The 6 Essentials of a CMMC Data Flow Diagram
There is a lot of confusion today about what a good CMMC Data Flow Diagram (DFD) looks like, so we asked ChatGPT 5.2 what it thought should be included.
In short, it should clearly show how Controlled Unclassified Information (CUI) moves through your environment, across people, systems, devices, and external parties. It illustrates where CUI is stored, processed, or transmitted.
Below, we've broken this down in a practical way, aligned to assessment expectations (especially CMMC Level 2 / NIST SP 800-171).
What a 'Good' CMMC Data Flow Diagram Must Contain
1. System Boundary (The Most Important Part)
Clearly define:
- What is inside the CMMC assessment scope
- What is outside the scope
- Connections between scoped and non-scoped systems
Assessors first ask: “Where does the CUI boundary start and stop?”
Include:
- CUI Enclave (if segmented)
- Corporate network (if separate)
- Cloud environments (M365 GCC, GCC High, Azure, AWS, etc.)
- External vendors
2. CUI Entry & Exit Points
Show every way CUI enters and leaves your environment.
Examples:
- Email (M365, Exchange)
- Secure File Transfer (SFTP)
- Vendor portals
- SharePoint / OneDrive
- VPN connections
- Remote access
- USB drives
- APIs
- DoD SAFE
Each flow should indicate:
- Direction (inbound/outbound/internal)
- Method (encrypted email, VPN tunnel, HTTPS, etc.)
3. Data Repositories (Where CUI Lives)
Identify all storage locations:
- File servers
- SharePoint libraries
- OneDrive
- Databases
- Engineering systems (e.g., SolidWorks PDM)
- Backup systems
- Endpoints (if CUI is allowed locally)
- SaaS platforms
Assessors want to see: “Where can CUI rest?”
4. Processing Systems
Show systems that process CUI, not just store it:
- ERP systems
- Ticketing systems
- Engineering tools
- CRM platforms
- HR platforms (if they touch CUI)
- EDR systems (if they log CUI)
5. Users & Roles
Include:
- Employees
- Contractors
- IT admins
- Remote workers
- Third-party vendors
Show how they access:
- VPN
- Direct web access
- Jump server
- Virtual Desktop (VDI)
6. Security Controls at Boundaries
A strong CMMC DFD doesn’t just show data — it shows protection.
Include:
- Firewalls
- Email security gateway
- Secure web gateway
- MFA
- VPN concentrator
- IDS/IPS
- EDR
- DLP
- Encryption
This demonstrates compliance with:
- AC (Access Control)
- SC (System & Communications Protection)
- IA (Identification & Authentication)
What It Should NOT...
❌ Be just a network diagram
❌ Be just a Visio of switches and routers
❌ Be missing cloud flows
❌ Be missing third parties
❌ Be missing remote users
What Assessors Look For:
| Question | Your Diagram Should Answer |
|---|---|
| Where does CUI enter? | Show it |
| Where is CUI stored? | Show all repositories |
| Who can access it? | Show user paths |
| How is it protected? | Show control points |
| Can CUI leave uncontrolled? | Show egress controls |
Common Mistakes That Fail Assessments
- Forgetting backups
- Forgetting IT admin access
- Forgetting remote support tools
- Forgetting printers/scanners
- Forgetting mobile devices
- Forgetting APIs
- Forgetting external accountants / MSP access
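The assessor questions and the common mistakes above can be turned into a machine-checkable review of a diagram. As an added example (not part of the original post), the Python below models a DFD as trust-zoned nodes and labelled flows and lints it for CUI repositories outside the boundary, missing backups, zone crossings with no encryption or control point, and uncontrolled egress; the node and flow names are constructed samples, not a real environment.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Node:
    name: str
    zone: str              # trust zone label: "CUI enclave", "cloud", "external", ...
    in_scope: bool = True  # inside the CMMC assessment boundary?
    stores_cui: bool = False
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str         # "inbound", "outbound" or "internal"
    method: str            # transport, e.g. "HTTPS", "SFTP", "SMB"
    encryption: str = ""   # e.g. "TLS 1.2", "AES-256"; empty means unlabelled
    controls: tuple = ()   # control points on the path, e.g. ("MFA", "DLP")

def lint_dfd(nodes, flows):
    # Returns a list of findings; an empty list means every check passed.
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:  # "Where is CUI stored?": repositories must sit inside the boundary
        if n.stores_cui and not n.in_scope:
            findings.append(f"CUI repository outside boundary: {n.name}")
    if not any(n.stores_cui and "backup" in n.name.lower() for n in nodes):
        findings.append("no backup repository shown")  # common mistake: forgetting backups
    for f in flows:
        src, dst = by_name.get(f.src), by_name.get(f.dst)
        if src is None or dst is None:
            findings.append(f"flow references an undefined node: {f.src} -> {f.dst}")
            continue
        if src.zone != dst.zone:  # "How is it protected?": label every zone crossing
            if not f.encryption:
                findings.append(f"zone crossing without encryption label: {f.src} -> {f.dst}")
            if not f.controls:
                findings.append(f"zone crossing without control point: {f.src} -> {f.dst}")
        if f.direction == "outbound" and not dst.in_scope and not f.controls:
            findings.append(f"uncontrolled egress: {f.src} -> {f.dst}")  # "Can CUI leave?"
    return findings
# Constructed sample diagram with deliberate gaps; not a real environment.
SAMPLE_NODES = [
    Node("File server", "CUI enclave", stores_cui=True),
    Node("M365 GCC High", "cloud", stores_cui=True),
    Node("Vendor portal", "external", in_scope=False),
    Node("Office NAS backup", "corporate", in_scope=False, stores_cui=True),
]
SAMPLE_FLOWS = [
    Flow("File server", "M365 GCC High", "outbound", "HTTPS", "TLS 1.2", ("MFA", "DLP")),
    Flow("File server", "Vendor portal", "outbound", "HTTPS", "TLS 1.2"),
    Flow("File server", "Office NAS backup", "internal", "SMB"),
]
```

Running `lint_dfd(SAMPLE_NODES, SAMPLE_FLOWS)` on the sample reports five gaps, each mapping to a row of the assessor table or to an item in the mistakes list.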
Recommended Structure (Best Practice)
Level 1 – High-Level Diagram (Executive View)
- CUI boundary
- Major systems
- External connections
- Cloud providers
Level 2 – Detailed Data Flow Diagram
- Exact flow arrows
- Protocols (HTTPS, TLS 1.2, VPN)
- Trust zones
- Specific platforms (M365 GCC High, Azure Gov, etc.)
Level 3 – System Decomposition (Optional)
- Break out major systems
- Show internal segmentation
- Show privileged access paths
What Makes It “Great”
✔ Label trust zones
✔ Label encryption type (TLS 1.2, AES-256)
✔ Identify FIPS validated modules (if applicable)
✔ Identify FedRAMP boundary if using GCC High
✔ Map diagram components to NIST 800-171 control families
Remember
A good CMMC data flow diagram clearly shows where CUI comes from, where it goes, where it rests, who touches it, and how it’s protected, all within a defined security boundary.
If you have questions and want to talk with an expert, reach out to us today.
