Unified Scoping Guide - control applicability assessment boundary scoping

Unified Scoping Guide

Unified Scoping Guide

Zone-Based Model To Apply A Data-Centric Security Approach For Scoping Sensitive & Regulated Data

The Unified Scoping Guide (USG) is a free resource that is intended to help organizations define the scope of the sensitive data where it is stored, transmitted and/or processed. This guide will refer to both sensitive and regulated data as “sensitive data” to simplify the concept this document is focused on. This model categorizes system components according to several factors:

This is an evolution of the CUI Scoping Guide that ComplianceForge previously published. This new version is updated to reflect the DoD's CMMC 2.0 Level 2 Scoping Guidance that includes Controlled Unclassified Information (CUIscoping considerations, but expands on the model to address a broader category of sensitive and regulated data. This document can be used to help companies define what is in scope to comply with NIST SP 800-171 and appropriately prepare for a CMMC assessment, since a significant step towards becoming NIST SP 800-171 compliant and being able to pass a CMMC assessment is understanding the scope of the CUI environment.

The Unified Scoping Guide (USG) is intended to help organizations define the scope of the sensitive data where it is stored, transmitted and/or processed. This guide will refer to both sensitive and regulated data as “sensitive data” to simplify the concept this document is focused on. This approach is applicable to the following sensitive data types:

  • Controlled Unclassified Information (CUI)
  • Personally Identifiable Information (PII)
  • Cardholder Data (CHD)
  • Attorney-Client Privilege Information (ACPI)
  • Export-Controlled Data (ITAR / EAR)
  • Federal Contract Information (FCI)
  • Protected Health Information (PHI)
  • Intellectual Property (IP)
  • Student Educational Records (FERPA)
  • Critical Infrastructure Information (CII)
Unified Scoping Guide | CUI Scoping Guide | CMMC Scoping Guide | NIST 800-171 Scoping Guide

Zone-Based Approach To Implementing Data-Centric Security

When viewing scoping, there are eight (8) zones for sensitive data compliance purpose.

Unified Scoping Guide (USG) - sensitive and regulated data CUI scoping guide

  1. Sensitive Data Assets: The first zone contains systems, services and applications that directly store, transmit and/or process sensitive data.
  2. Segmenting: The second zone contains “segmenting systems” that provide access (e.g., firewall, hypervisors, etc.).
  3. Security Tools: The third zone contains “security tools” that directly impact the integrity of category 1 and 2 assets (e.g., Active Directory, centralized antimalware, vulnerability scanners, IPS/IDS, etc.).
  4. Connected. The fourth zone contains connected systems. These are systems, embedded technologies, applications or services that have some direct or indirect connection into the sensitive data environment. Systems, embedded technologies, applications and services that may impact the security of (for example, name resolution or web redirection servers) the sensitive data environment are always in scope. Essentially, it something can impact the security of sensitive data, it is in scope.
  5. Out-of-Scope. The fifth zone contains out-of-scope systems that are completely isolated from the sensitive data systems.
  6. Enterprise-Wide. The sixth zone addresses the organization’s overall corporate security program (cyber and physical).
  7. External Service Provider. The seventh zone addresses supply-chain security with the “flow down” of contractual requirements to External Service Providers (ESPs) that can directly or indirectly influence the sensitive data environment. ESPs are third-party organizations that provide services to the organizations.
  8. Subcontractors. The eighth zone addresses subcontractors, which are third-party organizations that are party to the actual execution of the contract where the subcontractor may create, access, receive, store and/or transmit regulated data (sensitive data).

