Essential Steps for Effective Scoping of FCI and CUI in CMMC Level 2 Readiness

  • Writer: John Christly
  • Feb 26

Preparing for CMMC Level 2 certification requires more than just implementing controls or purchasing security tools. The critical first step is understanding where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) actually exist within your environment. Without this clarity, organizations risk misallocating resources, inflating costs, and creating inefficient security architectures. This post guides defense contractors and related stakeholders through the strategic process of properly scoping FCI and CUI, setting a strong foundation for successful CMMC Level 2 readiness.



[Image: server room rack with network equipment. Caption: Identifying data locations critical for CMMC Level 2 readiness]


Understanding the Importance of Scoping Before Controls


Many organizations jump straight into building secure enclaves or deploying security controls once they decide to pursue CMMC Level 2 certification. This approach often overlooks the foundational question: Do you actually possess FCI or CUI?


Why This Step Is Often Skipped


  • Assumptions about Data Presence

Some contractors assume they must have CUI simply because they work with the Department of Defense (DoD). In reality, not all contracts involve CUI, and some only require protection of FCI, which has different handling requirements. The contract itself tells you which: FAR 52.204-21 imposes basic safeguarding for FCI (the CMMC Level 1 baseline), while DFARS 252.204-7012 requires NIST SP 800-171 protection for CUI, which is what a Level 2 assessment measures.


  • Pressure to Act Quickly

The urgency to comply can push teams to implement controls without a clear understanding of what needs protection, leading to wasted effort and higher costs.


  • Complexity of Data Environments

Modern IT environments are complex, and without a clear scoping process, organizations may miss critical data locations or overextend their security boundaries unnecessarily.


How Proper Scoping Shapes Your Readiness


Scoping defines the boundaries of your CMMC assessment. It influences:


  • Assessment Scope and Cost

Knowing exactly where FCI and CUI reside helps avoid over-scoping, which can increase assessment complexity and cost.


  • Security Architecture Design

Proper scoping informs how to segment networks, build enclaves, and apply controls effectively.


  • Long-Term Operations

A clear scope supports sustainable compliance by focusing resources on protecting relevant data, reducing operational overhead.



Scoping Is About Data, Not Just Network Diagrams


Many organizations treat scoping as a network exercise, focusing on diagrams and IP addresses. While network topology matters, the core of scoping is data discovery and lifecycle tracing.


Lifecycle Tracing of FCI and CUI


Understanding where FCI and CUI are created, received, stored, processed, transmitted, archived, and destroyed is essential. Following the data through each stage, rather than starting from the systems you already know about, is what surfaces the copies that network diagrams never show.


Commonly Overlooked Data Locations


Here are critical places where FCI and CUI often reside but are frequently missed during scoping:


  • Email Systems

Platforms like Microsoft 365 and Gmail often contain sensitive contract information in inboxes, sent items, and archives.


  • SharePoint and OneDrive

These cloud storage solutions may hold documents with CUI or FCI, especially in shared folders.


  • Teams and Collaboration Tools

Chat logs, file shares, and meeting notes can contain sensitive data.


  • Customer Relationship Management (CRM) Platforms

Contract details and communication history may be stored here.


  • Contract Portals

External portals used for contract management often contain CUI.


  • File Shares and Legacy Servers

Older servers and network shares accumulate CUI and FCI from past contracts, often with no owner and no retention policy.


  • Endpoints and Local Drives

Laptops and desktops can have local copies of sensitive files.


  • Backup Repositories

Backups often contain copies of CUI and FCI that must be secured.


  • Enterprise Resource Planning (ERP) Systems

Financial and procurement data related to contracts may be stored here.


  • Human Resources (HR) Portals

Employee data linked to contract work can include sensitive information.


  • Archived PST Files

Outlook email archives (.pst) stored on local drives or file servers sit outside the mailbox's own access controls, retention, and search tooling, so their contents are rarely inventoried.


  • Ticketing Systems

Support and issue tracking systems may include contract-related details.


Practical Example


A defense contractor discovered that while their network diagrams showed segmented enclaves, a significant amount of CUI was stored in archived PST files on local drives and backup tapes. This oversight would have led to a failed assessment if not identified during scoping.



Steps to Conduct Effective Scoping


  1. Inventory Contracts and Data Types

    Review each contract and its clauses (FAR 52.204-21, DFARS 252.204-7012) to determine whether FCI or CUI is involved. Record the specific data types and their handling and marking requirements.


  2. Map Data Locations

    Combine automated discovery (searches for CUI markings, legacy FOUO markings, and contract-clause references across file shares, mailboxes, and cloud storage) with manual checks by data owners to locate where FCI and CUI exist across the systems listed above.


  3. Trace Data Lifecycle

    Follow the data from creation or receipt through storage, processing, transmission, archiving, and destruction, noting every system it touches along the way.


  4. Engage Stakeholders

    Collaborate with IT, legal, compliance, contracts, and program managers to ensure all data sources and business processes are identified.


  5. Define Assessment Boundaries

    Based on the confirmed data locations, set clear boundaries for your CMMC Level 2 assessment and decide which systems are in scope, which provide security functions, and which are out of scope.


  6. Document and Validate

    Maintain detailed documentation (asset inventory, data flow diagrams, network diagrams) and validate findings with internal audits or a third-party readiness review.
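As an added illustration of the "Map Data Locations" step (example code written for this page, not a tool from the original post), the script below walks a directory tree and flags files carrying CUI banner markings, legacy FOUO markings, or references to the FAR and DFARS safeguarding clauses. It reads plain-text formats directly, opens .docx files as the zip archives they are, and reports .pst, .pdf and similar containers as "opaque" rather than silently skipping them, which is how the PST-on-local-drive oversight in the practical example above gets caught. The regex patterns, labels, and sample files are this example's constructed assumptions; a hit is a lead for a human to confirm, not a determination that the file is CUI.

```python
import csv
import io
import os
import re
import tempfile
import zipfile

# Indicator patterns. Regexes and the ranking in classify() are this
# example's assumptions, not an authoritative marking specification.
INDICATORS = {
    # 32 CFR 2002 style banner / portion markings, e.g. "CUI", "CUI//SP-CTI", "(CUI)"
    "cui_marking": re.compile(r"\bCUI(?://[A-Z0-9/\-]+)?\b|CONTROLLED UNCLASSIFIED INFORMATION"),
    # Legacy pre-CUI marking, still common in old PST archives and file shares
    "fouo_legacy": re.compile(r"\bFOUO\b|FOR OFFICIAL USE ONLY", re.I),
    # Clause references: FAR 52.204-21 covers FCI, DFARS 252.204-7012 covers CUI
    "far_52_204_21": re.compile(r"\b52\.204-21\b"),
    "dfars_7012": re.compile(r"\b252\.204-7012\b"),
}
TEXT_EXTS = {".txt", ".csv", ".md", ".eml", ".json", ".xml", ".log", ".html"}
OPAQUE_EXTS = {".pst", ".ost", ".pdf", ".zip", ".bak", ".xlsx", ".pptx"}


def extract_text(path):
    """Return searchable text, or None when this script cannot inspect the format.
    Files with extensions outside TEXT_EXTS/OPAQUE_EXTS/.docx are skipped by the caller."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEXT_EXTS:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    if ext == ".docx":
        # A .docx is a zip archive; the body text lives in word/document.xml
        try:
            with zipfile.ZipFile(path) as z:
                xml = z.read("word/document.xml").decode("utf-8", "replace")
            return re.sub(r"<[^>]+>", " ", xml)  # drop tags, keep text runs
        except (zipfile.BadZipFile, KeyError):
            return None
    return None


def classify(text):
    """Rank a text body: CUI indicators outrank FCI indicators, which outrank
    legacy markings. Returns (label or None, sorted indicator names)."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "cui_marking" in hits or "dfars_7012" in hits:
        return "CUI candidate", hits
    if "far_52_204_21" in hits:
        return "FCI candidate", hits
    if "fouo_legacy" in hits:
        return "legacy marking - review", hits
    return None, hits


def scan_tree(root):
    """Walk root; return one record per marking hit or opaque container."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            text = extract_text(path)
            if text is None:
                if ext in OPAQUE_EXTS or ext == ".docx":
                    findings.append({"path": rel, "label": "opaque container - needs tooling",
                                     "indicators": ""})
                continue
            label, hits = classify(text)
            if label:
                findings.append({"path": rel, "label": label, "indicators": ";".join(hits)})
    return sorted(findings, key=lambda r: r["path"])


def to_csv(findings):
    """Serialise findings as CSV so they can feed the scoping inventory."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "label", "indicators"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


def build_sample_tree(root):
    """Create constructed sample files (not real contract data) under root."""
    samples = {
        "contracts/SOW_2024.txt": "Statement of Work. Clause 252.204-7012 applies. CUI//SP-CTI\n"
                                  "Banner: CONTROLLED UNCLASSIFIED INFORMATION",
        "contracts/PO_basic.txt": "Purchase order. FAR 52.204-21 basic safeguarding applies.",
        "archive/old_memo.eml": "Subject: FW: schedule\nFOR OFFICIAL USE ONLY\nsee attached",
        "hr/holidays.md": "# Holiday schedule\nOffice closed on federal holidays.",
        "archive/mailbox.pst": "",  # empty stand-in for an Outlook archive
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    # Constructed .docx: a minimal zip whose document.xml carries a CUI marking
    with zipfile.ZipFile(os.path.join(root, "contracts", "drawing_notes.docx"), "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>CUI</w:t></w:r>"
                   "<w:r><w:t>Drawing revision notes</w:t></w:r></w:p></w:body></w:document>")


def run_demo():
    """Build the constructed sample tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(to_csv(run_demo()))
```

Point scan_tree() at a mounted share or a user profile to produce the inventory; extend TEXT_EXTS and OPAQUE_EXTS for the formats in your environment. The opaque list is deliberate: a PST or PDF that cannot be read here still belongs in the inventory as a location to open with proper tooling, because an unknown container is exactly the kind of gap that fails an assessment.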



Why Scoping Sets the Stage for Success


Proper scoping reduces surprises during assessment, controls unnecessary spending, and builds a security architecture tailored to your environment. It also supports ongoing compliance by focusing efforts where they matter most.

