Webinar
CMMC scoping: How to ensure your scope is ready for assessment
Sept. 3, 2024 · Authored by Matt Gilbert, Jacob Stroupe
Understanding your scope starts with controlled unclassified information (CUI)
When considering your Cybersecurity Maturity Model Certification (CMMC) assessment—as with most important discussions—it’s best to begin by clearly defining your terms. In this case, the terms to define are federal contract information (FCI) and controlled unclassified information (CUI).
FCI is not public information, but it is provided by—or generated for—the government under a contract. Essentially, FCI is anything you are handling—that is not public information—as part of your contract with the government (specifically the Department of Defense (DOD), in the case of CMMC).
CUI is a subset of FCI. It is also non-public information belonging to the government, but it is sensitive (though unclassified). What makes it CMMC CUI specifically is that laws, regulations and government-wide policies require this information to be safeguarded or placed under dissemination controls. In short, CUI comes with special rules designed to ensure it is protected and handled appropriately and that access to it is limited.
Who makes the rules about CUI?
It’s important to note that CUI is not exclusive to the DOD, or CMMC. Executive Order 13556, under the Obama administration, officially defined CUI, established the National Archives and Records Administration (NARA) as the executive agent, tasked them with setting the standards, rules and policies for how to protect CUI and instituted this entire process.
Under such guidance, the requirements for CUI pertain to government agencies as well as federal contractors. It’s important to note, however, that this process establishes the bare minimum. The DOD can add to it, but they cannot deviate from the minimum. In fact, a series of policies and guidelines apply:
- Executive Order 13556
- 32 Code of Federal Regulations (CFR) Part 2002 (implementing directive)
- CUI Marking Handbook
- CUI notices
- CUI Notice 2020-01 (CUI implementation deadlines)
- CUI Notice 2020-02 (alternate marking methods)