Unified Scoping Guide (USG) scoping tree

Zone 1: All systems, applications and services that store, transmit and/or process sensitive data are Category 1 devices. These systems that interact with sensitive data are the main assets that sensitive data are trying to protect

Zone 2: All network devices or hypervisors that provide segmentation functions are Category 2 devices. This category involves systems that provide segmentation and prevent "sensitive data contamination" from the sensitive data environment to uncontrolled environments. Typically, these are firewalls or segmentation technology that implement some form of Access Control List (ACL) to restrict logical access into and out of the sensitive data environment. This can also include Zero Trust Architecture (ZTA) components that provide micro-segmentation services

Note: If network segmentation is in place and is being used to reduce the scope of an assessment, expect the assessor to verify that the segmentation is adequate to reduce the scope of the assessment. the more detailed the documentation your assessor will require to adequately review the implemented segmenting solution.

Zone 3: All systems that provide security-related services or IT-enabling services that may affect the security of the sensitive data environment are Category 3 devices. There are systems that can impact configurations, security services, logging, etc. that can be in a dedicated security subnet or on the corporate LAN.

These include, at a minimum:

  • Identity and Directory Services (Active Directory, LDAP)
  • Domain Name Systems (DNS)
  • Network Time Systems (NTP)
  • Patch management systems
  • Vulnerability & patch management systems
  • Anti-malware management systems
  • File Integrity Management (FIM) systems
  • Data Loss Prevention (DLP) systems
  • Performance monitoring systems
  • Cryptographic key management systems
  • Remote-access or Virtual Private Network (VPN) systems
  • Multi-factor Authentication (MFA) systems
  • Mobile Device Management (MDM) systems
  • Log management and Security Incident Event Management (SIEM) systems
  • Intrusion Detection Systems/ Intrusion Prevention Systems (IDS/IPS)

Zone 4: Any system that has some capability to communicate with systems, applications or services within the sensitive data environment is a Category 4 device. A “connected” system, embedded technologies, application or service should be considered in scope for since it is not completely isolated. If it can potentially impact the security of sensitive data, it is in scope.

There are two sub-categories of connected devices:

  • Directly Connected; and
  • Indirectly Connected

Zone 4A: This sub-category addresses any system that is “connected to” the sensitive data environment is considered a directly-connected system. Any system outside of the sensitive data environment that is capable of communicating with a system that stores, transmits or processes sensitive data (e.g., asset within the sensitive data environment) is a Category 4A device.

Note: For systems outside of the sensitive data environment that have periodic controlled and managed outbound connections from the sensitive data environment that do not involve the transfer of regulated data (sensitive data), there is a case to argue that the system could be ruled out-of-scope since it cannot have an impact on the security of sensitive data. In cases like this, some form of Data Loss Prevention (DLP) tool may be warranted to act as a compensating control to further demonstrate how the asset would be out-of-scope.

Zone 4B: This sub-category addresses any system that does not have any direct access to sensitive data systems (e.g., not interacting with the sensitive data environment). Any system that has access to Connected or Segmenting systems and that could affect the security of the sensitive data environment is a Category 4B device.

An example of an indirectly connected system would be that of an administrator's workstation that can administer a security device (Active Directory, firewall, etc.) or upstream system that feeds information to connected systems (e.g. patching system, DNS, etc.). In the case of a user directory, an administrator could potentially grant himself/herself (or others) rights to systems in the sensitive data environment, therefore breaching the security controls applicable to the sensitive data environment.

Zone 5: Any system, application or service that is not a sensitive data-contaminated, segmenting or connected system is a Category 5 asset. These assets are considered out-of-scope for sensitive data. These out-of-scope assets must be completely isolated (no connections whatsoever) from sensitive data systems, though they may interact with connected systems (and can even reside in the same network zone with connected systems).

Four (4) tests must be considered to confirm that a system is out-of-scope and considered a Category 5 asset. This amounts to ensuring that the asset does not fall under the previously defined categories:

  1. System components do NOT store, process, or transmit sensitive data.
  2. System components are NOT on the same network segment or in the same subnet or VLAN as systems, applications or processes that store, process, or transmit sensitive data.
  3. System component cannot connect to or access any system in the sensitive data environment.
  4. System component cannot gain access to the sensitive data environment, nor impact a security control for a system, embedded technologies, application or service in the sensitive data environment via an in-scope system.

