Scoping starts with knowing what you have. In this video, we explore how to identify the systems, infrastructure, and technologies that could impact the protection of Controlled Unclassified Information (CUI). You’ll learn how to approach asset discovery with a focus on systems and components that handle, store, transmit, or secure CUI—laying the groundwork for defining your assessment boundary.

A well-documented network diagram is a critical part of your System Security Plan (SSP) and your scoping package. This session covers how to create a network diagram that reflects your organization’s logical and physical architecture, highlights security boundaries, and shows where CUI is processed. You’ll also learn how to external connections, and boundary protection elements.

Understanding how CUI flows through your environment is essential to validating your assessment scope. In this session, we look at how to identify entry points, processing nodes, storage locations, and outbound flows of CUI. This session also shows how to use that information to update your network diagram, refine your boundary, and ensure your controls align with how CUI actually moves across your systems.

Many organizations rely on cloud platforms, managed service providers, or SaaS tools that could affect the security of CUI. In this final session, we examine how to identify and document your External Service Providers (ESPs) and determine whether they are part of your CMMC assessment scope. You’ll learn how to define ESP responsibilities, document relationships, and support shared responsibility decisions in your SSP.