Avoid costly delays. Use this checklist to strengthen your CUI boundary before your CMMC Level 2 assessment.
✔ Identify where CUI is created, processed, stored, or transmitted.
✔ Document systems, users, applications, and processes that handle CUI.
✔ Separate CUI from non-CUI operations wherever possible.
✔ Eliminate systems and users that don't need access to CUI.
✔ Use segmentation (firewalls, VLANs, access controls) to isolate CUI systems.
✔ Apply the principle of "smallest possible boundary" to minimize complexity.
✔ Create an up-to-date network diagram showing CUI boundaries.
✔ Maintain an accurate System Security Plan (SSP) that matches your boundary.
✔ Ensure asset inventories are current and identify CUI-handling components.
✔ Ensure multi-factor authentication (MFA) is enabled on all CUI systems.
✔ Confirm encryption is used for CUI at rest and in transit.
✔ Validate access controls (least privilege, role-based access) are consistently enforced.
✔ Perform a gap analysis or internal mock assessment.
✔ Audit data flows to confirm that no CUI leaks to unprotected or external systems.
✔ Verify that third-party providers meet CMMC security requirements.
✔ Map boundary decisions clearly to CMMC practices (especially in domains such as Access Control, System & Communications Protection, and Media Protection).
✔ Train relevant users on boundary policies and CUI handling.
✔ Be ready to justify boundary decisions to your C3PAO assessor.
Tip: A strong, well-defined boundary can reduce costs, simplify audits, and help you certify faster.
Prepare for Level 2 compliance with Coalfire Federal today!