CMMC Scoping
IN THIS LESSON
In this video, Amira Armond and Mark Hapeman of Kieri Solutions walk viewers through one of the most important—and often misunderstood—questions in CMMC compliance: Do I even have CUI?
This session helps organizations preparing for CMMC Level 2 understand what qualifies as Controlled Unclassified Information (CUI), how to identify it, and why that matters for scoping. Viewers will learn:
• The difference between Federal Contract Information (FCI) and CUI—and how to recognize each.
• How to interpret CUI markings, including headers, footers, and designation indicators.
• Why not all sensitive information is CUI, and how to avoid common misconceptions from reading the CUI Registry.
• The role of federal contracts and legal authorities in defining what must be protected.
• What to look for in contract documents like the Contract Data Requirements List (CDRL) and distribution statements.
• How to locate CUI within your network, systems, and workforce to support accurate scoping.
By the end, viewers will be equipped to take the first critical step in scoping: identifying where CUI exists in their environment. This knowledge sets the foundation for effective compliance under the final CMMC rule.