Globe-America Consulting
CUI SCOPING WIZARD
Identify · Scope · Protect

Included in Readiness & Governance Package

This wizard is provided exclusively to Globe-America Readiness & Governance clients. It guides you through a structured CUI scoping exercise — identifying what CUI you handle, where it lives, and how it flows — producing a summary you can feed directly into your SSP.

Contract & Program Context
Effective CUI scoping starts with your contract. The type of contract, the clauses it contains, and the nature of the work you perform determine whether CUI is involved — and at what level. Answer each question based on your primary DoD contract or program.
What Is CUI?

Controlled Unclassified Information (CUI) is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires or permits an agency to safeguard or control the dissemination of, but that is not classified. In short, CUI is unclassified but sensitive. If your contract involves CUI, DFARS 252.204-7012 applies to your organization, and CMMC Level 2 applies once the CMMC clause is included in your contract. DFARS 252.204-7012 also requires you to rapidly report any cyber incident that affects CUI (or your ability to perform operationally critical support) to DoD within 72 hours of discovery, through the DoD Cyber Crime Center (DC3) reporting portal, and to preserve images of the affected systems and relevant monitoring data for at least 90 days after the report.

Contract Type
What best describes your primary DoD contract or subcontract?
DFARS Clause Presence
Does your contract or subcontract contain DFARS clause 252.204-7012?
Tip: Search your contract document for "252.204-7012" or "safeguarding covered defense information". Also look for 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) and 252.204-7021 (CMMC). The presence of 7012 is the clearest indicator that CUI is in scope, and the clause flows down to subcontractors whose performance involves CUI.
Work Nature
Which of the following best describes the primary nature of your work under the contract? (Select all that apply)
Identify Your CUI Categories
The CUI Registry (administered by NARA) defines the specific categories of information that qualify as CUI. Select every category that applies to information you receive from DoD, generate under the contract, or handle on behalf of the government. When in doubt, select it: the contracting activity is responsible for identifying the CUI associated with the contract, so ask your Contracting Officer if the contract documents do not make it clear.
Important — Two Types of CUI

CUI Basic: the baseline handling requirements apply (NIST SP 800-171 controls and the "CUI" banner marking, optionally followed by the category marking). This is the most common type for defense contractors.

CUI Specified: a specific law, regulation, or government-wide policy imposes additional or different handling, dissemination, or marking requirements (for example, ITAR-controlled export data or nuclear-related information). The banner carries the "SP-" prefix and the category, e.g. "CUI//SP-EXPT", and the specified authority must be satisfied in addition to the NIST SP 800-171 baseline. Review these categories with your legal or export-control team.

Select all CUI categories that your organization handles under this contract:
Controlled Technical Information (CTI)
Technical data with military or space application (drawings, specifications, engineering data) that carries a Distribution Statement B through F.
Examples: Technical drawings, system specs, CAD files, test data, engineering reports
Export Controlled (ITAR/EAR)
Technical data subject to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) when created or possessed for government purposes.
Examples: Defense articles technical data, dual-use technology, munitions-related data
Procurement & Acquisition
Sensitive contract data, source selection information, bid information, proposal details, pre-award information protected under FAR/DFARS.
Examples: Competitor pricing data, evaluation criteria, pre-decisional contract awards
Privacy / PII
Personally Identifiable Information (PII) of government personnel, veterans, or other individuals. Includes information protected under the Privacy Act of 1974.
Examples: Personnel rosters, SSNs, medical records, background investigation data
Proprietary Business Information
Trade secrets, commercial or financial information obtained under confidentiality, or source selection data protected under federal acquisition regulations.
Examples: Contractor cost data, proprietary processes, sensitive financial submissions
Critical Infrastructure
Information about systems and assets vital to national security, public health/safety, or economic security whose disruption would have serious consequences.
Examples: Vulnerability assessments, security plans for critical systems, infrastructure maps
Law Enforcement
Information compiled for law enforcement purposes that could interfere with proceedings, deprive a person of a fair trial, or disclose investigative techniques.
Examples: NCIS investigation data, criminal referral information, undercover operation details
NATO / International Agreements
Information shared under formal agreements with foreign governments or NATO. Subject to specific dissemination and handling controls in the agreement.
Examples: NATO RESTRICTED documents, information released under a bilateral or multilateral agreement
None of the Above / Unsure
I do not believe my organization handles any of these CUI categories, or I am unsure what types of information qualify as CUI in my contract.
Globe-America can review your contract to identify CUI categories that apply.
Map Your CUI Data Flows
CUI scoping requires understanding how CUI enters your organization, where it travels, and how it exits. Every location where CUI is received, stored, processed, transmitted, or destroyed must be within your compliance boundary. Answer honestly — gaps here are the most common assessment finding.
How CUI Enters Your Organization
How does CUI typically arrive at your organization? (Select all that apply)
Where CUI Is Stored
Where does CUI reside in your IT environment once received? (Select all that apply)
How CUI Is Shared or Transmitted
How is CUI transmitted or shared within or outside your organization? (Select all that apply)
Assess Your Systems & Asset Boundaries
CMMC scoping categorizes your IT assets into five types based on their relationship to CUI. Every asset that processes, stores, or transmits CUI — or provides security protection for those that do — falls within your CMMC assessment boundary. Proper categorization is the foundation of a defensible SSP.
CUI Assets (In Scope)
Systems that directly process, store, or transmit CUI. These are always in scope and must implement all applicable NIST 800-171 controls.

Examples: Workstations with CAD files, email servers, file shares containing technical drawings
Security Protection Assets (In Scope)
Systems that provide security functions for CUI Assets — even if they don't directly handle CUI. Also always in scope.

Examples: Firewalls, identity/access management systems, SIEM, antivirus servers
Contractor Risk Managed Assets
Assets that can, but are not intended to, process, store, or transmit CUI because of security policies, procedures, and practices you have in place. They must be listed in your asset inventory and SSP, and the policy that keeps CUI off them must be enforced and evidenced; they are not assessed against CMMC practices unless the assessor finds they pose a risk to CUI. Managed well, they keep everyday business systems out of the full assessment.

Examples: Personal phones, home computers with documented CUI prohibition policies
Specialized Assets
Assets with unique characteristics making standard CMMC controls impractical — handled separately in the SSP.

Examples: IoT devices, OT/ICS systems, test equipment, government-furnished equipment (GFE)
Out-of-Scope Assets
Assets fully isolated from CUI — no processing, storage, transmission, or security protection role. Not assessed. Proper isolation must be documented and defensible.

Examples: HR or payroll systems fully segregated from CUI environment
Current Asset Inventory Status
Has your organization documented an inventory of IT assets that may come into contact with CUI?
CUI Enclave Strategy
Has your organization established or considered a CUI enclave — a separate, isolated network segment specifically for CUI processing?
A CUI enclave can dramatically reduce your CMMC assessment scope and cost by limiting the number of assets that must be fully compliant.
Cloud Environment
If CUI is stored or processed in a cloud environment, which platform does your organization use? Note that DFARS 252.204-7012 requires any external cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline (or equivalent) and to support the clause's incident reporting and forensic requirements, so both the provider and the specific service offering you use affect your scope.
Your CUI Scope Report
Based on your inputs, here is your preliminary CUI scoping summary. This report identifies key findings, compliance gaps, recommended next steps, and your enclave strategy options. Use this as a starting point — your Globe-America engagement will produce a formal, documented CUI data flow diagram and SSP-ready scope narrative.