Home Resources CUI Scoping
Pre-Assessment · 14-minute read · Foundational

CUI Scoping Methodology

Before you write an SSP, choose an enclave platform, or run a self-assessment, you have to know where your CUI actually lives. This is the inventory exercise that nearly every contractor underestimates — and that drives every downstream scoping, architecture, and remediation decision.

Why Scoping Comes First

Every CMMC compliance decision downstream of CUI scoping depends on knowing what CUI you have. The architecture choice (whole-org compliance versus enclave) hinges on how much CUI you handle and how concentrated it is. The SSP boundary statement is a written description of where your CUI lives. The cost of remediation scales directly with the count of in-scope systems. The cost of the C3PAO assessment scales with the count of in-scope users, applications, and network segments.

An incomplete CUI inventory invalidates everything that follows. If you scope your enclave to a 10-person engineering team but program managers in a different department also receive CUI by email, your enclave does not actually contain all your CUI — and your SSP, your remediation plan, and your assessor's findings will all reflect that gap.

The good news: scoping is one of the few CMMC activities that is genuinely free. It costs time and discipline, not money. Done well, it can be the single largest cost-saving step in your entire compliance program — by ruling things out of scope as well as identifying what's in.

CUI vs. CDI vs. FCI: Resolve the Terms First

Three overlapping terms appear in the regulations and trip up nearly every new reader. Resolve them before you start the inventory.

  • Federal Contract Information (FCI): Information not intended for public release, provided by or generated for the government under a contract. Broadest and least sensitive of the three. Triggers FAR 52.204-21 and CMMC Level 1.
  • Controlled Unclassified Information (CUI): Government-created or government-owned information requiring safeguarding under a law, regulation, or government-wide policy. Categories are enumerated in the NARA CUI Registry. Triggers DFARS 252.204-7012 and CMMC Level 2.
  • Covered Defense Information (CDI): The DFARS-specific subset of CUI. Defined in DFARS 252.204-7012 as unclassified controlled technical information or other CUI marked or otherwise identified in a contract that is collected, developed, received, transmitted, used, or stored in support of contract performance. All CDI is CUI; not all CUI is CDI (CUI on a non-DoD contract isn't called CDI).

For practical CMMC scoping work, treat any CUI you receive in connection with a DoD contract as CDI. The scoping exercise below applies to both terms.

Reading the NARA Registry as a Discovery Tool

The NARA CUI Registry is the authoritative list of CUI categories — over 100 categories grouped into 20 organizational indexes (Defense, Critical Infrastructure, Export Control, Privacy, Procurement and Acquisition, etc.). Most contractors approach it as a reference; treat it instead as a discovery tool.

Read every category in every index that could plausibly relate to your work. The categories most relevant to defense contractors include:

  • Controlled Technical Information (CTI): Technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. The most common CUI category for engineering and manufacturing contractors.
  • Defense Information: Information about military operations, plans, or capabilities that does not rise to the level of classification.
  • Export Controlled (EXPT): Information subject to ITAR or EAR. Carries US-person access restrictions in addition to CUI safeguarding. See the ITAR/EAR controls guide.
  • Procurement and Acquisition: Source selection information, sealed bid information, and proprietary contractor information received during acquisition.
  • Critical Infrastructure (PCII, CEII): Protected Critical Infrastructure Information and Critical Energy Infrastructure Information — relevant for contractors supporting defense facilities, energy, or transportation.
  • Privacy (PII categories): Personnel records, medical records, and similar information often present incidentally in contractor environments.

Walk through the registry with the people in your organization who actually handle the work — engineers, program managers, contracts staff, HR. Ask them to identify what they receive and create. The registry will surface categories you would not have thought to look for.

Start From Your Contracts

The most reliable starting point for a CUI inventory is your contracts themselves. Every DoD contract under DFARS 252.204-7012 names the CUI categories the contractor will handle. The contract tells you what the government expects you to be safeguarding.

For each active and recent DoD contract:

  1. Identify the CUI categories named in the contract or its attachments (DD-254, statement of work, security classification guide)
  2. Identify the deliverables the contract requires you to produce — those deliverables will themselves be CUI in most cases
  3. Identify the data the government will provide you (technical data packages, drawings, source selection information, etc.) — these are CUI on receipt
  4. Note any flow-down obligations to subcontractors handling that CUI (see the DFARS flow-down guide)

Build a contract-by-contract table: contract number, CUI categories handled, government data inputs, contractor data outputs, points of contact for each, and the prime if you are the sub. This table becomes the spine of your CUI inventory and feeds directly into your SSP system overview section.

