3 Risks of Neglecting CUI Data Mapping

3 Risks of Overlooking CUI Scoping for CMMC

Identifying how and where Controlled Unclassified Information (CUI) is stored, transmitted, and processed within your organization is a critical first step to achieving CMMC compliance. Many organizations overlook this step, however, leading to major security and compliance gaps down the line. 

In this article, we’ll break down everything you need to know about scoping for CMMC, including: 

  • What is scoping for CMMC? 
  • Why is identifying your system boundaries necessary for achieving CMMC compliance? 
  • What are the risks of not completing a CUI scoping exercise? 

What is Scoping for CMMC? 

Scoping for CMMC is the process of identifying how and where CUI is stored, transmitted, and processed within an organization. Organizations must conduct an in-depth investigation into their systems and personnel to: 

  • Identify how CUI enters, leaves, and flows throughout their organization. 
  • Identify the people, processes, and technology that interact with CUI. 
  • Develop conceptual diagrams and documents illustrating this data flow. 

Additionally, advisors can suggest a strategy to centralize your CUI in order to reduce the portion of your organization that’s subject to compliance. 

Why is Scoping Needed? 

Clearly defining the areas of your organization that touch CUI is a foundational step to determining which areas of your organization are required to adhere to NIST 800-171. A CUI Data Mapping assessment provides you with system-boundary and data-flow diagrams that will serve as your blueprint for all other stages of compliance, including security gap assessments and remediation services.

3 Risks of Overlooking Scoping for CMMC  

1. Underestimating the Scope of Your CUI, Leading to Costly Surprises

When an organization assumes it knows where its CUI is without conducting a proper investigation, there’s a high risk that certain CUI will go overlooked and, subsequently, unprotected. This can lead to audit failures, delays in certification, additional costs, and critical security weaknesses. 

For instance, organizations that have set up cloud enclaves for their CUI may assume that no CUI is being transmitted out of the enclave. However, this isn’t always the case – we recently helped a client discover that several employees were transferring CUI out of the enclave and accessing it in out-of-scope applications, expanding the organization’s CMMC scope by 100%.

In virtually every instance where SP6 has provided advisory services to organizations that have overlooked scoping, at some point later in the process, additional locations of CUI are uncovered. When this occurs, time and cost estimates are always expanded, and IT and security owners are always placed in the unenviable position of needing to request additional funding.

Conducting a CUI scoping exercise minimizes costly surprises and provides more cost certainty to C-level executives and boards of directors.

2. Overestimating the Scope of Your CUI, Leading to Unnecessary Investments

Organizations that don’t properly map out their CUI also commonly make their scope larger than it needs to be, resulting in excessive spending and resource allocation. Implementing NIST 800-171 security controls across business areas that don’t require them can be costly and inefficient, as time, money, and personnel are diverted from critical areas to less important ones. 

For example, we recently helped a client: 

  • Determine that over 400 users did not require logical access to a CUI enclave, saving duplicate Microsoft licensing costs of 130%. 
  • Identify five satellite offices that did not store, transmit, or process CUI, resulting in significant savings in physical security and media handling. 
  • Reduce the percentage of resource-intensive software and specialized-equipment assets that required CMMC compliance to 40%, resulting in significant VDI infrastructure savings.

Analyzing and mapping out exactly how and where CUI exists in your systems allows you to put gates around InfoSec and Compliance investments. By identifying those specific components of your environment that contain CUI, you can limit those areas of your systems and business that are subject to CMMC compliance — reducing the overall cost of meeting the CMMC compliance mandate.

3. Having an Inefficient Flow of CUI

In addition to identifying your current CUI data flow, CUI Data Mapping assessments also serve to optimize and centralize this flow. We’ve helped clients achieve this in a variety of ways, such as: 

  • Identifying on-premises systems that could easily be moved to a Cloud enclave to centralize CUI. 
  • Reducing the number of edge cases between Cloud enclaves and on-prem equipment and software. 
  • Detailing the compliance, cost, and operational impacts of various approaches to empower stakeholders to make an informed decision. 

The goal of these actions is to help you reduce the surface area of your organization that requires NIST 800-171 protections so that you can save money, time, and effort while still protecting CUI. 

Get Started with Scoping Your CUI for CMMC 

Whether you’re just starting your CMMC journey and are unsure of where to start, are struggling to understand what CUI is and where it’s located in your organization, or want to minimize the areas of your environment subject to compliance, SP6’s CUI Data Mapping service is here to help. 

Our Certified CMMC Professionals and Assessors will investigate your environment to trace where CUI enters, leaves, and flows. From there, we’ll provide suggestions on how to reduce and centralize this data flow, leaving you with fewer areas subject to compliance.