For defense contractors working toward Cybersecurity Maturity Model Certification (CMMC) Level 2, the single most critical step does not involve configuring firewalls or deploying security software. Instead, it begins with an exercise in data governance: accurately identifying and scoping Controlled Unclassified Information (CUI) within your environment.
Scoping is the foundation upon which your entire compliance posture is built. If your scope is too broad, you will overspend on technical controls and create unnecessary internal operational friction. If your scope is too narrow, you risk an immediate assessment failure and potential contractual non-compliance.
Step 1: Understand What You Are Protecting
To establish an audit-defensible boundary, you must differentiate between the two categories of federal data that drive CMMC: Federal Contract Information, defined in FAR 52.204-21, and Controlled Unclassified Information, defined in 32 CFR Part 2002 and safeguarded by contractors under DFARS 252.204-7012.
- Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government releases to the public and simple transactional information such as payment data. FCI sets the baseline protection standard for CMMC Level 1.
- Controlled Unclassified Information (CUI): Unclassified information that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI is more sensitive than FCI, and its presence is what triggers the 110 security requirements of NIST SP 800-171 required for CMMC Level 2.
RSAA Fact Check: CUI is not limited to documents that carry a CUI banner marking or a distribution statement. It can include technical drawings, proprietary manufacturing specifications, performance logs, and email threads containing contract-specific deliverables, and unmarked data of these kinds is still CUI if the contract or the originating agency says it is.
Step 2: Trace the Data Lifecycle (The “Follow the Data” Rule)
Assessors will not evaluate your systems based on where you think data should live; they evaluate systems based on where data actually resides, flows, and is processed. To map this accurately, your internal compliance or advisory team must track the data across four distinct lifecycle phases:
[ Ingestion    ] ➔ How does CUI enter your network? (e.g., procurement portals, email, secure FTP)
       │
[ Processing   ] ➔ Which applications alter, view, or compute the data? (e.g., CAD tools, ERP systems)
       │
[ Storage      ] ➔ Where is the data at rest? (e.g., local file servers, cloud enclaves, databases)
       │
[ Transmission ] ➔ How is data sent internally or to subcontractors? (e.g., encrypted email, supply chain tools)
Step 3: Categorize Assets Within Your Compliance Boundary
Once the lifecycle is mapped, you must categorize every asset that interacts with, or could influence, that data. The official CMMC Level 2 scoping guidance places every asset in a defined category; the three that determine the shape of your boundary are below (the guidance also defines Contractor Risk Managed Assets and Specialized Assets, which are documented in the SSP and asset inventory rather than assessed against every requirement):
CUI Assets
Systems, enclaves, networks, or endpoints that directly process, store, or transmit CUI. These are subject to full evaluation against all 110 NIST SP 800-171 requirements.
Security Protection Assets (SPAs)
Assets that provide security capabilities to the CUI environment, even if they never handle CUI directly. Examples include your identity providers, multi-factor authentication (MFA) servers, firewalls, and SIEM platforms. SPAs are in scope and are assessed against the requirements relevant to the protection they provide; a shared corporate identity provider that also authenticates CUI users is therefore assessed as a whole.
Out-of-Scope Assets
Assets that cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, and that provide no security protection to CUI assets. An asset that merely is not supposed to touch CUI, but sits on the same network with no enforced separation, does not qualify.
Step 4: Implement Enclave Segmentation
A common pitfall for expanding federal contractors is allowing CUI to drift across the entire corporate network. If your corporate endpoints, sales databases, and human resources tools share a flat network with your federal production data, your entire company falls into the assessment scope.
To mitigate this burden, organizations use logical or physical segmentation to establish a CUI Enclave. By restricting access to CUI through strict identity governance, virtual desktop infrastructure (VDI), and dedicated firewalls, you compress your compliance boundary. The separation must be enforced by controls an assessor can verify (firewall rules, ACLs, separate identity groups), not by a policy statement alone. Done properly, this minimizes the number of endpoints that must be managed under federal standards, reducing remediation costs and long-term assessment friction.
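The three steps above reduce to one rule: scope is derived from evidence (observed CUI flows, security-service dependencies, and actual network reachability), not from the labels a team assigns. The following Python script is an added illustration of that rule and is not part of the original article or any CMMC publication. Every hostname, flow, firewall path, and declared category in it is constructed for the example. It derives each asset's category from the mapped flows, flags assets whose declared category disagrees with the evidence (a corporate printer that receives CUI drawings, an MFA service that protects the identity provider), and reports "Out-of-Scope" assets that can still reach a CUI asset, which under the scoping rules means they are not isolated and cannot be Out-of-Scope.

```python
"""Derive CMMC scope categories from a mapped data-flow inventory.

Added example; not from the original article. All hostnames, flows,
firewall paths and declared categories below are constructed.
"""

# Step 2 output, constructed: observed CUI flows as (source, destination).
CUI_FLOWS = [
    ("procurement-portal", "file-srv-eng"),     # ingestion  -> storage
    ("file-srv-eng", "cad-workstation-07"),     # storage    -> processing
    ("cad-workstation-07", "print-srv-corp"),   # undocumented drift to a corporate printer
]

# Security services, constructed: (provider, consumer). The provider protects
# the consumer even though it never stores or processes CUI itself.
SECURITY_SERVICES = [
    ("okta-idp", "file-srv-eng"),
    ("okta-idp", "cad-workstation-07"),
    ("mfa-svc", "okta-idp"),      # protects CUI only indirectly, via the IdP
    ("siem-01", "file-srv-eng"),
]

# Permitted network paths, constructed from firewall rules: (source, destination).
PERMITTED_PATHS = [
    ("okta-idp", "file-srv-eng"),   # in-scope to in-scope: expected
    ("hr-app", "file-srv-eng"),     # flat network: HR app can reach the CUI file server
]

# Categories the team wrote into the draft SSP, constructed.
DECLARED = {
    "procurement-portal": "CUI", "file-srv-eng": "CUI", "cad-workstation-07": "CUI",
    "okta-idp": "SPA", "siem-01": "SPA",
    "mfa-svc": "Out-of-Scope", "print-srv-corp": "Out-of-Scope",
    "hr-app": "Out-of-Scope", "sales-crm": "Out-of-Scope",
}


def derive_scope(inventory, cui_flows, security_services):
    """Assign each asset a category from evidence rather than from labels.

    CUI Asset:     appears at either end of an observed CUI flow.
    SPA:           provides a security service to a CUI asset or to another
                   SPA (iterated to a fixpoint so MFA -> IdP -> CUI resolves).
    Out-of-Scope:  everything else, pending the segmentation check below.
    """
    scope = {name: "Out-of-Scope" for name in inventory}
    for src, dst in cui_flows:
        scope[src] = scope[dst] = "CUI"
    changed = True
    while changed:
        changed = False
        for provider, consumer in security_services:
            if scope.get(consumer) in ("CUI", "SPA") and scope.get(provider) == "Out-of-Scope":
                scope[provider] = "SPA"
                changed = True
    return scope


def find_misdeclared(declared, derived):
    """Assets whose declared category disagrees with the derived one."""
    return {name: (declared[name], derived[name])
            for name in declared if declared[name] != derived[name]}


def find_segmentation_gaps(derived, permitted_paths):
    """Out-of-Scope assets that can still reach a CUI asset.

    An asset is Out-of-Scope only if it is physically or logically separated
    from CUI assets, so any permitted path from an Out-of-Scope asset into a
    CUI asset is a scoping defect: either segment it or bring it into scope.
    """
    return sorted((src, dst) for src, dst in permitted_paths
                  if derived.get(src) == "Out-of-Scope" and derived.get(dst) == "CUI")


def scope_report():
    """Run the three checks over the constructed inventory."""
    derived = derive_scope(DECLARED, CUI_FLOWS, SECURITY_SERVICES)
    return {
        "derived": derived,
        "misdeclared": find_misdeclared(DECLARED, derived),
        "segmentation_gaps": find_segmentation_gaps(derived, PERMITTED_PATHS),
    }


if __name__ == "__main__":
    report = scope_report()
    for name, (declared, actual) in sorted(report["misdeclared"].items()):
        print(f"MISDECLARED       {name}: SSP says {declared}, evidence says {actual}")
    for src, dst in report["segmentation_gaps"]:
        print(f"SEGMENTATION GAP  {src} (Out-of-Scope) can reach {dst} (CUI)")
```

Run against a real inventory, the flow list would come from the Step 2 mapping (proxy logs, DLP events, file-share audit trails) and the permitted paths from exported firewall and security-group rules; the point of the script is that the two discrepancies and the one segmentation gap it reports are exactly the findings a C3PAO would otherwise surface during the assessment.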
Verifying Your Scope Pre-Assessment
A successful CMMC assessment requires verifiable alignment across your system boundary, your operational data flows, and your documentation. To establish trust with C3PAO assessors, your scoping decisions must be formally justified in a System Security Plan (SSP) that is kept current as the environment changes, together with the asset inventory and network diagrams that support it.
RS Assurance & Advisory (RSAA) delivers specialized, CPA-led compliance readiness and advisory services engineered for defense contractors. Our compliance professionals conduct structured scope validation sessions, map data boundaries, and perform technical walkthroughs to identify undocumented data flows or hidden security protection assets before a formal C3PAO examination begins. We help you establish an accurate baseline scope, ensuring your governance framework remains audit-defensible, cost-efficient, and strategic.
Ready to accurately define your corporate CUI boundary?
Contact the government contracting advisory team at RS Assurance & Advisory today.