Unified Scoping Guide - A Methodology To Scope Compliance With Your Supply Chain

metaSCRM, in conjunction with ComplianceForge, published the Unified Scoping Guide (USG) as a means to define the scope of sensitive and regulated data, as to where it is stored, transmitted and processed. This is a zone-based model that utilizes a data-centric methodology to define the scoping for sensitive and regulated data. This approach is applicable to the following sensitive data types:

  • Controlled Unclassified Information (CUI)

  • Federal Contract Information (FCI)

  • Personally Identifiable Information (PII)

  • Protected Health Information (PHI)

  • Cardholder Data (CHD)

  • Intellectual Property (IP)

  • Attorney-Client Privilege Information (ACPI)

  • Student Educational Records (FERPA)

  • Export-Controlled Data (ITAR / EAR)

  • Critical Infrastructure Information (CII)

This USG model is applicable to Supply Chain Risk Management (SCRM) needs to protect sensitive and regulated data as it exists within the supply chain.


The model described in this document utilizes eight (8) zones to categorize system components, based on the interaction with sensitive data. This model highlights the different types of risks associated with each zone. This approach makes it evident which systems, applications and services must be appropriately protected, due to the risk posed to sensitive data. The Sensitive Data Environment (SDE) encompasses the people, processes and technologies that store, process and transmit sensitive data:

  • Store – When sensitive data is inactive or at rest (e.g., located on electronic media, system component memory, paper)

  • Process – When sensitive data is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)

  • Transmit – When sensitive data is being transferred from one location to another (e.g., data in motion).

This guide is not endorsed by any statutory or regulatory body. This is merely an unofficial model that ComplianceForge and metaSCRM compiled to help organizations comply with their cybersecurity and data privacy compliance needs. This guide leveraged the outstanding

concepts that PCI Resources published in its PCI DSS Scoping Model and Approach by applying that scoping methodology to other types of sensitive data.


This model categorizes system components according to several factors:

  • Whether sensitive data is being stored, processed or transmitted;

  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and

  • The connectivity between the system and the sensitive data environment.

16 views0 comments