Highground Cyber

CMMC Scoping Assessment

"Getting your CUI scoping right is a real challenge. Our internal efforts initially failed because neither the IT or business unit functions had a proper understanding of what CUI is and when we received it or when we generated it in our workflows... The Highground CUI Scoping assessment put us on a path to success."
- Matt Bergman, Director of IT at Spacesaver

Defining Your Shortest Path to Victory

Understanding The Scope Problem

The Data Classification Death Spiral

Highground Cyber has identified three things that contribute to OSAs' struggle with setting scope

01
OSAs are unaware they generate CUI
02
OSA personnel lack the read and recognition skills to know when they are handling CUI
03
OSAs cannot define the flow of CUI through their organization

These things feed into one another in a negative feedback loop across time, making the effort of defining scope a frustrating sink of time and resources where any one of these issues is present.

01
Contractor Generated CUI
Most OSAs generate CUI during contract performance. But OSAs fail to recognize that CUI is something they create, expecting CUI to be something they always receive or take in from others. But OSAs who render engineering or manufacturing services to the federal government or a prime contractor routinely generate CUI in the form of sensitive design drawings, blueprints, specifications, schematics, or delivery details. Most OSAs are unaware that such information constitutes CUI.
02
03

The Scoping Assessment

Highground Cyber works top-down to solve the scope problem. We orient ourselves with your business by focusing on what you do, for whom you do it, and how you do it. We comb through the details, finding and examining the contracts you have with the federal government and its prime contractors. We interview the various business units who have a hand in delivering your goods and services under those contracts, bringing a certified expert's understanding of CUI to each conversation along with decades of business analyst experience. With these, we map all connections between your workflows and assets, which is foundational to setting scope. This process is the only escape from a circular scoping problem, and with it, we accurately capture the people, technologies, and facilities that comprise your CUI security domain.