If you cannot point to a file and say "this is CUI, this is not," you cannot scope CMMC. The scoping exercise - identifying Controlled Unclassified Information (CUI), marking it, tracing its flow through your environment, and segmenting it into a defensible enclave - is the single most important project in a Level 2 readiness program. It determines what is in scope, what is out, and whether your assessment cost runs $50k or $150k.
This exercise is also where most DIB contractors stumble. The CUI designation is imposed upstream by a government program office or prime contractor, not invented by your team. Your job is to identify what has been so designated, honor the markings, and protect accordingly.
The legal foundation
CUI is defined by 32 CFR Part 2002 and administered by the National Archives (NARA) under Executive Order 13556. NARA maintains the CUI Registry, which catalogs every CUI category and subcategory across the federal government. Examples relevant to the DIB:
- Controlled Technical Information (CTI): technical data with military or space application that is subject to export control
- Export Controlled: information governed by ITAR or EAR
- Basic Research (Specified): unclassified research findings with DoD dissemination restrictions
- Procurement and Acquisition (Source Selection): source selection and proposal evaluation information
- Privacy: PII where the government has directed specific safeguarding
Each category has specific handling requirements defined in the registry. Some permit limited sharing under conditions; others require stringent dissemination controls.
Identification: where CUI enters your environment
CUI enters your environment through a finite number of channels. Map each one:
Contract documents and flow-downs
The contract itself, statements of work, specifications, and government-furnished information all may contain CUI. Check the DD Form 254 and the contract CUI attachment. Primes flowing work to you should provide a CUI handling guide; if they have not, request one.
Email
The most frequent and least controlled CUI ingress point. Any email from a government PoC with an attachment - drawings, specs, test results - is a candidate for CUI. Unless you operate your mail in a FIPS-compliant enclave (GCC High or equivalent), incoming CUI email drags the entire mail plane into scope.
File transfers
Secure file transfer tools, government-provided portals (DoD SAFE, the DIBNet portal), and prime-contractor managed file shares. Each upload event is a CUI ingress event; track them.
Collaboration tools
Teams, SharePoint, OneDrive, third-party collaboration platforms. If CUI can land in a collaboration space, the space is in scope unless explicitly blocked by policy and technical control.
Engineering and production systems
Drawings exported into a CAD system. Test data captured in a manufacturing execution system. Firmware images in a version control repo. Each derived artifact inherits the CUI designation of its source and must be protected accordingly.
Backups and archives
Every backup of a CUI-bearing system contains CUI. Every long-term archive inherits CUI protection requirements for the life of the retention period. Ignoring this is a common scoping error.
Marking: the CUI banner and handling instructions
Once identified, CUI must be marked. The baseline marking is the CUI banner at the top of the document - "CONTROLLED" or "CONTROLLED//CATEGORY" - and the portion marking where applicable. Handling instructions and dissemination controls follow per the category.
Operationally, this means:
- Document management systems applying CUI banners based on sensitivity labels
- Email systems applying CUI markings on outbound messages containing CUI
- Print workflows including CUI header/footer and routing restrictions
- Training for every employee who may receive, create, or disseminate CUI
The common failure: contractors treat marking as the contractor's discretion. It is not. If the originating agency or prime marked a document CUI, you cannot re-mark it non-CUI. You can only apply additional markings required by your handling policy or downgrade if explicitly authorized by the originator.
Data flow diagrams
The single most useful artifact in a scoping exercise is a CUI data flow diagram (DFD). It shows every system that receives, processes, stores, or transmits CUI, and every connection between those systems. The DFD becomes the foundation for:
- Scope determination (which assets are CUI Assets vs SPA vs CRMA vs out-of-scope)
- Enclave architecture (where to cut segmentation boundaries)
- SSP authoring (which systems get detailed control coverage)
- Assessor walkthroughs (the diagram becomes the assessor's map on day one)
A credible DFD shows ingress points, storage locations, processing systems, outbound disseminations, backups, and administrative access paths. It should fit on a single diagram at enterprise scale but be supported by detailed sub-diagrams for each major workflow.
Enclave design: the payoff
Once CUI is identified and flows are mapped, the enclave design is a constrained optimization. The goal: minimize the number of in-scope assets while preserving business function.
Typical enclave cuts:
- Dedicated email tenant: GCC High for all CUI mail; commercial tenant for general business. Mail routing at the gateway directs government-domain mail to the GCC High plane.
- Dedicated file storage: CUI stored only in a segregated SharePoint/OneDrive in GCC High or an on-premises file server with IL5-compatible controls.
- Dedicated endpoints or VDI: engineers and contracts staff access CUI via a dedicated VDI pool with locked-down clipboard, USB, and screenshot policy.
- Dedicated network segment: VLAN or physically separate network with constrained egress.
- Dedicated identity: separate Entra tenant or carefully federated identity with strict conditional access for CUI systems.
The enclave reduces the CUI Asset category to a small, assessor-visible boundary. Everything else becomes CRMA or out-of-scope, dramatically reducing assessment cost.
Common scoping mistakes
- Treating "likely CUI" as "definitely not CUI": if in doubt, assume CUI and verify. The reverse assumption is legally untenable.
- Ignoring derivative artifacts: the engineering drawing is CUI; the CAD export is CUI; the PDF rendered from the CAD export is CUI; the thumbnail in the DMS is CUI.
- Over-scoping backups: a single tape backup of everything pulls every system into scope. Separate backup streams for CUI vs non-CUI data.
- Under-scoping SPAs: your SIEM, your EDR, your IdP - if they protect CUI Assets, they are SPA and fully in scope. Missing this in the DFD invalidates the scoping exercise.
- Shadow collaboration: employees using personal tools, unauthorized SaaS, or consumer messaging to share CUI. Address with policy, tooling, and DLP.
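The scope determination the data flow diagram drives (CUI Asset vs SPA vs CRMA vs out-of-scope) and the derivative-artifact, backup and SPA mistakes listed above can be checked mechanically once the DFD is captured as data. The following is an added example, not Techvera's tooling or any CMMC-official method: it takes a small constructed asset and flow inventory, propagates CUI status to backups and derived copies, classifies each asset, and flags a backup target that mixes CUI and non-CUI streams. The asset names, the `can_handle_cui` flag, the `protects` relation and the classification rules are all simplifying assumptions made for illustration.

```python
"""Added example: classify a CUI data-flow inventory into CMMC scoping
categories and flag the backup and derivative-artifact mistakes the
article describes. The asset and flow data below are constructed, and
the classification rules are a deliberate simplification of the CMMC
Level 2 scoping guide, not the assessor's authoritative test."""
from dataclasses import dataclass, field

# Flow kinds whose destination inherits CUI status from a CUI source even if
# the flow itself was not tagged as carrying CUI (tape backups, CAD exports).
INHERITING_KINDS = {"backup", "derive"}


@dataclass
class Asset:
    name: str
    # False only when policy AND a technical control block CUI from landing here
    can_handle_cui: bool = True
    # Names of assets this one provides security protection to (SIEM, EDR, IdP)
    protects: set = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    carries_cui: bool
    kind: str = "transfer"  # "transfer", "backup" or "derive"


def cui_assets(flows):
    """Every endpoint of a CUI-carrying flow holds CUI; backup and derived
    copies of a CUI asset hold CUI too, so propagate to a fixpoint."""
    holders = set()
    for f in flows:
        if f.carries_cui:
            holders.update((f.src, f.dst))
    changed = True
    while changed:
        changed = False
        for f in flows:
            if f.kind in INHERITING_KINDS and f.src in holders and f.dst not in holders:
                holders.add(f.dst)
                changed = True
    return holders


def classify(assets, flows):
    """Map each asset name to 'CUI Asset', 'SPA', 'CRMA' or 'Out of scope'."""
    holders = cui_assets(flows)
    scope = {}
    for a in assets:
        if a.name in holders:
            scope[a.name] = "CUI Asset"
        elif a.protects & holders:
            scope[a.name] = "SPA"  # protects a CUI asset: fully in scope
        elif a.can_handle_cui:
            scope[a.name] = "CRMA"  # could hold CUI but no flow delivers it
        else:
            scope[a.name] = "Out of scope"
    return scope


def scoping_findings(assets, flows):
    """Return human-readable warnings for the common scoping errors."""
    holders = cui_assets(flows)
    blocked = {a.name for a in assets if not a.can_handle_cui}
    findings = []
    # CUI reaching an asset that policy says cannot hold it: the control failed.
    for name in sorted(holders & blocked):
        findings.append(f"{name}: marked as blocked for CUI but a CUI flow reaches it")
    # A backup target fed by both CUI and non-CUI sources drags the non-CUI
    # systems' data into a CUI asset; split the backup streams instead.
    targets = {}
    for f in flows:
        if f.kind == "backup":
            targets.setdefault(f.dst, set()).add(f.src)
    for dst, srcs in sorted(targets.items()):
        if (srcs & holders) and (srcs - holders):
            findings.append(f"{dst}: mixes CUI and non-CUI backup streams from {sorted(srcs)}")
    return findings


# Constructed inventory for a small enclave (all names are invented).
SAMPLE_ASSETS = [
    Asset("gcch-mail"),
    Asset("cui-fileserver"),
    Asset("vdi-pool"),
    Asset("cad-export-share"),
    Asset("siem", protects={"gcch-mail", "cui-fileserver", "vdi-pool"}),
    Asset("idp", protects={"vdi-pool"}),
    Asset("backup-shared"),
    Asset("commercial-teams"),                    # nothing blocks CUI here: CRMA
    Asset("erp-finance", can_handle_cui=False),   # policy plus DLP block CUI
]

SAMPLE_FLOWS = [
    Flow("gcch-mail", "cui-fileserver", carries_cui=True),
    Flow("cui-fileserver", "vdi-pool", carries_cui=True),
    # The CAD export was never tagged by the team, but it derives from CUI.
    Flow("cui-fileserver", "cad-export-share", carries_cui=False, kind="derive"),
    # One tape job backs up both the CUI server and the finance system.
    Flow("cui-fileserver", "backup-shared", carries_cui=False, kind="backup"),
    Flow("erp-finance", "backup-shared", carries_cui=False, kind="backup"),
]

if __name__ == "__main__":
    for name, category in classify(SAMPLE_ASSETS, SAMPLE_FLOWS).items():
        print(f"{name:18} {category}")
    for finding in scoping_findings(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print("FINDING:", finding)
```

Run as a script it lists the classification and then one finding: the shared backup target holds CUI (it backs up the CUI file server) and also receives the finance system's stream, which is the backup error the article warns about. The `cad-export-share` comes out as a CUI Asset even though nobody tagged the export flow, because derived artifacts inherit from their source; the SIEM and IdP come out as SPA because they protect CUI assets.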
What to do next
If your organization cannot produce a current CUI inventory, a data flow diagram, and a defined enclave boundary within 60 days of starting the exercise, stop other CMMC work until it can. Every other control investment compounds on this foundation.
Techvera runs CUI scoping exercises for tier-2 DIB contractors as the first phase of a Level 2 readiness program. See our defense-industrial compliance practice or schedule a scoping consultation to get a defensible CUI inventory and enclave blueprint.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
