Developing Your Data Flow Diagram for CMMC
Key Takeaways
- DFDs Define Scope: Data Flow Diagrams map how CUI/SPD flows, establishing system boundaries for CMMC assessments.
- Complementary to Network Diagrams: DFDs show data movement, while network diagrams show infrastructure – together providing a complete view.
- Assessor Reliance: Assessors use DFDs to validate scope, asset inventories, and CMMC compliance.
- Risk & Decision Support: DFDs help identify security risks and guide system changes impacting CUI/SPD.
- Clarity & Accuracy: DFDs must be clear, aligned with asset inventories and SSP, and include all in-scope components.
The CMMC Data Flow Diagram (DFD) is key to defining the scope of a CMMC Level 2 Assessment. The diagram must demonstrate the flow of Controlled Unclassified Information (CUI) within the CMMC boundaries and where the CUI enters and leaves the boundaries. Since Security Protection Data (SPD) is also in scope for the assessment, including the flow of SPD helps to define what assessment objectives apply to SPD.
The DFD is not a network diagram, but the two can be combined. The network diagram shows the network and the devices included within the CMMC boundary and highlights boundary protection. Combining the network diagram with the CUI/SPD DFD shows how CUI and SPD move through the network and which devices they touch. Even when kept separate, the two diagrams are used in tandem to understand an organization’s environment. For CMMC assessors, the DFDs are key documents that give them insight into the environment and confirm the assessment scope.
Why Have a CUI/SPD Data Flow Diagram?
- It is a visual document that shows the assessor where CUI/SPD resides and how it passes through the environment, including which systems store, process, or transmit CUI/SPD. This helps define the boundaries that are crucial for CMMC assessments and, with them, what lies inside the authorization boundary of the environment (in scope).
- It is reference documentation for decisions involving the environment that could change the CUI/SPD data flow or affect systems that store, process, or transmit CUI/SPD.
- The document can aid in identifying potential security risks.
- It is documentation to support CMMC compliance. This will help CMMC assessors reaffirm the assessment scope and understand how CUI flows through the environment. Assessors will refer to the network diagram for some controls.
- Organizations are required to provide a network diagram to help facilitate scoping discussions during pre-assessment activities.
Assessing the DFD
Assessors will verify that all components that store, process, or transmit CUI/SPD are listed on the categorized asset inventory list and align with the CUI/SPD DFD.
Assessors will verify that the asset inventory:
- Contains specifics based on the purpose of each asset.
- States each asset’s category (CUI, SPA, CRMA, or Specialized Assets) according to the appropriate CMMC scoping guide (Level 1 or 2).
- Does not include out-of-scope assets.
The System Security Plan (SSP) should contain sufficient information to justify why CRMAs and Specialized Assets in the authorization boundary are not CUI or SPA assets. CMMC assessors may also conduct interviews about why an asset is categorized as it is.
Assessors will refer to the CUI/SPD DFD when assessing the assessment objectives to verify where CUI/SPD is moving through the environment. Assessors rely upon the CUI/SPD DFD to identify where CUI/SPD enters and exits the environment. The system boundary is typically represented as a box surrounding the in-scope systems.
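The checks described above (every in-boundary component that handles CUI/SPD appears on the categorized inventory, out-of-scope assets are absent, CRMA and Specialized Assets carry an SSP justification, and CUI/SPD entry and exit points are identifiable) can be run mechanically before the assessor ever sees the diagram. The script below is an added example for this article, not a tool from the author or any C3PAO; the DFD model, the `Flow`/`Dfd` classes, the inventory layout and all sample asset names are assumptions constructed for illustration.

```python
"""Cross-check a CUI/SPD data flow diagram against a categorized asset inventory.

Hypothetical helper written for this article: the DFD is modelled as a set of
assets inside the system-boundary box plus directed data flows, and the
inventory as a mapping of asset name -> (category, purpose).
"""
from dataclasses import dataclass

# Asset categories named on this page from the CMMC Level 2 scoping guide.
IN_SCOPE_CATEGORIES = {"CUI", "SPA", "CRMA", "Specialized Assets"}
OUT_OF_SCOPE = "Out-of-Scope"                 # must not appear on the inventory at all
NEEDS_SSP_JUSTIFICATION = {"CRMA", "Specialized Assets"}


@dataclass(frozen=True)
class Flow:
    src: str   # node the data leaves
    dst: str   # node the data arrives at
    data: str  # "CUI" or "SPD"


@dataclass
class Dfd:
    boundary: set   # assets drawn inside the system-boundary box
    flows: list     # every arrow on the diagram


def boundary_crossings(dfd):
    """Split flows into those entering and those leaving the system boundary."""
    entries = [f for f in dfd.flows if f.src not in dfd.boundary and f.dst in dfd.boundary]
    exits = [f for f in dfd.flows if f.src in dfd.boundary and f.dst not in dfd.boundary]
    return entries, exits


def check_alignment(dfd, inventory):
    """Return the findings an assessor would raise when comparing DFD and inventory."""
    findings = []
    on_a_flow = {f.src for f in dfd.flows} | {f.dst for f in dfd.flows}

    # 1. Every in-boundary component that stores/processes/transmits CUI/SPD is inventoried
    #    with a stated purpose.
    for asset in sorted(on_a_flow & dfd.boundary):
        if asset not in inventory:
            findings.append(f"{asset}: on the DFD but missing from the asset inventory")
            continue
        _category, purpose = inventory[asset]
        if not purpose:
            findings.append(f"{asset}: no purpose recorded in the inventory")

    # 2. Inventory entries are consistent with the diagram.
    for asset, (category, _purpose) in sorted(inventory.items()):
        if category == OUT_OF_SCOPE:
            findings.append(f"{asset}: out-of-scope asset listed on the inventory")
        elif category not in IN_SCOPE_CATEGORIES:
            findings.append(f"{asset}: unknown category '{category}'")
        elif category in {"CUI", "SPA"} and asset not in on_a_flow:
            findings.append(f"{asset}: categorized {category} but appears on no CUI/SPD flow")
    return findings


def ssp_justification_needed(inventory):
    """Assets whose non-CUI/SPA categorization the SSP must explain."""
    return sorted(a for a, (cat, _) in inventory.items() if cat in NEEDS_SSP_JUSTIFICATION)


# --- constructed sample data (not from any real environment) --------------------
SAMPLE_DFD = Dfd(
    boundary={"Workstation-01", "FileServer", "SIEM", "Firewall"},
    flows=[
        Flow("DoD-Customer", "Workstation-01", "CUI"),   # CUI enters the boundary
        Flow("Workstation-01", "FileServer", "CUI"),
        Flow("FileServer", "SIEM", "SPD"),               # audit logs are SPD
        Flow("Firewall", "SIEM", "SPD"),
        Flow("FileServer", "Backup-Vendor", "CUI"),      # CUI leaves the boundary
    ],
)
SAMPLE_INVENTORY = {
    "Workstation-01": ("CUI", "engineering workstation"),
    "FileServer": ("CUI", "CUI file share"),
    "SIEM": ("SPA", ""),                                   # purpose left blank: finding
    "HR-Laptop": ("CUI", "HR laptop"),                     # categorized CUI, on no flow: finding
    "Lab-Scope": ("Specialized Assets", "test equipment"),  # needs SSP justification
    "Printer-07": (OUT_OF_SCOPE, "lobby printer"),         # should not be listed: finding
    # "Firewall" is on the DFD but was never inventoried: finding
}

if __name__ == "__main__":
    entries, exits = boundary_crossings(SAMPLE_DFD)
    print("CUI/SPD entry points:", [(f.src, f.dst, f.data) for f in entries])
    print("CUI/SPD exit points: ", [(f.src, f.dst, f.data) for f in exits])
    for line in check_alignment(SAMPLE_DFD, SAMPLE_INVENTORY):
        print("FINDING:", line)
    print("SSP must justify:", ssp_justification_needed(SAMPLE_INVENTORY))
```

Run against the constructed sample, the script reports one CUI entry point (customer to workstation), one CUI exit point (file server to backup vendor), four inventory findings (an uninventoried firewall, a SIEM with no purpose, a CUI-categorized laptop on no flow, and an out-of-scope printer on the list) and one asset whose categorization the SSP has to justify. Swapping in an export of a real diagram and inventory turns the same checks into a pre-assessment self-review.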
Helpful Tips for an Assessor’s Understanding of the DFD
- Ensure that the DFD is easy to read and understand. This can be achieved by using labels, relevant symbols, colored arrows to represent different types of data flows, and legends.
- Ensure that the diagram shows both the internal information flow and the system boundary. The boundary defines what is in scope.
- Include all in-scope business units in the diagram-building process to ensure that the diagram reflects the network as it actually exists.
Below are examples of DFDs for simple environments:
McKonly and Asbury is an authorized C3PAO. Our clients benefit from our approach of providing clear feedback on why an assessment objective does not meet the CMMC Level 2 requirements. If you are interested in learning more about our CMMC services, please contact David Hammarberg, Partner and Lead CCA, or Elaine Nissley, CMMC Director and Lead CCA.
About the Author
Ryan Kong joined McKonly & Asbury in 2026 and is currently an Advisory Staff with the firm’s CMMC team.