Zone 6: This category addresses enterprise-wide security controls that exist outside of just the sensitive data environment. Within this category are the corporate-wide security practices that affect both cyber and physical security, including security-related policies, standards and procedures that affect the entire organization.

Zone 7: Sensitive data in the supply chain needs to be taken seriously and this category addresses External Service Providers (ESPs). The formal contracts between your organization its ESPs dictate the logical and physical access those ESP have to the organization’s facilities, systems and data. The “flow down” considerations of sensitive data must be addressed with each ESP to clearly identify the ESPs’ ability to directly or indirectly influence the sensitive data environment.

Examples of ESPs that may have sensitive data flow down requirements:

  • Bookkeepers
  • Human Resource (HR) recruiters
  • Payroll providers
  • Educational training providers
  • IT service providers / cybersecurity consultants / Managed Service Provider (MSP)
  • Business process consultants
  • Project Managers (PMs)
  • Document destruction providers
  • Janitorial services and environmental control management

Zone 8: This category addresses subcontractors necessary to perform the in-scope contract. While a subcontractor is a third-party, a subcontractor is party to the actual execution of the contract where the subcontractor may create, access, receive, store and/or transmit sensitive data.

Scoping Is A Due Diligence Activity

Failure to adequately perform due diligence in scoping activities may lead to every system, application and service in your organization to be considered in scope and require applicable statutory, regulatory and/or contractual controls. The old adage of “if you fail to plan, you plan to fail” is very applicable in this scenario, so taking the time to document assets and data flows is of the utmost importance to ensure an accurate understanding of the people, processes and technology involved exists.

?In practical terms, security and data protection controls exist to protect an organization’s data. Requirements for asset management do not primarily exist to protect the inherent value of the asset, but the data it contains, since assets are merely data containers. Assets, such as laptops, servers and network infrastructure are commodities that can be easily replaced, but data residing on those devices cannot. This concept of being data-centric is crucial to understand when developing, implementing and governing a cybersecurity and privacy program, since it provides guidelines to establish the scope for control applicability.

This model categorizes system components according to several factors:

  • Whether sensitive data is being stored, processed or transmitted;
  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and
  • The connectivity between the system and the sensitive data environment. 

sensitive and regulated data control applicability scoping

The model utilizes eight (8) zones to categorize system components, based on the interaction with sensitive data. This model highlights the different types of risks associated with each zone. This approach makes it evident which systems, applications and services must be appropriately protected, due to the risk posed to sensitive data. The Sensitive Data Environment (SDE) encompasses the people, processes and technologies that store, process and transmit sensitive data: 

  • Store – When sensitive data is inactive or at rest (e.g., located on electronic media, system component memory, paper)
  • Process – When sensitive data is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)
  • Transmit – When sensitive data is being transferred from one location to another (e.g., data in motion).

This guide is not endorsed by any statutory or regulatory body. This is merely an unofficial model that ComplianceForge compiled to help organizations comply with their cybersecurity and data privacy compliance needs. 

Segmentation Considerations

It is important to understand that without adequate network segmentation (e.g., a flat network) the entire network would be expected to be in scope for an assessment. Network segmentation should be viewed as a very beneficial process to isolate system components that store, process or transmit sensitive data from systems that do not. Adequate network segmentation may reduce the scope of the SDE and overall reduce the scope of an assessment. It is important to point out that Zero Trust Architecture (ZTA) still has scoping requirements and is not a “magic bullet” to eliminate scoping requirements. Examples of mechanisms that provide controlled access include firewalls, routers, hypervisors, micro-segmentation (e.g., ZTA), etc.

To eliminate ambiguity surrounding the term “segmentation” in terms of sensitive data enclave scoping, this guide uses one of the two following terms:

  • Isolation – No logical access. This is achieved when network traffic between two assets is not permitted.
  • Controlled Access – Logical access is permitted. This is achieved when access between assets is restricted to defined parameters.
    • Controlled access is more common than isolation.
    • Restrictions may include logical access control, traffic type (e.g., port, protocol or service), the direction from which the connection is initiated (e.g., inbound, outbound), etc.

