones (POAMs). SaltyCloud is a CMMC Registered Provider Organization (RPO). Learn more about Isora GRC.

Conclusion

Scoping your FCI & CUI is an integral step on the journey to complying with NIST 800-171 & the CMMC. Doing it properly ensures only the people, processes, and technologies that surround FCI & CUI are in scope, making compliance and certification more efficient and cost-effective.
