Separation Techniques

Separation is how you keep Out-of-Scope assets out of scope. If an asset isn’t separated from CUI Assets and it’s not in one of the four in-scope categories, you have a scoping problem — it’s either in scope or it needs to be separated.

Separation is only required for Out-of-Scope assets. CRMAs don’t need separation — they’re managed through policy and documentation instead. SPAs don’t need separation — they’re in scope by function. Separation is specifically the mechanism that justifies keeping an asset outside the boundary entirely.

Logical separation — the assets are physically connected (same building, possibly same network infrastructure) but data transfer between them is prevented by software or network controls. Firewalls with deny rules between segments, VLANs with no routing between CUI and non-CUI segments, access control lists on switches, VPN tunnels that isolate traffic. This is the most common approach because it works with existing infrastructure.

Physical separation — the assets have no connection at all, wired or wireless. Completely separate networks, separate cabling, separate switches. Data can only move between them manually (like carrying media). This is the most secure form of separation but impractical for most organizations.


The assessor needs to see that CUI data cannot flow from the CUI environment to the Out-of-Scope environment through network paths. This means:

  • No routing between the CUI VLAN and the Out-of-Scope VLAN (or firewall rules explicitly blocking it)
  • No shared services that could bridge the gap (a shared file server that both environments access could create a path)
  • No common credentials that grant access across both environments (an admin account that works on both sides means the admin’s workstation is in scope regardless of where it sits)

A VLAN tag alone isn’t separation if there’s a router forwarding traffic between VLANs. Separation means the assessor can’t find a network path from Out-of-Scope to CUI — and they’ll look.
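The three checks above (no routed path between the CUI and Out-of-Scope segments in either direction, no shared service, no shared credential) can be run as a simple reachability analysis over an asset inventory. The script below is an added example and is not part of the original page or of any assessment tool; the VLAN names, the routed links, the two firewall policies and the service and account lists are all constructed. The "weak" policy is the "VLAN tag alone" case: the router forwards between every VLAN and nothing is denied, so the guest VLAN reaches the CUI VLAN in two hops through the corporate VLAN. The "fixed" policy adds explicit deny rules in both directions between the corporate and CUI VLANs, which also cuts off the guest VLAN, but the shared file server and the domain admin account remain as findings because separation at the network layer does not remove them.

```python
"""Constructed CUI scoping check: looks for network paths between CUI and
Out-of-Scope segments, and for services or credentials that bridge them.
Every name and rule below is made up for illustration."""
from collections import deque

# Constructed inventory: segment -> scope category (CUI, SPA, CRMA, Out-of-Scope).
SEGMENTS = {
    "vlan10-cui":   "CUI",
    "vlan20-corp":  "Out-of-Scope",
    "vlan30-guest": "Out-of-Scope",
    "vlan40-mgmt":  "SPA",   # jump hosts that protect the CUI segment
}

# VLAN pairs the core router forwards between (each link carries both directions).
ROUTED_LINKS = [
    ("vlan10-cui", "vlan20-corp"),
    ("vlan20-corp", "vlan30-guest"),
    ("vlan10-cui", "vlan40-mgmt"),
]

# Directed firewall rules keyed by (src, dst); any pair not listed is permitted.
FIREWALL_WEAK = {}   # VLAN tags only: the router forwards everything
FIREWALL_FIXED = {   # explicit deny in both directions between corp and CUI
    ("vlan20-corp", "vlan10-cui"): "deny",
    ("vlan10-cui", "vlan20-corp"): "deny",
}

# Constructed shared services and accounts: name -> segments they are used from.
SERVICES = {"fileserver01": {"vlan10-cui", "vlan20-corp"}, "jump01": {"vlan40-mgmt"}}
ACCOUNTS = {"domain-admin": {"vlan10-cui", "vlan20-corp"}, "cui-admin": {"vlan10-cui", "vlan40-mgmt"}}


def build_graph(segments, routed_links, firewall):
    """Directed adjacency: src -> dst exists when the router forwards between the
    two VLANs and no firewall rule denies that direction."""
    graph = {name: set() for name in segments}
    for a, b in routed_links:
        for src, dst in ((a, b), (b, a)):
            if firewall.get((src, dst)) != "deny":
                graph[src].add(dst)
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the hop list from start to goal, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def network_findings(segments, routed_links, firewall):
    """One finding per routed path between a CUI segment and an Out-of-Scope
    segment, checked in both directions (the assessor will look both ways)."""
    graph = build_graph(segments, routed_links, firewall)
    cui = [s for s, cat in segments.items() if cat == "CUI"]
    oos = [s for s, cat in segments.items() if cat == "Out-of-Scope"]
    findings = []
    for c in cui:
        for o in oos:
            for src, dst in ((o, c), (c, o)):
                path = find_path(graph, src, dst)
                if path:
                    findings.append("network path " + " -> ".join(path))
    return findings


def bridge_findings(kind, shared, segments):
    """A service or credential used from both CUI and Out-of-Scope segments is a
    bridge: the Out-of-Scope side is in scope until that bridge is removed."""
    findings = []
    for name, used_from in shared.items():
        cats = {segments[s] for s in used_from}
        if "CUI" in cats and "Out-of-Scope" in cats:
            findings.append(f"{kind} '{name}' spans CUI and Out-of-Scope")
    return findings


def scoping_findings(segments, routed_links, firewall, services, accounts):
    """Full separation check: routed paths, then shared services, then credentials."""
    return (network_findings(segments, routed_links, firewall)
            + bridge_findings("shared service", services, segments)
            + bridge_findings("credential", accounts, segments))


if __name__ == "__main__":
    for label, policy in (("weak", FIREWALL_WEAK), ("fixed", FIREWALL_FIXED)):
        print(f"--- firewall policy: {label} ---")
        for line in scoping_findings(SEGMENTS, ROUTED_LINKS, policy, SERVICES, ACCOUNTS):
            print("  " + line)
```

Each finding is something that would either pull the asset into scope or require a separation control; an empty result is the state you want to be able to show the assessor. Because the routing check is a graph search rather than a look at individual VLAN IDs, it catches multi-hop paths that a per-VLAN review misses.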


Create a defined CUI security domain — a contained area where CUI lives, moves, and gets used. Everything outside that domain is either an SPA (protecting the domain), a CRMA (managed by policy), or Out-of-Scope (separated). The smaller you can make this domain while still supporting your contract work, the less you have to assess, secure, and maintain.