The Desk · Founding Inquiry 05

If an operator prints a CUI drawing, does every workstation on the shop floor fall in scope?

The physical-digital boundary is the scoping question most shops have never been shown how to draw. Where the CUI Asset boundary begins. Where Contractor Risk Managed Assets start. Where Media Protection governs printed output. How a disciplined scope decision reduces the assessment surface without reducing the protection.

Asker: Quality Manager · Aerospace Machining · 120 Employees

The Question

"Our engineers view CUI drawings on a secure server. But sometimes they print them and hand them to the shop floor operators. Our MSP says because the paper touches the shop floor, we have to put all 40 shop floor PCs in scope for CMMC. Is that true?"

The Discipline

No, with discipline. The MSP's "all 40 PCs in scope" claim is a classic over-scoping error caused by failing to recognize the physical-digital boundary. The correct answer is not to place all 40 PCs in scope automatically but to classify each shop-floor PC by function and data path. A PC may be Out of Scope if it cannot process, store, or transmit CUI, does not provide security protection for CUI assets, and is physically or logically separated from CUI assets. A PC may be a Contractor Risk Managed Asset if it can access CUI but is not intended or permitted to, and risk-based policies, procedures, and technical controls prevent CUI from reaching it. A PC becomes a CUI Asset if it processes, stores, or transmits CUI. Drawing the boundary for convenience without analytical defense is the failure mode this Desk warns against (see Inquiry 04 for the inverse parallel: under-scoping legacy CNCs is the same discipline failure as over-scoping the shop floor).

The decision is cross-functional: scoping affects CUI handling, engineering data flow, production workflow, and contractual commitments. The QM, Engineering, IT, and Owner make this call together; the MSP advises but does not determine.

When CUI is printed, it ceases to be a digital asset governed by System and Communications Protection (Family 13). It becomes a physical asset governed by Media Protection (Family 8) and Physical Protection (Family 10). Both apply to paper CUI on the shop floor.

The printed paper itself must carry the required CUI markings. NIST SP 800-171 §3.8.4 requires media containing CUI to be marked with necessary CUI markings and distribution limitations. For DoD CUI, that generally means CUI banner/footer markings and a CUI Designation Indicator; include dissemination controls, limited dissemination markings, export-control markings, or distribution statements when required by the source document, contract, CUI category, or DoD marking guidance. Coversheets supplement marking; they do not replace it. If an operator holds a printed CUI drawing, that paper is in scope: you protect it through clean desk policies, physical access control to the shop floor (visitors escorted, doors locked), coversheets, secure shred bins at job close, and operator CUI awareness training (NIST §3.2.1 and §3.2.2).

Do not forget the print path. The engineering workstation, print server, print queue, secure-release system, and printer must be scoped according to what they process, store, transmit, or protect. If the printer or print queue receives CUI, stores CUI, or transmits CUI, it should be treated as part of the CUI environment or documented according to its actual CMMC asset category. The shop-floor PCs do not come into scope merely because paper is nearby, but the systems that generate, route, store, or release the print job may be in scope.

The 40 shop floor PCs do not enter scope just because paper is nearby — provided three conditions hold. First, the PCs are documented in your asset inventory, SSP, and network diagram with the policies, procedures, and practices that prevent CUI handling explicitly described. Second, technical controls — network segmentation or access controls — prevent the PCs from reaching the engineering CUI server. Third, paper does not flow back to digital: no scanning of paper drawings into the PCs, no phone photography, no USB transfer of operator notes. If any of these conditions fails, reassess the affected PCs. A PC that processes, stores, or transmits CUI is a CUI Asset. A PC that does not handle CUI but can reach the CUI environment may need to be treated as a Contractor Risk Managed Asset or Security Protection Asset, depending on its function and connection path. The SSP, asset inventory, and network diagram must reflect the actual role.

Concrete example. A shop has 40 floor PCs. Five operators work on a CUI job; an engineer prints a properly marked CUI drawing and hands it to the five operators. Under the physical-digital boundary discipline applied with rigor: the paper drawing is in scope (Media Protection family) and carries CUI markings; the five operators have shop-floor handling protocols (clean desk, escort visitors, secure shred) and have completed CUI awareness training; the 40 PCs are documented as CRMA or Out of Scope in the asset inventory, SSP, and network diagram, with network segmentation preventing them from reaching the engineering CUI server; operator handling protocols explicitly prohibit scanning, photography, and USB transfer. With these conditions documented and operational, the MSP's claim that all 40 PCs are in scope is wrong because no PC is touching the digital CUI — and the boundary is defensible.
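The classification rules in The Discipline and the three conditions for shop-floor PCs, turned into an inventory check. This is an added illustration, not code from the Desk or any CMMC tool; the Asset fields and the sample inventory are constructed for the example, and the category strings follow the 32 CFR 170.19 names the page uses.

```python
from dataclasses import dataclass

# Constructed inventory record; field names are this example's own, not a CMMC or NIST schema.
@dataclass
class Asset:
    name: str
    handles_cui: bool        # processes, stores, or transmits CUI
    protects_cui: bool       # provides security protection for CUI assets
    reaches_cui_env: bool    # a network path to the engineering CUI server exists
    documented: bool         # listed in asset inventory, SSP, and network diagram
    paper_to_digital: bool   # scanner, camera upload, or USB import possible on this asset


def classify(a: Asset) -> str:
    """Assign the asset category the page's rules imply for one asset."""
    if a.handles_cui:
        return "CUI Asset"
    if a.protects_cui:
        return "Security Protection Asset"
    if a.reaches_cui_env:
        # Can reach CUI but is not intended to: controls must keep CUI away from it.
        return "Contractor Risk Managed Asset"
    return "Out of Scope"


def scope_report(pcs: list[Asset]) -> dict[str, tuple[str, list[str]]]:
    """Per shop-floor PC: its category and any failed condition that forces reassessment."""
    report = {}
    for pc in pcs:
        reasons = []
        if not pc.documented:
            reasons.append("not documented in inventory/SSP/network diagram")
        if pc.reaches_cui_env:
            reasons.append("not segmented from the engineering CUI server")
        if pc.paper_to_digital:
            reasons.append("paper can flow back to digital (scan/photo/USB)")
        if pc.handles_cui:
            reasons.append("handles CUI: this is a CUI Asset, not CRMA or Out of Scope")
        report[pc.name] = (classify(pc), reasons)
    return report


# Constructed sample inventory: three of the 40 floor PCs plus the print server.
SAMPLE_INVENTORY = [
    Asset("floor-pc-01", False, False, False, True, False),   # clean: Out of Scope
    Asset("floor-pc-02", False, False, True, True, False),    # routable to CUI server: CRMA
    Asset("floor-pc-03", False, False, False, True, True),    # has a scanner: reassess
    Asset("print-server", True, False, True, True, False),    # holds CUI print jobs: CUI Asset
]

if __name__ == "__main__":
    for name, (category, reasons) in scope_report(SAMPLE_INVENTORY).items():
        print(name, category, "; ".join(reasons) or "conditions hold")
```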

Printed CUI on the shop floor does not automatically pull every nearby PC into the CMMC CUI asset boundary. Classify the PCs by actual data path and function; protect the printed drawing as CUI media; scope the print path correctly; prevent paper from flowing back into digital systems; and document the boundary in the SSP, asset inventory, and network diagram. (See Inquiry 02 for the full 14-family map placing Media Protection and Physical Protection in the Greens band; see Inquiry 04 for the parallel scoping-discipline framework applied to legacy production equipment.)

Authority
  • NIST SP 800-171 Rev. 2 · §3.8 Media Protection, including 3.8.1 through 3.8.5 for paper and digital media containing CUI; §3.10 Physical Protection; §3.2 Awareness and Training
  • NIST SP 800-171A · Assessment objectives for Media Protection, Physical Protection, and Awareness and Training requirements
  • 32 CFR 170.19 · CMMC Level 2 scoping; CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets
  • DoDI 5200.48 · DoD CUI marking and safeguarding policy
  • DoD CUI Marking Guidance / CDSE CUI Quick Marking Tips · Banner/footer markings and CUI Designation Indicator
  • CUI Notice 2019-01 · Coversheets and labels; coversheets supplement CUI markings and do not replace required markings
  • AS9100 Rev. D · Clause 7.5 Documented Information; 7.1.4 Environment for the Operation of Processes; 8.5.1 Production and Service Provision
Provenance: Founding Inquiry. Drawn from practitioner conversations that shaped It Takes the Whole Shop. Not a live practitioner submission. Future inquiries in this archive respond to questions submitted through the Desk intake and sanitized per the four-point template.
The Desk provides discipline guidance, not a compliance determination. Your specific implementation path should be validated by your Registered Provider Organization (RPO) or internal counsel prior to a C3PAO assessment.