The Five Inventory Questions

For each CUI category identified in the contract review, work through five questions. Together they produce the inventory artifact that downstream activities depend on.

1. Who creates or receives this CUI?

  1. People: Specific named individuals or roles (program manager X, the engineering team, the contracts office). Not "the company."
  2. Systems: Where data first enters your environment — email gateway, vendor portal, file transfer system, physical mail intake.
  3. External parties: The prime, the government, the customer organization, an upstream subcontractor.

2. Where is it stored?

  1. Primary storage: The system of record — file server, SharePoint, cloud storage, ERP, CAD/PLM system.
  2. Working copies: User endpoints (laptops, workstations), local OneDrive folders, USB drives.
  3. Backups and archives: Backup systems, replication targets, long-term archives.
  4. Email: Inboxes, sent folders, attachments. Email is the most-overlooked CUI repository.
  5. Hardcopy: Printed drawings, contract files, lab notebooks.

3. Who can access it?

  1. Current authorized users: The named user list with access to each storage location.
  2. System administrators: Who can read CUI in the course of administering the systems.
  3. External access: Contractors, MSPs, cloud admin, support staff with access.
  4. Inherited access: Users who don't currently have access but could grant themselves access (privileged accounts, group memberships).

4. How does it leave?

  1. Outbound to the government or prime: Deliverables, status reports, drawings sent for review.
  2. Outbound to subcontractors: CUI flowed down for subcontractor performance.
  3. Outbound to vendors and tools: Cloud services, analytics tools, anywhere CUI moves to support a workflow.
  4. Disposal: When and how is CUI destroyed when no longer needed.

5. How is it labeled?

  1. Banner markings: Whether documents arrive with proper CUI banner markings (and whether your team knows to apply them on creation).
  2. Category designators: Which CUI categories are noted on the marking (CUI//SP-CTI, CUI//SP-EXPT, etc.).
  3. Distribution statements: For technical data, which DoD distribution statement applies (Distribution A through F).

Work these questions for each CUI category your contracts identify. The result is a structured inventory: for each category of CUI, who handles it, where it lives, who has access, how it moves, and how it's labeled. This inventory is the prerequisite for every downstream activity.

The Shadow CUI Problem

Beyond the CUI you receive directly, most contractors create or accumulate CUI in ways that no contract review or system inventory will surface. This is shadow CUI — and finding it is the part of scoping that requires the most discipline.

Shadow CUI patterns to look for

  • Email forwards and replies. A contract specialist forwards a CUI document to a colleague who is on a different DL than the original recipient list. The recipient was not authorized; the email server now holds CUI in two inboxes plus the audit log.
  • Engineering working files. A CAD file received as a design input is opened, modified, and saved with a new name in a project folder. The project folder may not be classified as a CUI repository.
  • Screenshots and clippings. A program manager takes a screenshot of a CUI document for a presentation. The screenshot is saved to local storage and embedded in PowerPoint.
  • Reports derived from CUI. Status reports, dashboards, and analyses that aggregate or summarize CUI inputs may themselves be CUI even if the report format looks innocuous.
  • Cached and rendered files. When a user opens a CUI attachment, copies are cached in temp folders, browser caches, application working directories. These survive after the user thinks they've closed the file.
  • Mobile device sync. Email sync to phones, OneDrive sync to iPads, automatic photo backup of screenshots — every sync extends the CUI footprint to a new device.
  • Voicemail and call recordings. A program manager leaves a voicemail discussing CUI specifics. The voicemail platform now holds CUI.
  • Conversation transcripts. Meeting recordings, transcription services, and AI-assistant call summaries may capture CUI verbatim.
  • Test, dev, and training environments. CUI files copied into a non-production environment for testing, training, or development. Frequently outside the CUI boundary.
  • Vendor and consultant files. CUI shared with outside counsel, an outside consultant, an auditor, or an investor under NDA — all of which create CUI footprints outside your environment.

Surfacing shadow CUI requires a combination of interview-based discovery (asking users what they actually do with CUI), technical discovery (DLP scans of file shares and email, search across endpoints, cloud storage audits), and process review (workflow walkthroughs). It is worth doing before — not after — you finalize your CUI boundary.

