Scoping FCI & CUI for NIST 800-171 & CMMC, Complete Guide

SaltyCloud Research Team

Updated Oct 11, 2024 Read Time 10 min

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are categories of sensitive, regulated data provided by or generated for the U.S. federal government and processed or stored on non-federal systems. To ensure the confidentiality of this regulated information, organizations are required to follow the guidelines set forth in NIST Special Publication (SP) 800-171, as defined by Executive Order 13556.

For Department of Defense (DoD) contractors and subcontractors, the Cybersecurity Maturity Model Certification (CMMC) adds an additional layer of verification. The CMMC program certifies that contractors have implemented proper security measures to safeguard FCI and CUI.

Effectively scoping your organization—identifying where FCI and CUI are handled—is critical to meeting compliance efficiently. Without proper scoping, compliance efforts can become unnecessarily complex and costly.

By tracking the flow of FCI and CUI, contractors can isolate the systems, applications, and teams that interact with sensitive data. This targeted approach makes it more feasible and cost-effective to implement data-centric security, manage compliance, and achieve certification.

In this Complete Guide by SaltyCloud, we’ll explain the difference between FCI and CUI, the importance of enclaves, and provide a step-by-step scoping guide to help you on your compliance journey.

What is Federal Contract Information (FCI)?

FCI is non-public information that is produced, used, or generated during the performance of a government contract.

Although FCI is not classified as critical or sensitive, it is still required to remain confidential to protect the integrity of government operations.

According to 48 CFR 52.204-21, FCI refers to “information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service to the government.” It excludes publicly available information or transactional data, such as information required to process payments.

Examples of FCI include data such as contracts, subcontracts, emails, reports, notes, and other communication or documentation shared in the course of fulfilling a government contract.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to government-created or government-related information that requires safeguarding or specific dissemination controls under applicable laws, regulations, or government-wide policies.

Although CUI is not classified, its unauthorized disclosure could harm national security, government operations, or public interests.

According to 32 CFR 2002.4, CUI is “information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” It excludes classified information, as well as information held by non-executive-branch entities that did not originate with, and is not possessed by, an executive branch agency.

Examples of CUI include sensitive data like blueprints, technical manuals, financial records, or engineering drawings. The National Archives maintains a detailed list of CUI categories, including areas such as Critical Infrastructure, Privacy, Financial, and Tax data.

CUI vs. FCI

Controlled Unclassified Information (CUI) is more sensitive than Federal Contract Information (FCI) and requires stricter handling and safeguarding. While both are non-classified, CUI could harm national security or government interests if improperly disclosed, whereas FCI involves confidential but lower-risk data used in government contracts.

Why scope your FCI & CUI?

Properly scoping FCI and CUI ensures efficient and cost-effective compliance with security standards, including NIST 800-171 and NIST 800-172.

Scoping identifies the systems, environments, and processes that handle sensitive data assets, ensuring that only these in-scope systems are measured against compliance requirements like NIST 800-171 and CMMC.

If done incorrectly, the entire network could be in scope, requiring comprehensive compliance efforts across all systems and users, which makes the effort technically complex and prohibitively expensive.

What is a CUI enclave?

A CUI enclave is a segmented environment designed to process sensitive data like FCI and CUI, adhering to specific security practices and subject to a CMMC assessment.

It is a physically or digitally separated part of an organization where systems, processes, and personnel that interact with FCI and CUI are isolated to comply with the security controls in NIST 800-171 and NIST 800-172. Unlike a completely isolated network, a CUI enclave can still interact with external systems, allowing access through methods like a remote desktop or web browser.

This structure ensures that only the in-scope environment is audited during a CMMC assessment.

Step-by-Step Scoping Guide

Scoping looks different for every organization, depending on how sensitive and regulated data like FCI and CUI are handled. Use the following steps to guide you through the scoping process. We reference both the official CMMC Level 2 Scoping Guide and the ComplianceForge Unified Scoping Guide (USG).

Step 1: Understand the organization

The first step in the scoping process is to gain a clear understanding of which parts of your organization are involved in federal contracts and may handle FCI or CUI. This involves reviewing awarded contracts to determine where FCI or CUI is generated, processed, or stored. Contracts often contain clauses referencing FAR 52.204-21 (for FCI) or DFARS 252.204-7012 (for CUI), which specify safeguarding requirements.

To ensure accuracy, engage with key stakeholders like contract managers, legal teams, and business units responsible for federal work.

These teams can provide insight into which processes, systems, and personnel may be in-scope for compliance. By the end of this step, you’ll have a clear picture of which parts of the organization need further review in the scoping process.

Step 2: Identify potential in-scope assets

In this step, you will start identifying all assets that could potentially be in scope for compliance. This includes People, Processes, Technology, Data, and Facilities (PPTDF), including any external service provider, that interact with FCI or CUI.

The goal here is to get a comprehensive overview of all possible components that may be involved, laying the groundwork for later scoping decisions.

Asset discovery

You can use a combination of automated tools and manual methods to conduct this discovery:

  • Automated Tools: Tools like Armis or other asset discovery platforms can automatically scan your network to identify connected systems, applications, and devices.
  • Manual Discovery: This involves conducting interviews or surveys with key teams and stakeholders to identify assets, locations, and external service providers that might not be captured by automated tools.

Data flow diagram and inventory

As you gather information, begin developing a Data Flow Diagram (DFD) that visually maps where and how FCI and CUI move through your organization. The DFD should cover the full lifecycle of CUI, including how it is processed, stored, and transmitted:

  • Process: CUI can be used by an asset, such as when it is accessed, entered, edited, generated, manipulated, or printed.
  • Store: CUI at rest on an asset, such as data stored on electronic media, within system memory, or in physical formats like paper documents.
  • Transmit: CUI in transit between systems or assets, which may involve physical transfers (e.g., USB drives) or digital transport methods (e.g., over a network, via email).

The outcome of this step is a comprehensive list of all potential in-scope assets and their connections, giving you a complete view of the landscape before you classify and refine the scope.

Step 3: Assess and classify assets

After identifying potential in-scope assets in Step 2, the next step is to assess and classify these assets based on their interaction with FCI and CUI.

This process defines the assessment boundary and helps focus compliance efforts on the assets that require specific protections.

Classify assets

You can classify assets either manually or using automated tools, such as a GRC assessment platform like Isora GRC. Isora GRC can help you automate enrichment surveys sent to end users and stakeholders to classify assets, including those that may have a direct or indirect connection to CUI. This classification process groups assets into the following categories based on their role in handling FCI and CUI:

  1. CUI Assets: Assets that process, store, or transmit CUI.
  2. Security Protection Assets (SPA): Systems providing security controls (e.g., access control, firewalls, encryption), even if they don’t directly process CUI.
  3. Contractor Risk Managed Assets (CRMA): Assets capable of handling CUI but controlled to avoid doing so, based on policies.
  4. Specialized Assets (SA): Unique systems like IoT devices or government-provided equipment.
  5. Out-of-Scope Assets (OSA): Assets that are isolated from CUI and therefore do not need to be part of the compliance scope.

Define the assessment boundary

Once the classification is done, use network segmentation and isolation techniques (such as CUI enclaves) to limit the scope to only those systems necessary for compliance. This helps streamline the assessment process by minimizing the scope to relevant assets.
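To make the classification and boundary check concrete, here is an added example (not from this guide, and not Isora GRC or ComplianceForge code) that encodes the five categories above as rules over a constructed asset inventory, then walks the Step 2 data flows to flag any asset marked out-of-scope that still has an unsegmented connection to a CUI asset. The rule order (specialized assets checked before CUI assets) and the asset attributes are this example's assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    handles_cui: bool = False        # processes, stores, or transmits CUI (from the DFD)
    security_function: bool = False  # provides a control: firewall, IdP, SIEM, backup
    cui_capable: bool = False        # could handle CUI but policy/process prevents it
    specialized: bool = False        # IoT, OT, or government-furnished equipment

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    segmented: bool  # True when a boundary control (e.g. enclave firewall) sits between them

def classify(asset: Asset) -> str:
    """Map one asset to a CMMC Level 2 category; rule order is an assumption of this example."""
    if asset.specialized:
        return "SA"      # Specialized Asset, even if it also touches CUI
    if asset.handles_cui:
        return "CUI"     # CUI Asset
    if asset.security_function:
        return "SPA"     # Security Protection Asset
    if asset.cui_capable:
        return "CRMA"    # Contractor Risk Managed Asset
    return "OSA"         # Out-of-Scope Asset

def scope_inventory(assets, flows):
    """Classify every asset, then flag OSAs that reach a CUI asset without segmentation."""
    cats = {a.name: classify(a) for a in assets}
    findings = []
    for f in flows:
        if f.segmented:
            continue                      # isolation in place; boundary holds
        pair = {cats[f.src], cats[f.dst]}
        if "OSA" in pair and "CUI" in pair:
            osa = f.src if cats[f.src] == "OSA" else f.dst
            findings.append(f"{osa}: unsegmented connection to a CUI asset; reclassify or segment")
    return cats, findings

# Constructed sample inventory and data flows (not a real environment)
ASSETS = [
    Asset("eng-fileserver", handles_cui=True),
    Asset("cad-workstation-07", handles_cui=True),
    Asset("enclave-firewall", security_function=True),
    Asset("central-idp", security_function=True),
    Asset("hr-laptop-12", cui_capable=True),
    Asset("cnc-machine-3", specialized=True, handles_cui=True),
    Asset("lobby-display"),
    Asset("marketing-web"),
]
FLOWS = [
    Flow("cad-workstation-07", "eng-fileserver", segmented=False),
    Flow("eng-fileserver", "cnc-machine-3", segmented=False),
    Flow("marketing-web", "eng-fileserver", segmented=False),   # the scoping gap
    Flow("hr-laptop-12", "eng-fileserver", segmented=True),
]
```

Running `scope_inventory(ASSETS, FLOWS)` leaves `lobby-display` as a clean OSA but reports `marketing-web`, which must either be pulled into scope or cut off from the enclave before the boundary is recorded in the SSP.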

Step 4: Record the Scope in the System Security Plan (SSP)

While creating a full System Security Plan (SSP) is beyond the scope of this specific guide, it is important to mention that the SSP serves as a critical record of the scoping process.

The SSP consolidates all relevant details about the in-scope assets, data flows, and security measures, ensuring that your compliance efforts are well-documented and traceable.

Document in-scope assets and assessment boundary

Within the SSP, clearly outline the in-scope assets you identified in previous steps. This should include:

  • People: Teams and individuals who have access to FCI and CUI.
  • Processes: Workflows and procedures that handle sensitive data.
  • Technology: Systems and applications that store, process, or transmit FCI and CUI.
  • Data: A description of the types of FCI and CUI your organization handles.
  • Facilities: Physical locations that house in-scope systems or data.

Include network diagrams and segmentation details

Your SSP should include network diagrams that show how in-scope assets are segmented from other systems. These diagrams offer a visual representation of:

  • Data Flow: How FCI and CUI move through your network.
  • Segmentation: How in-scope assets are isolated from out-of-scope systems to limit exposure and simplify the compliance boundary.

ComplianceForge provides an example SSP template that can be useful as a reference for how to document in-scope assets, network diagrams, and assessment boundaries. This example can be found here and offers a clear framework for consolidating the scoping information gathered during this process.

Step 5: Validate the scope and prepare for pre-assessment

The final step in the scoping process is to validate that the scope you’ve defined is accurate and complete before moving into any pre-assessment or formal assessment activities.

This step ensures that your scoping decisions are aligned with compliance requirements and that you are fully prepared to proceed.

Validate the defined scope

Review the scoping decisions with internal stakeholders to ensure everything is correctly documented and that the assessment boundary captures only the necessary assets. This helps prevent unnecessary assets from being included in the compliance effort, keeping the scope focused and manageable.

Prepare for the pre-assessment

With the scope validated, you can now organize the documentation that will support the pre-assessment process. This includes:

  • Asset Inventory: A complete list of in-scope assets (People, Processes, Technology, Data, and Facilities).
  • Data Flow Diagrams: Visual representations of how FCI and CUI move through your systems and networks.
  • SSP: A document outlining your scoping decisions, supported by network diagrams and asset classifications.

Conclusion

Scoping for FCI and CUI compliance is a foundational step in ensuring that your organization meets the requirements of NIST 800-171 and CMMC Level 2. By understanding the organization’s involvement in federal contracts and identifying sensitive data types like CUI and export-controlled data, you can accurately define your scope. This includes classifying critical infrastructure information, ensuring security protection assets are properly categorized, and identifying out-of-scope systems to keep your focus streamlined.

Throughout this guide, we emphasize the importance of a comprehensive data flow analysis to understand how sensitive data types move through your organization and interact with internal assets and external service providers. Effective scoping reduces complexity by targeting only the necessary systems and ensuring compliance with regulatory frameworks.

To further streamline the scoping process, organizations may consider working with a Registered Provider Organization (RPO). An RPO can provide expert guidance, helping ensure that your scoping process is thorough and aligned with compliance requirements. With the aid of an RPO and the resources outlined in the CMMC Level 2 Scoping Guide and ComplianceForge USG, your organization will be well-prepared for pre-assessments and formal compliance evaluations, ensuring a smooth path to certification.
