Rewrite: system-and-network-requirements-for-cui

Understand what level of system and network is required for CUI compliance and data protection.

---

If your organization handles Controlled Unclassified Information, every system that touches CUI — stores it, processes it, or transmits it — must meet the security requirements in NIST SP 800-171 Rev 2. That's 110 controls across 14 domains. There's no lighter version. If CUI is on the system, the system is in scope for your CMMC assessment.

The first question isn't "what controls do I need?" — it's "which systems are in scope?" Getting the scoping right determines everything that follows: what you need to secure, what it costs, and how long it takes.

How CUI Determines What's In Scope

You need to trace every path CUI takes through your environment: which servers store it, which workstations access it, which email systems transmit it, which cloud services process it, which backup systems copy it. Miss one system and your assessor will find it.

Under the CMMC scoping guidance, assets fall into four categories:

CUI Assets — systems that directly process, store, or transmit CUI. File servers with CUI documents, workstations used to create or edit CUI, email systems that transmit CUI, cloud services that process CUI. These are fully in scope. All 110 Level 2 controls apply.

Security Protection Assets (SPAs) — systems that provide security functions to CUI assets. Firewalls, SIEM servers, authentication servers, log management systems, backup systems, vulnerability scanners. Also fully in scope — if an attacker compromises your firewall, your CUI assets are exposed.

Contractor Risk Managed Assets (CRMAs) — systems connected to the CUI environment but not directly handling CUI. Your general corporate network, HR systems, marketing workstations. Not assessed under CMMC, but you must document them in your SSP and manage them under your own risk-based security policies. The key risk: if a CRMA is compromised and there's a path to the CUI environment, you have a problem.

Specialized Assets — IoT devices, operational technology (OT) systems, test equipment, government-furnished equipment. Not assessed, but must be documented with risk justification for why they're excluded. If a specialized asset can access CUI, it should probably be a CUI Asset instead.

The Scoping Mistake That Sinks Assessments

The most common scoping failure is under-scoping: forgetting a system that touches CUI. Typical misses include backup servers (they store copies of CUI), IT admin workstations (they have privileged access to CUI systems), cloud sync services (they may replicate CUI to unauthorized locations), and mobile devices (they may cache CUI from email or file shares).

Build a data flow diagram before you build your asset inventory. Trace CUI from the moment it enters your environment (received from DoD, created by your engineers) through every system it touches, to every place it's stored or backed up, until it leaves (transmitted to DoD, destroyed). Every system on that diagram is in scope.
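As an added example (not part of the original article), here is one way to turn that data flow diagram into an under-scoping check: walk the CUI-carrying flows from each entry point and flag any system on the path, or with privileged access to it, that the SSP still declares as a CRMA. The inventory and flows are constructed sample data with hypothetical system names.

```python
from collections import deque

# Constructed sample inventory (hypothetical system names); the category is
# what the SSP currently declares for each system.
ASSETS = {
    "dod-sftp-ingest": "CUI Asset",
    "eng-fileserver": "CUI Asset",
    "eng-ws-01": "CUI Asset",
    "backup-server": "CRMA",      # stores copies of CUI: a typical miss
    "it-admin-ws": "CRMA",        # privileged access to CUI systems: another miss
    "hr-system": "CRMA",
    "enclave-firewall": "Security Protection Asset",
}

# Constructed data flows: (source, destination, kind), where kind is "cui"
# (a CUI payload moves), "admin" (privileged management session) or "other".
FLOWS = [
    ("dod-sftp-ingest", "eng-fileserver", "cui"),
    ("eng-fileserver", "eng-ws-01", "cui"),
    ("eng-fileserver", "backup-server", "cui"),
    ("it-admin-ws", "eng-fileserver", "admin"),
    ("hr-system", "eng-ws-01", "other"),
]

IN_SCOPE = ("CUI Asset", "Security Protection Asset")

def trace_cui(flows, entry_points):
    """Every system reachable from a CUI entry point over CUI-carrying flows."""
    reached, queue = set(entry_points), deque(entry_points)
    while queue:
        node = queue.popleft()
        for src, dst, kind in flows:
            if src == node and kind == "cui" and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached

def find_under_scoped(assets, flows, entry_points):
    """Map each mis-categorized system to the reason it belongs in scope."""
    cui_path = trace_cui(flows, entry_points)
    findings = {}
    for asset in sorted(cui_path):
        if assets.get(asset) != "CUI Asset":
            findings[asset] = f"on the CUI data flow but declared {assets.get(asset, 'missing')}"
    for src, dst, kind in flows:
        if kind == "admin" and dst in cui_path and assets.get(src) not in IN_SCOPE:
            findings[src] = f"privileged access to {dst} but declared {assets.get(src, 'missing')}"
    return findings
```

Running `find_under_scoped(ASSETS, FLOWS, ["dod-sftp-ingest"])` on the sample data reports the backup server and the admin workstation, the two misses the section describes.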

Technical Baseline for CUI Systems

Every in-scope system must meet the full set of NIST 800-171 controls relevant to its function. Here's the practical baseline — the controls that apply to nearly every system:

Encryption

CUI must be encrypted at rest and in transit using FIPS 140-3 validated cryptography.

At rest (SC.L2-3.13.8): Full disk encryption on all endpoints and servers storing CUI. On Windows, BitLocker with FIPS mode enabled (Group Policy: "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing"). On macOS, FileVault with an Apple T2 or M-series chip (which use FIPS-validated modules). On Linux, LUKS with a FIPS-validated kernel module.

In transit (SC.L2-3.13.11): TLS 1.2 or higher with FIPS-validated cipher suites for all CUI transmission. Disable TLS 1.0 and 1.1. For site-to-site connections, use IPsec VPN with FIPS-validated algorithms. For remote access, the VPN client and concentrator must both use FIPS-validated modules.

Common mistake: Using encryption that isn't FIPS-validated. AES-256 on its own isn't sufficient — the specific implementation must appear on the NIST Cryptographic Module Validation Program (CMVP) list. Your assessor will ask for the validation certificate number for every cryptographic module protecting CUI. Check the list at csrc.nist.gov/projects/cryptographic-module-validation-program.

Access Control

Unique user accounts (AC.L2-3.1.1, IA.L2-3.5.1): Every user who accesses CUI systems must have a unique account. No shared accounts, no generic logins. Centralized identity management (Active Directory, Azure AD) is standard.

Multi-factor authentication (IA.L2-3.5.3): Required for remote access to CUI systems and for all privileged accounts. Authenticator apps, hardware tokens, or smart cards. Configure MFA at the identity provider level so it applies consistently.

Least privilege (AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.7): Users get the minimum access needed for their job. Privileged functions (admin, config changes) are restricted to dedicated accounts. Standard user accounts should not have admin rights.

Session controls (AC.L2-3.1.10, AC.L2-3.1.11): Automatic session lock after 15 minutes of inactivity. Pattern-hiding display on locked screens. Automatic session termination after defined conditions (end of business day, extended inactivity).

Audit Logging

What to log (AU.L2-3.3.1, AU.L2-3.3.2): Logins and logoffs, failed login attempts, privilege use, access to CUI files, changes to security configurations, account creation and modification, system startup and shutdown. Each log entry must include timestamp, user/process identity, event type, success/failure, and source.

Where to store logs (AU.L2-3.3.8): Centralized log management — SIEM or dedicated log server. Options include Splunk, Microsoft Sentinel, Elastic Stack (ELK), LogRhythm, or Graylog. The centralized system must itself be protected as a Security Protection Asset.

How long to keep them: Retain audit logs for at least one year, with three months immediately available for analysis. Archived logs can be in cold storage but must be retrievable.

Protect them (AU.L2-3.3.9): Audit logs must be protected from unauthorized access, modification, and deletion. That means integrity monitoring on the logs, restricted access to the log management system, and backups of the log data.
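As an added example (not code from the article or any of the products it names), this checks the two things above that can be tested mechanically: that every record carries the fields the content requirement lists, and that a hash chain over the records detects a modified or deleted entry. The key=value records are constructed sample data; the field names and the chaining scheme are assumptions for illustration.

```python
import hashlib

# Fields the page requires in every audit record (AU.L2-3.3.1).
REQUIRED = ("ts", "user", "event", "outcome", "src")

# Constructed sample records in a key=value line format (hypothetical shipper output).
SAMPLE_LOG = [
    "ts=2024-05-01T08:02:11Z user=jdoe event=logon outcome=success src=10.10.5.21",
    "ts=2024-05-01T08:03:40Z user=jdoe event=file_read outcome=success src=10.10.5.21 obj=/cui/spec.docx",
    "ts=2024-05-01T08:05:02Z user=svc_backup event=privilege_use outcome=success",
    "ts=2024-05-01T08:06:19Z event=logon outcome=failure src=203.0.113.9",
]

def parse_record(line):
    """Split a key=value line into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def incomplete_records(lines):
    """(line_number, missing_fields) for records that fail the content check."""
    findings = []
    for n, line in enumerate(lines, 1):
        missing = [f for f in REQUIRED if f not in parse_record(line)]
        if missing:
            findings.append((n, missing))
    return findings

GENESIS = "0" * 64

def link(prev_digest, line):
    # SHA-256 is a FIPS-approved algorithm, but hashlib's build is illustrative
    # here; the module guarding CUI logs must itself carry a CMVP certificate.
    return hashlib.sha256(f"{prev_digest}\n{line}".encode()).hexdigest()

def chain_records(lines):
    """Hash-chain each record to its predecessor (AU.L2-3.3.9 integrity check)."""
    prev, chained = GENESIS, []
    for line in lines:
        prev = link(prev, line)
        chained.append((line, prev))
    return chained

def verify_chain(chained):
    """Index of the first record whose digest no longer links, or None if intact."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chained):
        if link(prev, line) != digest:
            return i
        prev = digest
    return None
```

On the sample data, records 3 and 4 fail the content check (no source, no user), and editing or removing any chained record makes `verify_chain` return its position.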

Network Segmentation and Boundary Protection

Boundary controls (SC.L2-3.13.1, SC.L2-3.13.5): The CUI environment must have defined network boundaries with firewalls, access control lists, and traffic monitoring. All traffic entering or leaving the CUI boundary should be logged and inspected. This is especially critical if you're using an enclave approach.

Network monitoring (SI.L2-3.14.6, SI.L2-3.14.7): Capability to detect unauthorized access attempts, scanning activity, and data exfiltration. IDS/IPS at the boundary, with alerting configured for security-relevant events.

Wireless controls (AC.L2-3.1.16, AC.L2-3.1.17): Wireless access to CUI systems requires authorization and strong authentication (WPA2/WPA3 Enterprise with 802.1X). Monitor for rogue access points.

Endpoint Protection

Anti-malware (SI.L2-3.14.2): Endpoint protection on all systems in scope, with automatic signature updates and real-time scanning. EDR solutions (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne) provide detection capabilities beyond traditional anti-virus.

Patch management (SI.L2-3.14.1): Identify and remediate system flaws in a timely manner. Standard benchmarks: critical vulnerabilities within 30 days, high within 60, medium within 90. Document your patch policy and keep evidence of patch deployment.

Enclave vs. Enterprise: The Scoping Decision

This is the architectural decision that determines your CMMC cost and complexity.

Enclave approach — Build a separate, hardened environment just for CUI. Dedicated network segment (physical or VLAN), dedicated workstations, strict boundary controls. Only users who need CUI access enter the enclave. Everything outside the enclave is a CRMA.

Best for organizations where CUI is handled by a small team (under 20 people), CUI workflows can be isolated without major disruption, and you want to minimize the number of systems in scope. Many small defense subcontractors (50–200 employees) start here. Typical implementation cost for a small enclave: $50,000–$150,000 plus ongoing maintenance.

Enterprise approach — Bring your entire IT environment up to CMMC Level 2 standards. Every system meets the baseline. Every user is trained. No separate enclave needed because the whole environment is the enclave.

Best for organizations where most employees handle CUI, CUI flows through many systems and departments, or the operational friction of maintaining a separate enclave exceeds the cost of securing everything. Larger defense contractors and engineering firms often end up here. Higher up-front cost but simpler ongoing operations.

The hybrid reality — Most mid-size organizations end up somewhere between these two. They create an enclave for CUI processing but make enterprise-wide improvements to the corporate network that reduce CRMA risk. The enclave handles the CMMC assessment; the corporate improvements prevent the enclave boundary from being the only thing protecting CUI.

What Your Assessor Expects

Scoping validation happens on day one of your assessment. The assessor will review your asset inventory, network diagrams, data flow diagrams, and SSP to confirm you've captured everything in scope. They'll ask questions like:

  • "Walk me through a CUI data flow from receipt to destruction."
  • "What systems touch CUI that aren't in your CUI Asset inventory?"
  • "How do you prevent CUI from leaving the enclave boundary?"
  • "What happens if an employee accidentally saves CUI to a CRMA?"

If the assessor identifies systems you missed, the assessment scope expands on the spot — and you may not have the controls in place for the systems you excluded. This is how assessments fail before they really start.

Build your asset inventory and data flow diagrams before you start implementing controls. Knowing what's in scope determines every decision that follows.

---

Ready to map your CUI environment? Start with a data flow diagram — list every system CUI touches, then build your asset inventory from there.