Documenting the Inventory

The CUI inventory is a working artifact, not a one-time deliverable. Document it in a form that can be maintained and reviewed.

FieldPurposeExample
CUI categoryMaps to NARA registryControlled Technical Information (CTI)
Source contract(s)Establishes the safeguarding obligationFA8000-25-D-1234
DescriptionWhat the data actually is, in plain languageEngineering drawings for the X-100 propulsion subsystem
OriginHow it enters the environmentReceipt by program manager via Kiteworks transfer from prime
Storage locationsWhere it resides at restSharePoint X-100 site (primary); user OneDrive (working copies); engineering file server (master copies)
Authorized usersSpecific named individuals or rolesX-100 engineering team (12 named users); program manager; contracts officer
Outbound destinationsWhere copies leave toSubcontractor Y via Kiteworks; prime via Kiteworks; archive after contract close
Marking statusWhether banner markings are appliedMarked on receipt; markings preserved on derivative works per CTI policy
DispositionWhen and how it is destroyedRetained for contract life + 6 years per FAR 4.703; destroyed by NIST 800-88 sanitization
Last verifiedDate the inventory entry was confirmed accurate2026-04-15

One row per CUI category, per contract (or per program if the categories are shared across contracts). Update the inventory at least annually, and whenever a new CUI source enters your environment.

The inventory feeds the SSP. Section 1 (System Overview) of your SSP describes the CUI categories handled. Section 2 (Boundary) describes where they live. Section 4 (CUI Flow) describes how they move. Your inventory is the source of truth for all three sections — see the SSP guide for the documentation requirements.

From Inventory to Boundary

The CUI inventory drives the boundary decision. With the inventory in hand, ask:

  • How concentrated is the CUI? If most CUI lives in a small set of systems used by a small set of people, an enclave is feasible. If CUI is scattered across the enterprise (every engineer's laptop, the general SharePoint, the corporate email system), enclaving is harder and a whole-org compliance approach may be more honest.
  • Can the boundary be enforced? An enclave is only as strong as the controls preventing CUI from crossing it. If shadow CUI patterns suggest CUI routinely crosses to personal email, BYOD, or commercial cloud, the boundary will not hold.
  • What scope reduction is realistic? A common error is assuming an enclave will reduce scope by 90% when in practice it reduces it by 40% because half the organization continues to receive CUI by email. Build the inventory before estimating the scope reduction.

Once the inventory is solid, move to architecture: see the enclave architecture guide for the patterns and tradeoffs in detail.

Common Pitfalls

  • Asking only IT. IT can tell you which systems exist; only the users can tell you what's in them. The inventory must be informed by the people who actually handle CUI in the course of their work — not derived from a network scan.
  • Assuming "we don't have CUI." Many contractors who hold prime or subcontract relationships under DoD believe they don't handle CUI. Read the contracts before drawing that conclusion. CUI obligations attach by contract clause, not by self-assessment.
  • Treating the inventory as a one-time document. CUI flows change as contracts start and end, as personnel change roles, as new tools are adopted. An inventory frozen at the time of your initial assessment will be stale within months.
  • Missing the marking obligation. Receiving CUI is one obligation; creating derivative works (reports, analyses, drawings) carries the obligation to apply CUI markings to those derivatives. Your inventory should note marking status as a control item, not just an observation.
  • Conflating CUI with all sensitive information. Trade secrets, internal financials, and other proprietary data are sensitive but are not CUI unless they meet the regulatory definition. Over-scoping by treating proprietary data as CUI inflates compliance cost without serving the regulatory purpose.

Authoritative References

NARA CUI Registry
The authoritative list of CUI categories — read it as a discovery tool, not just a reference
NARA Limited Dissemination Controls
Markings that may appear in addition to the CUI banner — NOFORN, REL TO USA, FED ONLY, and others
DoD CUI Program Office
DoD-specific guidance on CUI marking, handling, and the Defense CUI Registry
DFARS 252.204-7012
The clause that defines Covered Defense Information and creates the safeguarding obligation
NIST SP 800-171 Rev 2
The 110 requirements that apply to systems holding CUI — your inventory determines which systems they apply to
NARA: Controlled Technical Information
Detailed definition of the CTI category — the most common CUI type for defense contractors

Next steps: With your CUI inventory in hand, work through the enclave architecture decision, then document the inventory in your SSP boundary section. If you flow CUI to subcontractors, see DFARS 252.204-7012(m) flow-down obligations.