CyberProtex

Controlled Unclassified Information (CUI) Data Flow Diagrams

Understanding how Controlled Unclassified Information flows through your organization is one of the most important steps in preparing for CMMC. A well-built Data Flow Diagram helps identify where CUI enters your environment, where it is processed or stored, how it is protected, and where it exits your boundary. This practical five-step guide will help you turn your existing network diagram into an assessment-ready CUI data flow diagram that supports scoping, documentation, and stronger security decision-making.
CMMC Coffee & Compliance

How to Build a CMMC Data Flow Diagram That Stands Up in an Assessment

A practical five-step approach to documenting how Controlled Unclassified Information enters, moves through, is stored within, and leaves your environment.


Your Data Flow Diagram Is More Than a Picture

For CMMC Level 2, a Data Flow Diagram helps demonstrate that your organization understands where CUI lives, how it moves, who or what can access it, and where your security boundary begins and ends.

A strong DFD connects business reality to technical controls. It should reflect actual workflows, approved systems, authorized users, external connections, and the points where Microsoft security capabilities such as Entra ID, Intune, Microsoft Purview, Defender, Sentinel, and GCC High help protect the flow of sensitive information.

Assessment Mindset

When an assessor asks how CUI moves through your environment, your answer should not be a guess. Your DFD should give leadership, IT, compliance, and the assessor a shared visual record of the current “as-is” environment.

The 5-Step Process

Use this process to create a clear, defensible CMMC Data Flow Diagram that supports scoping, control implementation, and audit readiness.

1. Start with Your Network Diagram

Do not begin with a blank page. Use your existing network diagram as the foundation. The network diagram shows the infrastructure: routers, firewalls, switches, servers, endpoints, cloud services, and major connection paths. Your DFD builds on that foundation by showing how CUI actually travels through the environment.

Goal: Move from “where systems are” to “how sensitive data moves.”

2. Identify Where CUI Enters the Environment

Pinpoint every approved entry point where CUI can enter your organization. These may include email attachments, secure portals, DoD or prime contractor file exchanges, managed cloud services, physical media, or direct customer delivery.

  • Email and collaboration platforms
  • Secure web portals or file transfer tools
  • Cloud services such as Microsoft 365 GCC High or Azure Government
  • Physical media, including USB drives or external storage
  • Partner, subcontractor, or customer system interfaces
Action: Clearly mark each CUI entry point so the start of the data lifecycle is visible.

3. Map Internal CUI Movement

Trace how CUI moves once it is inside your approved boundary. Document the systems, applications, people, devices, and repositories that process, transmit, transform, protect, or store the data.

  • Use circles for processes, applications, or workflow steps.
  • Use rectangles for data stores such as SharePoint sites, file servers, databases, or document repositories.
  • Use directional arrows to show the exact path data travels.
  • Label each flow with a plain-language description, such as “contract review,” “engineering file upload,” “CUI label applied,” or “encrypted transfer.”
Goal: Make hidden workflows visible before they become audit findings.

4. Document Where CUI Leaves the Boundary

Identify every approved exit point where CUI leaves your controlled environment. These exits matter because they define the handoff between your organization, customers, subcontractors, external service providers, and cloud platforms.

  • Transfers to the Department of Defense, prime contractors, or subcontractors
  • Secure email or encrypted file sharing
  • Cloud storage, backup, archival, or disaster recovery locations
  • Engineering, manufacturing, or quality systems that exchange controlled files
  • Approved removable media workflows
Action: Label each exit with the approved method, destination, and protection mechanism.

5. Review, Validate, and Approve

A DFD is only valuable if it reflects what actually happens. Validate the diagram with system owners, IT administrators, compliance staff, program managers, and users who handle CUI day to day.

  • Compare the diagram against real data movement, not just policy.
  • Confirm all repositories, applications, and transfer methods are represented.
  • Look for undocumented workarounds, shadow IT, personal storage, or ad-hoc transfers.
  • Obtain leadership approval so the diagram becomes an official assessment artifact.
Goal: Produce an approved “as-is” artifact that can support your SSP, scope, and CMMC evidence package.
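
The five steps can also be checked mechanically once the diagram is written down as data. The following is an added example, not part of the original guide or any CyberProtex tooling: it models a small constructed DFD and reports unlabeled flows, exits missing a method or protection, and in-boundary systems with no documented CUI source. All node names, field names, and the validate_dfd function are assumptions made for illustration.

```python
# Constructed sample DFD; every node, flow, and field name here is hypothetical.
NODES = {  # name -> (symbol kind, inside the CUI boundary?)
    "prime_portal": ("external", False),
    "intake_review": ("process", True),
    "cui_sharepoint": ("store", True),
    "eng_fileserver": ("store", True),
    "dod_customer": ("external", False),
    "personal_drive": ("external", False),
}
FLOWS = [
    {"src": "prime_portal", "dst": "intake_review", "label": "contract package download",
     "method": "secure portal", "protection": "TLS"},
    {"src": "intake_review", "dst": "cui_sharepoint", "label": "CUI label applied"},
    {"src": "cui_sharepoint", "dst": "dod_customer", "label": "deliverable transfer",
     "method": "encrypted file sharing", "protection": "encrypted in transit"},
    {"src": "eng_fileserver", "dst": "personal_drive", "label": ""},  # ad-hoc transfer
]

def validate_dfd(nodes, flows):
    """Return sorted findings; an empty list means the model passed every check."""
    findings, graph, entries = [], {}, []
    for f in flows:
        src, dst = f["src"], f["dst"]
        tag = f"{src}->{dst}"
        if src not in nodes or dst not in nodes:
            findings.append(f"flow references undefined node: {tag}")
            continue
        graph.setdefault(src, []).append(dst)
        src_in, dst_in = nodes[src][1], nodes[dst][1]
        if not f.get("label"):  # step 3: every flow carries a plain-language label
            findings.append(f"unlabeled flow: {tag}")
        if dst_in and not src_in:  # step 2: flow crossing into the boundary
            entries.append(src)
            if not f.get("method"):
                findings.append(f"entry missing method: {tag}")
        if src_in and not dst_in:  # step 4: flow crossing out of the boundary
            for field in ("method", "protection"):
                if not f.get(field):
                    findings.append(f"exit missing {field}: {tag}")
    # Step 5: anything inside the boundary should trace back to a marked entry point.
    seen, stack = set(), list(entries)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    findings += [f"no documented CUI source: {name}"
                 for name, (_, inside) in nodes.items() if inside and name not in seen]
    return sorted(findings)
```

On the sample data, the file server that was never connected to an entry point and its undocumented transfer to personal storage are the only items reported.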

Best Practices for a Strong CMMC DFD

Use One Visual Language

Keep symbols, labels, colors, and terminology consistent. A clean diagram helps reviewers understand your environment quickly and reduces confusion during assessment discussions.

Build It with the Right People

Compliance teams know the requirement, but IT and operations teams know the real pathways. Bring them together to uncover undocumented systems, shortcuts, and legacy processes.

Treat It as a Living Artifact

Update the diagram whenever systems, cloud services, remote access methods, subcontractor workflows, or CUI handling processes change.

Why This Matters for Your CMMC Assessment

During a CMMC Level 2 assessment, you should be prepared to explain how CUI is received, processed, stored, transmitted, protected, and shared. A well-built DFD gives you a clear, visual way to demonstrate your CUI boundary, your authorized flows, and the controls that protect data throughout its lifecycle.

  • CUI entry points identified
  • Internal processing and storage mapped
  • Approved destinations documented
  • Security boundary clearly shown
  • External connections visible
  • Diagram reviewed and approved

Need Help Building Your CMMC Data Flow Diagram?

CyberProtex helps organizations translate real-world CUI workflows into practical CMMC-ready documentation, diagrams, and Microsoft security implementations.

CyberProtex, LLC - 2012-2026
850 Ben Graves Dr NW Suite 306, Huntsville, AL 35816
256-401-7072