Unified Scoping Guide For Sensitive & Regulated Data   

Unified Scoping Guide Cover.JPG

The Unified Scoping Guide (USG) is a free resource that is intended to help organizations define the scope of the sensitive data where it is stored, transmitted and/or processed. This guide will refer to both sensitive and regulated data as “sensitive data” to simplify the concept this document is focused on. This model categorizes system components according to several factors:

  • Whether sensitive data is being stored, processed or transmitted;

  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and

  • The connectivity between the system and the sensitive data environment.

This approach is applicable to the following sensitive data types:

  • Controlled Unclassified Information (CUI)

  • Personally Identifiable Information (PII)

  • Cardholder Data (CHD)

  • Attorney-Client Privilege Information (ACPI)

  • Export-Controlled Data (ITAR / EAR)

  • Federal Contract Information (FCI)

  • Protected Health Information (PHI)

  • Intellectual Property (IP)

  • Student Educational Records (FERPA)

  • Critical Infrastructure Information (CII)

This is an evolution of the CUI Scoping Guide that ComplianceForge previously published. This new version includes CUI scoping considerations, but expands on the model to address a broader category of sensitive and regulated data. This document can be used to help companies define what is in scope to comply with NIST SP 800-171 and appropriately prepare for a CMMC assessment, since a significant step towards becoming NIST SP 800-171 compliant and being able to pass a CMMC assessment is understanding the scope of the Controlled Unclassified Information (CUI) environment.

   Zone-Based Approach To Implementing Data-Centric Security   

When viewing scoping, there are eight (8) zones for sensitive data compliance purpose:

  1. Sensitive Data Assets: The first zone contains systems, services and applications that directly store, transmit and/or process sensitive data.

  2. Segmenting: The second zone contains “segmenting systems” that provide access (e.g., firewall, hypervisors, etc.).

  3. Security Tools: The third zone contains “security tools” that directly impact the integrity of category 1 and 2 assets (e.g., Active Directory, centralized antimalware, vulnerability scanners, IPS/IDS, etc.).

  4. Connected. The fourth zone contains connected systems. These are systems, embedded technologies, applications or services that have some direct or indirect connection into the sensitive data environment. Systems, embedded technologies, applications and services that may impact the security of (for example, name resolution or web redirection servers) the sensitive data environment are always in scope. Essentially, it something can impact the security of sensitive data, it is in scope.

  5. Out-of-Scope. The fifth zone contains out-of-scope systems that are completely isolated from the sensitive data systems.

  6. Enterprise-Wide. The sixth zone addresses the organization’s overall corporate security program (cyber and physical).

  7. Third-Party Service Provider. The seventh zone addresses supply-chain security with the “flow down” of contractual requirements to Third-Party Service Providers (TSPs) that can directly or indirectly influence the sensitive data environment. TSPs are third-party organizations that provide services to the organizations.

  8. Subcontractors. The eighth zone addresses subcontractors, which are third-party organizations that are party to the actual execution of the contract where the subcontractor may create, access, receive, store and/or transmit regulated data (sensitive data).

CUI CMMC Scoping Guide.jpeg
Zone 1 - Sensitive Data Assets.JPG

Zone 1: All systems, applications and services that store, transmit and/or process sensitive data are Category 1 devices. These systems that interact with sensitive data are the main assets that sensitive data are trying to protect

Zone 1 - Segmenting.JPG

Zone 2: All network devices or hypervisors that provide segmentation functions are Category 2 devices. This category involves systems that provide segmentation and prevent "sensitive data contamination" from the sensitive data environment to uncontrolled environments. Typically, these are firewalls or segmentation technology that implement some form of Access Control List (ACL) to restrict logical access into and out of the sensitive data environment. This can also include Zero Trust Architecture (ZTA) components that provide micro-segmentation services

Note: If network segmentation is in place and is being used to reduce the scope of an assessment, expect the assessor to verify that the segmentation is adequate to reduce the scope of the assessment. the more detailed the documentation your assessor will require to adequately review the implemented segmenting solution.

Zone 3 - Security Tools.JPG

Zone 3: All systems that provide security-related services or IT-enabling services that may affect the security of the sensitive data environment are Category 3 devices. There are systems that can impact configurations, security services, logging, etc. that can be in a dedicated security subnet or on the corporate LAN.

