
Accurate CUI Scoping with the Right CUI Discovery Software

  • brandon9024
  • Aug 5, 2025

Accurate scoping of Controlled Unclassified Information (CUI) is the most critical step in achieving Cybersecurity Maturity Model Certification (CMMC) compliance. An inflated or incomplete scope can significantly increase compliance costs and delay certification. Selecting the right CUI discovery software vendor is essential to ensure precision in identifying CUI across diverse environments, minimizing false positives, and optimizing compliance efforts. This blog compares Teramis, a purpose-built CUI discovery software, with Microsoft Purview, a general-purpose data governance platform, focusing on their effectiveness in file type support, file size limitations, sampling standards, and data discovery scope.


CUI Scoping: The Most Important Step


CUI scoping determines the size, scale, and effort required for CMMC compliance. It involves identifying where CUI resides, how it is processed, and which systems or individuals interact with it. This includes not only storage locations but also systems that transmit, view, or print CUI. For example, printing CUI on a local printer brings the printer, its network, and connected endpoint devices into scope. An inaccurate scope—either over-identifying non-CUI data or missing critical CUI—can lead to:


  • Increased Costs: Over-scoping requires unnecessary security controls, audits, and resources, inflating compliance expenses.

  • Delayed Compliance: Incomplete scoping can lead to audit failures, forcing rework and extending project timelines. This not only delays CMMC certification but may also prevent organizations from bidding on defense contracts that require compliance.


Choosing the right CUI discovery software vendor is critical to achieving a precise scope, ensuring compliance efficiency, and reducing costs.


Selecting the Right CUI Discovery Software Vendor


The effectiveness of CUI discovery software hinges on its ability to accurately identify CUI across all relevant systems and file types while avoiding false positives that inflate scope. Below, we compare Teramis and Microsoft Purview across key factors affecting CUI scoping.


Accuracy: The Foundation of Precise Scoping


Accuracy in CUI detection is paramount, as false positives can artificially expand the compliance scope, leading to costly over-application of security controls and broader CMMC assessment boundaries.


Teramis:

  • Achieves up to 99% accuracy in CUI detection, leveraging advanced algorithms tailored for defense environments. This high precision minimizes false positives, ensuring only actual CUI is scoped.

  • Aligns with DoD standards (MIL-STD-105E and ASQ/ANSI Z1.9:2018) for sampling, providing statistically valid and defensible results for DoD audits.

  • Impact on Scope: Precise detection reduces over-identification, optimizing compliance costs by focusing controls on true CUI assets.


Microsoft Purview:

  • Relies on sensitive information types (SITs), trainable classifiers, and regular expressions, which are not optimized for CUI. Independent user accounts suggest high false positive rates, indicating accuracy challenges.

  • Does not align with MIL-STD-105E or ASQ/ANSI Z1.9:2018, lacking DoD-specific sampling methodologies, which may reduce audit defensibility.

  • Requires manual validation to improve accuracy, increasing administrative overhead and costs.

  • Impact on Scope: High false positives inflate the CUI scope, leading to unnecessary controls and higher compliance costs.


File Size Limitations


File size restrictions can significantly impact CUI detection, especially in defense environments where large technical files are common.


Teramis:

  • As a purpose-built CUI discovery software, Teramis avoids file size and count limitations that plague general-purpose eDiscovery tools. It handles large files like AutoCAD drawings without restrictions, ensuring comprehensive CUI detection.

  • Impact on Scope: Because there are no file size limits, Teramis avoids missed CUI, ensuring an accurate scope and avoiding costly manual reviews.


Microsoft Purview:

  • Imposes a 150 MB per file limit for eDiscovery workflows and a 20 MB sampling limit for deep scanning of documents, excluding large files like AutoCAD drawings common in DoD settings.

  • Impact on Scope: These significant limitations can miss CUI in large files, leading to an incomplete scope or requiring costly external tools to compensate, inflating compliance expenses.


Sampling Standards


Sampling methodologies impact the reliability and defensibility of CUI detection.


Teramis:

  • Employs DoD-aligned standards (MIL-STD-105E and ASQ/ANSI Z1.9:2018), ensuring statistically valid sampling for precise CUI detection and audit defensibility.

  • Impact on Scope: Standardized sampling minimizes false positives and ensures all CUI is identified, optimizing compliance scope and costs.


Microsoft Purview:

  • Uses SITs, classifiers, and regular expressions without DoD-specific sampling standards. Accuracy depends on manual tuning, and Microsoft does not claim a specific accuracy rate.

  • Impact on Scope: Lack of DoD-aligned sampling can lead to results that are harder to defend during audits, as well as more false positives, ultimately inflating scope and costs.


File Type Support


Comprehensive file type support is essential for detecting CUI in diverse formats common in defense environments.


Teramis:

  • Supports a wide range of file types, including Modern & Legacy Office (DOCX, DOC), CAD (DWG) & Visio, Images (BMP, PNG, JPG, TIFF, PCX) with deep OCR and context-aware detection, PDFs, Email files (.eml/.msg), ODF (.odt, .odp), Data files (CSV, XML, text, scripts), Compressed archives (.zip), and PostScript.

  • Impact on Scope: Broad compatibility, especially for CAD and images, ensures no CUI is missed, maintaining an accurate scope.


Microsoft Purview:

  • Supports Modern & Legacy Office, PDFs, Email files, and Data files, but has very limited or no support for CAD (DWG) & Visio, basic support or blanket protection for images (no deep OCR), generally unsupported ODF, limited scanning for compressed archives, and no known support for PostScript.

  • Impact on Scope: Significant gaps in CAD and image support can miss critical CUI, requiring costly manual processes or external tools to complete the scope.


CUI Environments and Data Discovery Scope


CUI discovery software must operate across diverse environments to ensure comprehensive scoping.


Teramis:

  • Detects CUI across on-premises, cloud, and hybrid environments, offering platform-agnostic flexibility for diverse data estates. It performs "comprehensive CUI discovery and mapping across your entire IT environment."

  • Impact on Scope: Comprehensive discovery ensures all CUI is identified, avoiding gaps that could lead to non-compliance and reducing costs by focusing on actual CUI.


Microsoft Purview:

  • Focused on Microsoft 365 (e.g., Exchange, SharePoint, OneDrive, Teams), with limited non-M365 discovery requiring additional configuration or connectors. The Data Map supports up to 1 TB of metadata but struggles with large data estates (>100 TB) due to a 7-day scan duration limit.

  • Impact on Scope: Limited non-M365 discovery can miss CUI, requiring costly integrations, while slow scans for large volumes increase operational costs.


Conclusion


Accurate CUI scoping is essential to controlling CMMC compliance costs and accelerating certification. Selecting the right CUI discovery software vendor is the first step to ensuring precision. Teramis, with its 99%+ accuracy, DoD-aligned sampling standards (MIL-STD-105E, ASQ/ANSI Z1.9:2018), broad file type support (including CAD and images with OCR), and platform-agnostic discovery across on-premises, cloud, and hybrid environments, delivers precise scoping, minimizing false positives and compliance costs. Microsoft Purview, while robust for Microsoft 365, is hindered by high false positives, 150 MB file size limits, 20 MB sampling thresholds, lack of CAD and OCR support, and limited non-M365 discovery, leading to potential scope inflation or gaps that increase costs. For defense contractors, Teramis is the superior choice for accurate, cost-effective CUI scoping.


Resources:


Teramis: www.teramis.us

Microsoft Purview: learn.microsoft.com

DoD CUI Registry: www.archives.gov/cui

ASQ/ANSI Z1.9:2018: www.asq.org