Rationalizing Data Scoping Recommendations

When evaluating the available guidance that exists to perform appropriate scoping activities, the Payment Card Industry Data Security Standard (PCI DSS) reigns, due to its long-established and internationally-recognized practices for protecting cardholder data (e.g., credit and debit cards). PCI DSS v1.0 was first published in 2004, so it has nearly two decades of guidance for “what looks right” to scope environments that require the implementation of PCI DSS controls to protect the confidentiality and integrity of cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) publishes an authoritative scoping guide for merchants to leverage for PCI DSS compliance efforts. This PCI SSC scoping guidance is based on real-world threats and practical lessons-learned on how segmentation can be used to minimize scoping, due to limiting the ability of threats to negatively impact cardholder data.

Since PCI DSS is data-centric, that scoping guidance can be directly applied to other forms of data that require protection. This guide leveraged the outstanding concepts that PCI Resources published in its PCI DSS Scoping Model and Approach[2] by applying that scoping methodology to other types of sensitive data.

PCI DSS is a well-established and widely-adopting standard for protecting cardholder data (e.g., credit and debit cards). PCI DSS v1.0 was first published in 2004, so there is nearly two decades of guidance for “what looks right” to scope environments that require the implementation of PCI DSS controls to protect the confidentiality and integrity of cardholder data. From the perspective of PCI DSS, if scoping is done poorly, an organization’s entire network may be in-scope, which means PCI DSS requirements would apply uniformly throughout the entire company’s network. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the Cardholder Data Environment (CDE) can be a small fraction of the company's network, which makes compliance much more achievable and affordable.

When you look at sensitive data compliance scoping, it has some similarities to PCI DSS:

  • PCI DSS is focused on protecting the confidentiality and integrity of cardholder data, which is where credit/debit card data is stored, processed and transmitted.
  • Statutory, regulatory and contractual obligations to protect sensitive data require controls to be implemented on the applicable environment(s) (e.g., system, application, service, etc.) where the sensitive data is stored, processed or transmitted. This is how PCI DSS applies its controls from a scoping perspective.
  • Cardholder data is considered “infectious” from the perspective of scoping. Without proper segmentation and clear business processes, other forms of sensitive data can “infect” the entire network and greatly expand the scope of compliance and audits.

What This Guide Does Address

Identifying and addressing the people, processes and technologies around sensitive data is a necessary part of any cybersecurity and data protection (privacy) program. This guide focuses on categorizing the system components that comprise a company's computing environment and helps with the following: 

  • Assists in determining which system components fall in and out of scope.
  • Facilitates constructive communication between your company and an assessor/regulator by providing a reasonable methodology to describe your technology infrastructure and sensitive data environment.
  • Provides a means to categorize the various different types of assets, each with a different risk profile associated with it.
  • Provides a starting point to potentially reduce the scope of sensitive data by re-architecting technologies to isolate and control access to the sensitive data environment.

This model categorizes system components according to several factors:

  • Whether sensitive data is being stored, processed or transmitted;
  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and
  • The connectivity between the system and the Sensitive Data Environment (SDE).

What This Guide Does Not Address

This guide does not define which statutory, regulatory and/or contractual controls are required for each category. Since every organization is different, it is up to each organization and its assessor to determine the nature, extent and effectiveness of each control to adequately mitigate the risks to sensitive data.

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $9,500.00
    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.

    NIST 800-171 Compliance Program (NCP): CMMC Level 2

    ComplianceForge - NIST 800-171 & CMMC

    NIST 800-171 & CMMC Editable & Affordable Cybersecurity Documentation This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. Includes NIST 800-171 Rev...

    $8,950.00
    $8,950.00
    $5,200.00
    Choose Options

Learn More About Cybersecurity & Data Privacy