These include, at a minimum:

  • Identity and Directory Services (Active Directory, LDAP)

  • Domain Name Systems (DNS)

  • Network Time Systems (NTP)

  • Patch management systems

  • Vulnerability & patch management systems

  • Anti-malware management systems

  • File Integrity Management (FIM) systems

  • Data Loss Prevention (DLP) systems

  • Performance monitoring systems

  • Cryptographic key management systems

  • Remote-access or Virtual Private Network (VPN) systems

  • Multi-factor Authentication (MFA) systems

  • Mobile Device Management (MDM) systems

  • Log management and Security Incident Event Management (SIEM) systems

  • Intrusion Detection Systems/ Intrusion Prevention Systems (IDS/IPS)

Zone 4 - Connected.JPG

Zone 4: Any system that has some capability to communicate with systems, applications or services within the sensitive data environment is a Category 4 device. A “connected” system, embedded technologies, application or service should be considered in scope for since it is not completely isolated. If it can potentially impact the security of sensitive data, it is in scope.

There are two sub-categories of connected devices:

  • Directly Connected; and

  • Indirectly Connected

Zone 4a - Directly Connected.JPG

Zone 4A: This sub-category addresses any system that is “connected to” the sensitive data environment is considered a directly-connected system. Any system outside of the sensitive data environment that is capable of communicating with a system that stores, transmits or processes sensitive data (e.g., asset within the sensitive data environment) is a Category 4A device.

Note: For systems outside of the sensitive data environment that have periodic controlled and managed outbound connections from the sensitive data environment that do not involve the transfer of regulated data (sensitive data), there is a case to argue that the system could be ruled out-of-scope since it cannot have an impact on the security of sensitive data. In cases like this, some form of Data Loss Prevention (DLP) tool may be warranted to act as a compensating control to further demonstrate how the asset would be out-of-scope.

Zone 4b - Indirectly Connected.JPG

Zone 4B: This sub-category addresses any system that does not have any direct access to sensitive data systems (e.g., not interacting with the sensitive data environment). Any system that has access to Connected or Segmenting systems and that could affect the security of the sensitive data environment is a Category 4B device.

An example of an indirectly connected system would be that of an administrator's workstation that can administer a security device (Active Directory, firewall, etc.) or upstream system that feeds information to connected systems (e.g. patching system, DNS, etc.). In the case of a user directory, an administrator could potentially grant himself/herself (or others) rights to systems in the sensitive data environment, therefore breaching the security controls applicable to the sensitive data environment.

Zone 5 - Out of Scope.JPG

Zone 5: Any system, application or service that is not a sensitive data-contaminated, segmenting or connected system is a Category 5 asset. These assets are considered out-of-scope for sensitive data. These out-of-scope assets must be completely isolated (no connections whatsoever) from sensitive data systems, though they may interact with connected systems (and can even reside in the same network zone with connected systems).

Four (4) tests must be considered to confirm that a system is out-of-scope and considered a Category 5 asset. This amounts to ensuring that the asset does not fall under the previously defined categories:

  1. System components do NOT store, process, or transmit sensitive data.

  2. System components are NOT on the same network segment or in the same subnet or VLAN as systems, applications or processes that store, process, or transmit sensitive data.

  3. System component cannot connect to or access any system in the sensitive data environment.

  4. System component cannot gain access to the sensitive data environment, nor impact a security control for a system, embedded technologies, application or service in the sensitive data environment via an in-scope system.

Zone 6 - Enterprise Wide.JPG

Zone 6: This category addresses enterprise-wide security controls that exist outside of just the sensitive data environment. Within this category are the corporate-wide security practices that affect both cyber and physical security, including security-related policies, standards and procedures that affect the entire organization.

Zone 7 - Third Party Service Provider.JP

Zone 7: Sensitive data in the supply chain needs to be taken seriously and this category addresses Third-Party Service Providers (TSPs). The formal contracts between your organization its TSPs dictate the logical and physical access those TSP have to the organization’s facilities, systems and data. The “flow down” considerations of sensitive data must be addressed with each TSP to clearly identify the TSPs’ ability to directly or indirectly influence the sensitive data environment.

Examples of TSPs that may have sensitive data flow down requirements:

  • Bookkeepers

  • Human Resource (HR) recruiters

  • Payroll providers

  • Educational training providers

  • IT service providers / cybersecurity consultants / Managed Service Provider (MSP)

  • Business process consultants

  • Project Managers (PMs)

  • Document destruction providers

  • Janitorial services and environmental control management

Zone 8 - Subcontractor.JPG

Zone 8: This category addresses subcontractors necessary to perform the in-scope contract. While a subcontractor is a third-party, a subcontractor is party to the actual execution of the contract where the subcontractor may create, access, receive, store and/or transmit sensitive data.

   Sensitive Data Scoping Decision Tree   

The following decision tree provides a logical walk-through to determine if an asset is in scope or not:

2021 Scoping Guide - Zone Scoping Tree.p

   Sensitive Data In-Scope Matrix   

The following chart summarizes the concept of what is and is not in scope:

Scoping Guide Matrix.png

   Sensitive Data System-To-System Communications Considerations   

The following chart summarizes the concept of what communications are or are not in-scope:

Scoping Guide Data Communications Matrix