GRC Knight

GRC Knight, bringing together former external auditors, skilled security engineers, and compliance aficionados, serves as your bulwark in the ever-evolving cybersecurity and regulatory landscape. Read More…..

Navigating CMMC Compliance for SMBs: A Comprehensive Guide to Identifying and Scoping Controlled Unclassified Information (CUI)

By: Frank Kyazze |  December 18, 2023


Embarking on the Cybersecurity Maturity Model Certification (CMMC) journey requires a thorough understanding of the landscape and a meticulous approach to identifying and scoping Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) for Small and Medium-sized Businesses (SMBs) within the Defense Industrial Base (DIB). In this practical guide, we dive into the intricacies of this crucial initial phase, emphasizing the significance of establishing a robust cybersecurity posture.

Understanding the Flow of Data

To kick off your CMMC journey, it’s essential to map the intricate pathways through which data flows in and out of your organizational environment. This involves pinpointing the precise locations where FCI/CUI resides or might potentially reside. Taking control of the systems housing this sensitive information requires a very fundamental and strategic first step.

The Challenge of Asset Identification

Identifying assets poses a unique set of challenges for SMBs in the DIB. The transition to robust cybersecurity practices, in addition to limited resources for building and maintaining these processes, can be daunting. Additionally, a lack of common knowledge in deciphering markings and distribution statements, coupled with the urgency imposed by DoD timelines, creates a recurring impact on costs and company-wide issues.

CMMC Self-Assessment Scope for Level 1

As you initiate the self-assessment process for CMMC Level 1, precision is key. Clearly specify which assets in your environment will undergo assessment. FCI assets, responsible for processing, storing, or transmitting FCI, include examples such as contract performance reports and process documentation.

Preparing for CMMC Level 2

Anticipate the transition to CMMC Level 2 by conducting a meticulous examination of where CUI fits within the defined asset categories. CMMC Level 2 demands compliance with 110 practices aligned with NIST SP 800-171, necessitating the documentation of all assets falling into categories such as CUI Assets, Security Protection Assets (SPA), Contractor Risk Managed Assets (CRMA), and Specialized Assets (SA).

Remembering CUI

When dealing with CUI, it’s important to consider whether the data is generated on behalf of a contract, used to fulfill contractual obligations to the government, and identifiable within sub-categories listed on the NARA CUI registry.

Impact of New Contracts and Company Growth

The acquisition of new contracts and company growth greatly increases the importance of meticulous data management and asset classification. Consider leveraging compliant Managed Service Providers (MSP) or Managed Security Service Providers (MSSP) with a shared responsibility matrix to navigate the challenges effectively.

Defining Clear Boundaries

Clarify the boundaries for data and asset management by utilizing potential software or service providers. Inquire about their Shared Responsibility Matrix, FedRAMP Moderate equivalence, and responsibilities in data protection. This proactive approach guarantees a comprehensive understanding of roles and responsibilities.

Categorizing Assets

Efficiently categorize assets into Security Protection Assets (SPA), Contractor Risk Managed Assets (CRMA), and Specialized Assets (SA). This not only streamlines the assessment process but also provides a structured framework for effective asset management.

Out of Scope Assets

Identify assets that fall outside the scope of CMMC assessment, alleviating the need for documentation in System Security Plans (SSPs) for CMMC. Examples include non-business-related personal employee information assets.

Inventory and Data Flow Control

Create a comprehensive inventory of your systems, people, and data flow, categorizing them appropriately. Utilize tools such as Microsoft Purview for content search and data flow control validation, ensuring a thorough and accurate representation of your organizational landscape.


For SMBs, the journey towards CMMC compliance begins with the critical task of identifying and scoping CUI. This foundational process not only establishes a resilient cybersecurity posture but also safeguards sensitive data crucial to national security. The implications of CMMC compliance on bidding for and securing government contracts cannot be overstated. With a clear understanding and a strategic approach, SMBs can navigate this compliance landscape effectively, contributing to a more secure and resilient Defense Industrial Base.
Still stuck? We invite you to explore how GRC Knight can assist your business in its compliance journey. Schedule a call with our experts for personalized guidance. Also, don’t forget to check out our detailed Whitepaper Survival Guide for CMMC, offering in-depth insights and strategies for navigating CMMC 2.0. Get your copy here.

Leave a Reply

Your email address will not be published. Required fields are marked *