CUI Scoping: The Foundation of Your Entire CMMC Program

If you do not know where your CUI lives, you cannot protect it or certify around it.

Table of Contents

Picture of Branden Reber
Branden Reber

The Most Underestimated Step in CMMC Preparation

What is CUI?

The CUI Scoping Process

Common Scoping Mistakes

Scoping as a Cost Driver

The Most Underestimated Step in CMMC Preparation

Ask any C3PAO what the most common root cause of CMMC assessment struggles is, and you will hear the same answer: poor scoping. Organizations either cast their net too wide, dragging unnecessary systems into assessment scope and driving up cost and complexity, or they scope too narrowly, leaving critical CUI flows outside their boundary and creating real security and compliance gaps. 

CUI scoping is not an administrative exercise. It is the foundational technical and organizational analysis that determines what your CMMC program actually covers and how much your assessment will cost. 

What Is CUI?

Controlled Unclassified Information is information the federal government creates or possesses, or that an entity creates or possesses on behalf of the government, that requires safeguarding consistent with applicable law, regulation, or government-wide policy. The National Archives maintains the CUI Registry, which defines over 20 categories across defense, legal, financial, privacy, and other domains. 

For defense contractors, the most relevant CUI categories include: 

  • Defense Technical Information (export-controlled technical data, engineering drawings, specifications) 
  • Defense Procurement and Acquisition (contract terms, acquisition-sensitive information) 
  • Controlled Technical Information (CTI under DFARS 252.204-7012) 
  • Naval Nuclear Propulsion Information 
  • DoW Critical Infrastructure Security Information 


Your contracts will specify which categories apply. If you are unsure, the contracting officer is the authoritative source. 

The CUI Scoping Process

Step 1: Identify CUI Inflows 

Where does CUI enter your organization? Common inflow points include government-provided portals, email from contracting officers and program managers, secure file transfer from primes, and drawing or specification databases. Map every source. 

Step 2: Trace CUI Flows 

Once you know where CUI enters, follow it. Which systems process it? Which applications store it? Which networks transmit it? This data flow analysis defines your CMMC assessment boundary. Be exhaustive. Missing a CUI flow during scoping means discovering it during assessment, which is a far more expensive problem. 

Step 3: Identify CUI Repositories 

Where does CUI at rest reside? File shares, collaboration platforms, email archives, engineering databases, backup systems, and cloud storage are all common repositories. Each one that holds CUI is in scope. 

Step 4: Map the Human Element 

Who accesses CUI? Which roles, which individuals, which third parties? Privileged users, remote workers, and subcontractors with access to CUI-containing systems all have implications for your access control and personnel security controls. 

Step 5: Define the Assessment Boundary 

With data flows and repositories mapped, you can define your formal assessment boundary: the set of systems, networks, people, and processes in scope for your CMMC assessment. This boundary drives your SSP, your control implementations, and your C3PAO assessment scope. 

Common Scoping Mistakes 

  • Including all corporate IT in scope when only a subset of systems touches CUI 
  • Excluding cloud services that store or process CUI because they are vendor-managed 
  • Missing CUI in email and collaboration tools like Microsoft 365 or Google Workspace 
  • Forgetting backup and disaster recovery systems that replicate CUI data 
  • Not accounting for remote access paths that traverse non-CUI infrastructure 

Scoping as a Cost Driver

  • Every system in your assessment boundary increases assessment cost and ongoing compliance overhead. Good scoping reduces your boundary to the minimal set of systems that actually process CUI, without creating gaps. Organizations that invest in rigorous scoping consistently see lower assessment costs and cleaner results. 

    Fortreum helps contractors work through CUI scoping as the first phase of our CMMC advisory engagements. Getting this right from the start shapes everything that follows. 

What can Fortreum do for you?

Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/

Recent Insights

  • Lessons Learned from the Mini Shai-Hulud Campaign and Supply Chain Attacks in 2026
    Blog

    What Happened Scope and Impact

  • CMMC Incident Response: What the Controls Actually Require and How to Build a Program That Passes
    Blog

    Why Incident Response Gets More

  • Choosing the Right C3PAO: What Defense Contractors Should Ask Before Signing
    Blog

    Why the C3PAO Decision Matters

  • Common CMMC Requirements That Most Contractors Get Wrong
    Blog

    Pattern Recognition From the Assessor's

  • Why Simply Having FedRAMP Moderate Does Not Equal CMMC Readiness
    Blog

    What Each Framework Actually Is

  • CMMC Flow-Down Requirements: What Prime Contractors Need to Manage in Their Supply Chain
    Blog

    The Supply Chain Problem Is

  • CMMC Gap Assessment: The Investment That Pays for Itself Before Your Assessment Begins
    Blog

    The Most Expensive Discovery What

  • CMMC for Small Businesses: Compliance Without a Full Security Team
    Blog

    The Small Business Reality Where

  • CMMC Self-Assessment vs. Third-Party Assessment: Which Path Applies to You?
    Blog

    The Two Paths to CMMC

  • Building a System Security Plan That Actually Passes CMMC Assessment
    Blog

    The Document That Defines Your